Windows Tips & Tricks UPDATE, July 26, 2004, brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
- Q. How can I determine the location of an executable file on my Windows Server 2003 system?
- Q. Why can't I update the Active Directory (AD) schema for Microsoft Systems Management Server (SMS)? Schema update is enabled, and I have Schema Admins permission.
- Q. How can I create a query-based Distribution Group (DG)?
- Q. How can I prevent nonadministrative users from creating top-level public folders in Exchange 2000 Server?
- Q. How can I start the local Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from the command line?
by John Savill, FAQ Editor, [email protected]
This week, I tell you how to determine the location of an executable file on a Windows Server 2003 system, troubleshoot a problem with updating the Active Directory (AD) schema for Microsoft Systems Management Server (SMS), and explain how to create a query-based Distribution Group (DG). I also explain how to prevent nonadministrators from creating top-level public folders in Exchange 2000 Server and how to start the local Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from the command line.
Q. How can I determine the location of an executable file on my Windows Server 2003 system?
A. Your Windows 2003 environment contains a PATH variable that's built by combining the system path variable with a user-specific path variable. When a program resides in a folder that appears in the PATH variable, you can start the program simply by typing the executable's filename--for example, dcdiag.exe (assuming the Windows 2003 Support Tools--which include dcdiag.exe--are installed on your Windows 2003 system); you don't have to precede the executable name with the full pathname if its folder is part of the PATH variable. You can check your PATH variable by running the command
from a command prompt; you'll see that the variable contains one or more paths, such as c:\program files;c:\program files\support tools. Using this PATH variable as an example, if the executable resides in either the Program Files or Support Tools folder, you don't need to type the complete path.
Sometimes you might want to check the location of an executable file (e.g., a command). To do so, start a command prompt (cmd.exe) and type
For example, entering the command
displays the following results:
C:\program files\support tools\dcdiag.exe
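As an added example (not part of the original newsletter), the PowerShell function below lists every file that a bare command name could resolve to, in search order, so you can see which copy actually starts and which copies are shadowed by an earlier folder. It goes beyond the answer above by also checking the current directory and the PATHEXT extensions, which cmd.exe consults, and by reporting each file's Authenticode status; the function name `Find-ExecutableOnPath`, its parameters and the temporary demo folders are hypothetical.

```powershell
# Added example, not from the newsletter. Function/parameter names are hypothetical.
function Find-ExecutableOnPath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$PathValue    = $env:Path,
        [string]$PathExtValue = $env:PATHEXT,
        [string]$CurrentDir   = (Get-Location).Path
    )
    # Simplification: a name typed with an extension is matched as typed;
    # a bare name is tried with each PATHEXT extension, in PATHEXT order.
    $names = @($Name)
    if (-not [IO.Path]::GetExtension($Name)) {
        $names = @($PathExtValue -split ';' | Where-Object { $_ } | ForEach-Object { "$Name$_" })
    }
    # cmd.exe checks the current directory first, then each PATH entry left to right.
    $dirs = @($CurrentDir) + @($PathValue -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    $seen = @{}
    $hits = 0
    foreach ($dir in $dirs) {
        $dir = $dir.TrimEnd('\')
        if ($seen.ContainsKey($dir)) { continue }   # repeated PATH entry, already searched
        $seen[$dir] = $true
        foreach ($n in $names) {
            $full = "$dir\$n"
            if (-not [IO.File]::Exists($full)) { continue }
            $hits++
            [pscustomobject]@{
                Rank      = $hits
                Runs      = ($hits -eq 1)   # only the first match is the one that starts
                Path      = $full
                Signature = (Get-AuthenticodeSignature -LiteralPath $full).Status
            }
        }
    }
}

# Constructed demo: two folders each hold a placeholder file named dcdiag.exe.
$root = Join-Path ([IO.Path]::GetTempPath()) ("pathdemo-" + [guid]::NewGuid())
$a = (New-Item -ItemType Directory -Path (Join-Path $root 'program files')).FullName
$b = (New-Item -ItemType Directory -Path (Join-Path $root 'support tools')).FullName
Set-Content -Path (Join-Path $a 'dcdiag.exe') -Value 'placeholder'
Set-Content -Path (Join-Path $b 'dcdiag.exe') -Value 'placeholder'

Find-ExecutableOnPath -Name dcdiag -PathValue "$a;$b" -PathExtValue '.COM;.EXE' -CurrentDir $root |
    Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Called with only `-Name`, the function reads the session's live `$env:Path` and `$env:PATHEXT`; more than one row in the output means an earlier folder is shadowing a later copy of the same executable.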
Q. Why can't I update the Active Directory (AD) schema for Microsoft Systems Management Server (SMS)? Schema update is enabled, and I have Schema Admins permission.
A. I recently had this problem. I had a lab environment in which I repeatedly tried--and failed--to update the schema for SMS by running the command
After I ran the command, the log file contained the following information:
Modifying Active Directory Schema - with SMS extensions.
DS Root:CN=Schema,CN=Configuration,DC=savilltech,DC=com
Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8206.
Failed to create attribute cn=mS-SMS-Assignment Site-Code. Error code = 8206.
Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8206.
Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8206.
Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8206.
Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8206.
Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8206.
Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8206.
Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8206.
Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8206.
Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
Failed to create class cn=MS-SMS-Site. Error code = 8202.
Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
Failed to extend the Active Directory schema.
After much investigation, I discovered the reason for the failed schema update: I had many domain controllers (DCs) that weren't running and consequently had replication errors. After I started the other DCs and resolved the replication errors by forcing a replication, the schema update worked perfectly, as you can see in the following log file output:
Modifying Active Directory Schema - with SMS extensions.
DS Root:CN=Schema,CN=Configuration,DC=savilltech,DC=com
Defined attribute cn=MS-SMS-Site-Code.
Defined attribute cn=mS-SMS-Assignment-Site-Code.
Defined attribute cn=MS-SMS-Site-Boundaries.
Defined attribute cn=MS-SMS-Roaming-Boundaries.
Defined attribute cn=MS-SMS-Default-MP.
Defined attribute cn=mS-SMS-Device-Management-Point.
Defined attribute cn=MS-SMS-MP-Name.
Defined attribute cn=MS-SMS-MP-Address.
Defined attribute cn=MS-SMS-Ranged-IP-Low.
Defined attribute cn=MS-SMS-Ranged-IP-High.
Defined class cn=MS-SMS-Management-Point.
Defined class cn=MS-SMS-Server-Locator-Point.
Defined class cn=MS-SMS-Site.
Defined class cn=MS-SMS-Roaming-Boundary-Range.
Successfully extended the Active Directory schema.
Please refer to the SMS documentation for instructions on the manual configuration of access rights in active directory which may still need to be performed. (Although the AD schema has now been extended, AD must be configured to allow each SMS Site security rights to publish in each of their domains.)
Q. How can I create a query-based Distribution Group (DG)?
A. Most groups in Active Directory (AD) contain static members--that is, group membership doesn't change unless you open the group and add users or other groups to it. In some cases, you might want to include in a group users who meet certain criteria and have AD reevaluate the group's membership each time the group is used. To evaluate a group's membership and determine who should be in the group, you use a Lightweight Directory Access Protocol (LDAP) query to create a query-based DG, a feature that Microsoft introduced in Exchange Server 2003.
The group-membership evaluation process uses more processor resources than using static groups because you must rerun the LDAP query that defines a group's membership every time you use the query-based DG.
To create a query-based DG, perform the following steps:
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).
- Right-click the container in which you want to create the new query-based DG and select New, Query-based Distribution Group.
- Enter a name for the DG and click Next.
- You can select the root container that the query will search for matching objects. By default, this is the container in which you're creating the new object; however, you can change the default root container by clicking the Change button.
- You can define a standard type of query-based group that filters members according to the criteria that the figure at http://www.winnetmag.com/content/content/43355/qbdgcreate1.gif shows. Alternatively, you can select "Customize filter" and click Customize to set up a customized filter that contains your own criteria. After you click Customize, you'll see the Find Exchange Recipients dialog box. Select the Advanced tab to define the attributes of the objects and the values that AD will use to evaluate the membership.
- After you've finished configuring the query-based DG, click Next.
- Click Finish.
You can view a query-based DG's current membership by right-clicking the DG and selecting Properties, then selecting the Preview tab. Remember that query-based DGs are evaluated against a Global Catalog (GC); if a GC isn't available, Exchange places the evaluation in a retry state and reattempts it in 1 hour.
Q. How can I prevent nonadministrative users from creating top-level public folders in Exchange 2000 Server?
A. Exchange Server 2003 doesn't let nonadministrators create top-level public folders. To modify Exchange 2000 so that nonadministrative users can't create top-level folders, perform these steps:
- Enable the Exchange organization's Security tab, as explained in the FAQ "How can I enable the Security tab at the Exchange organization level?" (http://www.winnetmag.com/articles/index.cfm?articleid=42869).
- Start the Exchange System Manager (ESM) utility.
- Right-click the organization and select Properties.
- Select the Security tab.
- Under Name, select the "Everyone" entry.
- In the Permissions section, clear the "Create top level public folder" check box under the Allow column.
- Click OK.
If you don't plan to add Exchange 2000 servers and have the Exchange 2003 installation media, an alternative method is to run the Exchange 2003 command
Be aware that if you use this method, adding another Exchange 2000 server in the future will re-enable all users' ability to create top-level folders.
Q. How can I start the local Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from the command line?
A. To start the local Active Directory Users and Computers snap-in from the command line on a Windows Server 2003 or Windows 2000 Server system, enter the command
To start the snap-in from the command line on a Windows XP Professional Edition system, enter the command