\[Editor's Note: Share your NT discoveries, comments, problems, solutions, and experiences with products and reach out to other Windows NT Magazine readers (including Microsoft). Email your contributions (400 words or less) to [email protected]. Please include your phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.\]
NT System Policy Editor
In my domain, I use system policies extensively (sometimes to the dismay of users who want to install custom screen savers). These policies disable certain privileges depending on users' group affiliations. My coworker was working on a Windows 95 machine and was having trouble accessing the network configuration and running regedit to change his permissions, because of the policy restrictions I had set. I had removed the config.pol file for Win95 from my PDC, leaving the previous user's restrictions in effect on the machine.
My coworker's first thought was to reinstall Windows to gain access to the Registry. However, I had disabled Registry editing, so a reinstallation wouldn't let him change the Registry settings. To solve the problem, I used Windows NT's System Policy Editor (SPE). I copied the poledit.exe and admin.adm files to a 3.5" disk and ran poledit.exe from the disk. Then, I used the admin.adm file to open the Registry from SPE and made the changes to restore my coworker's permissions. (For more information about SPE, see Clayton Johnson, "Expanding Your System Policy Capabilities," December 1998.)
—Jon D. Paskett
SMS Security Manager Template
The Microsoft article "SMS: How to Create a Custom Remote Control Group in SMS" at http://support.microsoft.com/support/kb/articles/q191/3/36.asp discusses the permissions a typical Help desk person needs. A problem with this recommendation is that you can't create a template in Microsoft's Systems Management Server (SMS) Security Manager. The SMS database's SecurityUserTemplates table stores SMS templates. The script in Listing 1, page 28, lets you easily create an SMS Security Manager Help desk template based on Microsoft's recommended settings. (For information about SMS 2.0, see Ethan Wilansky, "Systems Management Server 2.0 Client Features," May 1999.)
DMZ with Proxy Server 2.0
You can't use Microsoft Proxy Server 2.0's Winsock proxy service to reverse-host network applications and services such as Windows NT file and print services and PPTP servers or UNIX- or mainframe-based terminal services. However, you can create a demilitarized zone (DMZ) to provide this kind of service from behind the proxy server while protecting the internal networks (private and DMZ) with Proxy Server's packet filters. (For a detailed article about Proxy Server, see Zubair Ahmad, "Proxy Server 2.0," October 1998.)
Microsoft's "How to Create a DMZ Network with Proxy Server 2.0" at http://support.microsoft.com/support/kb/articles/q191/1/46.asp describes DMZ setup with Proxy Server 2.0. This article recommends that you use three NICs in the Proxy Server computer to split three networks (i.e., Internet, intranet, DMZ) into separate physical segments.
However, you don't need a separate NIC for DMZ. You can create a DMZ on the same segment as your intranet. You must assign the second IP address (i.e., the DMZ's address) to the proxy server's internal NIC, and assign appropriate IP addresses and default gateways (i.e., the proxy server's internal DMZ IP address) to the hosts that will comprise the DMZ. Switched media prevents DMZ traffic from congesting the network.
When you implement a DMZ, you need to analyze the security of services that you expose to the Internet. You can easily configure a DMZ to provide Telnet access to an internal UNIX host, but Telnet sessions are insecure. SSH Communications Security (http://www.ssh.fi) provides such services in a secure manner.
Rather than exposing network services via a DMZ, you might want to implement a VPN solution such as RRAS or PPTP. However, VPNs aren't suitable for public access.
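The same-segment layout the letter describes separates the DMZ from the intranet by addressing alone (two addresses on the proxy's internal NIC, with DMZ hosts pointed at the second one), so the addressing plan has to be exactly right for the proxy's packet filters to see the two networks as distinct. The following Python script, an added example rather than anything from the letter or from Microsoft, checks a plan for the mistakes that layout invites: overlapping subnets, a host on the wrong subnet, or a DMZ host whose default gateway is the proxy's intranet address instead of its DMZ address. All addresses in it are constructed.

```python
"""Added example (not from the letter or Microsoft): sanity-check the addressing
of a same-segment DMZ behind Proxy Server 2.0 as the letter lays it out.

The proxy's internal NIC carries two addresses, one on the intranet subnet and a
second one on the DMZ subnet; DMZ hosts use that second address as their default
gateway, intranet hosts keep using the first. All addresses below are constructed.
"""
import ipaddress


def check_dmz_plan(proxy_intranet_if, proxy_dmz_if, dmz_hosts, intranet_hosts):
    """Return a list of problems found in the plan; an empty list means it is consistent.

    proxy_intranet_if, proxy_dmz_if: 'address/prefix' for the two addresses bound
        to the proxy server's internal NIC
    dmz_hosts, intranet_hosts: lists of ('address/prefix', 'default_gateway')
    """
    problems = []
    intranet = ipaddress.ip_interface(proxy_intranet_if)
    dmz = ipaddress.ip_interface(proxy_dmz_if)

    # The two subnets share a wire but must be distinct address ranges, otherwise
    # the proxy cannot tell DMZ traffic from intranet traffic in its filters.
    if intranet.network.overlaps(dmz.network):
        problems.append(f"intranet {intranet.network} and DMZ {dmz.network} overlap")

    for addr, gw in dmz_hosts:
        host = ipaddress.ip_interface(addr)
        if host.network != dmz.network:
            problems.append(f"DMZ host {host.ip} is not in the DMZ subnet {dmz.network}")
        if ipaddress.ip_address(gw) != dmz.ip:
            problems.append(f"DMZ host {host.ip} gateway {gw} is not the proxy's DMZ address {dmz.ip}")

    for addr, gw in intranet_hosts:
        host = ipaddress.ip_interface(addr)
        if host.network != intranet.network:
            problems.append(f"intranet host {host.ip} is not in the intranet subnet {intranet.network}")
        if ipaddress.ip_address(gw) != intranet.ip:
            problems.append(f"intranet host {host.ip} gateway {gw} is not the proxy's intranet address {intranet.ip}")
    return problems


def example_plan():
    """Constructed plan with one DMZ host pointed at the wrong gateway."""
    return check_dmz_plan(
        proxy_intranet_if="192.168.1.1/24",
        proxy_dmz_if="192.168.100.1/24",
        dmz_hosts=[("192.168.100.10/24", "192.168.100.1"),
                   ("192.168.100.11/24", "192.168.1.1")],   # mistake: intranet gateway
        intranet_hosts=[("192.168.1.50/24", "192.168.1.1")],
    )


if __name__ == "__main__":
    for problem in example_plan():
        print(problem)
```

The check covers only the addressing side of the design; the protection of the intranet still rests on the packet filters configured on the proxy server, which this script does not inspect.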
Microsoft's Adaptive Testing
I've taken all Microsoft's core Windows NT tests as regular exams, but I took the Microsoft Exchange Server 5.5 test as an adaptive exam. I have one comment for Microsoft: Shame on you!
Each regular test required most of the allotted 90 minutes, but I spent only 10 or 15 minutes on the adaptive test. I felt as if someone skimmed over a few high points from the Exchange Server curriculum and put a stamp of approval on my abilities. I don't believe such a test evaluates the skill level that Microsoft claims Microsoft Certified Professionals (MCPs) and MCSEs have.
I wonder whether Microsoft is interested only in how much money it can make and, therefore, is making the tests easier so that more people will take them. This practice only cheapens the tests' value. If Microsoft wants to keep high certification standards, it needs to rethink the adaptive testing process. (For another opinion about Microsoft certification, see David Chernicoff, Forefront: "The Problem with Certification Programs," January 1999.)
Automatic Internet Connection
In January 1999's Web Community Watch ("Automatic Internet Connection"), a reader asked, "I must log on as Administrator to connect to the Internet. As soon as I log off, the Internet connection disconnects. How can I access the Internet without logging on to the server? Is this connection impossible?" The answer the reader received wasn't the best one.
To maintain your RAS connection when you log off, add the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections. Set the type to REG_SZ and the value to 1. (For more information about this fix, see the Microsoft article "How to Keep RAS Connections Active After Logging Off" at http://support.microsoft.com/support/kb/articles/q158/9/09.asp.)
To keep my Internet connection active without even logging on, I use Somarsoft's freeware utility ReDial. This utility runs as a Windows NT service. To download a copy of the utility, go to Somarsoft's Web site at http://www.somarsoft.com. (For more information about ReDial, see Sean Daily, "Watch Your RAS," August 1997.)
Another Unlikely Cause of Blue-Screen Errors
I have a home-built 233MHz MMX Pentium processor that was repeatedly generating STOP errors such as IRQL_NOT_LESS_OR_EQUAL, PAGE_FAULT_IN_NONPAGED_AREA, and KERNEL_MODE_EXCEPTION_NOT_HANDLED. These errors occurred randomly (e.g., on startup, after I reinstalled a service pack, after I updated a video driver, after several hours of inactivity).
I spent many hours trying to fix the problem, including reinstalling Windows NT several times. I remembered that in the October 1998 issue, Dianne M. Daniels wrote about a similar problem ("An Unlikely Cause of Blue-Screen Errors"). She discovered that an unplugged CPU fan was the cause. I tried replacing the processor's economy case with a well-ventilated one, but the STOP errors continued. I searched the Internet for a solution, but to no avail. I found a Microsoft article that suggested the motherboard, processor, or memory might be causing the errors. Microsoft's Hardware Compatibility List (HCL) didn't list my motherboard, although the manufacturer assured me that the motherboard was "fully NT certified." I used my growing toolkit of (mostly DOS-based) utilities to test and retest the processor and memory, which showed no problems.
All my system parts were new, so I couldn't figure out what was causing the STOP errors. Finally, I replaced the DIMM with an equivalent SIMM. Miraculously, my problems were over.
Exchange IS Startup Error
My company runs Microsoft Exchange Server 5.0 with Service Pack 2 (SP2) on a Windows NT Server 4.0 SP3 machine servicing about 50 client mailboxes. Email traffic is light, and the 2GB hard disk meets users' storage needs. The disk is split into three NTFS partitions, and the log files and Exchange Information Store (IS) databases reside on different partitions. Circular logging is active on the directory and the IS.
One day, I received complaints from several users who couldn't connect to the Exchange Server machine. I investigated the problem and discovered that the IS service had stopped. The system's event log contained two relevant entries: One was from the Exchange Database (EDB) source and read Unable to write to section 0 while flushing the log Error -1808, and the other was from the IS source and read An error occurred while writing to the database file. Attempting to stop the Information Store.
I tried to manually start the IS service from the Services applet in Control Panel, but the system returned a service-specific error number. I searched Microsoft's Web site but didn't find any information about the error number. I rebooted the server, but the IS service still didn't start. I reviewed the event log messages again, and I discovered that as Exchange was processing the \exchsrvr\mdbdata\edb.log file, the system generated the following error message: Error -1017 initializing the MS Exchange Server Information Store database. I also tried using the edbutil.exe and isinteg.exe utilities from the \exchsrvr\bin directory, but they returned similar error messages. I didn't have a recent tape backup of the IS, and I was running out of ideas.
I decided to search Microsoft's Web site for information about the two error messages (i.e., -1808 and -1017). The article "XADM: Reclaiming Disk Space for the Information Store" at http://support.microsoft.com/support/kb/articles/q128/3/25.asp suggested that error -1808 resulted from insufficient disk space. However, each of my three partitions had more than 100MB of free space. Microsoft's Exchange Disaster Recovery Guide said error -1017 occurred because of a missing Jet database record.
Exchange typically writes transactions to the edb*.log files, then commits these transactions to the priv.edb or pub.edb databases. The edb.chk file serves as a checkpoint to determine the point in the log files up to which Exchange has written records to the databases. Based on all the error messages the system had generated, I hypothesized that a logical or physical corruption in the disk was preventing Exchange from writing records to the edb.log file (the current log file in use). I knew that when you shut down Exchange services, the program commits all the log files to the database. Thus, I decided to shut down Exchange and eliminate the log files.
I manually shut down all Exchange-related services. I copied the edb*.log files in the \mdbdata and \dsadata folders to another location to serve as a backup. Then, I deleted the edb*.log files in the two folders and attempted to restart the IS service. The service still failed to start, and the system's Application log recorded the message Unable to start the Exchange Information Store Error -1201. I searched Microsoft's Web site for information about this error message, and I found "XADM: Error -1201 Occurs When Starting the Information Store" at http://support.microsoft.com/support/kb/articles/q181/5/59.asp, which cited minor inconsistencies in or corruption of the *.edb or *.log files as the problem.
As a last resort, I shut down all Exchange services, deleted the new edb.log file from the \mdbdata and \dsadata folders, and copied the original edb*.log files to their original locations. Voilà! I was able to successfully start the IS service and all other Exchange services, and my server was back up and running.
From this experience, I concluded that the disk sector Exchange tried to write the log file to must have been physically corrupt. Because NT supports bad-cluster remapping on NTFS partitions, when I copied the original log files, the system mapped the sectors as bad and copied the files to clean locations. (For more information about the IS, see Tony Redmond, "Inside the Exchange Information Store," April 1998, and "Maintaining Exchange's Information Store," May 1998.)
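The reasoning in the letter rests on how a transaction-logged store behaves: records go to the edb*.log files first, edb.chk marks how far the log has been committed into the database, a clean shutdown commits everything, and starting the service replays whatever lies past the checkpoint. The Python model below is an added example, not Exchange or JET code, that captures just that mechanism with constructed records and a constructed log-generation size. Its crash scenario mirrors the letter's sequence (checkpoint behind the log, logs removed, start refused as inconsistent, originals copied back, start succeeds), and its clean-shutdown scenario shows why logs can be discarded only after the service has stopped cleanly.

```python
"""Toy write-ahead-log model (added example, not Exchange's JET/ESE code).

Models the mechanism the letter relies on: records are appended to numbered
log generations (edb*.log stand-ins), a checkpoint (edb.chk stand-in) holds the
last log sequence number already committed to the database, a clean shutdown
commits everything, and recovery replays only records after the checkpoint.
Deleting log generations the checkpoint has not passed leaves a gap, which
recovery reports instead of silently applying a partial history.
"""
from dataclasses import dataclass, field


@dataclass
class LogRecord:
    lsn: int    # log sequence number, strictly increasing across generations
    key: str    # constructed stand-in for a mailbox object
    value: str


@dataclass
class Store:
    database: dict = field(default_factory=dict)  # priv.edb / pub.edb stand-in
    logs: dict = field(default_factory=dict)      # generation number -> [LogRecord]
    checkpoint: int = 0                           # last LSN committed (edb.chk)
    next_lsn: int = 1                             # kept in the database header
    records_per_log: int = 4                      # records before a new generation

    @staticmethod
    def generation(lsn, records_per_log):
        return (lsn - 1) // records_per_log

    def write(self, key, value):
        """Append a record to the current log generation before touching the database."""
        rec = LogRecord(self.next_lsn, key, value)
        gen = self.generation(rec.lsn, self.records_per_log)
        self.logs.setdefault(gen, []).append(rec)
        self.next_lsn += 1
        return rec.lsn

    def commit_to(self, lsn):
        """Apply every logged record after the checkpoint up to lsn, then advance it."""
        for gen in sorted(self.logs):
            for rec in self.logs[gen]:
                if self.checkpoint < rec.lsn <= lsn:
                    self.database[rec.key] = rec.value
        self.checkpoint = max(self.checkpoint, lsn)

    def clean_shutdown(self):
        """A clean service stop commits all outstanding records; logs can then go."""
        self.commit_to(self.next_lsn - 1)
        self.logs.clear()

    def recover(self):
        """Replay records after the checkpoint; refuse if a required generation is gone."""
        first_needed = self.checkpoint + 1
        last_written = self.next_lsn - 1
        if first_needed > last_written:
            return "consistent"
        first_gen = self.generation(first_needed, self.records_per_log)
        last_gen = self.generation(last_written, self.records_per_log)
        for gen in range(first_gen, last_gen + 1):
            if gen not in self.logs:
                return f"inconsistent: log generation {gen} missing"
        self.commit_to(last_written)
        return "recovered"


def crash_scenario():
    """Checkpoint lags the log; logs removed, then restored from the copy."""
    s = Store()
    for i in range(6):
        s.write(f"msg{i}", f"body{i}")
    s.commit_to(3)                 # checkpoint passes the first three records only
    saved_copy = dict(s.logs)      # the letter's copy of edb*.log to another location
    s.logs.clear()                 # deleting the live edb*.log files
    after_delete = s.recover()
    s.logs = saved_copy            # copying the originals back
    after_restore = s.recover()
    return after_delete, after_restore, dict(s.database)


def clean_scenario():
    """After a clean shutdown the logs are no longer needed to start."""
    s = Store()
    for i in range(3):
        s.write(f"msg{i}", f"body{i}")
    s.clean_shutdown()
    return s.recover(), len(s.database)


if __name__ == "__main__":
    print(crash_scenario())
    print(clean_scenario())
```

The model keeps the copied log files usable because the copy holds the same records as the originals; whether a real copy lands on different disk sectors, as the letter concludes it did, is a property of the file system rather than of the log replay itself.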