Windows Tips & Tricks UPDATE, July 12, 2004, brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
- Q. How can I merge multiple primary versions of the same DNS zone for different servers into one Active Directory-integrated zone?
- Q. What causes the error I receive in the event log when I attempt to replicate the ForestDNSZones directory partition?
- Q. What are the NetBIOS-over-TCP/IP name-resolution types?
- Q. How can I restore tombstoned objects?
- Q. How can I load more than one third-party disk controller disk during Windows Server 2003 setup?
by John Savill, FAQ Editor, [email protected]
This week, I tell you how to merge multiple primary versions of the same DNS zone into one Active Directory-integrated zone and explain what causes an error during an attempted replication of the ForestDNSZones directory partition. I also discuss the NetBIOS-over-TCP/IP name-resolution types, tell you how to restore tombstoned Active Directory (AD) objects, and explain how to load more than one third-party disk controller disk during Windows Server 2003 setup.
Q. How can I merge multiple primary versions of the same DNS zone for different servers into one Active Directory-integrated zone?
A. Only one primary version of the DNS zone should exist for zones that aren't Active Directory-integrated. If necessary, you can create additional secondary versions of zones on other DNS servers to support fault tolerance and load balancing.
If you have multiple primary versions of a zone that isn't Active Directory-integrated, those copies don't replicate with one another and drift apart over time. Three outcomes are conceivable when you move these copies into Active Directory (AD) storage:
- After the first DNS server stores its zone in AD, every subsequent DNS server discards its own copy and loads the first server's zone from AD.
- As each DNS server is changed to store its zone in AD, its copy overwrites the zone data already in AD.
- As each DNS server is changed to store its zone in AD, its copy is merged with the zone data already in AD.
Only the first two are actually offered; the DNS snap-in never merges. When you integrate the second instance of the zone (or any later instance on another DNS server) into AD--as explained in the FAQ "How can I change how DNS information is stored on a DNS server?" (http://www.winnetmag.com/articles/index.cfm?articleid=43104)--the Active Directory Service box, which the figure at http://www.winnetmag.com/content/content/43249/addnsintegrate1.gif shows, makes you choose either "Discard the new zone, and load the existing zone from Active Directory" or "Overwrite the existing zone in Active Directory with the new zone." After you make your selection, click OK, then click OK again to confirm it. Whichever you pick, the records that exist only in the other copy are gone, so export both copies first (dnscmd <server> /ZoneExport <zone> <file> writes a BIND-style file to %SystemRoot%\System32\dns) and reconcile the differences on the copy you intend to keep before you convert the second server.
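Before you choose Discard or Overwrite it helps to know exactly which records each choice throws away. The following is an added example, not code from the newsletter or from Microsoft's tools: it parses two exported copies of the zone (the BIND-style text that dnscmd /ZoneExport writes) and diffs them. The two zone texts inside it are constructed sample data; the SOA is skipped because its serial differs per primary anyway, and the parser handles only the one-record-per-line layout plus the parenthesised SOA, not every BIND directive.

```python
"""Diff two exported copies of one DNS zone before choosing Discard or Overwrite.

Added example; not part of the original newsletter. Reads the BIND-style
text that `dnscmd <server> /ZoneExport <zone> <file>` writes, ignores the SOA
and reports which records each choice would discard. Both zone texts below
are constructed sample data.
"""
import re

DIRECTIVE = re.compile(r"^\$(ORIGIN|TTL|INCLUDE)\b")
CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (the SOA)."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)      # first element keeps its leading whitespace
            buf, depth = [], 0


def _qualify(owner, origin):
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_zone(text, origin):
    """Return a set of (owner FQDN, type, rdata) tuples, SOA excluded."""
    if not origin.endswith("."):
        origin += "."
    records, owner = set(), origin
    for line in _logical_lines(text):
        if DIRECTIVE.match(line):
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = [f for f in line.split() if f not in ("(", ")")]
        if line[0] not in " \t":                       # explicit owner, else inherit the previous one
            owner, fields = fields[0], fields[1:]
        if fields and fields[0].isdigit():             # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() in CLASSES:    # optional class
            fields = fields[1:]
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "SOA":                             # serial differs per primary; not a content difference
            continue
        records.add((_qualify(owner, origin), rtype, rdata))
    return records


def compare_zones(zone_in_ad, zone_on_new_server, origin):
    """What 'Overwrite' discards, what 'Discard the new zone' discards, what survives either way."""
    existing, new = parse_zone(zone_in_ad, origin), parse_zone(zone_on_new_server, origin)
    return {
        "lost_if_overwrite": sorted(existing - new),
        "lost_if_discard": sorted(new - existing),
        "common": sorted(existing & new),
    }


# Constructed sample exports: the copy already in AD (from dc1) and the stale primary on dc2.
ZONE_IN_AD = """\
$ORIGIN savilltech.com.
$TTL 3600
@       IN  SOA dc1.savilltech.com. hostmaster.savilltech.com. (
                2004071201   ; serial
                900 600 86400 3600 )
@       IN  NS  dc1.savilltech.com.
dc1     IN  A   10.0.0.1
www     IN  A   10.0.0.5
mail    IN  A   10.0.0.6
@       IN  MX  10 mail.savilltech.com.
"""

ZONE_ON_DC2 = """\
$ORIGIN savilltech.com.
$TTL 3600
@       IN  SOA dc2.savilltech.com. hostmaster.savilltech.com. (
                2004070100 900 600 86400 3600 )
@       IN  NS  dc2.savilltech.com.
dc2     IN  A   10.0.0.2
www     IN  A   10.0.0.5
mail    IN  A   10.0.0.7
intranet IN A   10.0.0.9
@       IN  MX  10 mail.savilltech.com.
"""

if __name__ == "__main__":
    for label, rows in compare_zones(ZONE_IN_AD, ZONE_ON_DC2, "savilltech.com").items():
        print(label)
        for owner, rtype, rdata in rows:
            print(f"  {owner} {rtype} {rdata}")
```

Run it against the two real exports and add whatever turns up in lost_if_discard to the AD copy by hand (or the other way round) before you convert the second server; the NS and host records of each server will always show up as differences and are expected.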
Q. What causes the error I receive in the event log when I attempt to replicate the ForestDNSZones directory partition?
A. The ForestDNSZones directory partition replicates among all domain controllers (DCs) in the forest that have the DNS service installed. When it can't replicate, the KCC logs an error similar to the following (the error-message text is enclosed in quotes):
"Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 6/25/2004
Time: 10:43:45 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OMEGA
Description: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition: DC=ForestDnsZones,DC=savilltech,DC=com
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."
This error occurs when not every pair of sites has a site link between them, site-link bridging is disabled (and no site-link bridge has been created manually), and the sites that do have a DNS-hosting DC are connected only through a site whose DCs don't run DNS. ForestDNSZones replicates only between DCs that have DNS installed, so the DCs in between that lack DNS can't carry it. The figure at http://www.winnetmag.com/content/content/43249/adrepproblemfordns.gif shows such a scenario: sites A and C each have a DC running DNS, the only site links are A-B and B-C, no DC in site B runs DNS, site-link bridging is disabled, and no site-link bridge exists. The KCC on the DCs in sites A and C logs event 1311 for the partition.
To solve the problem, either create a site-link bridge that contains the A-B and B-C site links or, if sites A and C can't reach each other because of routing restrictions, install DNS on a DC in the hub site (B). Either way, replication can then flow through the DC in site B. You don't need to configure any zones on that DC; installing the DNS service is enough to add it to the ForestDNSZones partition's replica set, which you can confirm with "dnscmd /DirectoryPartitionInfo ForestDnsZones.savilltech.com /detail".
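To see why the partition is stuck and why both fixes work, here is an added example (my own model, not anything the KCC itself exposes, and not code from the newsletter) that treats the problem as graph reachability: sites are nodes, site links are edges, the bridging setting decides which edges are transitive, and the partition can replicate only if the DCs that host it form one connected group. The A-B-C scenario is constructed from the answer; the model ignores link costs, schedules and bridgehead selection.

```python
"""Why KCC event 1311 fires for ForestDnsZones, modelled as site reachability.

Added example; not from the original newsletter. Sites, site links and DCs
below are the constructed A-B-C scenario the answer describes; the model
ignores schedules, costs and the ISTG's choice of bridgehead.
"""
from itertools import combinations


def site_adjacency(site_links, bridge_all_links=True, site_link_bridges=()):
    """Which pairs of sites the KCC may connect directly.

    Sites sharing a site link are always adjacent. With 'Bridge all site links'
    on, every chain of links is transitive; with it off, only the links grouped
    in a manual site-link bridge are.
    """
    adjacency = {}

    def connect(a, b):
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    for sites in site_links.values():
        for a, b in combinations(sorted(sites), 2):
            connect(a, b)

    bridges = [set(site_links)] if bridge_all_links else [set(b) for b in site_link_bridges]
    for bridge in bridges:
        parent = {}                               # union-find over the sites of the bridged links

        def find(x):
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x

        for link in bridge:
            first, *others = sorted(site_links[link])
            for s in others:
                parent[find(s)] = find(first)
        groups = {}
        for s in list(parent):
            groups.setdefault(find(s), set()).add(s)
        for group in groups.values():             # every site in a bridged chain is adjacent
            for a, b in combinations(sorted(group), 2):
                connect(a, b)
    return adjacency


def partition_components(dcs, adjacency):
    """Group the DCs holding the partition by mutual reachability.

    dcs maps DC name -> (site, holds_partition). More than one component means
    the KCC cannot build a spanning tree for the partition: event 1311 on the
    DCs in every fragment.
    """
    hosts = [dc for dc, (_site, holds) in dcs.items() if holds]

    def linked(x, y):
        sx, sy = dcs[x][0], dcs[y][0]
        return sx == sy or sy in adjacency.get(sx, ())

    seen, components = set(), []
    for start in hosts:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            dc = stack.pop()
            if dc in component:
                continue
            component.add(dc)
            stack.extend(other for other in hosts if other not in component and linked(dc, other))
        seen |= component
        components.append(sorted(component))
    return components


# Constructed scenario from the answer: hub site B links A and C, DNS only in A and C.
SITE_LINKS = {"A-B": {"A", "B"}, "B-C": {"B", "C"}}


def forest_dns_zones_components(dns_on_b=False, bridge_all_links=False, site_link_bridges=()):
    dcs = {"DC-A": ("A", True), "DC-B": ("B", dns_on_b), "DC-C": ("C", True)}
    return partition_components(dcs, site_adjacency(SITE_LINKS, bridge_all_links, site_link_bridges))


if __name__ == "__main__":
    print("broken:          ", forest_dns_zones_components())
    print("fix 1, bridge:   ", forest_dns_zones_components(site_link_bridges=[{"A-B", "B-C"}]))
    print("fix 2, DNS on B: ", forest_dns_zones_components(dns_on_b=True))
```

Two components in the first call is the condition the event describes; either fix collapses them into one. The same model applies to any application partition with a restricted replica set, DomainDnsZones included.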
Q. What are the NetBIOS-over-TCP/IP name-resolution types?
A. Windows has three mechanisms for resolving a NetBIOS name to an IP address:
- a lookup in the LMHOSTS file
- a broadcast on the local subnet
- a request to a WINS server
Which of these a client uses, and in what order, is its NetBIOS node type. You set the node type with DHCP option 046 (WINS/NBT Node Type) or, on statically configured hosts, with the NodeType value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters; the value in parentheses below is the option-46 code for each type. The four node types are:
- B node (broadcast, 0x1)--Windows uses broadcasts for both name registration and name resolution. Routers don't normally forward these broadcasts, so a B-node client can't resolve names beyond its own subnet, which makes B node unsuitable for large networks. Microsoft's enhanced B node checks the NetBIOS name cache first (it's preloaded with the LMHOSTS entries tagged #PRE), then broadcasts, and parses the LMHOSTS file itself only if the broadcast fails. Because any host on the subnet can answer a broadcast query and the client accepts the first reply, broadcast resolution trusts whoever answers fastest.
- P node (point-to-point, 0x2)--No broadcasts. At start-up, each computer registers its name with its configured WINS server, and name queries go to that server. Resolution works only while the WINS server is reachable; if the WINS server fails, names can't be resolved at all.
- M node (mixed, 0x4)--Windows broadcasts first (B node) and queries WINS (P node) only if the broadcast fails. Because every lookup starts with a broadcast, M node is slower and noisier than a WINS query, and it exposes every lookup to the same first-responder problem as B node.
- H node (hybrid, 0x8)--Windows queries WINS first (P node) and broadcasts (B node) only if the WINS lookup fails, which should be rare. H node is usually the best choice and is the default whenever a WINS server address is configured; a client with no WINS server configured behaves as (enhanced) B node.
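The node type isn't only a client setting: every positive name query response carries the responder's node type in the NB_FLAGS of its answer, and nothing in the packet authenticates who sent it. The following added example (my own code, not from the newsletter) builds an RFC 1002 name query the way a broadcasting client sends it and parses a positive name query response, pulling out each address and the node type the responder claims. The response it parses is constructed in the block, not captured from a network.

```python
"""NetBIOS Name Service (NBT-NS, UDP/137) name query: encode, build, parse.

Added example; not from the original newsletter. Packet layout per RFC 1002;
the sample response below is constructed, not captured.
"""
import struct

NB_SUFFIX_WORKSTATION = 0x00      # <name><00>
NB_SUFFIX_FILE_SERVER = 0x20      # <name><20>
FLAG_RESPONSE = 0x8000
FLAG_AUTHORITATIVE = 0x0400
FLAG_RECURSION_DESIRED = 0x0100
FLAG_BROADCAST = 0x0010           # the B bit a broadcast (B-node style) query sets
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
# Owner node type: the two ONT bits of NB_FLAGS in every answer record.
NODE_TYPES = {0: "B node", 1: "P node", 2: "M node", 3: "H node"}


def encode_netbios_name(name, suffix=NB_SUFFIX_WORKSTATION):
    """First-level encoding: 15 chars space-padded + suffix byte, each nibble + 'A' -> 32 chars."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, txn_id, suffix=NB_SUFFIX_WORKSTATION, broadcast=True):
    """NAME QUERY REQUEST as a B-node (broadcast) or P-node (unicast to WINS) client sends it."""
    flags = FLAG_RECURSION_DESIRED | (FLAG_BROADCAST if broadcast else 0)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def build_name_query_response(txn_id, name, suffix, entries, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE; entries = [(ip, node_type_code, is_group), ...]."""
    flags = FLAG_RESPONSE | FLAG_AUTHORITATIVE | FLAG_RECURSION_DESIRED
    header = struct.pack("!HHHHHH", txn_id, flags, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    rdata = b"".join(struct.pack("!H4B", (is_group << 15) | (ont << 13), *map(int, ip.split(".")))
                     for ip, ont, is_group in entries)
    return header + rr_name + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata


def parse_name_query_response(data):
    """Pull the name, TTL and every (ip, node type, group flag) out of a response."""
    txn_id, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & FLAG_RESPONSE:
        raise ValueError("not a response packet")
    if flags & 0x000F or ancount == 0:                       # negative response
        return {"txn_id": txn_id, "rcode": flags & 0x000F, "entries": []}
    off = 12
    name_len, off = data[off], off + 1
    encoded, off = data[off:off + name_len].decode("ascii"), off + name_len + 1  # +1 skips the 0x00 label terminator
    _rtype, _rclass, ttl, rdlength = struct.unpack_from("!HHIH", data, off)
    off += 10
    name, suffix = decode_netbios_name(encoded)
    entries = []
    for i in range(rdlength // 6):                            # NB_FLAGS (2) + NB_ADDRESS (4) per address
        nb_flags, *octets = struct.unpack_from("!H4B", data, off + i * 6)
        entries.append({"ip": ".".join(map(str, octets)),
                        "group": bool(nb_flags & 0x8000),
                        "node_type": NODE_TYPES[(nb_flags >> 13) & 0x3]})
    return {"txn_id": txn_id, "rcode": 0, "name": name, "suffix": suffix, "ttl": ttl, "entries": entries}


if __name__ == "__main__":
    query = build_name_query("SERVER1", 0x1234, NB_SUFFIX_FILE_SERVER)
    # Constructed reply, as an H-node host at 192.168.1.10 would send it.
    reply = build_name_query_response(0x1234, "SERVER1", NB_SUFFIX_FILE_SERVER, [("192.168.1.10", 3, False)])
    print(query.hex())
    print(parse_name_query_response(reply))
```

Sending the query to the subnet broadcast address on UDP 137 reproduces what a B-node or M-node client does on every lookup; an H-node client sends the same packet without the B bit to its WINS server first. The parser matches replies only by transaction ID, exactly as the client does, which is why the first host to answer a broadcast wins.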
Q. How can I restore tombstoned objects?
A. When an object is deleted from Active Directory (AD), it isn't removed immediately. It's stripped of most of its attributes and kept as a tombstone, marked by the isDeleted attribute, until the forest's tombstone lifetime (60 days by default) expires. AdRestore, a Sysinternals freeware command-line utility, lists the tombstones in a Windows Server 2003 domain and lets you reanimate them without an authoritative restore from backup. You can download it at http://www.sysinternals.com/files/adrestore.zip. After you install AdRestore, you can restore an object by running the command
adrestore -r
The -r switch tells AdRestore to prompt you before restoring each object to its original location. Reanimation brings back only the attributes the tombstone kept (the SID and account name among them), so a restored user comes back disabled, without its password and outside its former groups; you'll have to repopulate those. When you run the command, you'll see messages similar to the following (the message text is enclosed in quotes):
"Enumerating domain deleted objects:
cn: Clark Kent
DEL:26931e28-18f5-4f08-a486-760b199c9d4d
distinguishedName: CN=Clark Kent\0ADEL:26931e28-18f5-4f08-a486-760b199c9d4d,CN=Deleted Objects,DC=savilltech,DC=com
lastKnownParent: CN=Users,DC=savilltech,DC=com
Do you want to restore this object (y/n)? n
..
Found 99 items matching search criteria."
You can optionally specify a search filter so that AdRestore displays only objects with the specified text in their name, by entering a command similar to the following
adrestore -r kent
The sample command displays only deleted objects whose name contains "kent". After you enter the command, you'll see a message similar to the following:
"...
Enumerating domain deleted objects:
cn: Clark Kent
DEL:26931e28-18f5-4f08-a486-760b199c9d4d
distinguishedName: CN=Clark Kent\0ADEL:26931e28-18f5-4f08-a486-760b199c9d4d,CN=Deleted Objects,DC=savilltech,DC=com
lastKnownParent: CN=Users,DC=savilltech,DC=com
Do you want to restore this object (y/n)? n
Found 1 item matching search criteria."
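What AdRestore does underneath is a single LDAP modify on the tombstone, sent with the Show Deleted Objects control (OID 1.2.840.113556.1.4.417): it removes isDeleted and replaces distinguishedName with the object's original RDN placed under lastKnownParent. The following added example (my own code, not Sysinternals' and not from the newsletter) shows that by parsing tombstone DNs of the form shown in the output above, applying the same substring filter as "adrestore -r kent", and emitting the modify as LDIF. The Clark Kent entry is reconstructed from the answer's output; the second entry is invented for the filter check, and the script doesn't talk to a DC.

```python
"""What 'adrestore -r' does underneath: turn a tombstone into an LDAP modify.

Added example; not from the original newsletter or from Sysinternals. The
first tombstone is reconstructed from the answer's output, the second is
invented. Sending the modify requires the LDAP_SERVER_SHOW_DELETED_OID
control, which this example only names.
"""
import re

SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"     # LDAP_SERVER_SHOW_DELETED_OID
# Tombstone RDN: <attr>=<name>\0ADEL:<objectGUID>; '\0A' is the escaped newline AD inserts.
TOMBSTONE_RDN = re.compile(r"^(?P<attr>[A-Za-z]+)=(?P<name>.+)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")


def split_dn(dn):
    """Split a DN into RDNs on commas that aren't backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def parse_tombstone(dn, last_known_parent):
    """Recover the original RDN and the DN the object goes back to."""
    rdn, *rest = split_dn(dn)
    m = TOMBSTONE_RDN.match(rdn)
    if not m:
        raise ValueError(f"not a tombstone RDN: {rdn}")
    if not rest or rest[0] != "CN=Deleted Objects":
        raise ValueError("tombstone is not under the Deleted Objects container")
    return {"attr": m["attr"], "name": m["name"], "guid": m["guid"].lower(),
            "restore_dn": f"{m['attr']}={m['name']},{last_known_parent}"}


def reanimate_ldif(dn, last_known_parent):
    """The one modify that reanimates a tombstone: drop isDeleted, move it back under its old parent."""
    target = parse_tombstone(dn, last_known_parent)["restore_dn"]
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        f"distinguishedName: {target}",
        "-",
        "",
    ])


def filter_tombstones(tombstones, needle):
    """Case-insensitive substring match on cn, the way 'adrestore -r kent' narrows the list."""
    return [t for t in tombstones if needle.lower() in t["cn"].lower()]


# Reconstructed from the answer's output (Clark Kent) plus one invented entry (Lois Lane).
TOMBSTONES = [
    {"cn": "Clark Kent",
     "dn": "CN=Clark Kent\\0ADEL:26931e28-18f5-4f08-a486-760b199c9d4d,CN=Deleted Objects,DC=savilltech,DC=com",
     "lastKnownParent": "CN=Users,DC=savilltech,DC=com"},
    {"cn": "Lois Lane",
     "dn": "CN=Lois Lane\\0ADEL:0f3b7b1e-0000-4000-8000-000000000001,CN=Deleted Objects,DC=savilltech,DC=com",
     "lastKnownParent": "OU=Reporters,DC=savilltech,DC=com"},
]

if __name__ == "__main__":
    for t in filter_tombstones(TOMBSTONES, "kent"):
        print(f"# send with control {SHOW_DELETED_CONTROL}")
        print(reanimate_ldif(t["dn"], t["lastKnownParent"]))
```

Whoever can send that modify can bring back any tombstoned account, so the Reanimate Tombstones control-access right on the domain deserves the same scrutiny as the right to create users; by default only Domain Admins hold it.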
Q. How can I load more than one third-party disk controller disk during Windows Server 2003 setup?
A. Early in text-mode setup, when you boot from the Windows Server 2003 CD-ROM, you're prompted to press F6 to supply a third-party mass-storage (SCSI or RAID) driver from a floppy disk (F5 is the corresponding prompt for an alternative hardware abstraction layer, or HAL). If you then need a driver from a second disk and press F6 again, setup produces the following error message:
The disk you supplied does not contain relevant support files. Press any key to continue.
To avoid the error, press F6 with no disk in the drive, and insert only the second disk when setup prompts you for it.