Skip navigation
Menu
Security

Windows XP and 2000 Tips & Tricks UPDATE, October 28, 2002

Windows XP and 2000 Tips & Tricks UPDATE—brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

THIS ISSUE SPONSORED BY

Ultimus Workflow Suite Enterprise BPM Platform
http://www.ultimus.com/optin/winnet10.htm

Networking UPDATE Email Newsletter
http://www.winnetmag.com/email/networking
(below COMMENTARY)

SPONSOR: ULTIMUS WORKFLOW SUITE ENTERPRISE BPM PLATFORM

The Ultimus Workflow Suite is an essential component of the enterprise nervous system that orchestrates your mission-critical business processes. Leverage seamless integration with third-party applications using Ultimus Flobots (workflow robots) that reduce cost, eliminate manual intervention and increase customer response. Learn first-hand how real-time enterprise-level workflow automation and business process management can improve efficiency in your company. Sign up for an Ultimus Webinar and a FREE whitepaper, "Categorizing and Evaluating Workflow Automation Software."
http://www.ultimus.com/optin/winnet10.htm

October 28, 2002—In this issue:

1. COMMENTARY

2. FAQS

  • Q. How can I stop Windows 2000 from using an encrypted format when I copy encrypted files to a server?
  • Q. How can I view and clear my DNS cache content?
  • Q. How can I configure the amount of time the DNS cache stores positive and negative responses?
  • Q. What's DNS round robin and subnet prioritization?
  • Q. How can I enable or disable subnet prioritization on a client machine?
  • Q. How can I enable or disable subnet prioritization on the DNS server?
  • Q. How can I ensure that the DNS resolver uses only results from queried DNS servers?
  • Q. How can I stop Windows XP from displaying the time in the notification area?

3. ANNOUNCEMENTS

  • Attend Our Free Tips & Tricks Web Summit
  • Try a Sample Issue of Exchange & Outlook Administrator

4. CONTACT US

  • See this section for a list of ways to contact us.

1. COMMENTARY
(contributed by John Savill, FAQ Editor, [email protected])

This week, I explain how to stop Windows 2000 from using an encrypted format after you copy encrypted files to a server, how to upgrade an IEEE 1394 (FireWire)-connected disk to a dynamic disk in Windows XP, and how to view and clear DNS cache content. I also tell you how to configure the amount of time the DNS cache stores responses, what DNS round robin and subnet prioritization are, and how to enable and disable subnet prioritization. I describe how to ensure that DNS resolver uses only results from queried DNS servers and how to stop XP from displaying the time in the notification area on the desktop.

Around the industry this week, Microsoft has released MSN Messenger 5.0, which you can download at http://messenger.msn.com . The company has also announced that Win2K Service Pack 4 (SP4) will soon be going to beta. Microsoft will also release Office 11 beta 1 in the near future, and several leaked versions of Longhorn (the next version of Windows) have been floating around the Internet with some early screen shots that look interesting.

SPONSOR: NETWORKING UPDATE EMAIL NEWSLETTER

NEW! NEWS, TIPS, AND MORE TO KEEP YOUR NETWORK HUMMING
Networking UPDATE brings you the how-to tips and news you need to implement and maintain a rock-solid networking infrastructure. We'll explore interoperability solutions, hardware (including servers, routers, and switches), network architecture, network management, network security, installation technology, network training, and WAN disaster recovery. Subscribe (at no cost!) at:
http://www.winnetmag.com/email/networking

2. FAQS

  • Q. How can I stop Windows 2000 from using an encrypted format when I copy encrypted files to a server?

    • A. By default, when you copy locally encrypted files to a server, Win2K retains the encryption format. However, you might not want server-based files to be encrypted. For example, a laptop user might want to encrypt files locally for security reasons but want the server-based files to be unencrypted so that other users can view the files.

    To stop Win2K from copying files to a server in an encrypted format, perform the following steps on the destination server:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem registry subkey.
    3. Select the NtfsEncryptionService value, then select Edit, Delete from the menu bar.
    4. Close the registry editor.
    5. Reboot the server for the change to take effect.

    After you make this change, you'll no longer be able to encrypt files on the server and Win2K will decrypt any encrypted files that users copy to the server.

  • Q. How can I upgrade an IEEE 1394 (FireWire)-connected disk to a dynamic disk under Windows XP?

    • A. By default, XP doesn't let you convert a FireWire-connected disk to a dynamic disk. However, you can make a simple registry change to accomplish such an upgrade. To convert a FireWire-connected disk to a dynamic disk, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Parameters registry subkey.
    3. Double-click EnableDynamicConversionFor1394, set this value to 1, then click OK.
    4. Close the registry editor.
    5. Reboot the machine for the change to take effect.

  • Q. How can I view and clear my DNS cache content?

    • A. When a Windows XP or Windows 2000 machine queries a DNS server, the response is either positive (a match was found) or negative (no match was found). The OS stores these results in a local DNS cache so that local clients don't repeatedly query the DNS server for the same address. These DNS cache entries are known as DNS Resource Records (RR), and the DNS resolver always checks the local cache before it queries the DNS server.

    To view the current DNS resolver cache content and the entries preloaded from the Hosts file, go to the command prompt and type 

    C:\> ipconfig /displaydns

    Each entry shows the remaining Time to Live (TTL) in seconds. To clear the cache, go to the command prompt and type 

    C:\> ipconfig /flushdns

    Flushing the DNS cache clears all entries and reloads the entries from the Hosts file.

  • Q. How can I configure the amount of time the DNS cache stores positive and negative responses?

    • A. By default, Windows stores positive responses in the DNS cache for 86,400 seconds (i.e., 24 hours) and stores negative responses for 300 seconds (i.e., 5 minutes). To modify these values, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name MaxCacheEntryTtlLimit to change the positive cache period or the name NegativeCacheTime to change the negative cache period, then press Enter.
    5. Double-click the new value, set it to the desired number of seconds (e.g., if you entered the name NegativeCacheTime, you could set the value to 0 to stop Windows from caching any negative responses), then click OK.
    6. Repeat Step 5 for the other value, if required.
    7. Close the registry editor.
    8. Reboot the computer for the changes to take effect.

  • Q. What's DNS round robin and subnet prioritization?

    • A. The most common type of DNS record is a Resource Record (RR) type A, which is a record that provides the IP address for a specified host name. In certain instances, a host name might resolve to multiple IP addresses, each with its own A record. For example, if three servers host the http://www.savilltech.com Web site, the DNS server might contain the following three address records:

    www.savilltech.com.IN    A200.200.10.1
www.savilltech.com.IN    A200.200.11.1
www.savilltech.com.IN    A200.200.12.1

    When a client queries a DNS server for this host, the server returns all three address records. To avoid sending every client to the first address record (and, hence, the first host) every time, the DNS server uses a round-robin algorithm, which Internet Engineering Task Force (IETF) Request for Comments (RFC) 1794 describes. With each request, the algorithm rotates the order in which the DNS server returns the address records to more evenly distribute the load across all hosts. For example, the first time a client queries the DNS server, the server might return

    200.200.10.1   200.200.11.1   200.200.12.1

    to the client. The second time, the DNS server would return

    200.200.11.1   200.200.12.1   200.200.10.1

    The third time, the DNS server would return

    200.200.12.1   200.200.10.1   200.200.11.1

    and so on.

    If the client making the request connects directly to a subnet that contains one of the returned host addresses, having the client communicate directly with the host that corresponds to that address would reduce response time and network traffic. Subnet prioritization is a feature that recognizes when a host is on the same subnet as the client and returns the local host's address first. (Microsoft introduced subnet prioritization in Windows NT 4.0 Service Pack 4—SP4—and later.) When a client uses subnet prioritization, the client resolver receives address record results and sorts them according to the order of direct subnet connectivity.

    So, for example, if a client has address 200.200.11.5 (which is part of subnet 200.200.11) and the DNS server would typically return address record results of 

    200.200.10.1   200.200.11.1   200.200.12.1

    the local DNS resolver will use subnet prioritization to re-sort the results according to the local subnet priority and return results of 

    200.200.11.1   200.200.10.1   200.200.12.1

    to the client. Consequently, the local DNS resolver's subnet prioritization takes priority over the DNS server round robin when a resolved address is on the local subnet. Although this approach reduces network traffic, it doesn't balance the load across hosts.

  • Q. How can I enable or disable subnet prioritization on a client machine?

    • A. In the FAQ titled "What's DNS round robin and subnet prioritization?," I explained how subnet prioritization cuts down on network traffic but defeats the load-balancing effect of the DNS server round robin. If balancing the load across the hosts is more important than traffic management, you might want to disable subnet prioritization. To do so, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe) on each client machine.
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name PrioritizeRecordData, then press Enter.
    5. Double-click the new value, set it to 0, then click OK.
    6. Close the registry editor.
    7. Reboot the machine for the change to take effect.

    To reenable subnet prioritization, either delete the PrioritizeRecordData registry value or set this value to 1.

  • Q. How can I enable or disable subnet prioritization on the DNS server?

    • A. The DNS server can check the IP address of a client that's requesting name resolution and sort the results the DNS server returns to the client according to the proximity of the host address to the querying IP address. To enable or disable this functionality, perform the following steps on the DNS server:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ registry subkey.
    3. Double-click LocalNetPriority, or create this value of type DWORD if it doesn't exist.
    4. Set the value to 1 to enable subnet prioritization or 0 to disable subnet prioritization, then click OK.
    5. Restart the server for the change to take effect.

    Under Windows 2000 and later, you can also use the DNS Management Console to set this functionality. To use this tool to change the setting, go to Start, Programs, Administrative Tools, then click DNS Management Console; right-click the server and select Properties; select the Advanced tab; then clear or select the "Enable Netmask Ordering" check box. You can also control the round-robin functionality by opening the DNS Management Console Advanced tab and clearing or selecting "Enable round robin". The following list describes the expected functionality, depending on the values you set:

    • Subnet prioritization disabled, round robin disabled—The DNS server returns records in the order they were added to the database.
    • Subnet prioritization enabled, round robin disabled—The DNS server returns records in the order of the local subnet priority.
    • Subnet prioritization disabled, round robin enabled—The DNS server returns records in rotation according to the order they were added to the database.
    • Subnet prioritization enabled, round robin enabled—The DNS server returns records in rotation according to the local net priority.

  • Q. How can I ensure that the DNS resolver uses only results from queried DNS servers?

    • A. By default, if a client requests name resolution, the client will accept any response with the correct query ID, regardless of where the response is from. This behavior could lead to security problems if a rogue process that deliberately returns incorrect information exists on a system. To force the DNS resolver to match the source IP address of the response with the DNS servers that the DNS resolver queried, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe) on each client machine.
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name QueryIpMatching, then press Enter.
    5. Double-click the new value, set it to 1, then click OK.
    6. Close the registry editor.
    7. Reboot the machine for the change to take effect.

  • Q. How can I stop Windows XP from displaying the time in the notification area?

    • A. To stop XP from displaying the time on the desktop in the notification area, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer registry subkey to hide the time for the current user or to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer registry subkey to hide the time for all users.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name HideClock, then press Enter.
    5. Double-click the new value, set it to 1, then click OK.
    6. Close the registry editor.
    7. Log off or restart the machine for the change to take effect.

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT

    • Join us on December 19th for our Tips & Tricks Web Summit featuring three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion Detection: Win2K Security Log Secrets, and Merging Exchange Systems: Tips for Managing 5 Key Challenges. There is no charge for this event, but space is limited so register today!
    http://www.winnetmag.com/seminars/tipstricks

  • TRY A SAMPLE ISSUE OF EXCHANGE & OUTLOOK ADMINISTRATOR

    • If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way toward preventing serious problems and downtime for your enterprise. Get a free sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
    http://www.exchangeadmin.com/sub.cfm?code=efei232jup

    4. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.winnetmag.com/sub.cfm?code=wswi201x1z

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Windows XP and 2000 Tips & Tricks UPDATE.

    TAGS: Security
    Hide comments

    More information about text formats

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish
    Recommended Reading
    Businesswoman challenges concept and gender obstacles
    Women in Cybersecurity Face Barriers to Hiring, Advancement
    Apr 15, 2024
    person typing on keyboard with icons for certificates
    Top IT Certifications for a Career in Finance
    Apr 12, 2024
    employee working on a laptop with AI
    Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
    Mar 26, 2024
    cleaning products
    6 Essential Steps for Spring Cleaning Your Website
    Mar 21, 2024