Windows Tips & Tricks UPDATE, February 23, 2004, brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
- Q. After I install Microsoft Exchange Server 2003 on my domain controller (DC), why does the DC take so long to shut down?
- Q. How can I move objects between domains?
- Q. Can I use the Movetree command-line tool to move individual users between domains?
- Q. How can I move a computer account from one domain to another?
- Q. What's the Microsoft Systems Management Server (SMS) 2003 Administration Feature Pack?
- Q. Why doesn't my Windows XP system display drive letters for my network drives, and why can't I create long filenames and folders?
by John Savill, FAQ Editor
This week, I tell you how to move objects between domains, how to use the Movetree command-line tool to move individual users between domains, and how to move a computer account from one domain to another. I also describe the Microsoft Systems Management Server (SMS) 2003 Administration Feature Pack and explain why a Windows XP system might not display drive letters and why you might not be able to create long filenames and folders on the same system.
Q. After I install Microsoft Exchange Server 2003 on my domain controller (DC), why does the DC take so long to shut down?
A. Exchange relies heavily on Active Directory (AD) and uses several services to optimize AD communication. One of these services is the DSAccess service, which provides a cache of information from AD to various Exchange components, including the Information Store (IS), the Message Transfer Agent (MTA), and any other component that requires AD information. By recovering cached AD information, Exchange requires fewer direct queries to the DCs.
When you shut down a Windows Server 2003 DC, its services stop very quickly--faster than Windows 2000 services shut down, which is why this problem appears to be new to Windows 2003. An example of one such affected service is the Local Security Authority Subsystem (LSASS). DSAccess uses this service heavily. Because this service stops before DSAccess can stop cleanly, the DSAccess service goes through several timeouts before the system can shut down (these timeouts are set to 10 minutes by default). Other Exchange services have a similar problem, causing even longer delays.
To resolve these delays, you can create a script that you manually run before stopping your computer, and the script will stop each Exchange service cleanly because AD is still running. Sample content for the script might include
net stop msexchangeis
net stop msexchangemta
net stop msexchangemgmt
net stop msexchangesa
net stop resvc
net stop smtpsvc
net stop w3svc
net stop httpfilter
net stop http
net stop iisadmin
net stop winhttpautoproxysvc
You can also add the Shutdown command to the end of your script to automate the whole shutdown and restart process.
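The same pre-shutdown script as an added PowerShell example (not from the original newsletter): it stops the services in the order listed above, confirms each one actually reached the Stopped state, and restarts only if none are left running. It assumes PowerShell is installed on the server and that the script runs elevated; the 120-second per-service timeout and the -Restart switch are choices made for this example.

```powershell
# Added example: stop the Exchange-related services while AD is still up,
# then optionally restart. Run elevated on the server itself.
param(
    [int]$PerServiceTimeoutSec = 120,   # assumed value; tune for your environment
    [switch]$Restart                    # without this switch nothing is shut down
)

# Same order as the net stop list in the article.
$services = 'msexchangeis','msexchangemta','msexchangemgmt','msexchangesa',
            'resvc','smtpsvc','w3svc','httpfilter','http','iisadmin',
            'winhttpautoproxysvc'

$failed = @()
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "skip    $name (not found by Get-Service)"; continue }
    if ($svc.Status -eq 'Stopped') { Write-Host "stopped $name (already)"; continue }
    try {
        # -Force also stops dependent services instead of failing on them.
        Stop-Service -Name $name -Force -ErrorAction Stop
        # Throws a TimeoutException if the service has not stopped in time.
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($PerServiceTimeoutSec))
        Write-Host "stopped $name"
    } catch {
        Write-Warning "could not stop ${name}: $($_.Exception.Message)"
        $failed += $name
    }
}

# Do not proceed to shutdown while a service is still holding on to AD.
if ($failed.Count -gt 0) {
    Write-Warning "Still running: $($failed -join ', '). Not shutting down."
    exit 1
}
if ($Restart) { shutdown.exe /r /t 0 }
```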
Another approach is to change the amount of time Windows 2003 waits before killing a service that's not responding. To adjust this timeout period, perform the following steps:
- Start a registry editor (e.g., regedit.exe).
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control registry subkey.
- Double-click WaitToKillServiceTimeout.
- Change the value from the default of 600000 (10 minutes) to something else (e.g., 20000 for 20 seconds), then click OK.
- Close the registry editor.
Be aware that changing this registry value will change the wait period for all services to stop, so setting this value too low might cause problems with services if the OS is killing them before they can cleanly finish.
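The registry steps above as an added PowerShell example (not from the original newsletter): it reports the current WaitToKillServiceTimeout, refuses values below a floor because the setting applies to every service, and saves the previous value before writing. The floor of 20000 ms and the backup file location are assumptions made for this example.

```powershell
# Added example: inspect and optionally change WaitToKillServiceTimeout.
param(
    [int]$NewTimeoutMs,          # omit to only report the current value
    [int]$FloorMs = 20000        # assumed lower bound; 20000 is the article's example
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name = 'WaitToKillServiceTimeout'

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -ne $current) {
    Write-Host "Current ${name}: $current ms"
} else {
    Write-Host "${name} is not set"
}

# Report-only mode when no new value was supplied.
if (-not $PSBoundParameters.ContainsKey('NewTimeoutMs')) { return }

# The setting applies to every service, so refuse values below the floor.
if ($NewTimeoutMs -lt $FloorMs) {
    throw "Refusing $NewTimeoutMs ms: below the floor of $FloorMs ms."
}

# Keep the old value so the change can be reverted.
$backup = Join-Path $env:TEMP "$name.previous.txt"
"$current" | Set-Content -Path $backup

# The value is a string (REG_SZ) holding milliseconds, so write it as a string.
Set-ItemProperty -Path $key -Name $name -Value ([string]$NewTimeoutMs)
Write-Host "Set $name to $NewTimeoutMs ms (previous value saved to $backup)"
```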
Q. How can I move objects between domains?
A. To move objects within the same domain, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (go to Start, Programs, Administrative Tools, and click Active Directory Users and Computers), right-click the object, then select Move from the context menu (or in Windows Server 2003, you can simply drag objects to their new location). Unfortunately, you can't use the snap-in to move objects between domains.
To move objects between domains, you can use the movetree.exe command-line tool. As the name suggests, Movetree lets you move trees containing objects from one domain to another in the same forest (you can't move objects between forests). For example, to move organizational unit (OU) texas from savilltech.com to child1.savilltech.com, I would type the command
movetree /check /s omega.savilltech.com /d vmsrv2003dc1.child1.savilltech.com /sdn OU=texas,DC=savilltech,DC=com /ddn OU=texas,DC=child1,DC=savilltech,DC=com
Unless you place the distinguished names (DNs) in double quotes, make sure that you don't add spaces in the DNs; otherwise, the command will result in an error. The components from the command above are
- /check--instructs Movetree to perform a test to determine whether it can move the tree without actually moving it
- /s <server>--identifies the source domain controller (DC) to use
- /d <server>--identifies the destination DC to use
- /sdn <source DN>--identifies the source DN of the tree to be moved
- /ddn <destination DN>--identifies the destination DN
You can optionally use the /u and /p switches to pass a username and password, if necessary. After I was satisfied with the results of the /check run, I performed the actual move by replacing /check with /start and typing
movetree /start /s omega.savilltech.com /d vmsrv2003dc1.child1.savilltech.com /sdn OU=texas,DC=savilltech,DC=com /ddn OU=texas,DC=child1,DC=savilltech,DC=com
At this point, the specified OU will no longer be in the original domain and will have been moved to the destination domain, including all the OU's contents (e.g., users, other OUs).
When you use the Movetree tool, keep the following conditions in mind:
- The destination domain must be in Windows 2000 Native mode or later.
- You can use Movetree to move computer accounts, but they won't work in the destination domain; use the Netdom command to move these accounts as described in the FAQ "How can I move a computer account from one domain to another?".
- You must lowercase the source and destination DNs.
For a full description of the Movetree tool, from the command line type
Q. Can I use the Movetree command-line tool to move individual users between domains?
A. Yes, Movetree can move entire trees as well as individual objects. If the object is a container, Movetree also moves its child objects. To move one object, simply specify its distinguished name (DN). For example, to move a user called moveme from the Users container to an organizational unit (OU) in another domain, I typed
movetree /start /s omega.savilltech.com /d vmsrv2003dc1.child1.savilltech.com /sdn CN=moveme,CN=users,DC=savilltech,DC=com /ddn CN=moveme,OU=texas,DC=child1,DC=savilltech,DC=com
Notice the source DN contains a common name (CN) component for a user object (moveme).
Q. How can I move a computer account from one domain to another?
A. The Netdom command-line tool lets you move a computer account from one domain to another. For example, to move an account, I typed
netdom move compmoveme /domain child1 /ud:[email protected] /pd:xxxxx
where "/domain" identifies which target domain to move the object to and "/ud" and "/pd" identify the account and password, respectively, to use for the specified domain. To see other options for Netdom, from the command line type
netdom move /?
Q. What's the Microsoft Systems Management Server (SMS) 2003 Administration Feature Pack?
A. The SMS 2003 Administration Feature Pack contains three tools:
- Manage Site Accounts Tool--This tool lets you use the command line to manage accounts and passwords for one or multiple sites in a hierarchy. The tool also lets you update, create, verify, delete, and list the Windows accounts for the SMS sites.
- Transfer Site Settings Wizard--This tool lets you copy site configuration, packages, and collection settings from one site to one or more target sites. You can copy settings interactively or by using XML templates. The tool provides both a graphical and command-line interface.
- Elevated Rights Deployment Tool (aka RunOnce)--This tool lets you use the elevated privileges of the SMS software distribution features to install applications that require administration rights after a system restart. The tool can execute the registry entries in the RunOnce location by moving the entries in the registry to a new SMS\RunOnce location at which SMS can execute those entries.
You can download the SMS 2003 Administration Feature Pack from the Microsoft Web site. After you download the software, run the downloaded file to create three folders, each containing one of the tools.
Q. Why doesn't my Windows XP system display drive letters for my network drives, and why can't I create long filenames and folders?
A. You might receive the error
"The drive that this file or folder is stored on does not allow long file names, or names containing blanks or any of the following characters: \ / : , ; * ? < > |"
You might also notice that no drive letters are assigned to your network drives. These problems can occur if Windows Explorer starts before your network logon script has finished running. A new feature in XP known as Fast Logon Optimization allows faster logon by letting the logon process continue, even while other tasks finish (such as applying Group Policy).
To resolve this error, you can revert the computer to a Windows 2000-style execution by performing the following steps:
- Open Group Policy Editor (GPE) and locate the Group Policy that affects the client computers (e.g., the Domain Group Policy).
- Navigate to Computer Configuration, Administrative Templates, System, Logon, then double-click "Always wait for the network at computer startup and logon."
- Select Enabled, then click OK.
- Close GPE.