It is often asked how to change the value of the prompt that a user who logs on interactively receives when their password is nearing expiration, as there is no apparent option for it among the other (domain-wide) password options.
This article explains this value and how to change it.
When troubleshooting Windows 2000, Windows XP or Windows Server 2003 there are two suites of tools (predominantly made up of command-line tools but also including some GUI-based tools) that are indispensable. These are the Support Tools and the Resource Kit tools. If you ever ask for help on a forum or newsgroup, or are following the instructions in a Microsoft or third-party knowledge base article, you will undoubtedly come across tools mentioned that are not part of the core Windows installation. These are almost always either Windows Support Tools or Windows Resource Kit tools. This article explains the differences between the two sets of tools and provides links (where appropriate) to downloads.
After upgrading Active Directory from Windows 2000 Server to Windows Server 2003 you might want to utilise the new DNS application partitions. These are not created by default, unless you allow the Windows Server 2003 DCPROMO to configure DNS for you. This article briefly discusses these application partitions, and explains how to create the partitions if you don't have them.
There can, on occasion, be instances whereby the "Log on to" drop-down list of the Winlogon dialog contains incorrect values. Or, more likely, it is missing trusted domains. This tip explains how to flush this list so that Winlogon repopulates it.
How to configure a box that displays information, such as company policy, at the Winlogon screen.
Companies sometimes find it useful to display a message before a user logs on to a workstation, providing information or outlining a number of rules, etc. In some cases, the corporate security policy dictates this so that the company is able to exercise its rights to terminate staff for breach of contract and the like. Either way, people often want to be able to provide this message box. In Windows 2000, XP and 2003 you achieve this through a Group Policy setting.
One of the most common questions asked in the Microsoft public newsgroups is how one goes about removing all traces of an Active Directory Domain Controller (DC) that has been ungracefully removed from the domain. That is, a domain controller that has been removed from the domain by any method other than graceful demotion, for example disaster, loss, forceful removal, incorrectly decommissioned, etc.
There is also, although thankfully less often, the question of how to remove a domain that was not gracefully removed, usually for one of the earlier mentioned reasons.
This article addresses both of these scenarios, as well as the correct way to remove both domain controllers and domains, and provides step-by-step, graphical instructions on how to perform the metadata cleanup and the subsequent DNS and object cleanups necessary to get the forest running again as it should be.
A description of the NT4Emulator and NeutralizeNT4Emulator registry keys
When performing an in-place upgrade from a Windows NT 4 domain to a Windows 2000 or Windows Server 2003 Active Directory, one of the main concerns is the NT 5.x systems (Windows 2000 and XP clients and Windows 2000 Server and Windows Server 2003 member servers) overloading the first DC or DCs. This concern is a real one, particularly if you have a medium to large user base running non-downlevel Windows clients.
Different ways of discovering which DCs hold which roles
There are a number of ways to ascertain which DC holds which role. This article discusses the different ways of achieving this.
The question of how to add a domain group to the local administrators group of a client or a number of clients is probably one of the most popular questions in the Microsoft Public Active Directory newsgroups. And the answer is the same almost every time: use one of the following methods:
- Restricted Groups GPO Security feature
- Startup Scripts (also applied via GPO)
- CUSRMGR command-line resource kit tool
The question of delegating permissions to manually replicate Active Directory has cropped up in the newsgroups quite a few times. Therefore this article will discuss how to achieve this, and provide a little extra information, as it's not quite as simple as "replicating Active Directory".
By increasing the verbosity level of certain directory service (DS) threads, additional information is logged to the DS event log on domain controllers. The garbage collection process evaluates the size of the Directory Information Tree (DIT) - the physical Active Directory database file - and reports the size and the amount of whitespace. By increasing the verbosity of this process, the DIT size and amount of whitespace are logged to the DS event log of the DC where this is configured each time the garbage collection process runs (every 12 hours by default).
Windows systems do not enable IP routing by default. If you install RRAS it automatically enables IP routing. However, you do not need RRAS to perform this function. RRAS grants you additional routing functionality such as RIP and OSPF. Any Windows NT 5.x system can route IP packets, though, even 2000 Professional and XP. The following registry value is used to configure this behaviour:
Allowing computers to use different DNS suffixes from their AD Domain name
As a general rule, it is usually stated that the authoritative DNS zone should be exactly the same as the Active Directory domain name. There are, however, certain circumstances whereby this is not possible or desired.
Simply implementing a different domain name and DNS zone will cause problems. However, there is a workaround.
Windows 2000 and 2003 have the concept of protected groups. Protected Groups are groups that Windows protects from unnecessary changes. In some instances, this process can confuse people and even concern some people enough to cry bug. This is not a bug, it is by design. This article will clarify the process that the PDCe takes in protecting its so-called protected groups and explain the roles of protected groups and how the adminSDHolder object is used in conjunction with protected groups.
Many Active Directory administrators often ask questions about the password policies in their domains. Questions such as:
- Why does password and Kerberos policy need to be applied at the domain level?
- Why can't this be applied at the OU level?
- Is it possible to have different password policies applied to different objects in a single domain?
These questions are answered in this article.