Guy's Litmus Test Challenge
Guy's Litmus Tests
Guy’s Litmus test idea
Guy's Litmus test is a concept that you can apply literally anywhere. Each test gives you an instant answer to the basic question: 'Are you dealing with a professional, or with an amateur?' Is this the real deal, or is it a turkey?
I have narrowed my Litmus test concept to focus on computing; each page will give you at least one test to see whether you have the amateur or the professional settings. This rating is a personal view, based on my professional judgement as an independent computer consultant and trainer.
Where the idea came from
The brainwave for the Litmus challenge came to me when a delegate said: 'Guy, I have just joined a company; how do I know if their network and servers are running properly?' So I gave him a check list to find out whether his network was run by amateurs or professionals.
Flash back
As I was wondering what title to give the check list, my mind flashed back to my schoolboy days. Suddenly I remembered my chemistry teacher 'Sniffy' Pugh showing us Litmus tests. Perhaps you remember the test? What happens is you dip Litmus paper into a liquid, if the paper turns red it means acid, whereas if it turns blue the liquid is alkaline. It struck me that Litmus test was the ideal name for a quick test where there are only two possible results, one good the other bad.
Page 1 of 83 Computerperformance.co.uk Guy’s Litmus Tests
Table of Contents for Guy’s Litmus Tests
Guy's Litmus Test challenge ...... 1
1) Backup and the neglected Restore ...... 3
2) Event Viewer and Logs ...... 5
3) Restart Services instead of Rebooting ...... 8
4) Share and NTFS permissions ...... 10
5) Recovery Toolkit ...... 13
6) Security - Administrator Account ...... 15
7) Security Auditing ...... 16
8) Security Templates ...... 19
9) Time Synchronisation ...... 22
10) Uninterruptible Power Supply ...... 25
11) Dynamic Disk ...... 26
12) Disk Quotas ...... 28
13) DHCP ...... 30
14) DNS ...... 33
15) Networks ...... 36
16) Partitions ...... 37
17) Printer Pools ...... 39
18) Remote Administration ...... 41
19) Routing and Remote Access (RRAS) ...... 42
20) WINS ...... 44
21) Active Directory ...... 45
22) FSMO (Flexible Single Master Operations) ...... 45
23) Group Policy and GPMC ...... 45
24) Installing Windows Server 2003 or W2K3 ...... 45
25) Logon Scripts ...... 45
26) Raise Domain Levels (Mixed v Native Mode) ...... 45
27) Organizational Units and Delegation ...... 45
28) Printer Location ...... 45
29) Site Links ...... 45
30) Universal Groups ...... 45
31) CMD.exe ...... 45
32) First impressions ...... 45
33) Luddites ...... 45
34) Problem solving characteristics ...... 45
35) Protocols ...... 45
36) Readme files ...... 45
37) Screen Savers ...... 45
38) Tool kit ...... 45
39) TCP/IP protocol suite ...... 45
40) What next? ...... 45
1) Backup and the neglected Restore.
Guy's Litmus Test: When did you last test a full restore?
Professionals have tested a full restore in the last 6 months
Amateurs carry on backing up but they have no idea if the tapes will restore
1) Backup and Restore
One of my questions to companies is: 'Have you tried a restore lately?' In some ways this is a 'cheap shot', because hardly anyone tests a full restore. But think about it: you have invested in expensive software like ArcServe or BackupExec; how would you feel if you tried a restore and it failed?
At first I did not believe the statistic that 35% of all backups do not restore in the way that you think. The software itself rarely fails; it is more likely that it's the human logic which is faulty. As I visited sites, the reasons for these failures became apparent. Let me illustrate with some salutary case histories.
Case A. The shifting files.
Backup does its job perfectly. It is just that the vital database files were moved to a new folder, from e:\dbase to j:\dbase. Carelessly, the new folder was not included in the path for the backup job. So when it came to restoring the database there were no files from J:\dbase - woops! A variation of this problem is still backing up the old server when you have moved all the data to the new server!
Case B. The nervous operator.
The boss buys a box of DAT tapes and shows the timid assistant how to insert the first tape into the drive. On day one backup works brilliantly. However, on day two the operator cannot eject the tape; so being resourceful, they get out the Tippex*. You have guessed what happened next; they write today's date on the label and repeat every day. Guess what happens when you want a full restore of last week’s data? You only get yesterday's incremental backup, because each day the previous tape is overwritten.
*Tippex is a white paint used for correcting typing mistakes.
Case C. The 'Rambo' operator
A new young strapping lad wishes to make an impression. The backup tape was reluctant to eject. No problem for our young Rambo - he ripped the tape out - drive and all! Well at least everyone knew that there was a problem with backing up.
Case D. Photocopy ≠ Backup!
One day the database server went down and the manager asked his assistant for the backups. The proud assistant got out a pile of photocopied records and said, 'There are the backups'! Were they able to restore the backup from photocopies? No way! I never did discover if the root cause was a language problem or just plain ignorance.
Case E. No tape drives
Shortly after I first started in IT, the IRA blew up Bishopsgate in London (England). Amazingly no-one was killed, but IT people were walking around like zombies, they had lost their data. Then the rumours started. Word was that the banks had no back-ups; people were saying: 'The bank phoned me up yesterday and asked me how much money I had in my account. Well I told them a million pounds. Their next question was can we see last month's statement to prove it.'
I must confess to repeating the story to anyone who would listen, then one day I told the sorry tale to an engineer. He said 'Guy, I was on that case, of course they had backups, the assistant manager had hundreds in his garage. So we collected all the tapes, but how do we restore the data? The IRA had destroyed the computer and that bank's mainframe was so old that there was not another machine in the world that had a compatible tape drive.'
That was 1992. Disaster recovery has come a long way since then, but the ultimate proof of any backup strategy remains a full restore on another machine.
Summary: Pros always check backup by carrying out a full restore.
2) Event Viewer and Logs
Guy's Litmus Test: How many errors do you see in your Event Logs?
Professionals have very few errors in the Event Logs
Amateurs see lots of red dots in their Event Viewer
2) Event Viewer and Logs
Where NT 4.0 had three event logs, Windows 2000 domain controllers had six event logs and Server 2003 even more. Lots of red dots in the event logs shout to me: 'Amateurs in charge'. On the other hand, few red dots and regular archives whisper quietly: 'Professionals work here'. While you are in the Event Viewer, remember to check the Application log as well as the System log, especially if you are running Exchange or SQL.
Here is a severe problem with the CP domain - no logon servers available. Investigation revealed that CP domain controllers were offline.
Below is a yellow warning message telling us that a new machine has not been properly named. The network identification tab should be configured to include the domain suffix.
Increase the log size from the default of 512K to about 4MB.
Use the filter in Event Viewer; the filter is hidden away under the View menu.
Employ VBScripts or PowerShell cmdlets to help you monitor the logs.
Challenge: Check the event logs DAILY.
It will give you a chance to practise troubleshooting skills. You will get a feel for your server and its network. It will prevent problems building up on your network. For example, the log tells you that the mail service has stopped, so you restart it before users notice that there is no e-mail.
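As an added example (not part of the original page), here is the daily check from this section in PowerShell: it counts the red dots (Critical and Error events; Warning and Information do not count, as in the bonus scheme below) per log and summarises them by source and event ID. It assumes Windows PowerShell 5.1 or later on Windows, where Get-WinEvent is available.

```powershell
# Count the "red dots" per event log over the last N days and summarise them
# by source and event ID. Added example; assumes Get-WinEvent is available.
function Get-RedDotReport {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('System', 'Application'),
        [int]$Days = 1,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $LogName) {
        # Level 1 = Critical, 2 = Error. Warning (3) and Information (4) are
        # deliberately not counted, matching the bonus rules in the text.
        $filter = @{ LogName = $log; Level = 1, 2; StartTime = $since }
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) {
            # Get-WinEvent returns nothing (and writes a suppressed error) when the log is clean.
            [pscustomobject]@{ Log = $log; Source = '-'; EventId = 0; Count = 0; Last = $null; Sample = 'no errors' }
            continue
        }
        $events | Group-Object ProviderName, Id | Sort-Object Count -Descending | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Log     = $log
                Source  = $latest.ProviderName
                EventId = $latest.Id
                Count   = $_.Count
                Last    = $latest.TimeCreated
                # First line of the message only; Message can be empty if the
                # provider's metadata is not installed, hence the string coercion.
                Sample  = ("$($latest.Message)" -split "`r?`n")[0]
            }
        }
    }
}

# The bonus figure from the text: start with the full amount per server and
# lose one unit for every error found in the period.
function Get-BonusFigure {
    param([int]$Full = 100, [string[]]$LogName = @('System', 'Application'), [int]$Days = 90)
    $errors = (Get-RedDotReport -LogName $LogName -Days $Days | Measure-Object Count -Sum).Sum
    [pscustomobject]@{ Errors = $errors; Bonus = $Full - $errors }
}

Get-RedDotReport | Format-Table -AutoSize
Get-BonusFigure
```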
You are always allowed to ask for a bonus!
I dare you: ask your boss for a bonus based on how many red dots (Errors) there are in the logs. This is the system that my mate 'mad' Mick negotiated. He starts with £100 a quarter per server, if there are no errors he gets the £100, but for each error he loses £1. Blue (Information) and yellow (Warning) messages do not count. After a shaky start where he owed the company £574, Mick now pockets a nice bonus and has learnt a great deal in the process.
Summary: Pros check their event logs daily
3) Restart Services instead of Rebooting
Guy's Litmus Test: Is your reflex to restart services or reboot the server?
Professionals prefer to restart faulty services
Amateurs always reboot the server - even if there is no need
3) Fewer Reboots
The good news is that Microsoft have reduced the number of actions that require a reboot from over 150 in NT 4.0 to just 7 in Windows 2003. The bad news is that rebooting the server is no longer as effective in curing problems as it was in NT. On the occasions where rebooting solves a problem, restarting the individual service would work just as well. Think how much downtime you will save.
Where do you find the settings? Administrative tools, Services
Restarting services is particularly useful when troubleshooting Exchange 2003 or SQL problems. Rebooting the machine would achieve the same result but would take an age, and other services would not be available until the restart is complete. Stopping and restarting the services is more efficient and also teaches you the dependencies between services. For example, the Exchange Information Store is dependent on the System Attendant.
Configure services to restart automatically on failure (an idea W2K3 has taken from Exchange). Investigate a script to restart services automatically.
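As an added example (not the page's own script), the two points above in PowerShell: restart one service rather than the server, restarting the services that depend on it afterwards so nothing is left stopped, and set the recovery options so the service restarts itself on failure. It assumes Windows PowerShell 5.1 run from an elevated prompt; W32Time is used here only as a harmless service to try it on.

```powershell
# Restart a service and its running dependents instead of rebooting.
# Added example; assumes an elevated Windows PowerShell 5.1 session.
function Restart-ServiceTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Services this one needs (the Information Store needs the System Attendant)
    # and the running services that will be stopped along with it.
    $required   = @($svc.RequiredServices  | Select-Object -ExpandProperty Name)
    $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' } | Select-Object -ExpandProperty Name)
    Write-Verbose "$Name requires: $($required -join ', ')"
    Write-Verbose "Running dependents that will stop: $($dependents -join ', ')"

    if ($PSCmdlet.ShouldProcess($Name, 'Restart service and its running dependents')) {
        # -Force stops the dependents, but Restart-Service only starts $Name
        # again, so the dependents are started explicitly afterwards.
        Restart-Service -Name $Name -Force -ErrorAction Stop
        foreach ($dep in $dependents) { Start-Service -Name $dep -ErrorAction Continue }
    }
    Get-Service -Name (@($Name) + $dependents) | Select-Object Name, Status
}

# Recovery options, the same setting as the Recovery tab in Services:
# first and second failure restart the service after DelayMs, and the
# failure counter resets after ResetSeconds without a failure.
function Set-ServiceAutoRestart {
    param([Parameter(Mandatory = $true)][string]$Name, [int]$DelayMs = 60000, [int]$ResetSeconds = 86400)
    # sc.exe (not the 'sc' alias for Set-Content) needs the space after each '='.
    & sc.exe failure $Name reset= $ResetSeconds actions= "restart/$DelayMs/restart/$DelayMs"
    & sc.exe qfailure $Name   # show the recovery settings just written
}

Restart-ServiceTree -Name 'W32Time' -Verbose
Set-ServiceAutoRestart -Name 'W32Time'
```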
7 Main causes of a reboot in Windows 2003
1. Installing Active Directory (Run DCPROMO)
2. Changing the DNS IP address or domain suffix
3. Converting from Basic to Dynamic disk
4. Renaming your Machine
5. Install RIS
6. Add or Remove COM Ports
7. Modifying the Schema
Minor causes of a reboot
1. Altering the ISA configuration (why are you still using ISA stuff?)
2. Changing the System Locale (Should have done it during install)
3. Changing the System Font (Why worry on a server?)
4. Removing the GSNW (Just leave it?)
5. Some Terminal Services changes
Summary: Pros understand Services and know how to restart them and thus cure their problems
4) Share and NTFS permissions
Guy's Litmus Test: What permissions do you give the group 'Everyone'?
Professionals remove the default permission 'Everyone' - Full Control
Amateurs don't mind 'Everyone' having full control of all shares
4) Share and NTFS permissions
Share permissions are like giving users a key to the office door. NTFS permissions are like giving them the key to the safe. Too many organisations leave the safe unlocked!
Make it your reflex to remove the group Everyone, because by default it has Full Control; substitute Users and give them only Read. It usually makes sense to also add Administrators and give them Full Control.
Right click a shared folder, check the permissions under both Share and NTFS Tabs.
Note that there are two tabs to control permissions on any folder - Sharing (Key of the door) and Security (NTFS lock on the safe).
The biggest change compared with NT 4.0 is that you now have the Deny permission. In NT 4.0 the No Access permission was rather a blunt tool: it meant you could not read documents or list files. The new Deny means that you can explicitly Deny Write. That means that if a user is a member of another group that is given Change permission, they still only end up with Read.
Little Known Snap-in - Shared Folders
Here is a little known snap-in called Shared Folders, I use it to check and set share permissions.
If you get a few complaints from users about difficulties writing to folders, that indicates that your security is working. My point is that no complaints about permissions may mean no security.
Windows Server 2003 (W2K3)
The default permissions in W2K3 and Server 2003 are Users Read, Administrators Full Control.
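As an added example (not from the original page), this script applies the test of this section to every file share on a server: it reports where Everyone still has Full Control on the share (the office door) or on the NTFS ACL (the safe), and with -Fix replaces that with the defaults the text recommends, Users = Read and Administrators = Full Control. It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later) and an elevated prompt; the group name passed as ReadGroup is a placeholder you would change to your own users group.

```powershell
# Audit (and optionally fix) shares where 'Everyone' has Full Control.
# Added example; assumes the SmbShare module and an elevated prompt.
function Find-EveryoneFullControl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Fix, [string]$ReadGroup = 'Users')

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Skip the administrative shares (C$, ADMIN$, IPC$); their ACLs are fixed by Windows.
    $shares = Get-SmbShare | Where-Object { $_.ShareType -eq 'FileSystemDirectory' -and -not $_.Special }
    foreach ($share in $shares) {
        # Share permissions: the key to the office door.
        $shareHit = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
        }
        # NTFS permissions: the key to the safe.
        $acl = Get-Acl -Path $share.Path
        $ntfsHit = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
        [pscustomobject]@{
            Share             = $share.Name
            Path              = $share.Path
            ShareEveryoneFull = [bool]$shareHit
            NtfsEveryoneFull  = ($ntfsHit.Count -gt 0)
        }
        if (-not $Fix) { continue }

        if ($shareHit -and $PSCmdlet.ShouldProcess($share.Name, 'Replace Everyone/Full on the share')) {
            Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force | Out-Null
            Grant-SmbShareAccess  -Name $share.Name -AccountName $ReadGroup -AccessRight Read -Force | Out-Null
            Grant-SmbShareAccess  -Name $share.Name -AccountName 'Administrators' -AccessRight Full -Force | Out-Null
        }
        if ($ntfsHit.Count -gt 0 -and $PSCmdlet.ShouldProcess($share.Path, 'Replace Everyone/FullControl on the NTFS ACL')) {
            foreach ($rule in $ntfsHit) { $acl.RemoveAccessRule($rule) | Out-Null }
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ReadGroup, 'ReadAndExecute', $inherit, 'None', 'Allow')))
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Administrators', 'FullControl', $inherit, 'None', 'Allow')))
            Set-Acl -Path $share.Path -AclObject $acl
        }
    }
}

Find-EveryoneFullControl | Format-Table -AutoSize    # report only
# Find-EveryoneFullControl -Fix -WhatIf                # preview the changes first
```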
Summary: Pros limit the permissions given to the group Everyone
5) Recovery Toolkit
Guy's Litmus Test: In event of a system failure, how many recovery tools can you use?
Professionals have a tried and tested list of recovery strategies
Amateurs can only reinstall the server from scratch
5) Recovery Toolkit
The situation is that your machine crashes and will not restart properly; what do you do next?
1. Safe Mode
2. Recovery Console - CD
3. Directory Services Restore
4. Windows Server 2003 Repair
5. LKK
6. Restore Points XP
7. (ERD)
Safe mode
Those coming from NT 4.0 will be impressed with all the options revealed by pressing F8 on boot up; those who know Windows 98 will find old friends amongst these options. Safe Mode is my favourite strategy: I find it usually works, and I can get into the system and reverse whatever was stopping it booting normally.
Recovery Console
This is a great strategy if you have to repair a corrupted file by copying the original from CD. What happens is that the command console boots into a shell which looks like DOS, then you can copy the files from the CD to the WINNT folder.
Organized administrators prepare by installing the command console with winnt /cmdcons. As ever Microsoft provide two ways of doing everything, and you can also access the command console by inserting the CD and choosing R = Repair from the appropriate menu.
Directory Services Restore
This is a specialist technique for recovering parts of active directory that you have inadvertently deleted, for example, you delete an OU and you want it back. I say specialist because you have to understand LDAP and ADSI to select the items to be restored.
Windows Repair
When crucial operating files get damaged, you could carry out a repair. The technique is to pretend you wish to install a new copy, but at the crucial menu select Windows Repair. Note that this is a different technique from the Recovery Console: you will need the Product Key for this Repair option.
LKK - Last Known Good
This is used in one specialist situation: you have just installed a rogue driver which you are pretty sure is preventing the machine booting. I say specialist because it only solves incorrect configuration errors. If you did something that changed the registry, then you have a spare control set that you can revert to; however, the moment you log on you create a new Last Known Good, so you would lose that spare set. LKK is first on my list because it is the first you should try.
Restore Points (XP and Longhorn only)
If you can get as far as logging on, then the restore points are one of the great recovery features of XP. The operating system creates a fixed point before you make any major changes, or else you can create the restore points yourself. Note, restore points are not available on Windows Server 2003 only XP.
(ERD) Emergency Recovery Disk
I put this last and in brackets because I have never had any success with this procedure. The idea is worthy: all the registry configuration settings can be saved and later restored. The fatal flaw is that the disk/file has to be updated manually every time you make a change, and for ordinary mortals that just does not happen. If there is one thing worse than not having an ERD it is having an out-of-date disk which corrupts the system.
If you would like to create an ERD then Click Start, Programs, Accessories, System Tools, then click Backup. Amateurs believe that the ERD is bootable - wrong. However, you CAN create a bootable disk by formatting a floppy in Windows 2003, and copying NTLDR, NTDETECT.COM and BOOT.INI on to the floppy. This is the same strategy as used in NT 4.0.
Summary: Pros have a rich variety of recovery tools and strategies.
6) Security - Administrator Account
Guy's Litmus Test: Have you renamed the Administrator's account?
Professionals rename the Administrator Account
Amateurs, as usual, leave security at the default settings
6) Security - Rename your Administrator account
Renaming the Administrator account is the single best thing you can do to secure your system. It amazes me that companies spend thousands on security reports but do not rename the Administrator account. Also remember to delete the description 'Built-in account for administering the computer/domain' when you rename the account.
The two points are:
1) Every hacker knows that Windows Server 2003 has an account called Administrator
2) By design, the Administrator account cannot be locked out. So hackers can try as many times as they like to discover the password.
Create a Dummy account
My mate 'Barking' Eddie renames the original Administrator to fredb, then creates a new dummy Administrator account with only guest rights. This drives hackers mad because they cannot understand why the Administrator account does not do what they want! He even adds the description 'Built-in account for administering the computer/domain' to the dummy account.
SG wrote to me pointing out what else you can do to secure the Administrator account:
Deny Access to this computer from the network. SG reminds me that this account has a SID ending in 500 which cannot be changed. As a result, hackers using RedButton will always know which account is the original administrator and attack it.
You could also set a Security Policy which adds additional restrictions for anonymous connections to Do not allow enumeration of SAM accounts and shares.
Check the physical security of your server room. Also check who can log on locally on the server.
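As an added example (not from the original page), a check for this section's points on a member server or workstation. Because, as SG notes, the built-in account's SID always ends in 500, the script finds it by RID rather than by name, so it reports correctly whether or not the account has been renamed; it also checks that the default description is gone and that the 'Do not allow enumeration of SAM accounts and shares' policy (the RestrictAnonymous LSA value) is set. It assumes Windows PowerShell 5.1 with the LocalAccounts module, run elevated; fredb is the placeholder name from the text.

```powershell
# Check (and optionally apply) the Administrator-account hardening in this
# section. Added example; assumes an elevated Windows PowerShell 5.1 session
# on a member server or workstation (the LocalAccounts module does not
# manage domain accounts on a domain controller).
function Test-AdminAccountHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$NewName = 'fredb', [switch]$Fix)

    # RID 500 is the built-in administrator, whatever it is currently called.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $defaultDescription = 'Built-in account for administering the computer/domain'
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath

    $result = [pscustomobject]@{
        Rid500Name           = $builtin.Name
        Renamed              = ($builtin.Name -ne 'Administrator')
        DefaultDescription   = ($builtin.Description -eq $defaultDescription)
        Enabled              = $builtin.Enabled
        # 'Do not allow enumeration of SAM accounts and shares' = RestrictAnonymous 1
        RestrictAnonymous    = [int]$lsa.RestrictAnonymous
        AnonymousEnumBlocked = ([int]$lsa.RestrictAnonymous -ge 1)
    }
    if (-not $Fix) { return $result }

    $name = $builtin.Name
    if (-not $result.Renamed -and $PSCmdlet.ShouldProcess($name, "Rename to $NewName")) {
        Rename-LocalUser -Name $name -NewName $NewName
        $name = $NewName
    }
    if ($result.DefaultDescription -and $PSCmdlet.ShouldProcess($name, 'Remove the default description')) {
        # Set-LocalUser rejects an empty string, so a single space is used to blank it.
        Set-LocalUser -Name $name -Description ' '
    }
    if (-not $result.AnonymousEnumBlocked -and $PSCmdlet.ShouldProcess('LSA', 'Set RestrictAnonymous = 1')) {
        Set-ItemProperty -Path $lsaPath -Name RestrictAnonymous -Value 1 -Type DWord
    }
    Test-AdminAccountHardening   # re-read and return the new state
}

Test-AdminAccountHardening
# Test-AdminAccountHardening -Fix -WhatIf   # preview before applying
```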
Summary: Pros Rename the Administrator account
7) Security Auditing
Guy's Litmus Test: How many entries does your Security Log have?
Professionals set up auditing for security information
Amateurs say an empty security log means no problem
7) Security Auditing
Amateurs will almost certainly have a blank audit log, because the default setting is no auditing. Professionals will be alerted to unsuccessful logons, which could mean a hacker at work, or maybe just Fred having trouble locating a file. Either way, the IT professional will know.
Setting up File Auditing is a knack. There are three places you need to configure.
Firstly, set Auditing at the Domain level, go to Active Directory Users and Computers, Domain Object, Properties, Group Policy. From there configure as in the diagram below.
Secondly, you need to turn auditing on at the folder level. Note that, for once, the group Everyone is your friend, as it may not be the person you think who is deleting the files. Warning: do not audit more than you need, or the log will soon fill up and, what is more, searching for the information will be like looking for a needle in a haystack.
Thirdly, check the Event Viewer, Security log for evidence of who was deleting the files.
A tip for the boss. If I were the boss, I would have a meeting with my network manager and ask to see the security log options. Just asking for this information will jog the network manager's memory. The hidden message is that even the techie's actions are accountable. If the network manager is honourable then they will have nothing to fear. If they are a rogue, then okay, they can get around it by deleting the log, but that in itself would be suspicious.
Security Warning
Guy's warning: the more security you have, the more work there will be for the administrators.
Firstly, decide on an appropriate level of security for your organisation. Take passwords as an example: ordinary companies do not need complex passwords which users have to change every month, whilst it would be inappropriate for banks to allow blank passwords which never expire.
Bonus Litmus Test: Professionals use account lock out
Account lockout: if an organisation has debated account policies then they are probably professionals. However, this is a classic case where there is no 'right answer'.
Several universities have admitted to me that they have problems with account lockout. Immature students deliberately lock out their friends' accounts by typing in the wrong password. If they can lock out a lecturer's account they think it's hilarious. (Sad people, but we have to deal with them.)
Guy's first suggestion for the university's problem was to add the DontDisplayLastUserName setting to the Winlogon part of the registry. This prevents users seeing the account that previously used the machine. Secondly, I showed the administrators how to set up auditing; then we could see which workstations the rogue passwords were coming from. Then we had a word in the ear!
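As an added example (not from the original page), the three auditing steps above and the lockout detective work from the university story, in one PowerShell script: enable object-access auditing, put a delete SACL for Everyone on a folder, then read the Security log to see who deleted what (event 4663 with the DELETE access bit) and which workstations the wrong passwords come from (event 4625). It assumes Windows Server 2008 R2 or later, where auditpol and these event IDs exist, an elevated prompt, and a placeholder folder path; in a domain the auditing policy itself belongs in Group Policy as the text describes.

```powershell
# Section 7 in PowerShell. Added example; assumes Windows Server 2008 R2+
# and an elevated prompt. The folder path is a placeholder.

# Steps 1 and 2: audit policy on, then a SACL on the folder.
function Enable-DeleteAuditing {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Local policy equivalent of 'Audit object access'; in a domain set it in Group Policy.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Audit Everyone, because the culprit may not be who you think.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Delete, DeleteSubdirectoriesAndFiles', 'ContainerInherit, ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Pull the named <Data> fields out of an event's XML so they can be filtered on.
function Get-EventFields {
    param([Parameter(Mandatory = $true)]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Step 3: who deleted what. 4663 = object access; AccessMask bit 0x10000 = DELETE.
function Get-FileDeletions {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        if (([int64]$f.AccessMask -band 0x10000) -ne 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                Object  = $f.ObjectName
                Process = $f.ProcessName
            }
        }
    }
}

# Lockout detective work: where the bad passwords come from.
# 4625 = failed logon; SubStatus 0xC000006A = wrong password.
function Get-FailedLogonSources {
    param([int]$Days = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Target      = $f.TargetUserName
            Workstation = $f.WorkstationName
            Source      = $f.IpAddress
            Status      = $f.SubStatus
        }
    } | Group-Object Target, Workstation, Source | Sort-Object Count -Descending | Select-Object Count, Name
}

# Enable-DeleteAuditing -Path 'D:\Shares\Finance'   # placeholder path
Get-FileDeletions       | Format-Table -AutoSize
Get-FailedLogonSources  | Format-Table -AutoSize
```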
Summary: Pros turn on auditing and check the security log weekly
8) Security Templates
Guy's Litmus Test: Have you ever used the Security Templates?
Professionals use the built-in snap-in for Security Templates
Amateurs have no structure for setting security
8) Security Templates
Security Templates and the associated Security Configuration and Analysis snap-in are one of the best-kept secrets of Windows Server 2003. This is a shame, as this tool offers a powerful mechanism to configure, check and record the security settings for your domain. Needless to say there is a huge difference between those professionals who utilise these features and the amateurs who do not realise they exist.
a) Security Templates
The first move is to load the template that most nearly describes your situation, e.g. securedc = Secure Domain Controller. The next move is crucial: Save As - yourfilename. This preserves the original while allowing you to experiment.
Your next move is to check out the settings and decide how much security you need in your organization. When you have finished checking, go to the Security Configuration and Analysis snap-in. (See diagram above.)
b) Security Configuration and Analysis
Note that this is a second, separate snap-in. The first step is to right click, select Open Database and add your saved template. Next right click Security Configuration and Analysis and select Analyse (NOT CONFIGURE).
The powerful analysis tool shows which settings will remain the same; for example, a tick next to 'Maximum password age' tells you there is no difference between your template and the present setting. However, a red X means that the template will change the current setting if you select CONFIGURE.
Experiment with different settings until you have the required security configuration. Note in passing that you can Export List from the Action menu and so save a record of your work.
If you make a terrible mistake with CONFIGURE, reapply the Basic Template and start again.
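As an added example (not from the original page), the same Analyse step driven from the command line with secedit, so the comparison can be scripted and the result kept as a record alongside an export of the current settings. Only /analyze is run, never /configure. It assumes an elevated prompt, that the template path and working folder are placeholders, and that secedit's analysis log marks each differing setting with a 'Mismatch - ' line (the red X in the snap-in), which is how the log is parsed here.

```powershell
# Compare the current security settings against a template without applying it.
# Added example; assumes an elevated prompt and secedit's 'Mismatch - ' log format.
function Compare-SecurityTemplate {
    param(
        [string]$Template = "$env:SystemRoot\security\templates\securedc.inf",  # placeholder
        [string]$WorkDir  = "$env:TEMP\secanalysis"                              # placeholder
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'analysis.log'
    $cur = Join-Path $WorkDir 'current.inf'
    # Fresh database and log for every run; secedit appends to an existing log.
    Remove-Item $db, $log -ErrorAction SilentlyContinue

    # Record the current local settings first, the equivalent of 'Export List'.
    & secedit.exe /export /cfg $cur | Out-Null
    # Analyse (NOT configure): load the template into the database and compare.
    & secedit.exe /analyze /db $db /cfg $Template /log $log | Out-Null

    $mismatch = @(); $notConfigured = @()
    foreach ($line in (Get-Content -Path $log)) {
        if     ($line -match '^\s*Mismatch\s*-\s*(.+?)\.?\s*$')       { $mismatch      += $Matches[1] }
        elseif ($line -match '^\s*Not Configured\s*-\s*(.+?)\.?\s*$') { $notConfigured += $Matches[1] }
    }
    [pscustomobject]@{
        Template      = $Template
        CurrentExport = $cur
        Log           = $log
        Mismatches    = $mismatch        # would change if CONFIGURE were run
        NotConfigured = $notConfigured   # the template leaves these alone
    }
}

$result = Compare-SecurityTemplate
"{0} setting(s) would change if CONFIGURE were run:" -f $result.Mismatches.Count
$result.Mismatches
```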
Summary: Pros use Security Templates to control all aspects of their security
9) Time Synchronisation
Guy's Litmus Test: Do all your machines show the same time?
Professionals synchronize computer clocks throughout their network
Amateurs wonder why they get lots of Win32 time errors in the event log
9) Time Synchronization
With Windows 2003's Kerberos security, time synchronization has a new significance. This is because the Kerberos Key Distribution Center (KDC) service uses time stamps as part of the client authentication process. The default tolerance is only 5 minutes.
Use SNTP (Simple Network Time Protocol) to synchronise time on your network. Naturally you need a server with a reliable time source. I suggest using google.com to search for 'internet time servers'.
Here is the syntax of the net time command, to issue from a batch file or the command line: net time /setsntp:
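As an added example (not from the original page), a PowerShell check of how far this machine's clock is from a time source, measured with w32tm's stripchart and judged against the 5-minute Kerberos tolerance quoted above, so a server can be flagged before authentication starts failing. It assumes w32tm.exe (Windows XP/2003 or later) and network access to the source; the source name is the one used in the text.

```powershell
# Measure the clock offset from a time source and compare it with the
# Kerberos tolerance. Added example; assumes w32tm.exe and network access.
function Test-ClockSkew {
    param(
        [string]$Source = 'time-a.nist.gov',
        [int]$Samples = 3,
        [double]$ToleranceSeconds = 300    # Kerberos default: 5 minutes
    )
    # /dataonly prints one 'hh:mm:ss, +00.0123456s' line per sample.
    $raw = & w32tm.exe /stripchart "/computer:$Source" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $raw) {
        if ("$line" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from ${Source}: $($raw -join ' ')" }

    # Sign is as reported by w32tm; the size of the offset is what Kerberos cares about.
    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Source         = $Source
        Samples        = $offsets.Count
        OffsetSeconds  = [math]::Round($avg, 3)
        WithinKerberos = ([math]::Abs($avg) -lt $ToleranceSeconds)
        # Warn at half the tolerance, well before tickets start being refused.
        Warning        = ([math]::Abs($avg) -ge ($ToleranceSeconds / 2))
    }
}

Test-ClockSkew
```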
One of my more controversial ideas is to give network managers bonuses dependent on curing red error dots in the Event logs. My proposal is to give them a bonus of x dollars or pounds, but to reduce the bonus by one dollar for each red dot. Those who take up this idea realise that they lose a lot of bonus if they do not master the w32tm command. See 2) Event Viewer.
Example Script to Synchronize with the Windows Time Service
Purposes of the Script
The script synchronizes the local machine with an internet time server, then displays a message indicating if the internal clock was slow, fast or on time.
Instructions for Synchronizing with the Windows Time Service
This script is designed for Windows servers, but there is no reason why it should not work on an XP machine. If you use uk.pool.ntp.org or time-a.nist.gov as the time server, make sure that your machine has an internet connection.
1. Copy and paste the example script below into Notepad, or use a VBScript editor.
2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.
3. Save the file with a .vbs extension, for example: SynchTime.vbs
4. Double click SynchTime.vbs, and check the clock synchronization in the message box.
'======
' VBScript Source File -- Created with XLnow OnScript
' SynchTime.vbs
' AUTHOR: Guy Thomas
' COMPANY: Computer Performance
' DATE: January 2006 Version 3.2
' COMMENT: Script to synchronize with the Time service
'======
Option Explicit
Dim objShell
Dim intShortSleep, intLongSleep, strService
Dim strTimeSrv, timeBefore, timeAfter, timeDiff
Set objShell = CreateObject("WScript.Shell")
strService = "w32Time"
intShortSleep = 3000
intLongSleep = 6000 ' 1000 = 1 second

' Time server setting (move the ' comment marker if you want to change it)
strTimeSrv = "time-a.nist.gov"
'strTimeSrv = "uk.pool.ntp.org"

' Use the .Run method to configure the time server.
' The trailing " _" continues the statement on the next line;
' 0 = hidden window, True = wait for the command to finish.
objShell.Run "w32tm /config /syncfromflags:manual /manualpeerlist:" _
    & strTimeSrv, 0, True
Call Restart()
' Collect the time (in seconds since midnight) before the script synchronizes
timeBefore = DatePart("s", Now) + DatePart("n", Now) * 60
timeBefore = timeBefore + DatePart("h", Now) * 3600

' Key command to resynchronize with the time server
objShell.Run "w32Tm /resync /rediscover"
WScript.Sleep intShortSleep
timeAfter = DatePart("s", Now) + DatePart("n", Now) * 60
timeAfter = timeAfter + DatePart("h", Now) * 3600

' Cosmetic section to display the clock adjustment
' (subtract the sleep so only the correction itself is reported)
timeDiff = (timeAfter - timeBefore) - (intShortSleep / 1000)
If timeDiff < 0 Then
    WScript.Echo "Clock was fast by " & -timeDiff & " secs"
ElseIf timeDiff > 0 Then
    WScript.Echo "Clock was slow by " & timeDiff & " secs"
ElseIf timeDiff = 0 Then
    WScript.Echo "Clock synchronized " & timeDiff & " difference"
End If
WScript.Quit

Sub Restart()
    ' Restart the Windows Time service; wait for net stop to finish
    ' before net start, otherwise the two commands race each other.
    objShell.Run "net stop " & strService, 0, True
    objShell.Run "net start " & strService, 0, True
    WScript.Sleep intLongSleep
End Sub
VBScript Tutorial - Learning Points
Note 1: Get into the rhythm of the If, then, End If. This simple construction is versatile and greases the wheels of many VBScripts.
Note 2: ElseIf is better than Else If. My advice is to avoid a space between Else and If, unless you deliberately want a different outcome. If you have more than five ElseIfs then investigate the alternative, Select Case.
Note 3: Observe how this script employs the .Run method rather than .Sendkeys {}.
Challenges
Try deliberately setting the computer's clock fast or slow. Give the script a real job by stopping the Windows Time service before running the script. Experiment with the intSleep variables: try changing the values, or even removing them. See the difference a space makes in Else If (instead of ElseIf), and see how Else If requires its own matching End If. I tried simplifying timeAfter = DatePart("s", Time) + DatePart("n", Time) * 60 to timeAfter = Time. My results were disappointing: the value was always the same, even though I changed the time on the computer clock.
XP Professional and Network Time
A neat feature of XP and Windows 2000 Professional clients is that they will automatically synchronise with their Domain Controller. The client uses the Windows Time service to communicate with the logon server. To begin with this happens every 45 minutes; once the machines are in sync, the interval between time checks extends to 8 hours.
Summary: Pros ensure that the clocks are synchronized on all their network machines
10) Uninterruptible Power Supply
Guy's Litmus Test: When did you last service the UPS?
Professionals have the UPS regularly serviced
Amateurs allow the UPS to leak acid
10) UPS
I sometimes offer my services on a no fix, no fee basis. One job was abruptly terminated. When I went in to test my solution, I was told that the server room had burnt down. When the fire brigade investigated, it turned out that the UPS (uninterruptible power supply) was the centre of the inferno. It seemed that acid seeped out from the UPS battery and set fire to paper on the floor. It transpired that the UPS was 12 years old and had never been serviced.
Naturally I did not get paid, and had to settle for an ironic smile: the very device that should protect the server was responsible for its downfall. It is a situation where you can imagine a cartoon sequence of the acid leaking, the paper catching fire, and the blaze enveloping the server.
The moral of the story - do not work for people who do not service their UPS!
The Role of the UPS in Disaster Recovery
Those great big batteries (UPS) at the side of the server are designed to prevent disaster striking should your site suffer a power failure.
I once stopped by at the UPS stand at a trade fair; they had great coffee and I needed a rest. Now I thought I knew about UPS devices, but the salesmen showed me some extra capabilities for disaster protection.
1. The most important job of the UPS is to cut in when the power fails.
2. A UPS also protects against 'brown outs', when the lights dim but the power stays on.
3. A UPS will also smooth the voltage, preventing power surges during electric storms.
Additional UPS Features
The system I saw at the trade fair had 'bells and whistles' like short term capacitors and diesel engines that would deliver conventional AC power. It also had microprocessor sensors and switch over.
11) Dynamic Disk
Guy's Litmus Test: Do you understand Dynamic Disk?
Professionals evaluate the pros and cons before upgrading to Dynamic Disk
Amateurs, in their ignorance, retain basic disk
11) Dynamic Disks
Professionals take the trouble to investigate the features of 'Dynamic Disk'. One advantage of Dynamic Disk is that you can extend data partitions. How is this useful? Take a case where you need 3 partitions on a disk, but it is not clear which partition will grow the fastest. Assign 1/4 of the space to each partition, leaving 1/4 available to extend whichever partition gets full first.
Dynamic disk has the advantages of supporting an unlimited number of volumes; this overcomes the limitation of only 4 primary partitions and 1 logical drive. You may also import dynamic disks from other computers, this is because the file information is held on the disk itself not in the registry. This also explains why you need 1 MB of unallocated space to convert from basic to dynamic disk; the space is needed to create the disk information database.
To convert to Dynamic Disk, go to Disk Management, right click the Disk and select: Upgrade to Dynamic Disk. (Call for the built-in Help if you cannot find Disk Management.)
Reasons not to upgrade to Dynamic Disk
Dynamic disk may not work with Cluster Service.
Take care when converting disks that have Shadow Copy enabled.
You cannot revert to basic disk once you have converted to dynamic disk.
You cannot boot into other operating systems on dual boot machines.
You cannot install or upgrade to Windows Server 2003 on such a disk.
For some reason dynamic disk is not supported on laptops.
Dynamic disk is not compatible with 'Ghosting' client disks.
This last point means that you may leave XP professional with the default basic disk. I have not found a convenient switch to automatically upgrade to dynamic disk, moreover the advantages of dynamic disk are not so important on a workstation.
More Disk Configuration Utilities
Defrag: Professionals regularly defragment their disks for faster file access.
Diskpart: Professionals employ Diskpart for command line configuration.
Summary: Pros research the consequences of Dynamic Disk
12) Disk Quotas
Guy's Litmus Test: Have you set Disk Quota?
Professionals set Quota limits on their file servers' volumes
Amateurs allow a few users to hog the available disk space
12) Disk Quotas
Controlling use (abuse) of server disk space has been high on administrators' wish lists for a long time. Now with Disk Quotas you can limit users' disk space.
Disk usage conforms to the 'Pareto Principle'; 20% of your users will consume 80% of the disk space. Configure disk quotas and make things fairer, stop one or two selfish users filling up the disk space unnecessarily. One strategy is to set the limits high and use quotas to plant the idea that users should implement good housekeeping with their files.
To activate disk quotas: Right click the root of any partition and you will see the Disk Quota tab.
Trap: Remember to check both boxes: Enable quota management, and Deny disk space to users exceeding their quota limit.
Tip: If you want to use disk quotas on separate folders rather than the whole disk, investigate: Volume Mount Points.
On a related topic:
Encrypted File System (EFS)
Litmus test: Professionals show laptop users how to encrypt their files
There have been several high profile cases of lost laptops containing sensitive information. Windows 2003 offers the facility to transparently encrypt sensitive folders. So if the files get into the wrong hands, they will be very difficult to decrypt.
Summary: Pros set quota limits for users on shared server volumes
13) DHCP
Guy's Simple Litmus Test: How do you assign a client's IP address?
Professionals automatically assign IP addresses for XP desktops
Amateurs manually configure the IP addresses on each client machine
Guy's Advanced Litmus Test: How many DHCP Options do you configure?
Professionals configure at least Type 003 Router and Type 006 DNS Servers
Amateurs never configure any Scope Options.
13) Dynamic Host Configuration Protocol (DHCP)
As late as 2004 I read a survey that found 20% of organisations still assign static IP addresses. Reasons included the need to track IP addresses to individual machines and dislike of DHCP. 80% of respondents trust DHCP and consider it to be the way of the future. My feeling is that in 2006 only about 10% of administrators are 'amateurs' and still refuse to consider DHCP.
It is relatively easy to configure a client so that it automatically gets an IP address from the DHCP server. However, the benefits of DHCP are greater than just giving out the client IP address. For example, you can also give clients the IP address of the DNS server and the router. Thus if a DNS server changes its IP, you only have to alter the configuration once, on the DHCP scope. This is much better than going to every client and manually changing the default gateway at each TCP/IP property sheet.
DHCP is a service that you install on Windows Server 2003. The server does not have to be a Domain controller. Once installed you need to configure a scope or range of IP addresses. My advice is to configure 2 servers (but no more) for each subnet. For example, Server A range 20-120, server B range 121-254
I heard a horror story of how one company had to employ a contractor to alter the default gateway of all 750 machines by hand. If only they had used DHCP it would have taken but a minute, a classic of modern methods reducing the TCO (Total Cost of Ownership).
When you create a DHCP scope, as well as Router (DHCP Option Type 003), it costs little time to add a DNS Server (Type 006) and also Domain name (Type 015). It is worth checking out over 40 other automatic settings you can assign at the same time as the IP address.
Incidentally, DHCP is an example of Windows 2003 having more options, menus and sub menus than NT 4.0. Take the time to investigate which options would help your network. For example, check dynamic updates and class options.
If you are troubleshooting client DHCP problems, ipconfig /all is the classic tool to run from the command prompt. (Do remember the /all switch)
DHCP Logging
One persistent reason companies gave for not implementing DHCP was that it could not track who was using which IP address. They obviously did not realise that you could turn on Audit Logging. Diagram taken from the properties of the DHCP Server Object.
What else is new with DHCP?
On the server the DHCP server has to be registered in Active Directory before it can be activated. Microsoft claim this is to stop a tide of unauthorized DHCP servers on the network. Personally I think it is an unnecessary extra step! That said, I do recognise that there has been a tendency to have too many DHCP servers with the resultant risk of duplicate IP addresses where the administrators are not careful with scope ranges.
On a brighter note, Windows 2003 and XP support APIPA (Automatic Private IP Addresses). This was first introduced with Windows 98, if a DHCP server is unavailable, the client gives itself an IP address in the range 169.254.x.y. The benefit is that it can communicate with other clients on its subnet, and since it has a proper IP address, it can keep trying to contact the DHCP server for a more suitable IP address.
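The scope options above (Router, DNS Servers, Domain Name) and the APIPA fallback are easier to reason about with the bytes in front of you. The following is an added example, not code from this document or from Microsoft: it encodes and decodes the option field a DHCP server sends (the RFC 2132 code, length, value layout that the "Type 003/006/015" numbers refer to), refuses a truncated option rather than half-parsing it, and reports a lease as APIPA when the client's address falls in 169.254.0.0/16, in which case no scope options ever arrived. The addresses and the domain name nwtraders.msft are constructed sample values.

```python
import ipaddress

# Option codes from RFC 2132; the page calls them "Type 003", "Type 006", "Type 015".
OPT_PAD = 0
OPT_ROUTER = 3
OPT_DNS_SERVERS = 6
OPT_DOMAIN_NAME = 15
OPT_END = 255

# Address block a client assigns itself (APIPA) when no DHCP server answers.
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def encode_options(router, dns_servers, domain_name):
    """Build the option field a server sends in its OFFER/ACK: one
    code, length, value triple per option (RFC 2132), closed by END."""
    out = bytearray()
    router_bytes = ipaddress.IPv4Address(router).packed
    out += bytes([OPT_ROUTER, len(router_bytes)]) + router_bytes
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    out += bytes([OPT_DNS_SERVERS, len(dns_bytes)]) + dns_bytes
    name_bytes = domain_name.encode("ascii")
    out += bytes([OPT_DOMAIN_NAME, len(name_bytes)]) + name_bytes
    out.append(OPT_END)
    return bytes(out)


def decode_options(raw):
    """Walk the option field and return {code: value bytes}.
    Stops at END and refuses a length that runs past the buffer, so a
    truncated or malformed packet raises instead of being half-parsed."""
    options = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:          # PAD is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = value
        i += 2 + length
    raise ValueError("option field has no END marker")


def address_list(value):
    """Options 3 and 6 carry one or more 4-byte addresses back to back."""
    if len(value) == 0 or len(value) % 4:
        raise ValueError("address list length %d is not a multiple of 4" % len(value))
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def is_well_formed(raw):
    try:
        decode_options(raw)
        return True
    except ValueError:
        return False


def describe_lease(client_ip, raw_options):
    """Summarise what the client ended up with. An address inside
    169.254/16 means no DHCP server answered and APIPA kicked in, so
    the scope options never arrived and the router/DNS fields are empty."""
    if ipaddress.IPv4Address(client_ip) in APIPA_RANGE:
        return {"apipa": True, "router": None, "dns": [], "domain": None}
    opts = decode_options(raw_options)
    return {
        "apipa": False,
        "router": address_list(opts[OPT_ROUTER])[0] if OPT_ROUTER in opts else None,
        "dns": address_list(opts[OPT_DNS_SERVERS]) if OPT_DNS_SERVERS in opts else [],
        "domain": opts[OPT_DOMAIN_NAME].decode("ascii") if OPT_DOMAIN_NAME in opts else None,
    }
```

When a desktop reports a 169.254.x.y address in ipconfig /all, describe_lease gives the same verdict the troubleshooter should reach: the problem is reaching the DHCP server, not the scope options.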
Summary: Pros setup DHCP and reap the benefits of reduced administrative effort.
14) DNS
Guy's Litmus Test: Can you troubleshoot DNS?
Professionals take the time to master DNS settings
Amateurs use WINS where ever possible and avoid DNS
14) Domain Name System (DNS or DDNS)
In NT 4.0 DNS was a useful if peripheral skill, in Windows Server 2003 you cannot even install active directory without being an expert in DNS.
At its simplest, DNS is responsible for mapping IP addresses to machine names. For example, in the DNS database there could be a host record (Type = A) for a machine called London with an IP address of 192.168.0.230.
Note: to see the Cached Lookups container shown in the diagram, go to the View menu and choose Advanced.
To truly master DNS you must invest time in the terminology and learn to configure, Reverse Lookup, Zone, Active Directory Integration and other specialist DNS settings.
In Windows Server 2003, DNS can dynamically update its host records - hence the name DDNS. This overcomes a limitation of DNS in NT 4.0 and allows WINS to be phased out in pure Windows Server 2003 networks. The only real use of WINS is for organizations with distributed Exchange servers.
DNS and Active Directory
DNS holds SRV or Service records which enable desktop computers and servers to find domain controllers that are providing specific services. For example, Global Catalog and Kerberos are needed for logon authentication; DNS returns the IP address of a domain controller offering those services.
You can see the Active Directory SRV records in the above diagram, for example, look under nwtraders.msft and see _msdcs (Microsoft Domain Controllers).
Check out the new Monitoring tab; right click the DNS SERVER, Properties.
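To make the SRV mechanism concrete, here is an added example (not code from this document or from Microsoft) that models what a client does at logon: look up the SRV records for a service under _msdcs, order them by priority and weight as RFC 2782 prescribes, and resolve each target to an address. The zone contents, the DC names under nwtraders.msft and their addresses are constructed for the example; the record names _ldap._tcp.dc._msdcs, _kerberos._tcp.dc._msdcs and _gc._tcp are the real ones Active Directory registers.

```python
import random

# Constructed miniature of the nwtraders.msft zone shown on the page: SRV records
# under _msdcs for the services the page names, and the A records they point at.
# Each SRV entry is (priority, weight, port, target host).
ZONE = {
    "_ldap._tcp.dc._msdcs.nwtraders.msft": [
        (0, 100, 389, "dc1.nwtraders.msft"),
        (0, 100, 389, "dc2.nwtraders.msft"),
        (10, 100, 389, "dc3.nwtraders.msft"),   # higher priority value = fallback only
    ],
    "_kerberos._tcp.dc._msdcs.nwtraders.msft": [
        (0, 100, 88, "dc1.nwtraders.msft"),
        (0, 100, 88, "dc2.nwtraders.msft"),
    ],
    "_gc._tcp.nwtraders.msft": [
        (0, 100, 3268, "dc1.nwtraders.msft"),
    ],
    "dc1.nwtraders.msft": "192.168.0.10",
    "dc2.nwtraders.msft": "192.168.0.11",
    "dc3.nwtraders.msft": "192.168.0.12",
}

SERVICE_NAMES = {
    "ldap": "_ldap._tcp.dc._msdcs.{domain}",
    "kerberos": "_kerberos._tcp.dc._msdcs.{domain}",
    "gc": "_gc._tcp.{domain}",
}


def order_srv(records, rng):
    """RFC 2782 client ordering: lowest priority first; within a priority,
    a weighted random draw so load spreads across equally preferred DCs."""
    ordered = []
    for priority in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == priority]
        while bucket:
            total = sum(r[1] for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def locate_dc(service, domain, zone=ZONE, seed=None):
    """What a client does at logon: ask DNS for the service's SRV records,
    order them, then resolve each target to an address. Returns
    [(host, ip, port), ...] in the order the client should try them;
    an empty list means DNS has no record for that service, the usual
    cause of 'cannot find domain controller' errors."""
    name = SERVICE_NAMES[service].format(domain=domain)
    records = zone.get(name, [])
    rng = random.Random(seed)
    result = []
    for _priority, _weight, port, host in order_srv(records, rng):
        ip = zone.get(host)
        if ip is None:
            continue          # dangling SRV record: target has no A record
        result.append((host, ip, port))
    return result
```

The empty-list case is the one to remember when troubleshooting: if the _msdcs records are missing (a DC registered against the wrong DNS server, or dynamic updates disabled), clients cannot find Kerberos or the Global Catalog no matter how healthy the DC itself is.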
Bonus DNS litmus tests
Professionals configure DNS to use Active Directory Integrated Zones and thus reduce replication traffic.
Amateurs use Primary and Secondary Zones
By integrating AD and DNS you reduce network traffic because only new or changed records are updated. This is known as incremental zone transfer (IXFR). In NT 4.0, the whole database was sent over the network even if just one record changed.
How to change to AD zones? Right click the DNS Zone, Properties, General Tab.
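The difference between a full transfer and an incremental one is easiest to see by counting records on the wire. This is an added example, not code from this document or from Microsoft: a toy zone that keeps a change log keyed by serial number, serves an incremental transfer when the secondary's serial is within the history it holds, and falls back to a full transfer when it is not (for instance after a restore leaves the secondary with a serial the primary has never seen). The record names and addresses are constructed.

```python
class Zone:
    """Toy DNS zone with a change log keyed by serial number. The log is what
    lets a secondary ask 'what changed since serial N' instead of pulling
    everything, which is the idea behind IXFR."""

    def __init__(self, records):
        self.serial = 1
        self.records = dict(records)      # name -> rdata (one record per name, for brevity)
        self.history = []                 # (serial after change, name, old rdata, new rdata)

    def update(self, name, rdata):
        old = self.records.get(name)
        if old == rdata:
            return self.serial            # nothing changed, so the serial stays put
        self.serial += 1
        self.records[name] = rdata
        self.history.append((self.serial, name, old, rdata))
        return self.serial

    def axfr(self):
        """Full transfer: every record, as NT 4.0 did on any change."""
        return ("AXFR", self.serial, sorted(self.records.items()))

    def ixfr(self, client_serial):
        """Incremental transfer: only the changes after the client's serial.
        Falls back to a full transfer when the client is ahead of us (a stale
        serial after a restore) or we no longer hold history that far back."""
        if client_serial == self.serial:
            return ("UPTODATE", self.serial, [])
        oldest_known = self.history[0][0] - 1 if self.history else self.serial
        if client_serial > self.serial or client_serial < oldest_known:
            return self.axfr()
        deltas = [h for h in self.history if h[0] > client_serial]
        return ("IXFR", self.serial, deltas)


def transfer_cost(zone, client_serial):
    """Records on the wire under each strategy, for a side-by-side comparison."""
    kind, _serial, payload = zone.ixfr(client_serial)
    return {"ixfr": (kind, len(payload)), "axfr": len(zone.axfr()[2])}
```

With 500 host records and one change, the incremental reply carries a single entry where the full transfer would carry 501; the fallback path is what keeps a secondary with an out-of-range serial from being left permanently inconsistent.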
Challenge: Master NSLOOKUP
One of the most difficult, but most rewarding, utilities in the TCP/IP suite is NSLookup. Take the time to master it in interactive and non-interactive mode.
Summary: Pros are experts in DNS, they realise its essential role in Windows Server 2003
15) Networks
Guy's Litmus Test: Do you use client server networks?
Professionals run a client server network with Windows Server 2003 and XP client
Amateurs run a Peer to Peer network of XP and Windows 98
15) Networks
The decision to use a client server network or a peer to peer network is really a 'no brainer'. The benefits of central administration and single user logon far outweigh the cost of a server. I would stick my neck out and say that no company is too small to benefit from a server on their network.
One client spent ages grappling with problems of XP acting as a server with Windows 98 clients. Both are designed as clients and neither works well as a server.
How many servers do you need?
Having made the case for servers, it is interesting to see the server philosophy in large companies. I keep wondering whether having hundreds of servers is a badge of success or a mark of inefficiency. Each case must be taken on merit. A small server in a branch office can be much better than using a slow link to authenticate at corporate HQ. Even this decision is not straightforward as fast WAN links get cheaper.
On the other hand, tens of small servers in a large building can be efficiently replaced by one or two powerful servers.
Factors to consider
Network speed (LAN and WAN).
Server scalability, e.g. extra RAM, another disk rack.
Server characteristics, e.g. DC, GC, DNS and DHCP services sit well together, while email and databases are best having their own server.
Summary: Even small networks should have a proper server
16) Partitions
Guy's Litmus Test: How much FAT do you have!
Professionals format every partition with NTFS
Amateurs use FAT32 where ever possible
16) Partitions
The traditional reason to use NTFS was for file level security. However, the number one reason that I recommend NTFS on all partitions is, NTFS has 'write ahead' logs which protect the file system. This transaction logging is similar to the method that databases use to record events before they are committed to disk.
There are more technical benefits to formatting NTFS:
Faster recovery through checkpoint files
More efficient storage of smaller files
More efficient indexing
Faster file access, especially for large disks
NTFS is a pre-requisite for important Windows Server 2003 features:
Active Directory: NTDS.dit and its logs must all reside on NTFS
Disk Quotas
Mount Points - useful when your c:\ drive is full
EFS (Encrypted File System)
DFS (Distributed File System)
Neither FAT nor FAT32 can support any of the above features. The only indisputable advantage of FAT32 is that you can dual boot into Windows 98 - not much of an advantage for a server.
Command Console (CMDCONS)
For some (amateur) administrators the last stronghold of FAT was the c:\ drive. These Luddites insisted on formatting the c: drive as FAT or FAT32. Their justification is: 'so that we can copy files from floppy'. Guy says: 'Try the Command Console.' Get the Windows Server 2003 CD and install with winnt32 /cmdcons. With CMDCONS you can boot into a DOS-like shell and read and copy to NTFS partitions. You can also stop or start services that may be preventing a boot.
Note: Do not confuse Command Console with F8 Safe mode, they are two different start up strategies.
Summary: Pros use NTFS everywhere, and have no FAT whatsoever.
17) Printer Pools
Guy's Litmus Test: Do you have a pool of printers?
Professionals create a pool of printers with different priorities
Amateurs only create one printer
17) Printer Pools
The idea of Printer Pools is to have several printers or print queues leading to one physical print device. The advantage is that you can set different priorities for different users. For example: high priority for managers, low priority for secretaries (or would that be better the other way around!).
How to Setup Printer Pools
To create a Printer Pool: Start Menu, Settings, Printer folder, add printer. The trick is to create multiple printers, each with a different priority. To adjust the priority, go to the Advanced Tab and look for the Priority box. Finally give different permissions to the various printers.
Bonus : Check out Web based printers
Once Microsoft realised the power of the browser they made more and more interfaces browser compatible. Users can now use Internet Explorer to search for printers and install the appropriate driver. Show the users this path: http://server/PRINTERS.
Note: Whilst 'server' will vary depending on the name of your print server, PRINTERS should be typed as shown, as there will be a share called PRINTERS on each server.
Summary: Pros create a number of printers and give them different priorities
18) Remote Administration
Guy's Litmus Test: Can you remotely administer your server?
Professionals install Adminpak.msi on their Professional machines
Amateurs make that long walk to the noisy server room
18) Remote Administration - AdminPak
When I offer my advice to network managers, there comes a time when we actually have to check settings on the server. If we have to make a long walk to a noisy freezing server room, I start having doubts if I am working with professionals. On the other hand, if they are able to bring up an MMC console and we can configure the servers from the comfort of the normal office, then I am impressed.
To avoid those spooky flashing lights, to get away from that feeling that aliens have landed in this dungeon called a server room, install Adminpak.msi. It surprises some amateurs that you need the Server CD \i386 folder, and not the Professional CD, to install these snap-ins that allow you to configure the server from the comfort of your own chair.
Bonus method: Remote Administration - Terminal Services
Perhaps an even better method of configuring distant servers is to use Terminal Services in Remote Administration mode. In Windows 2000 you must first plan and install the Terminal Services on the servers that you wish to configure ahead of time. But do you need terminal services licenses? No, in remote administration mode two administrators can connect concurrently without the need to purchase licenses.
It is even easier to administer Windows Server 2003 because Terminal Services is installed by default. If there is a secret, it's to remember to enable Remote Desktop on the distant server.
With Terminal Services you can also configure RRAS and accept dial-in so that you can configure the server.
Summary: Pros install AdminPak and, or Terminal Services to administer their servers
19) Routing and Remote Access (RRAS)
Guy's Litmus Test: Have you tested RRAS?
Professionals investigate Routing and RAS
Amateurs do not realise that RAS is installed by default
19) Routing and Remote Access Services (RRAS)
The fact that Routing and Remote Access is installed by default is an indication of its improved reliability. While RRAS is installed on Windows Server 2003, you still need to activate it and decide whether to use it just for RAS or also as a static router. Once you have run the wizard once, you can right click the server object and configure the properties.
Group policies are everywhere in Windows Server 2003, and that includes RRAS. Use the power of Group Policy to control users' settings whenever they log on. One of the main benefits of switching the domain from mixed to native mode is that you can use group policies when users dial in.
My Goal - To get you started with RRAS policies
1. Go to Start \ Programs \ Administrative Tools \ Routing and Remote Access
2. Add Server (Local Computer)
3. Run the Wizard (start with the VPN option if you want to practice)
4. Look for REMOTE ACCESS POLICIES (Start \ Help if you are stuck)
N.B. The default RRAS Policy is to deny users access. This is a failsafe mechanism so that no-one can access the RAS server until the administrator has configured the server (or knows what they are doing!).
N.B. To get the most out of your RRAS Policy and Profiles, your domain needs to be in NATIVE mode.
Each Policy has a PROFILE tab this is where you configure how long users can connect to the server, which protocols they use and much more besides.
Bonus: The Routing side of RRAS
Windows Server servers can act as a software router. Naturally you need at least two network cards. Check out the Routing by going to RRAS \
This RRAS console has menus with sub menus so there are many features to evaluate e.g. OSPF, L2TP, NAT.
RAS and DHCP Relay Agent
The Relay Agent is now found inside the \IP Routing \General tab of RRAS, if you are going to set up RRAS you either need to configure a separate scope of IP addresses or else use a DHCP Relay Agent to point to the real DHCP server.
Summary: Pros have run the RRAS wizard - many times.
20) WINS
Guy's Litmus Test: Have you a plan to phase out WINS?
Professionals prefer DNS and avoid WINS where ever possible
Amateurs prefer WINS and do not understand DNS
20) Windows Internet Naming Service (WINS)
WINS is a Microsoft method for resolving names to IP addresses. As you have probably guessed I do not like WINS!
WINS is no longer needed in pure Windows Server 2003 and XP networks. This is because DNS can handle the name resolution and find all the resources XP and W2K Pro need. However, WINS still has two minor roles: enabling Windows 9x clients to find their logon servers, and enabling Exchange 2003 servers to see each other if they are on remote networks.
To be fair to WINS, it has always allowed dynamic updates, but with DDNS clients can now also automatically change their IP registrations in DNS.
Finding WINS entries
If you wish to find entries in WINS use * (Star)
If you must implement WINS, make sure that you integrate it with DNS and DHCP.
Summary: Pros plan to phase out WINS and use 100% DNS for name resolution.
Professionals understand Exchange 2003's dependence on WINS
Amateurs have no idea that Exchange 2003 still uses WINS in certain circumstances
Exchange 2003's Dependency on WINS
If you want to investigate the relationship between WINS and Exchange 2003 you have 3 choices:
1. Just install WINS and get on with life. Configure records for ALL the Exchange servers and Domain controllers.
2. Ignore WINS; everything IS working fine on MY small network.
3. The thinking man's approach: try to make sense of Exchange's dependency on WINS. If you go down this route, you may find that the waters get muddier before you see clear bottom.
Clarifying Exchange 2003's Dependency on WINS
I had been labouring under the delusion that Windows and Exchange 2003 servers no longer need WINS, it seems that I was wrong. However, what I now believe is that Exchange 2003 does not absolutely need WINS. What various Exchange 2003 processes absolutely need is, NetBIOS name resolution. On simple networks, like mine, Exchange 2003 can resolve NetBIOS names simply by just broadcasting. Now I expect that you are ahead of me on why big networks still need WINS, because broadcasts are limited to the local subnet.
Let us consider a quote: 'Microsoft tries to make sure all programs work without NetBIOS, but this may only apply to future products.' From the Microsoft source knowledgebase article: PSS ID Number: 837391.
The above article points out problems with these configurations:
Exchange Setup needs WINS. (Setup works fine on my simple network without WINS.)
ExMerge, the Mailbox Merge Wizard, requires WINS.
Changing the password from an OWA client needs WINS.
Outlook 2002 and earlier versions need WINS. Outlook 2003 and future versions will not need WINS. This typifies Microsoft's approach to NetBIOS.
Exchange System Manager loses some (unspecified) functionality.
Exchange 2003 needs WINS to contact Exchange 5.5. (Especially if there is any NT 4.0 around.)
There are consistent reports that clustering needs WINS, particularly for setup.
SMS 2003 needs NetBIOS, but SMS 2003 with SP1 no longer uses NetBIOS.
Messenger and Alerter services require WINS. However, they both work for me without WINS, provided I start the services and send messages to computers on the same subnet.
Solutions to Exchange's need for NetBIOS Name Resolution.
1. WINS (best).
2. LMHosts - troubleshooting.
3. Broadcast - local subnet only.
Associated programs - DNS, DHCP, Outlook and possibly SMS.
Exchange 2003's Dependency on WINS - Summary
Exchange 2003 still makes NetBIOS calls. So either configure resource records in WINS, or else rely on broadcasts to resolve the NetBIOS requests.
Footnote:
WINS will be phased out in Exchange 2007 and Longhorn.
21) Active Directory
Guy's Litmus Test: How do you deploy Windows Server 2003?
Professionals install the Active Directory feature of Windows 2003
Amateurs use Windows Server 2003 only as Member servers in an NT 4.0 Domain
21) Active Directory
While the uptake of Windows Server 2003 has been brisk, by no means all administrators are confident in installing the Active Directory feature. What amateurs do is merely install Windows Server 2003 as member servers for their database and mail servers. This is a shame because it is only when you install Windows Server 2003 domain controllers that you get the full benefit of active directory services.
Professionals are planners, Amateurs are assemblers
Amateurs would merely assemble the CDs and kick off the installation, then fumble along as best they could. Professionals, on the other hand, would analyse the following factors and then plan their Windows Server 2003 active directory.
1. Decide on your overall strategy.
a) Reformat the machines and build from scratch; I have heard this strategy called 'Wipe and Roll'.
b) Go for an 'In Place' upgrade to the new system.
c) Introduce the new Windows 2003 server into the existing Windows 2000 domain, then plan to raise the Domain and Forest levels to Windows Server 2003.
2. Understand DNS. Design a naming system which embraces DNS and Active Directory.
3. Plan how many domains you really need, and how they will be linked. Same tree or multiple trees?
4. Take advantage of Organizational Units and delegation to manage your users and computers.
5. Develop a vision of your desktops; create that lockdown through Group Policy.
6. Calculate the best distribution of physical sites. Consider upgrading network connections.
7. Understand the role of the Schema because it defines all the objects in Active Directory.
8. Upgrade the desktops first. The reasons for this tactic are practical rather than logical - users need the benefits of XP Professional quickly.
Summary: Pros plan the whole strategy before they implement Active Directory.
22) FSMO (Flexible Single Master Operations)
Guy's Litmus Test: Can you find the FSMO roles?
Professionals can find and control the Flexible Single Master Operations
Amateurs think FSMO is a fizzy drink!
22) Introduction to FSMO
For most operations Windows Server 2003 uses the multiple master model. For example if you have three domain controllers, you can physically create a new user in the NTDS.dit database on any of the three. 30 seconds later, the new user object will be replicated to the other domain controllers in the same site.
Unlike NT 4.0, there are no primary and backup domain controllers in Windows Server 2003. However, a few operations are so critical that only one domain controller may carry them out. These operations are called Flexible Single Master Operations (FSMO); creating a new child domain would be one example of a single master operation.
I have to confess a hidden agenda with FSMO. If I want to instantly know how well someone knows active directory, I introduce FSMO into the conversation and watch their reaction. Professionals will know what FSMO means and its significance, amateurs just frown.
The five FSMO roles are
1. PDC Emulator - For NT 4.0 BDCs, but also for synchronizing time and creating group policies.
2. RID Master - Each object must have a globally unique number. The RID master makes sure each domain controller issues unique numbers when you create objects such as users.
3. Infrastructure Master - Responsible for checking Universal group membership in multiple domain forests.
4. Domain Naming Master - Ensures that each child domain has a unique name.
5. Schema Master - Operations that involve expanding user properties, e.g. Exchange 2000 adds the mailbox property to users.
Three of the FSMO roles (1-3) are held in each domain, whilst two (4-5) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.
To see the Domain Naming Master (4), check out Active Directory Domains and Trusts.
The Schema Master (5) is the most difficult to find; first you need to register the Schema snap-in with this command: regsvr32 schmmgmt.dll; then check Administrative Tools, Active Directory Schema, Properties.
Here is how you can see and configure the FSMO roles:
Troubleshooting FSMO
DCDiag - Not only does DCDiag have a routine to check the FSMOs, but it also provides information on Active Directory replication. As ever with troubleshooting, you want to get to the root cause, not merely treat one of the symptoms.
NetDOM - It's a close call whether to run NetDOM before or after DCDiag; the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support Tools.
From the command line type netdom query fsmo. You should see a list of the 5 roles with the corresponding Domain Controller.
With FSMO problems, check that the underlying problem is not related to DNS.
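The output of netdom query fsmo is short enough to check by hand, but the checks are worth writing down. The following is an added example, not code from this document or from Microsoft: it parses a constructed sample of that output, groups the holders by domain and forest scope as the section above describes, and flags a role whose holder is not answering, which is the situation in which transferring (or, as a last resort, seizing) the role becomes necessary. The exact wording of the five labels in the sample is my expectation of the Windows Server 2003 netdom output and is an assumption; the DC names under nwtraders.msft are constructed.

```python
# Constructed sample of "netdom query fsmo" output. The five role labels are what
# I expect the Windows Server 2003 netdom to print; treat them as an assumption
# and adjust ROLE_LABELS if your copy words them differently.
SAMPLE_OUTPUT = """\
Schema owner                dc1.nwtraders.msft

Domain role owner           dc1.nwtraders.msft

PDC role                    dc1.nwtraders.msft

RID pool manager            dc2.nwtraders.msft

Infrastructure owner        dc2.nwtraders.msft

The command completed successfully.
"""

# netdom label -> (role name as used on the page, scope)
ROLE_LABELS = {
    "Schema owner": ("Schema Master", "forest"),
    "Domain role owner": ("Domain Naming Master", "forest"),
    "PDC role": ("PDC Emulator", "domain"),
    "RID pool manager": ("RID Master", "domain"),
    "Infrastructure owner": ("Infrastructure Master", "domain"),
}


def parse_fsmo(text):
    """Map each FSMO role to the DC that holds it."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        for label, (role, scope) in ROLE_LABELS.items():
            if line.startswith(label):
                holder = line[len(label):].strip().lower()
                roles[role] = {"holder": holder, "scope": scope}
    return roles


def holders_by_scope(roles):
    """Forest-wide roles exist once per forest, domain roles once per domain."""
    out = {"forest": set(), "domain": set()}
    for info in roles.values():
        out[info["scope"]].add(info["holder"])
    return out


def check_fsmo(roles, responding_dcs):
    """Health checks to run after 'netdom query fsmo': every role must be
    reported, and its holder must be a DC that is actually answering.
    A role held by a dead DC is the case for seizing with NTDSUTIL."""
    problems = []
    responding = {dc.lower() for dc in responding_dcs}
    for _label, (role, _scope) in ROLE_LABELS.items():
        if role not in roles:
            problems.append("%s not reported; check DNS and DC connectivity" % role)
            continue
        holder = roles[role]["holder"]
        if holder not in responding:
            problems.append("%s is held by %s, which is not responding; transfer it, "
                            "or seize it with NTDSUTIL only if that DC is gone for good"
                            % (role, holder))
    return problems
```

The responding_dcs set would in practice come from whatever reachability test you trust (DCDiag, as the section suggests); the point of keeping the check separate from the parse is that a role reported against an unreachable holder is a different fault from a role not reported at all, which usually traces back to DNS.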
Seizing a FSMO Role
If you need to switch the Operations Master then you have two choices: either click on the Change button in the diagram below, or seize the role using NTDSUTIL. This latter method is difficult, but you should practise it because it will be the only method available if your server crashes or is stolen.
Summary: Pros understand FSMO and can change the roles when needed
23) Group Policy and GPMC
Guy's Litmus Test: How do you apply Group Policies?
Professionals use Group Policies to configure the desktop
Amateurs use mandatory profiles to control the users
23) Group Policy
In Windows Server 2003, understanding Group Policy is second in importance only to understanding Active Directory. The key thinking behind Group Policies is 'prevention is better than cure'. Restrict users’ settings and so prevent them from causing problems. Group Policies are like putting blinkers on the users. Policies make people concentrate on their job tasks, while stopping them from being distracted by all the extra settings that have no business case. As a result of a good group policy the users are more productive and you get less support calls to the help desk.
Professionals master Group Policies. Amateurs either ignore them or get into a mess because they do not appreciate the intricacies of setting a good policy.
Group Policies are fun. With Group Policies not only can you be Mr Nasty (screwing down the desktop), but you can also be Mr Nice. Mr Nice provides just the programs users need, but no extras. So when an accountant logs on they get MS Office XP and accountant software. When ordinary users log on they get only the Office suite. What is more, if the program breaks then the intellimirror software automatically restores the original settings.
Having established the need, the next problem with setting up System Policy is - time. You need a week experimenting with a group of test machines before you think of rolling out to the production network.
Policies can be applied at the Domain, OU and Site level. My advice is to set your security at the domain level, but control the desktop at the OUs. Avoid setting policies at the Site level, it is not necessary and only adds an extra layer of complexity.
Tips to make you a Group Policy expert
When you experiment with Group Policies, create and use a special test user account.
Create a special OU (Organisational Unit) for testing Group Policies.
Take the time to investigate all the Group Policy settings.
Consider mastering the Group Policy templates to apply your settings at the Domain level.
Use 'No Override' and 'Block Inheritance' to isolate a problem.
Create a 'VISION' of the perfect desktop.
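The advice above (security at the domain level, desktop control at the OUs, and 'No Override' and 'Block Inheritance' as isolation tools) comes down to the order in which Windows applies linked policies. This is an added example, not code from this document or from Microsoft: it models a chain of containers from site to OU, applies the rules that a later policy wins conflicts, that Block Inheritance on a container discards the non-enforced links above it, and that No Override (Enforced) links are applied last with the highest container winning, then computes the resultant settings. The container names, GPO names and setting values are constructed; the link-order convention (links listed in the order they are applied) is my simplification.

```python
# Constructed example: a chain of containers from the site down to the user's OU.
# Each container lists its linked GPOs in the order they are applied (so the link
# with the highest precedence comes last), a per-link 'No Override' (Enforced) flag,
# and whether the container has 'Block Inheritance' set.
CHAIN = [
    {"name": "Site: London", "block": False,
     "links": [("Site Proxy Settings", False)]},
    {"name": "Domain: nwtraders.msft", "block": False,
     "links": [("Default Domain Policy", False), ("Domain Security Baseline", True)]},
    {"name": "OU: Accounts", "block": False,
     "links": [("Accounts Desktop Lockdown", False)]},
    {"name": "OU: Accounts/Test", "block": True,
     "links": [("Test Relaxed Settings", False)]},
]

# Constructed settings each GPO carries (setting name -> value).
GPO_SETTINGS = {
    "Site Proxy Settings": {"ProxyServer": "proxy.nwtraders.msft:8080"},
    "Default Domain Policy": {"MinPasswordLength": 6, "ScreenSaverTimeout": 900},
    "Domain Security Baseline": {"MinPasswordLength": 8, "AuditLogon": True},
    "Accounts Desktop Lockdown": {"RemoveRunMenu": True, "ScreenSaverTimeout": 600},
    "Test Relaxed Settings": {"MinPasswordLength": 4, "RemoveRunMenu": False},
}


def application_order(chain):
    """GPO names in the order Windows applies them; a later GPO wins conflicts.
    Site, domain and OU links are applied top-down, except that 'Block
    Inheritance' on a container discards every non-enforced link above it,
    and 'No Override' links are applied after everything else, with the
    highest container's enforced link applied last so that it wins."""
    normal, enforced = [], []
    for container in chain:
        if container["block"]:
            normal = []                      # inherited, non-enforced links are dropped
        for gpo, is_enforced in container["links"]:
            (enforced if is_enforced else normal).append(gpo)
    # enforced links were collected top-down; reverse so the topmost is applied last
    return normal + enforced[::-1]


def resultant_settings(chain, gpo_settings):
    """Resultant Set of Policy for the last container in the chain."""
    result = {}
    for gpo in application_order(chain):
        result.update(gpo_settings[gpo])
    return result


if __name__ == "__main__":
    print(application_order(CHAIN))
    print(resultant_settings(CHAIN, GPO_SETTINGS))
```

Run against the full chain, the test OU's Block Inheritance throws away the site proxy setting and the Accounts lockdown, yet the enforced Domain Security Baseline still lands last and keeps the 8-character password minimum; that is exactly why the section recommends enforcing security at the domain level and leaving desktop control to the OUs.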
Bonus Litmus Test - GPMC
Professionals Download GPMC (Group Policy Management Console) from Microsoft's site.
Amateurs try and find GPMC on the support disk then give up.
Once the pros install GPMC they use the interface for planning, reporting and modelling their policies. In addition, professionals refresh their Group Policies with gpupdate; amateurs persevere with secedit.
Summary: Pros use GPMC to configure Group Policy settings and thus control the desktop
24) Installing Windows Server 2003 or W2K3
Guy's Litmus Test: How big is your C:\ drive?
Professionals install Windows Server 2003 on a 20GB partition
Amateurs stick with a small 2GB system partition
24) Installing Windows Server 2003
Make sure you have a big enough partition
This test fulfils all the requirements of a good litmus test; the test can be easily measured and the answer is likely to be conclusive. A small installation partition indicates: trouble, lack of planning and an amateur at work.
The problem is compounded because, whilst other NTFS partitions can be extended, the partition containing \Windows cannot easily be increased. So plan for at least 5GB for the \Windows partition. If you choose a miserly 2GB you will soon find it inadequate.
If you get stuck do not despair; investigate Mount Points as a method of increasing the partition. (Try Windows Server 2003 Help)
More Installation Advice
Before you build a server you need a plan; think like a general planning a military campaign. A list, as in a shopping list, is not good enough for installing Windows Server 2003.
Refer to the HCL
Avoid Pacific time (in the UK!)
Learn about RIS
Litmus test: Professionals always refer to the HCL
Step 0 (zero): before you order ANY equipment for Windows Server 2003 or W2K3, check Microsoft's HCL (hardware compatibility list). One of the reasons for studying history is to learn from others' mistakes. Those of us who remember the early days of NT 4.0 learned that only kit that is on the HCL worked properly. Those who do not heed the lessons of history are destined to repeat the mistakes.
I also use the HCL as a litmus test when dealing with suppliers in general and salesmen in particular. Basically, if they do not know what the HCL is, they are amateurs.
If you are doubtful of your kit's ability to run Windows Server 2003, try winnt32 /checkupgradeonly or get a program called Chkupgrd.exe from Microsoft's site.
Litmus test: UK Amateurs, have Pacific time (in the UK!)
If you are in the UK, I assume you change the default keyboard from US to UK. Also beware of the -8:00 Pacific time zone. Windows Server 2003 domain controllers (DCs) run very slowly if their times are more than 5 minutes out of sync.
I was called out to a case where one DC was on Pacific time and the other on GMT. Now Windows can handle that if the clocks really are exactly 8 hours apart, but in this case the clocks displayed the same time, thus masking an 8-hour difference. As a result, Active Directory would not synchronise. The solution was to change the Pacific Time zone to GMT and correct the clock by 8 hours.
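The Pacific-time case above, as an added example that is not from the original page: it converts each DC's displayed wall-clock time to UTC using the zone the DC is configured for and measures the real skew, showing how two clocks that display the same time can still be eight hours apart and well outside the 5-minute tolerance the text mentions. The DC names, timestamps and zone table are constructed; the zones are fixed offsets with DST ignored for simplicity.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone table: fixed UTC offsets, DST ignored for the illustration.
ZONES = {
    "GMT Standard Time": timezone(timedelta(hours=0)),
    "Pacific Standard Time": timezone(timedelta(hours=-8)),
}

# The 5-minute tolerance the text refers to (Kerberos default clock skew).
MAX_SKEW = timedelta(minutes=5)


def to_utc(displayed: str, zone: str) -> datetime:
    """Interpret the wall-clock time a DC displays in its configured zone and return UTC."""
    naive = datetime.strptime(displayed, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)


def displayed_clocks_agree(dcs) -> bool:
    """True when every DC shows the same wall-clock time: the misleading symptom in the text."""
    return len({displayed for _, displayed, _ in dcs}) == 1


def skew_report(dcs):
    """dcs: list of (dc_name, displayed_local_time, zone_name).

    Returns (worst_skew_seconds, [(dc_a, dc_b, skew_seconds), ...]) listing every
    pair whose real (UTC) difference exceeds MAX_SKEW.
    """
    utc = {name: to_utc(displayed, zone) for name, displayed, zone in dcs}
    names = list(utc)
    worst = timedelta(0)
    over_limit = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            diff = abs(utc[a] - utc[b])
            worst = max(worst, diff)
            if diff > MAX_SKEW:
                over_limit.append((a, b, int(diff.total_seconds())))
    return int(worst.total_seconds()), over_limit


# Constructed scenario: both DCs display 09:00, but DC2 is on Pacific time.
BEFORE_FIX = [
    ("DC1", "2006-05-10 09:00:00", "GMT Standard Time"),
    ("DC2", "2006-05-10 09:00:00", "Pacific Standard Time"),
]

# The repair: set DC2's zone to GMT so that its displayed 09:00 really is 09:00 UTC.
AFTER_FIX = [(name, displayed, "GMT Standard Time") for name, displayed, _ in BEFORE_FIX]

if __name__ == "__main__":
    print("clocks look identical:", displayed_clocks_agree(BEFORE_FIX))
    print("real skew before fix:", skew_report(BEFORE_FIX))
    print("real skew after fix:", skew_report(AFTER_FIX))
```

The lesson the script makes concrete is to compare clocks in UTC, never by the time shown on the screen: the symptom the author hit was that the screens agreed while the directory did not.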
Install Remote Installation Service RIS
Litmus test: Professionals know what RIS is about
If you are convinced of the benefits of DHCP, and remember how long it took to gain acceptance, then I hope that you will give RIS a chance.
Imaging software like Ghost is very good for installing workstations. However, RIS has a compelling extra feature: IntelliMirror. In a nutshell, if users delete or move an operating system file, Windows Server 2003's built-in IntelliSense automatically repairs the machine. RIS, IntelliMirror and IntelliSense work together to detect the missing file and copy it automatically from the RIS image. The result is less downtime and reduced support costs.
Summary: Pros always plan and test a server installation
25) Logon Scripts
Guy's Litmus Test: Where do you configure Logon Scripts?
Professionals apply Logon Scripts through Group Policies
Amateurs set Logon Scripts individually on users' property sheets
5) Professionals apply logon scripts via Group Policies
The benefit of assigning logon scripts via Group Policies is that you can change the logon script in a central location. In Windows 2000 you could no longer use the control key to select multiple users and change their property sheets together. (This limitation is overcome in Windows Server 2003.)
The technique I recommend is: go to Active Directory Users and Computers; now select the path (Domain) \ Properties \ Group Policy; from there, Default Group Policy \ Edit \ Computer (or User) Configuration \ Windows Settings.
As a bonus you can also apply logoff scripts to help users tidy up when they log off their machines. If you apply logon scripts via Group Policies, then you can also write scripts which apply to the computer no matter who logs on.
Homily
At first, the motor car was called a horseless carriage. The driver was on the outside because he had been there since the stage coach days. One day someone said 'Why don't we put the driver inside with the passengers?' So it is with Windows Server 2003: there are many new and better ways of doing old tasks. So move the logon scripts inside the Group Policies, and abandon the old DOS commands in favour of Visual Basic scripts.
Group Policies v Logon Script Strategy
In my opinion logon scripts are gradually being replaced by policies. For example, mapping home drives via a logon script can now be replaced by a policy which redirects 'My Documents' to a server. However, it is often the case that there is more than one way to achieve the desktop you want. If a logon script gets it done then fine, but if not, then do consider a policy. Group policies are here to stay: Windows Server 2003 has about 400 and XP has an extra 200 policies. Many large companies write their own policies; once you remember that policies control either the user (HKCU) or the machine (HKLM) part of the registry, you can see that virtually any registry setting can be written into a policy.
There will always be a place for scripting, and compared with NT 4.0, Windows Server 2003 has transformed scripting. All you need to get started is Notepad because the latest generation of Windows operating systems has a scripting host built-in. The result is your logon scripts will execute automatically, just save the script with a .VBS extension.
Example Script - MapNetworkDrive with extra VBScript code
Our objective remains to map a drive, but this time to J:. My share name and server are the same as in example 1, '\home' and '\\alan'.
Pre-requisites.
1. On line 10 change the server name from '\\alan' to your server name.
2. Make sure that your server has a share called '\home'.
Instructions to MapNetworkDrive
1. Copy and paste the script below into Notepad.
2. Check strRemotePath: your server is unlikely to be called '\\alan', so amend it to the name of your server.
3. Save the file with a .vbs extension, e.g. MapNetworkDrive.vbs.
4. Double click your script and check in Windows Explorer for a new drive called: home on 'alan' (J:)
' MapNetworkDrive.vbs
' VBScript to map a network drive to a UNC Path.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.4 - May 2006
' ------------------------------------------------------'
Option Explicit
Dim objNetwork
Dim strDriveLetter, strRemotePath
strDriveLetter = "J:"
strRemotePath = "\\alan\home"

' Purpose of script to create a network object. (objNetwork)
' Then to apply the MapNetworkDrive method. Result J: drive
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit

' End of Example VBScript.
Learning Points
Note 1: At the top of the script is a heading section. The idea of the header is to explain what this VBScript will achieve. Some script writers feel that the Dim statements, which declare variables, are also part of the header section.
Note 2: Option Explicit is a VBScript command which forces me to declare variables. Not only is this 'best practice', but in my case, it alerts me to typos later in the script.
Note 3: See how this script declares the variables strDriveLetter and strRemotePath, then reuses them later in the script. If you stick with me, you will see that I love variables. In this example, MapNetworkDrive employs just two arguments, drive letter and UNC path.
Note 4: Once we declare strDriveLetter, then we can assign it a value, in this case "J:". One perennial problem I have with scripting is paying attention to detail, especially the syntax. Even with a simple letter - J, we must be careful. For the script to succeed we need precisely "J:". Neither "J:\", nor "J\:" will work.
Getting Started
Once your script works, copy MapNetworkDrive.vbs to the clipboard, then go to this path: Active Directory Users and Computers, select (Domain), Properties, Group Policy; from there, Default Group Policy, Edit, Computer (or User) Configuration, Windows Settings, Scripts, then paste your script from the clipboard.
Summary: Pros apply logon scripts through group policies
26) Raise Domain Levels (Mixed v Native Mode)
Guy's Litmus Test: When will you Raise your Domain Level?
Professionals set a date to Raise their Domain Level
Amateurs think Mixed mode means Windows 98 clients
26) Raise Domain and Forest Levels (Mixed v Native Mode)
Windows Server 2003 domain mode
Domain Function Levels - (Mixed and Native)
There are now four domain 'levels' that a Windows Server 2003 domain can operate in. Whilst it is easy to understand what each level means, it takes time to learn how Microsoft's terminology has changed from Windows 2000. Formerly we only had Mixed and Native modes; now there are four possible settings, and the jargon is 'Raise Level'.
1. Windows Server 2003. All Server 2003, no other domain controllers. However, even at this level, the whole range of clients and member servers can still join the domain.
2. Windows Server 2003 Interim. NT 4.0 servers and Windows Server 2003 (no Windows 2000). This level arises when you upgrade an NT 4.0 PDC to Server 2003. Interim mode is important where you have NT 4.0 groups with more than 5000 members; Windows 2000 does not allow you to create groups with more than 5000 users.
3. Windows 2000 Native. (Yes, Windows 2000 native) allows Windows 2000 and 2003 servers (no NT 4.0).
4. Windows 2000 Mixed. (Yes, Windows 2000 mixed) allows NT 4.0 BDCs and Windows 2000. Naturally Windows 2000 mixed is the default functional level because it supports all types of domain controllers.
When you decommission the last NT 4 BDC, raise the domain level at least to Windows 2000 Native mode, this will give you access to:
Universal groups
Nesting Global groups
Logon with User Principal Name (UPN), e.g. [email protected]
RAS Policies - control dial-in users through policies
USMT (User Settings Migration Tool)
N.B. If you switch to native mode you can NOT reverse it; there is no path back to mixed mode. How do you make the switch? Answer: a job for Active Directory Users and Computers, Properties.
Amateurs think that mixed mode refers to the clients not to the legacy servers. They think that you must stay in mixed mode until you upgrade all the Windows 9x clients. They are wrong!
Note: In addition to Raise Domain level, there is also the concept of Raise Forest level, however that is not covered here.
Summary: Pros plan to Raise Level to Windows 2003 Native Mode.
27) Organizational Units and Delegation
Guy's Litmus Test: Do your OUs reflect your company structure?
Professionals plan an Active Directory Domain with lots of Organizational Units
Amateurs create all new objects in the Users folder
27) Organizational Units (OUs)
Windows Server 2003 supports Organizational Units, which allow you to classify users by department or site. In addition to good housekeeping, there are two advantages of this arrangement: you can delegate within units, and you can create different Group Policies for each OU.
If you do not create OUs, all your users will be born in the default container, and so you lose a valuable chance to categorize people by department or site.
Delegation and OUs
Delegation is an item that has been high on administrators' wish lists for many years. The problem in NT 4.0 was that if you wanted help desk staff to be able to change users' passwords, then you had to make them members of the Account Operators group. There was no half-way house: they either had full rights over the users or none at all.
With Windows Server 2003 you can achieve fine control through delegation. For example, help desk staff can reset passwords in the Sales OU. Human Resources can be delegated to create new users in the Manufacturing OU. Neither group would be allowed to view the audit logs or reset the administrator's password.
To configure, go to Active Directory Users and Computers \
Summary: Pros plan an OU hierarchy bearing in mind delegation and policies
28) Printer Location
Guy's Litmus Test: Can you configure Printer Locations for your Active Directory domain?
Professionals: Have both the vision of what Printer Locations can achieve and the technical expertise to configure the necessary settings.
Amateurs: Either cannot see the advantages of Printer Locations, or else cannot find the four different places you need to visit before the job is complete.
Printer Location
Everyone I have shown this Printer Location plan to has expressed a satisfied glow when they completed the tasks and saw the printers pre-populated in the Add Printer wizard. Therefore I lay down a gauntlet and challenge you to master Printer Locations; I guarantee this is a mission that you will enjoy accomplishing.
Printer Location Vision
Before we start, here is the most fantastic vision that I can think of for Printer Locations. Imagine that you are sitting in your office and you urgently need to send a hard copy of a document to a manager in one of your faraway offices in Australia, Paris or Toronto. You know from bitter experience that if you send an email, the attachment will be gobbled by an overzealous filter; even if the document gets through, the technophobe at the other end won't open it. Yet you want them to attend to your document urgently. The good news is that you know, because they complained to you about it, that they have a LaserJet 2420 printer right by their desk.
What if you could open the Printers and Faxes folder, select New Printer, Network, Find, Location and then select Australia, Paris or wherever the manager operates? Lo and behold, there is their LaserJet 2420; you click OK. Once the printer object arrives in your folder you can print the urgent document from your workstation and direct the output to that distant LaserJet. In a minute or two it will churn out the printed page in the tray of that faraway office. Now this is not pure fantasy; with a little expertise, the above scenario could become reality.
A more mundane reason for configuring printer locations is pampering reps or other mobile workers who need to print documents in whichever of your offices they find themselves. For these users, when they select New Printer, Network, the Location box is already pre-populated with printers on their subnet. Clever.
Printer Location Configuration
These are the four stages in configuring Printer Locations in your Active Directory domain.
1. Subnet Location - Fiendishly difficult to understand, find and configure.
2. Printer Properties - Easy place to find, some use on its own account.
3. Group Policy - Tricky, unless you are a minor expert on Group Policies. Bonus: you investigate other interesting Printer Policies.
4. Add Printer Wizard - Client side
1) Subnet Location
To find this tricky setting, open Active Directory Sites and Services, not (repeat, not) ADUC. Next drill down to Sites and then Subnets. If no suitable subnets appear in the leaf object, then create a new subnet by right-clicking on the yellow Subnets folder.
Once you have a Subnet object with an IP address and CIDR notation for the subnet mask, you are ready to create the location. Right-click the IP address (192.168.0.0/24 in my example), select Properties and seek the Location tab. Type a suitable name in the dialog box. In truth, any sensible name will suffice; I chose MD_Office.
2) Printer Properties
Let us assume, for testing, that you have a printer shared on a local server: HPLaserJet2420 in my example. Open the properties of that printer.
It is easy to find the Location dialog box (General tab); however, the knack is to browse and assign a location from Active Directory (Entire Directory). Browsing has two advantages: apart from avoiding typos, it confirms that the Subnet location has been created successfully. If you remember, in my example this value is MD_Office.
3) Group Policy
Here is another tricky path, yet with attention to detail, you will soon find the correct Group Policy. Pre-Populate printer search location text. To be sure of success, I would start by editing the Default Domain Policy. Once you have opened the policy, the crucial choice is Computer Configuration. Now expand Administrative Templates and you will see the Printers folder. Eureka! There is Pre-Populate printer search location text, make sure you remember to enable the policy.
4) Add Printer Wizard (Train the users who need Printer Locations)
We are now all set to put my plan into action. If possible choose a different machine from the one where the printer is shared. Open the Printers and Fax folder. Select Add Printer, Network, Find a printer in the directory, here is the magic moment, the Location dialog box should be pre-populated with your printer.
The killer feature, or missing link, for Printer Locations is intelligent users. If your users are not computer savvy, train them with a one-page sheet explaining how to find the printer once you have played your part by configuring Active Directory and the print servers.
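The four stages above fit together as a lookup chain: the client's IP address identifies a Subnet object, the subnet's Location tab supplies the text the policy pre-populates, and the Find Printers search matches that text against each printer's Location field. Here is that chain as an added Python example (not code from the page or from Microsoft). The 192.168.0.0/24 -> MD_Office subnet and the HPLaserJet2420 printer are the page's own examples; the other subnets, locations and printers are constructed, and the assumption that the directory search matches on the leading part of a hierarchical location string such as Paris/Floor2 is mine.

```python
import ipaddress

# Constructed Subnet objects (Active Directory Sites and Services > Subnets) with the
# text typed into each subnet's Location tab.  192.168.0.0/24 -> MD_Office is the
# page's own example; the Paris entries are invented to show a hierarchy.
SUBNET_LOCATIONS = {
    "192.168.0.0/24": "MD_Office",
    "10.1.0.0/16": "Paris",
    "10.1.20.0/24": "Paris/Floor2",
}

# Constructed print queues with the Location field set in Printer Properties.
PRINTERS = [
    ("HPLaserJet2420", "MD_Office"),
    ("ParisLobbyMono", "Paris/Lobby"),
    ("ParisFloor2Colour", "Paris/Floor2"),
    ("TorontoLaser", "Toronto"),
]


def build_subnet_table(mapping):
    """Parse the CIDR strings once so lookups can compare prefix lengths."""
    return [(ipaddress.ip_network(cidr), location) for cidr, location in mapping.items()]


TABLE = build_subnet_table(SUBNET_LOCATIONS)


def location_for(client_ip, table):
    """Longest-prefix match: the most specific subnet containing the client wins.

    This is the text the 'Pre-populate printer search location text' policy puts
    into the client's Location box.  None means no Subnet object covers the
    client, which is the symptom of stage 1 having been skipped.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, location in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else None


def printers_near(client_ip, printers, table):
    """Printers whose Location equals, or sits beneath, the client's location text.

    Assumption: the directory search matches on the leading part of the location,
    so a client located at 'Paris' also finds 'Paris/Lobby' and 'Paris/Floor2'.
    """
    location = location_for(client_ip, table)
    if location is None:
        return []
    return [name for name, ploc in printers
            if ploc == location or ploc.startswith(location + "/")]


if __name__ == "__main__":
    for ip in ("192.168.0.77", "10.1.20.5", "10.1.3.9", "172.16.0.1"):
        print(ip, "->", location_for(ip, TABLE), printers_near(ip, PRINTERS, TABLE))
```

The None result for 172.16.0.1 is the case worth checking first when a user reports an empty Location box: it means no Subnet object in Sites and Services covers their address, and neither the printer properties nor the policy can compensate for that.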
Summary of Printer Locations
Spend half an hour setting up printer locations, not only will it be one of the most satisfying printer tasks, but also it will benefit your roaming users. Your mission is to enable users to find printers near them, the key field is Printer Location.
Summary: Pros set up printers so that users always find a 'printer near them'.
29) Site Links
Guy's Litmus Test: Do you deploy Site Link Bridges?
Professionals have a completely routed network and no Bridges
Amateurs think Site Link Bridges are better than Site Links
29) Site Links v Site Link Bridges
In a nutshell, professionals avoid Site Link Bridges by having all sites connected to all other sites through permanent connections.
Background
Undoubtedly, the logical side of Active Directory will occupy most of your configuration time, however, remember there is a physical side to Active Directory and most of the configuration is under the Sites snap-in.
The default situation is that all Domain Controllers will be in the Default-First-Site-Name. A good reason to create a second and third Site is to schedule replication traffic. Over the LAN the default is a matter of seconds and can only be altered by editing the replication settings in the registry. In contrast, WAN (inter-site) replication defaults to 3 hours and is easily adjusted.
The Site Link Configuration Test
With a fully routed WAN network, professionals realize that all you need is Site Links. Amateurs go into 'over think' and configure Site Link Bridges; after all Site Link Bridges sound more advanced and superior. The truth is that Site Link Bridges are only needed if your networks are not completely routed.
With a completely routed network, just make a Site Link as shown in the diagram below:
Summary: Pros use routed networks with Site Links
30) Universal Groups
Guy's Litmus Test: What's in your Universal Groups?
Professionals only have Global groups as members of Universal Groups
Amateurs keep adding individual users to Universal Groups
30) Universal Groups
This is a Litmus Test for large organizations, because it is only multinationals that need more than one domain. My point: Universal Groups only come into play if you have several domains. To digress, the only good reasons to have multiple domains are:
1. Need for distinct security boundaries.
2. Desire to reduce domain controller replication traffic.
The secret of using Universal Groups in Windows Server 2003 is to only include members who will rarely change. Best would be to use only global groups; worst would be constantly adding individuals. The trap is to continually change the Universal group membership and so cause excessive replication traffic between Global Catalog servers. (This aberration, where the whole group is replicated if you add one user, is corrected in Windows Server 2003.)
Question: What does it mean if you tried to create a Universal Group, and the radio button was 'greyed out'? Answer: See test 6)
Domain Local Groups (These used to be called plain Local groups).
Think of domain local groups as great hosts, literally anyone can be a member, users, Global groups, Universal groups, even computers can join a domain local group. Local groups are bad travellers and only operate in their own domain.
Best practice is to use local groups to assign permissions to resources like databases and printers.
Global Groups
These are great travellers, they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain.
Best practice is to make global group your default group, and for starters, make a group to represent each of your departments.
Universal Groups
Another question for you: why is the radio button next to 'Universal' greyed out when you create a group? The answer is that when the domain is in mixed mode you cannot create universal groups (NT 4.0 BDCs would not understand them). You need to raise the domain level to Windows 2000 native before you benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers.
Best practice is to make it a rule to only include global groups inside Universal groups, no individual users.
Global Catalog Implications
As you would expect, domain local and global groups are listed in the global catalog, however the individual members are not listed. So changes in global group membership have zero impact on global catalog replication traffic.
Universal groups on the other hand, not only are listed in the global catalog but also the individual users or nested groups are also listed. Now you can see that adding users to a universal group will generate replication traffic. That is why Guy says only put global groups inside universal groups, the individual members inside the global groups are not replicated.
In Windows 2000 one change of membership to a universal group causes the whole membership list to be replicated; thankfully that changed in Server 2003, where only incremental changes are replicated, not the whole list.
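The scope rules spelled out in the Domain Local, Global and Universal sections above, and the global catalog point made here, as an added Python example (not code from the page): it models which memberships each scope accepts, lists what the global catalog carries for each group, and flags the amateur pattern of users placed straight into a universal group. The domains, users and group names are constructed; the scope rules are those the text describes for a Windows 2000 native or Windows Server 2003 domain.

```python
from dataclasses import dataclass, field

KINDS = ("user", "computer", "global", "domain_local", "universal")


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                      # one of KINDS
    members: list = field(default_factory=list)

    def add(self, member):
        self.members.append(member)
        return self


def membership_allowed(group, member):
    """Scope rules for a Windows 2000 native / Windows Server 2003 domain."""
    if group.kind == "domain_local":
        # Great hosts: anything from any domain, except domain local groups from another domain.
        return member.kind != "domain_local" or member.domain == group.domain
    if group.kind == "global":
        # Poor hosts: only users, computers and global groups from the group's own domain.
        return member.domain == group.domain and member.kind in ("user", "computer", "global")
    if group.kind == "universal":
        # Good hosts: users, computers, global and universal groups from any domain.
        return member.kind in ("user", "computer", "global", "universal")
    raise ValueError(f"{group.name} is not a group")


def invalid_memberships(groups):
    """(group, member) pairs the directory would refuse, e.g. a foreign user in a global group."""
    return [(g.name, m.name) for g in groups for m in g.members if not membership_allowed(g, m)]


def gc_listed_members(group):
    """Member names the global catalog carries: the full list for universal groups, nothing otherwise."""
    return [m.name for m in group.members] if group.kind == "universal" else []


def universal_groups_with_direct_users(groups):
    """The amateur pattern: users or computers placed straight into a universal group.

    Every change to these members is replicated to every global catalog server;
    the same people inside a nested global group would cost no GC replication.
    """
    return {g.name: [m.name for m in g.members if m.kind in ("user", "computer")]
            for g in groups
            if g.kind == "universal" and any(m.kind in ("user", "computer") for m in g.members)}


# Constructed forest: two domains, one universal group spanning both.
alice = Principal("alice", "uk.example", "user")
bob = Principal("bob", "us.example", "user")
carol = Principal("carol", "us.example", "user")
uk_sales = Principal("UK-Sales", "uk.example", "global").add(alice)
us_sales = Principal("US-Sales", "us.example", "global").add(bob)
all_sales = Principal("All-Sales", "uk.example", "universal").add(uk_sales).add(us_sales).add(carol)
sales_printers = Principal("SalesPrinters-ACL", "uk.example", "domain_local").add(all_sales)
GROUPS = [uk_sales, us_sales, all_sales, sales_printers]

if __name__ == "__main__":
    print("invalid:", invalid_memberships(GROUPS))
    print("GC carries for All-Sales:", gc_listed_members(all_sales))
    print("direct users in universal groups:", universal_groups_with_direct_users(GROUPS))
```

Moving carol into US-Sales instead of All-Sales removes her from the global catalog listing entirely, which is exactly the saving the text describes: the user still ends up with the printer permission through the chain user -> global -> universal -> domain local, but the global catalog never hears about it.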
Summary: Pros use Universal groups sparingly and then to add only Global groups.
31) CMD.exe
Guy's Litmus Test: Do you use CMD.exe or Command.com?
Professionals use CMD.exe
Amateurs use Command.com
31) CMD
CMD.exe is the best program to use for the 'DOS' interface. Why is it better than command.com? Because CMD supports doskey (up and down arrows), which recalls your previous commands. Technically, CMD.exe is a 32-bit program that emulates DOS, whereas command.com is a 16-bit program that runs under NTVDM.
The 'Dos Box' is just a start for so many other tools, that is why it is worth spending a few minutes getting it to your satisfaction.
Configure the properties, increase the Width to about 100 and the Height to about 50.
Guy's 'hall of fame' utilities that run from the CMD.exe
Ping, Ipconfig, NSLookup, NTDSUTIL and Tracert
Bonus CMDHere.inf
CMDHere allows you to open the DOS Box from any Explorer folder; I find it particularly useful for running scripts. You can get CMDHere from the Windows Server 2003 Resource Kit.
Summary: Pros use CMD.exe to launch their 'DOS Box' utilities
32) First impressions
Guy's Litmus Test: What first impression would your network create?
Professionals would say 'Here is a diagram of our network'
Amateurs are struggling to fix old machines
32) First Impressions
In the course of my work as consultant and trainer I have the privilege of visiting many customer sites. Whilst I would never divulge company secrets or name names, I would like to share my first impressions with you. In my line of work a quick assessment of customer needs is essential. On the one hand it is vital not to tell professionals things they already know; on the other hand I want to avoid talking over the head of those less experienced.
Dare I say that some 'amateurs' are amongst my best and most appreciative customers.
First impressions - indicators of professionals
As I sit down and they say: - 'Guy, here is a diagram of our network'. As I enter the server room, someone says: - 'That SMS package worked a treat last night'. On the screen I see a techie just finishing a terminal server session to a remote server.
First impressions - indicators of amateurs
As the client and I walk through a site, we pass some users. One looks up and says: 'My file share is not working on this Windows for Workgroups machine.' (This is 2003 and I think shares should be on the servers; also, WfW??) I say: 'Could you show me the application log in the Event Viewer.' They say: 'Where do you find the Event Viewer?' When we arrive in the server room, the first thing I notice is the 3-D screen saver on the domain controller. (3-D screen savers are fine on clients, but they drain valuable processor power on servers.)
Summary: Pros quickly show their knowledge and come to the point
33) Luddites
Guy's Litmus Test: What Luddite tendencies do you have?
Professionals use the MMC and Explorer
Amateurs (Luddites) use Progman and File Manager
33) Luddites
Luddites were named after Ned Ludd. Back in 1811 new knitting frames were introduced which produced more garments with fewer people. Ned Ludd and his friends did not see this as progress and started smashing up the machines. Needless to say, the revolt did not stop industrialization. I must say that hanging the Luddites was a trifle harsh.
When training, I find that old timers and those with a fixed mindset insist on doing things the way they have always done them. When Windows 95 first arrived, people would not use Explorer, preferring to copy files with File Manager, just as they had always done in Windows for Workgroups. It is a real advantage in training to get people when they are new to the product and before they get into bad habits.
Other examples of Luddite tendencies
Keeping the Explorer setting 'Do not show hidden files and folders'
Clinging on to NetBEUI instead of TCP/IP
Preferring WINS to DNS
Formatting the C:\ drive with FAT32
Mapping network drives instead of using the UNC path
Using Windows Server 2003 in mixed mode rather than native
Refusing to convert to dynamic disk
Declining DHCP, preferring manual IP settings for clients
Summary: Pros identify Luddite practices and avoid them
34) Problem solving characteristics
Guy's Litmus Test: How do you solve problems?
Professionals approach a problem methodically
Amateurs panic and try three solutions at once
How to solve problems?
Some people are green fingered, plants just grow for them. Others can play sport effortlessly. Turning to computers, I have noticed that some people's machines run perfectly whilst others are permanently in a cycle of crash and reboot.
What makes people gifted techies? Green fingers? I doubt it. A muscular physique? It may actually be a disadvantage, think about the difficulty of getting those big hands into small server spaces. No, what you need is something different - a logical mind with a disciplined approach.
One characteristic of success that surprises me is that top techies appear slow, but actually get there quicker, and when they fix a job it stays fixed. How do they do it? Their golden rule is to change only one factor at a time and to actually write down the changes they make. I know it sounds simple, and it is hard to put into practice in the heat of a crisis, but do try to be disciplined.
Here are more ideas that have helped me solve computer problems.
Believe in yourself - get into the troubleshooting 'state'
Collect information - ask what has changed on your computer
Narrow the search - hardware or software
Assemble your software tools - Event Viewer and TechNet
Develop a theory - think of the most likely cause of the problem
Phone a friend! - call in favours
Summary: Professionals appear lucky, but underneath there is a method
35) Protocols
Guy's Litmus Test: How many protocols does your LAN use?
Professionals use TCP/IP as their only protocol
Amateurs find reasons to use NetBEUI
5) How many Protocols does your LAN use?
Professionals realize that you only need to install TCP/IP; adding other protocols is only duplication. TCP/IP is wonderful: it does everything you would ever need a protocol to do. Moreover, the more protocols you have, the more network traffic there will be. In particular, avoid protocols like NetBEUI that broadcast.
Some network managers get upset when I suggest they remove NetBEUI. What is fascinating is their reasoning. They say: 'It is so much faster. We have applications that only work with NetBEUI'. I say: 'What about all that broadcasting?' Then I challenge them to just run TCP/IP on their network.
There are always exceptions to any rule, and I would allow NWLink if you have old NetWare servers. Also, I did once see a convincing case for using a second protocol for RAS: the client wanted a fix to secure and isolate clients dialling into his network. However, I would have preferred to:
a) Decommission those NetWare servers
b) Implement a firewall as a RAS solution.
Summary: Pros make it their reflex to use only TCP/IP
36) Readme files
Guy's Litmus Test: Professionals use the Readme files
Professionals check out the readme files - they may even write them!
Amateurs ignore readme files
36) Readme files
The readme files Litmus test works on two levels.
1. If the software you buy has a readme file, it is likely to be professionally written.
2. Those who examine the readme files are professional users.
Readme files are a mine of useful information, from late-breaking news to a helpful list of known errors. I particularly use the readme files when installing drivers. Other uses would be to check incompatibilities; for example, the program has not been compiled for an Apple Mac and will only work on the Windows platform.
One variation of the Readme file is the relnotes.htm file as used by XP. These files contain information on system requirements and product support web URL.
Summary: Pros study the Readme file.
37) Screen Savers
Guy's Litmus Test: Do you run 3D Screen savers on the servers?
Professionals run the blank screen saver because it does not consume memory
Amateurs run 3D screen savers because they think they are cool
37) Screen Savers
Pros are constantly looking for ways of maximising performance on servers. 3D screen savers consume a surprising amount of memory and drain the server's CPU. The processing power could be better used by clients connecting to the server.
Note the effect of turning on the 3-D screen saver three-quarters of the way along the CPU Usage History timeline.
More Quick Litmus Tests
Professionals:
Optimize performance for background applications - System icon, Advanced
Regularly defrag the hard disk to speed up file access
Amateurs
Use ISA network cards - always use PCI cards instead
Summary: Pros are always looking for ways of getting the most from their servers
38) Tool kit
Guy's Litmus Test: How many of these tools can you find and use?
Professionals master even the most difficult tools
Amateurs cannot even find the right tool
38) Tool Kit
Top techies always have the habit of knowing just the right tool for that awkward job. Follow their lead and take the time to practice with these utilities.
Ten utilities for Windows Server 2003
1. ADMT - Excellent tool to migrate user settings, also useful in Exchange 5.5 migrations.
2. ADSI* - Use it to learn LDAP and to configure important, hidden-away Active Directory settings.
3. Active Directory Replication Monitor* - Use it to synchronise domain controllers and to trace their connection topology.
4. MMC# - Take 10 minutes to add all the snap-ins you need for all the servers on your network.
5. Network Monitor# - Install from the Windows Components, Management and Monitoring Tools.
6. Ping# and Ipconfig# - I know they are basic, but do you know all the Ipconfig switches? Have you tried FreePing?
7. NTDSUTIL# - Powerful command line tool for an authoritative restore of Active Directory from backup.
8. System Monitor# (Performance Monitor) - Discover the bottleneck on your network and find out what is using all the resources.
9. Visio - You need to buy this program, but it's worth it to plan your Active Directory domain, trees and OUs.
10. Windows Server 2003 Resource Kit - has over 120 additional utilities, well worth the money.
* Can be found in the \support folder on the Windows Server 2003 CD
# Built in to Windows Server 2003
Summary: Pros take the time to check out the right tool for the right job
39) TCP/IP protocol suite
Guy's Litmus Test: How many TCP/IP protocols can you name?
Professionals can name twenty TCP/IP protocols
Amateurs think that there are only 2 protocols in the TCP/IP suite
39) TCP/IP protocol suite
TCP, UDP, IP, Hostname
FTP, TFTP, HTTP, NNTP, Telnet
Ping (ICMP), Tracert, Ipconfig, Route, NSLookup
ARP, RARP, NBTSTAT, NETSTAT
IGMP
SMTP, SNTP, SNMP
Rexec, lpq, finger
If you are interested in analysing these protocols, then install Network Monitor from Control Panel, Add/Remove Programs, Windows Components, Management and Monitoring Tools.
The reason for learning these protocols is not so much academic as practical. Professionals regularly use Ping and Ipconfig /all in connectivity troubleshooting. They can also call upon Tracert, NETSTAT, NSLookup and Telnet if the situation requires further investigation.
Summary: Pros know the full TCP/IP suite of protocols.
Bonus Litmus Test NSLookup (Name Server lookup)
Professionals master interactive mode
Amateurs just use the non-interactive mode
This command line utility will give you valuable information about DNS servers. To begin with, you can use NSLookup to discover the name of a server when you know its IP address. For instance, you can ping the machine, but what is its hostname? NSLookup will tell you that name.
NSLOOKUP has two modes. The first, non-interactive mode will simply tell you the hostname when you type the IP address. Example: NSLOOKUP 192.168.0.15. This returns the hostname registered in DNS, a server called ron in the example below.
Interactive Mode (advanced)
To access the more comprehensive mode, type just NSLOOKUP (on its own). Now you are in interactive mode and can begin to interrogate the DNS server. See the example below:
> ls nwtraders.msft
You get a list of all the DNS records for nwtraders.msft. When you try it, substitute your domain for nwtraders.msft. Note that ls works by requesting a zone transfer, so it only succeeds if the DNS server is configured to allow zone transfers to your machine; on a well-run server that is restricted to the other name servers.
Note: use the 'exit' command to break out of NSLookup.
Type HELP, check out the list, then choose whichever other command you need.
Prerequisites: NSLookup will not resolve an IP address to a hostname until you configure the DNS server with a reverse lookup zone. Then you will need to create the PTRs (Pointer records) that map each IP address to its hostname.
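The reverse lookup prerequisite above can be checked in bulk. This added Python script (not from Guy's page) does what NSLOOKUP 192.168.0.15 does for a list of addresses and additionally confirms that the name each PTR returns resolves forward to the same address, so missing and stale PTRs are flagged; the zone data it runs against is constructed sample data, and system_reverse/system_forward are assumed names for the live resolver versions.

```python
import socket
from typing import Callable, Dict, List, Optional

# Added example, not from Guy's page. Checks the PTR prerequisite described above:
# for each address, does a PTR exist, and does the name it returns resolve back
# (forward-confirmed reverse DNS) to the same address? A stale PTR pointing at a
# name now used by another host is the usual way this check fails.

ReverseFn = Callable[[str], Optional[str]]   # ip -> hostname, None if no PTR
ForwardFn = Callable[[str], List[str]]       # hostname -> list of IPv4 addresses

def system_reverse(ip: str) -> Optional[str]:
    """Live reverse lookup through the system stub resolver (what NSLOOKUP <ip> does)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None  # no reverse zone or no PTR record for this address

def system_forward(host: str) -> List[str]:
    """Live forward (A record) lookup for the name a PTR returned."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_ptr(ip: str, reverse: ReverseFn = system_reverse,
              forward: ForwardFn = system_forward) -> Dict[str, str]:
    host = reverse(ip)
    if host is None:
        return {"ip": ip, "host": "", "status": "NO_PTR"}        # create the PTR
    if ip in forward(host):
        return {"ip": ip, "host": host, "status": "OK"}
    return {"ip": ip, "host": host, "status": "STALE_PTR"}       # PTR and A disagree

def audit(ips: List[str], reverse: ReverseFn = system_reverse,
          forward: ForwardFn = system_forward) -> List[Dict[str, str]]:
    return [check_ptr(ip, reverse, forward) for ip in ips]

# Constructed sample zone data standing in for the DNS server (nwtraders.msft is
# the domain used in Guy's example; the addresses and the stale record are made up).
SAMPLE_PTR = {"192.168.0.15": "ron.nwtraders.msft", "192.168.0.16": "old.nwtraders.msft"}
SAMPLE_A = {"ron.nwtraders.msft": ["192.168.0.15"], "old.nwtraders.msft": ["192.168.0.99"]}

if __name__ == "__main__":
    for row in audit(["192.168.0.15", "192.168.0.16", "192.168.0.17"],
                     SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, [])):
        print(f"{row['ip']:<15} {row['status']:<10} {row['host']}")
```

Run audit() with the default resolvers against your own address list to check a real reverse zone.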
40) What next?
Guy's Litmus Test: How many Litmus tests did you apply today?
Professionals regularly spot everyday uses for Litmus Tests
Amateurs can only see the test when it is pointed out to them
40) What Next?
Learning is meant to be fun. Learning certainly does not stop when you leave school. Look for opportunities to apply and learn from Guy's litmus tests in everyday life. Here are three examples to explain what I have in mind.
Two Hairdressers
You find yourself in a one-horse town which has only one hairdressing shop. When you go in there are two assistants cutting away. The first assistant has a great, sharp haircut but is loud and all action. The second hairdresser has a very average haircut but is quiet and attentive to their client. Which do you choose, and why?
When your turn for a haircut comes, you realise that the assistant with the stylish cut must have been coiffured by the other quiet hairdresser. So you choose the second quiet assistant. Also you do not like people shouting down your ear when you are having a haircut!
Restaurants
Eating in a new town can be one of the last great discovery experiences. These days restaurants are plentiful, but great eating experiences are rare. Restaurants offer a great possibility for Litmus Tests, and you do need an instant indication, because if it's no good you want to walk out quickly before you place an order.
The first litmus test is: are they full? If they are empty, check whether there is a full restaurant around the corner. When you go in, is there an attentive waiter to see you to your seat? A maître d' who is dutifully overseeing the waiters is a guarantee that the service will be good. It will be expensive, but if this is a special occasion you will not be disappointed.
On the other hand, I take a chef who mingles with the guests as a sign that the food will be overcooked; the chef should be giving the kitchen 100% of his attention!
You peruse the wine list and say to the waiter 'A bottle of your number 61 please'. If the waiter puts you down by saying loudly 'Do you mean the Wehlener Sonnenuhr?', watch out for more surly behaviour. Of course, if you were to pronounce Wehlener Sonnenuhr in immaculate German, the no-good waiter would put you down with 'Do you mean the number 61, sir?'
Fangio - Grand Prix Racing Cars
At Monte Carlo in the 1950 grand prix, Fangio was leading on the second lap. When he came out of the tunnel he had the awareness to glance up at the crowd. His radar detected something odd - they were not looking at him!
Fangio braked before the left turn. Previously hidden from his view by the balustrade, were nine crashed cars. While the road seemed blocked, Fangio spotted a gap, but he still had to push the tyre of one of the stricken cars to clear space for his Alfa. From that double manoeuvre he sped on to a famous victory.
Fangio's test gained him the race; I hope that applying YOUR litmus tests will win you many races in the game of life.
Summary: Have fun with my Litmus Test concept and look for every opportunity to create a new test.