List of Commands

 

Ping “ip address/name”

 

Ipconfig

 

Machine network details

 

·          /all = full details, inc. MAC address, DHCP server, lease times and DNS servers

·          /flushdns = flush the client resolver cache

·          /displaydns = show the cache contents

·          /registerdns = refresh all DHCP leases and re-register the machine's own DNS records (A/PTR)

·          /release, /renew = drop and re-request the DHCP lease

 

Routing

 

·          Netstat –r = show the routing table (same as route print)

·          Pathping ip address = route to the target plus per-hop loss/latency statistics (a cross between ping and tracert)

·          Tracert “ip address/name” = shows the route to the target

 

DNS

 

Before dynamic DNS, names had to be maintained by hand (a static hosts file or static zone records), separately from DHCP. With Dynamic DNS the client, or the DHCP server on its behalf, registers and updates the A/PTR records automatically. On an AD-integrated zone set dynamic updates to 'secure only': with unsecured updates any host on the network can overwrite another machine's record.

 

Root servers. Used when the local DNS server cannot answer from its own zones or its cache. It starts an iterative search down the hierarchy from the root hints.

 

Forwarding. A forwarding DNS server can be specified to resolve the queries the local server cannot. Saves bandwidth and is normally quicker, because the forwarder's cache is shared by everyone behind it. The forwarder is tried FIRST; if it does not answer, the server falls back to an iterative search via the root servers (unless 'do not use recursion' is set, in which case it only ever uses the forwarder).

 

A DNS server holds the data for a domain in a zone. If the server holds the complete data for that zone it is Authoritative for it. Secondary servers are used for redundancy and load balancing: they get a copy via a zone transfer (AXFR/IXFR) and reload when the primary's zone data changes (SOA serial incremented, notify sent). Restrict zone transfers to the listed secondaries only; an open zone transfer hands the complete host list of the domain to anyone who asks.

 

Recursion = the DNS server queries other servers on behalf of the client and returns the final answer.

 

Iteration = the queried server returns a referral (the best name servers it knows of) and the requester follows it up itself.

 

If the domain is not just on the intranet but is used on the internet, you need to register it with a registrar (at the time, InterNIC).

 

·          A Record = maps a host name to an IP address.

·          CNAME = alias; maps one name to another (canonical) name.

·          PTR = used in reverse lookup zones. Given an IP address it returns the host name.

 

*Static/dynamic zones. If you need to manually update/change a dynamic zone you MUST stop it first or there will be replication errors. Might be worth having a static zone AND a dynamic zone in such cases.

 

Nslookup

 

Command line tool for querying DNS servers directly (it sends its own queries and does not use the client resolver cache).

 

·          ls –d domainname = requests a full zone transfer (AXFR) and lists every record in the zone. Only works if the server allows transfers to your address; a quick way to see what a server will hand out.

·          server ip address/name = direct all further queries to the specified server.

·          (type server on its own to confirm the default/new server)

 

If you type 'set type=any' followed by the domain name, you get all record types at that name = DNS config data, i.e. SOA (TTL, refresh/retry/expire values), NS records (number of DNS servers), A records, WINS records, etc.

                               

On start-up nslookup does a reverse lookup of the default DNS server's IP address in order to print its name, so the reverse lookup zone is used. If there is no reverse lookup zone (or no PTR for the server) you get a 'can't find server name for address' warning; harmless but confusing. The reverse lookup zone should at least contain PTR records for the DNS servers.

 

Zone transfer requests (ls -d) often come back 'Query refused'. That is the server correctly restricting zone transfers; do not lower it in production. For testing, allow transfers only to the specific IP address you are testing from, then revert.
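As an added example (not part of these notes, and not Microsoft's tooling), the following Python script does what ls -d does from nslookup, without a resolver library: it builds a DNS AXFR query by hand, sends it over TCP and reads the server's answer. 'REFUSED' or a dropped connection means transfers are restricted; answer records coming back means the zone is exposed. The server address and zone name in the script are placeholders.

```python
"""Check whether a DNS server will hand out a zone transfer (AXFR).

Added example, not part of the original notes. The DNS message is built by
hand so nothing beyond the standard library is needed. A zone transfer is
always carried over TCP with a 2-byte length prefix, which is why the
connection code below does that rather than using UDP.
"""
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-encode a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (all flags clear: AXFR is not a recursive query) + one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_response(msg, txid=0x1234):
    """Decode the reply header and say what the server decided.

    'TRANSFER ALLOWED' means the reply carries answer records, i.e. the server
    gave the zone away; otherwise the RCODE name ('REFUSED' on a server that
    restricts transfers, 'NOTAUTH' if it is not authoritative for the zone).
    """
    if len(msg) < 12:
        return "MALFORMED"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "ID MISMATCH"
    rcode = flags & 0x000F
    if rcode == 0 and an > 0:
        return "TRANSFER ALLOWED"
    return RCODE_NAMES.get(rcode, "RCODE %d" % rcode)


def check_zone_transfer(server, zone, port=53, timeout=5.0):
    """Send the AXFR request over TCP and classify the first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        raw_len = sock.recv(2)
        if len(raw_len) < 2:
            return "NO REPLY"          # many servers simply drop the connection
        (length,) = struct.unpack("!H", raw_len)
        reply = b""
        while len(reply) < length:
            chunk = sock.recv(length - len(reply))
            if not chunk:
                break
            reply += chunk
    return classify_response(reply)


if __name__ == "__main__":
    # Placeholder server/zone: only point this at servers you are authorised to test.
    try:
        print(check_zone_transfer("192.0.2.53", "example.com"))
    except OSError as exc:
        print("connection failed:", exc)
```

Run it once from an address that is not a listed secondary; anything other than REFUSED / NO REPLY from a production server is a finding.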

 

Ntdsutil

 

AD maintenance: configure/seize FSMO roles, clean up metadata left behind by DCs that were not demoted cleanly. It is a hierarchical, menu-driven tool: type help at each level to list the commands, quit to go back a step.

 

ANOTHER way to use NSLOOKUP

 

1.       nslookup

2.       Use the current DNS server or change server using the 'SERVER servername' command.

3.       Type 127.0.0.1 (a reverse lookup of the loopback address).

4.       If DNS is working correctly it returns the name/IP of the server queried AND resolves 127.0.0.1 to localhost.

 

SIMPLE METHOD to Use NSLOOKUP

 

In fact, using this second method led me to a simple way of using Nslookup. Invoke Nslookup, either use the default DNS server or choose another if you want to examine a specific server (server 'servername'). Then just type in a PC name (forward lookup) or IP address (reverse lookup) and check to see if it is resolved.

 

Can even check names not in the local domain to see if they are cached.

 

Net

 

·          Netdiag = detailed network config data, inc: PC name, domain, list of hotfixes, ipconfig data, after which a series of tests is performed, inc: NetBT, WINS, domain membership, loopback, default gateway, winsock, DNS, browser, DC discovery, LDAP, Kerberos, bindings, remote access sessions, etc. (Part of the Support Tools, so it has to be installed first.)

 

·          Netstat = shows connections to/from the PC (detailed). netstat -an shows all connections AND listening ports numerically; netstat -ano (XP) adds the owning process ID. The quickest check for something listening that shouldn't be.

 

·          Netstat –e = shows packets sent/received/discarded and ERRORS!

 

·          Net config workstation = shows basic info, inc: domain, pc name, user name, os installed, etc.

 

·          Net config server = similar to above, but gives option to HIDE pc from browse list (not recommended).

 

·          Net file = Shows list of files CURRENTLY open and SHARED/connected to over network. Also shows user connected to relevant file.

 

·          Net share = shows all SHARES on pc, whether currently connected to or not. They are listed by SHARENAME, and also shows resource details (filename/disk) and remarks (offline cache enabled? Default share? Etc)

 

·          Net view = browse list.

 

·          Net view ip address/pc name = shows shares on that pc.

 

·          Net group = shows all (global) groups in the domain. Does not show OUs. Run it on a DC, or add /domain from a member PC.

 

·          Net help, Net help 'cmd' = net help lists all the sub-commands of net; net help cmd gives the details for that sub-command.

 

·          Net name = lists the names (computer and user) that the Messenger service will accept messages for on this PC.

 

·          Net send (ip address | user name | /DOMAIN) MESSAGE = sends a pop-up message via the Messenger service. /DOMAIN sends to ALL PCs/users in the domain, instantly. Sometimes /DOMAIN doesn't reach every PC on the subnet; a surefire way to broadcast to the subnet is NET SEND * MESSAGE HERE. The Messenger service became a spam and social-engineering channel and is disabled by default from XP SP2 onwards; leave it off unless it is genuinely needed.

 

·          Net time = view/set the clock. Ideally the PDC emulator syncs with an external time source, the other DCs from the PDC emulator, and members from the DC that authenticates them (the default w32time hierarchy). Kerberos tolerates 5 minutes of skew by default; beyond that logons fail.

 

·          Net use \\servername\sharename = maps a shared network drive. But I cannot get it to represent itself in the OS, so I'd rather map via the OS GUI and not the cmd line. The OS GUI mapping shows itself in 'My Computer', and I can choose it to be persistent, or disconnect via the pull-down menu (can also see all mappings via the Windows Explorer pull-down menu too).

 

Got it to work! net use driveletteryouwantlocal: \\servername\sharename. Use quotes from \\ to the end of the sharename if any part of the path has a space. Use net use on its own to view the network connections on your PC. Use net view pcname to see the shares on that PC that you can use net use with. Use net use driveletterspecifiedforconnection: /d to del all connections. To use dir, rmdir, etc, you must specify the LOCAL drive letter you mapped to the share: dir driveletter:\ rmdir driveletter:\dir etc.

 

·          Net user = shows all user accounts on that machine. Seems to show accounts that ORIGINATED on that machine, and not domain accounts. If I want to see domain accounts, I should run net user on a DC. Clients show local accounts such as the Administrator account for that machine, and not the domain Administrator account. (net user /domain lists the domain accounts from a member PC.)

 

·          Netdom query fsmo = shows which DCs hold which FSMO roles. Useful tool; netdom is part of the Support Tools, so it has to be installed first.

 

System Restore Point

 

XP lets you roll back to a restore point taken before significant changes were made, a bit like 'undo'. To create an SR point: Help and Support Centre -> Undo Changes to your Computer with System Restore. Can create/restore from here.

 

Note: SR does not uninstall a program. You still need to manually uninstall the troublesome application.

 

C$, Admin$ and Print$ Shares

 

$ = indicates a hidden share (not listed in browse lists or net view, but usable by anyone who knows the name). If an admin types the location of the share, e.g. \\servername\admin$ or \\servername\C$, he will be taken to the relevant directory.

 

Only members of the local Administrators group can access these shares. That holds over the network too: every machine that uses the same local Administrator password is open at \\machine\C$ to anyone holding that password, which is why shared local admin passwords are such a liability.

 

·          C$ = Root of C:

 

·          Admin$ = gives access to the system root (%SystemRoot%) hierarchy over the network.

 

·          Print$ = used to remotely administer printers. When tested personally, I found this share to be unuseful: it has DLLs etc., not much that can be configured easily. There is another printer share for each machine, which is not hidden, and much more useful to use! Just drill down to the machine over the network, or type \\servername and the public 'PRINTERS' share is there. In it is each printer attached to that machine; you can add new ones, change properties, etc.

 

These shares can be deleted, but are recreated on the next reboot (or restart of the Server service). To stop them being created, set AutoShareServer (servers) or AutoShareWks (workstations) to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; IPC$ is created regardless.
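Added example (not from these notes): a Python audit of net share output that separates the default administrative shares described above from custom hidden ($) shares and ordinary visible shares, the custom hidden share being the one that is easy to forget is only hidden, not protected. The sample listing inside it is constructed in net share's column layout; the share names and paths are made up.

```python
"""Audit a `net share` listing for shares worth a second look.

Added example, not part of the original notes. It parses the fixed-column
listing `net share` prints on Windows 2000/XP and sorts each share into the
default administrative shares (C$, ADMIN$, IPC$ ...), the spooler's print$
share, custom hidden ($) shares and ordinary visible shares. The listing in
SAMPLE_OUTPUT is constructed for the example in the tool's own layout (a
13-wide name column and a 32-wide resource column); audit_local_machine()
runs the real command on a Windows box.
"""
import re
import subprocess

DRIVE_SHARE = re.compile(r"^[A-Z]\$$")


def _row(name, resource="", remark=""):
    """Lay a row out as net share does (a wide resource overruns its column)."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


SAMPLE_OUTPUT = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("IPC$", "", "Remote IPC"),
    _row("print$", "C:\\WINDOWS\\system32\\spool\\drivers"),
    _row("", "", "Printer Drivers"),           # remark wrapped onto its own line
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("C$", "C:\\", "Default share"),
    _row("Public", "C:\\Public"),
    _row("Payroll$", "D:\\Finance\\Payroll"),
    "The command completed successfully.",
])


def parse_net_share(text):
    """Return a list of {'name', 'resource', 'remark'} dicts from a net share listing."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Share name"))
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares, in_body = [], False
    for line in lines:
        if line.startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip() or line.startswith("The command"):
            continue
        name = line[:res_col].strip()
        if len(line) > rem_col and line[rem_col - 1] != " ":
            # resource path too long for its column: it runs on, the remark wraps
            resource, remark = line[res_col:].strip(), ""
        else:
            resource, remark = line[res_col:rem_col].strip(), line[rem_col:].strip()
        if name:
            shares.append({"name": name, "resource": resource, "remark": remark})
        elif shares:
            # blank name column = continuation of the previous row's remark
            shares[-1]["remark"] = (shares[-1]["remark"] + " " + remark).strip()
    return shares


def classify_share(name):
    up = name.upper()
    if DRIVE_SHARE.match(up) or up in ("ADMIN$", "IPC$"):
        return "default admin share"          # Administrators only, recreated at boot
    if up == "PRINT$":
        return "printer driver share"
    if up.endswith("$"):
        return "custom hidden share"          # hidden from browse lists, not protected
    return "visible share"


def audit_shares(text):
    """Map share name -> category for a net share listing."""
    return {s["name"]: classify_share(s["name"]) for s in parse_net_share(text)}


def audit_local_machine():
    """Run net share on this (Windows) machine and audit the result."""
    out = subprocess.run(["net", "share"], capture_output=True, text=True, check=True).stdout
    return audit_shares(out)


if __name__ == "__main__":
    for share, category in audit_shares(SAMPLE_OUTPUT).items():
        print(f"{share:<12} {category}")
```

The categories are a starting point only: a custom hidden share still needs its share and NTFS permissions checked, since the $ does nothing but keep it out of net view.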

 

Dcdiag (Domain Controller Diagnostic)

 

Dcdiag is a cmd line tool which analyses the state of a DC. It performs a battery of useful tests which highlight any problems. Useful for tracking down AD replication, sysvol replication, group policy, FSMO, etc. problems.

 

Dcdiag.exe is part of the Support Tools (on the OS CD under \Support\Tools, updated versions with some SPs and downloadable from MS).

 

Different versions available, some more exhaustive than others, i.e. 2003 has more tests than 2000.

 

Troubleshooting

 

·          Perfmon = invokes GUI app. Add counters etc. to monitor hardware resources.

 

·          Msconfig = invokes GUI app. Can launch System Restore, select different start-up modes, configure BOOT.INI, and select which services and start-up items run at boot (the Startup tab is also a quick look at what auto-starts at logon). When turning off services with msconfig they are not truly disabled; it is a temporary measure/test for safety. To turn them off properly, use SERVICES. (XP/98 only, not in 2000.)

 

·          Chkdsk = check disk. /F (fixes errors), /R (find bad sectors and recover readable data; implies /F). Some error messages seem not to be present when the PC is not booted into a domain environment (handles?)

 

Policies

 

Gpedit.msc

 

Group policy editor. Edits the LOCAL group policy object, i.e. the policy this machine and the users logging on to it are subject to when nothing from the domain overrides it. It does NOT propagate to OUs, groups etc.: domain/OU policies are edited in ADUC (or GPMC). In a workgroup environment you therefore have to set group policy on each machine individually. (It is for this reason we use AD!)

 

Secpol.msc

 

Local SECURITY policy editor. Sets the security settings locally. The settings are the same as those found in group policy, but only a subset: the security settings (Computer Configuration -> Windows Settings -> Security Settings).

 

Secedit

 

Every 90 minutes (plus a random offset of up to 30 minutes) machines query the DC for policy updates. To force this on Windows 2000:

 

·          secedit /refreshpolicy machine_policy

·          secedit /refreshpolicy user_policy

 

(DCs = refresh policy every 5 mins. Clients = every 90 mins plus up to 30 mins random offset.)

 

The refresh applies the current policy held on the DC to the LOCAL machine (only the settings that have changed since the last refresh).

 

Use the /enforce switch to reapply all settings, whether or not they differ from the version on the DC.

 

The above is for Win2k machines. For Win2k3/XP use gpupdate. It does both machine and user policies. /force has the same effect as /enforce on W2k machines.

 

Gpupdate

 

Replaces the now obsolete secedit /refreshpolicy cmd; it refreshes the policy settings that have changed since the last refresh. With /force all policies (user and machine) are reapplied, whether changed or not. XP/2003 and later. On XP secedit still exists, but only for security templates and analysis/configuration (secedit /analyze, /configure, /export); it does NOT refresh policy settings.

 

Policy Replication and DC to DC Replication (Different)

 

The above is for clients refreshing their policy from the DC. DCs replicating AD (and the policy templates in SYSVOL, which go via FRS) to EACH OTHER is configured separately:

 

·          AD Sites & Services - Sites - Your Site - Servers - Your Server - NTDS Settings - Properties of the connection object. The replication schedule can be changed here.

 

BUT within a site DCs replicate on change notification, within about 5 minutes of a change, so the once-per-hour schedule shown on the connection object is only the fallback polling interval.

 

UPDATE. Replication takes place at two levels:

 

1. Intrasite (within a site): automatic, triggered by change notification, roughly every 5 minutes after a change.

2. Intersite (between sites): over site links, according to the site link's schedule and cost (default interval 180 minutes, no change notification). Configured in AD Sites & Services as outlined above.

               

Gpresult

 

See what policies the user and machine are subject to, and which GPOs were applied or filtered out. Also shows which DC the policy came from in a multi-DC environment. gpresult /v lists the individual settings.

 

Shutdown.exe

 

Shutdown: on Win2k it is a Resource Kit tool and needs to be placed somewhere the machine can run it from (e.g. SYSVOL/NETLOGON if it is run from a logon script); XP has it built in. Can be scheduled so PCs shut down at a given time, and shutdown -m \\pc (XP) shuts down a remote machine if you are an admin on it.

 

F8 during boot

 

Recovery/boot options

 

TEMP Files

 

Emptying IE Temp Folder

 

Temp Internet Files

 

Cache of IE (speeds up browsing, allows offline browsing, but leaves a record of every page visited).

 

Note: a file called index.dat CANNOT be manually deleted while it is in use by IE/Explorer! In fact there are several of these files, holding the index of cached pages, cookies, history, etc. They can be removed from another user's session or from Safe Mode.

 

Location:

 

·          In XP/2K: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\

 

In 98/NT/ME:

 

·          C:\Windows\Temporary Internet Files\
C:\Windows\Profiles\<username>\Temporary Internet Files\ (if using PROFILES)

 

To del: IE -> Tools -> Internet Options -> Delete Files -> tick Delete all offline content

 

Cookies:

 

·          XP/2K: C:\Documents and Settings\<username>\Cookies\

 

98/NT/ME:

 

·          C:\Windows\Cookies\
C:\Windows\Profiles\<username>\Cookies\ (if using PROFILES)

 

Delete using the Delete Cookies option: IE -> Tools -> Internet Options -> Delete Cookies

 

History:

 

There are several histories, inc: sites visited, the drop-down address bar, autocomplete, Windows search, etc. Hard to manually delete all of these; IE's Clear History only covers the sites-visited list.

 

To reliably del all of these items, use 3rd party del/scrubber app.

 

Windows TEMP folder:

 

Windows uses a TEMP folder to store temporary data (from processes such as indexing, installations, etc). To empty it, type %TEMP% in Run to open the folder, and delete all its content. Note: .tmp = temporary file.

 

Scattered Temp Files:

 

Windows scatters temp files elsewhere too. Find them using Search -> *.tmp, *.chk, ~*.* Once all these files are found, delete them. Any that can't be deleted are associated with a currently running app; reboot and delete them first thing. You can save this search to the desktop and run it again whenever needed.
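Added example, not from these notes: the search-and-delete above as a Python script, using the same three patterns, that reports separately the files a running program still holds open (the ones to delete after the reboot). The scratch directory it builds is constructed for the demonstration; the roots you would really pass (%TEMP%, a drive root) are up to you.

```python
"""Sweep the scattered temp files the notes describe, scripted.

Added example, not part of the original notes. It walks the given roots for
the patterns the notes list (*.tmp, *.chk, ~*.*), deletes what it can, and
reports the files it could not delete because a running program still holds
them, the case the notes say to finish after a reboot. demo_sweep() builds
a scratch directory with constructed files so the script can be tried safely.
"""
import fnmatch
import os
import shutil
import tempfile

PATTERNS = ("*.tmp", "*.chk", "~*.*")


def find_temp_files(roots, patterns=PATTERNS):
    """Yield every file under roots whose name matches a pattern (case-insensitive)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                    yield os.path.join(dirpath, name)


def sweep(roots, dry_run=False):
    """Delete matching files. Returns (deleted, locked); locked = still in use."""
    deleted, locked = [], []
    for path in list(find_temp_files(roots)):   # list(): don't walk while deleting
        if dry_run:
            deleted.append(path)
            continue
        try:
            os.remove(path)
            deleted.append(path)
        except PermissionError:
            locked.append(path)   # on Windows: open by a running app, delete after reboot
        except FileNotFoundError:
            pass                  # vanished between the walk and the delete
    return deleted, locked


def demo_sweep():
    """Constructed scratch directory: three temp files and one that must survive."""
    base = tempfile.mkdtemp(prefix="sweepdemo_")
    try:
        for name in ("report.TMP", "chkdsk.chk", "~WRL0001.doc", "keep.txt"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("x")
        deleted, locked = sweep([base])
        remaining = sorted(os.listdir(base))
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return sorted(os.path.basename(p) for p in deleted), locked, remaining


if __name__ == "__main__":
    print(demo_sweep())
```

Run with dry_run=True first against a real root to see what the patterns catch; ~*.* in particular matches Office lock files of documents that are still open.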

 

Concept Reminders

 

·          Workgroup vs AD

·          Search AD or Browse entire network

Applications

 

Invoke certain apps via cmd:

 

Explorer

 

Windows explorer

 

Active Directory Domains & Trusts

 

Change mixed/native mode, and manage the other domains that trust/are trusted (direction to/from, transitive or not).

 

Active Directory Sites & Services

 

NTDS Settings, global catalogue, see which servers the current server replicates from, change the replication schedule, define sites/subnets and the site links with their replication schedule.

 

Active Directory Users & Computers = centralise dir of all domain resources. Can impose policies to impose security, structure it via groups/ou’s, etc. Printers/published folders are also in AD but not apparent via ADUC application.

 

Publish a Shared Folder

 

Firstly, make and share a folder. Then in ADUC pick an OU and choose New - Shared Folder. To get to it, drill down: Entire Network - Entire Contents - Directory - choose the OU and drill down. Search: Entire Network - Entire Contents - right-click domain - Find - Shared Folders

 

Delete the object explicitly from AD when you want to get rid of it; deleting the folder itself leaves the object behind in AD.

 

Component Services

 

Contains 3 parts: Component Services, Event Viewer, Services. Event Viewer and Services are as per normal. (Event Viewer and Services also in Admin Tools as separate apps.)

 

Computer Management

 

Contains 3 parts: System Tools, Storage, Services & Applications. Can also send a console message via Services - right-click - All Tasks - Send Console Message.

 

Configure your Server

 

Wizards for AD, File Server, Print Server, Web Server, Networking, Application  Server, etc.

 

DHCP

 

Configure pool of ip addresses.

 

Distributed File System

 

Logically looks like 1 tree of folders, but the folders can be scattered across different servers. Can take a server offline, point the DFS link at a new server, and users need never know. Good for redundancy and load balancing.

 

2 types: Stand Alone or Domain Based.

 

·          If the DFS root is domain-based (AD integrated), the DFS topology is synchronised across all root servers.

·          Dfs links are added to root.

·          Dfs links can refer to shared folders.

 

·          DFS Root = a shared folder specified as the DFS root. A domain root is hosted on a member server/DC in the domain and its topology is stored and replicated via AD. For 2 replicated roots = 2 shared (root) folders.

·          DFS Link = an element under the root. Can be on a different server to the root. If it links to a folder it can have further folders within it. It is this LINK NAME that users see when they navigate the DFS hierarchy, and not the names of the members of the replica set.

·          DFS Shared Folders = the first folder a link points to is linked via DFS. Further folders within this set, from the same link, are added via the console's New Shared Folder dialogue box. To have folders replicate to each other: make a new empty shared folder, and in DFS add a new replica. 2 or more folders which replicate to each other are a REPLICA SET.

·          DFS Client = refers to the DFS root/link. 9.x = download the client. 2k = included.

 

·          Check Replication = To replicate root to other member servers: DFS Root – >New Root Share

 

·          Can publish the root into AD to make it viewable via ad.

·          Can map to dfs share.

·          Can cmd connect to dfs share ie \\servername\dfsshare (explorer).

·          Can view dfs tree via windows explorer: ‘explorer’ at cmd

 

The resulting logical tree diagram is the logical dfs view of network shares. The scattered and replicated nature is hidden.

 

DNS

 

Allows client to map a dns name to an ip address thus making network naming more ‘human’.

 

·          A record = maps a host name to an IP address. (A record is the same as Host record.)

·          CNAME/canonical = makes one name an alias of another. A query for the alias is answered with the canonical name and then that name's records. CNAME and Alias are the same thing. Used when you want a host to respond to more than 1 name. The record shows the alias name and the name of the machine it refers to. A name that is a CNAME should carry no other records.

·          PTR record = maps an IP address (written as a name under in-addr.arpa) back to the host name. Used in reverse lookup zones instead of Host/A records.

·          Name server (NS) record = maps a domain name to the list of DNS servers for that domain. Delegations use this. Names, not IP addresses, are entered here (the server's IP comes from its own A record, a 'glue' record when the server sits inside the delegated zone). You enter the name of the domain one level down in the hierarchy. If it is the same domain, the default value 'same as parent folder' is used automatically.

·          SOA record = start of authority: names the PRIMARY DNS server for the zone (not a secondary), the responsible contact, and the serial/refresh/retry/expire/minimum TTL values. Secondaries compare the serial to decide whether to pull a zone transfer.

·          Authoritative servers = the servers referred TO by the NS records one level up in the hierarchy. They hold the zone and give authoritative answers for that domain.

·          SRV record = locates a service in the domain by name (_service._protocol.domain, e.g. _ldap._tcp.domain) with priority, weight, port and host. AD clients use SRV records to find DCs, LDAP, Kerberos and the global catalogue.

 

Using NSLookup to query DNS

 

See above in CMD’s

 

Event Viewer

 

Errors, warnings, etc. Use www to solve.

 

Internet Services Manager

 

Inetpub -> wwwroot -> published as the 'Default Web Site' = simple intranet site (in depth, read up!)

 

Licensing

 

Licensing details are not replicated among all servers; they replicate UPWARDS to the enterprise server, which is the licensing server by default.

 

Any info on any other server shows local info only – to get complete picture use the licensing (enterprise) server.

 

Per seat licenses can be entered/bought on any server running the licensing app, but will only show up on the enterprise/licensing server. It is on this pc that the per seat CAL’s are ‘handed out’ and monitored.

 

The per server licenses can also be entered on any server running the licensing app, but due to nature of server CAL’s you can choose which server to view/config the licenses for from any server. Just drill down to relevant server in licensing – server browser.

 

Gui is confusing. Remember: Purchase History viewed on enterprise/licensing server. Products View shows local Server/Seat/Backoffice, but view it on enterprise/license server to see whole domain licensing. Server Browser can be viewed on any server - just pick server in app to view and config. Can add/remove licenses here and change mode (server or seat).

 

Local Security Policy

 

Local security policy shows the result of domain + local policies. Domain policies override local, so there is a resulting 'effective' setting. Exact order of application: Local, Site, Domain, OU, then OUs inside OUs (LSDOU); the last one applied wins for any setting it configures, unless a higher-level GPO is marked No Override/Enforced, in which case it wins regardless.

 

Local security is a subset of a policy (Computer Config -> Windows Settings -> Security Settings).
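Added example, not from these notes: a small Python model of the precedence rules above (Local, Site, Domain, OU), including Block Inheritance on an OU and No Override/Enforced on a link, so the effective value of each setting can be traced back to the GPO that won, much as gpresult reports it. The GPO names and settings are invented for the example.

```python
"""Resolve the effective Group Policy setting the way Windows applies GPOs.

Added example, not part of the original notes. Layers are supplied in the
order Windows processes them, Local, Site, Domain, OU, child OU (LSDOU); a
later layer overrides an earlier one for any setting it configures. Two
product behaviours are modelled: an OU can Block Inheritance (drops what was
inherited from AD containers above it, but not the local GPO), and a link can
be No Override/Enforced (always wins, and among enforced links the one
highest in the tree wins). The layer names and settings are made up.
"""
from dataclasses import dataclass


@dataclass
class Layer:
    name: str
    settings: dict           # only the settings this GPO actually configures
    enforced: bool = False   # "No Override" on 2000, "Enforced" from 2003 on
    block_inheritance: bool = False
    is_local: bool = False


def effective_policy(layers):
    """Return {setting: (value, name of the layer that supplied it)}."""
    local = next((l.name for l in layers if l.is_local), None)
    effective, enforced = {}, {}
    for layer in layers:
        if layer.block_inheritance:
            # Block Inheritance discards inherited AD policy; the local GPO stays
            effective = {k: v for k, v in effective.items() if v[1] == local}
        for setting, value in layer.settings.items():
            effective[setting] = (value, layer.name)
            if layer.enforced:
                enforced.setdefault(setting, (value, layer.name))  # highest enforced wins
    effective.update(enforced)   # enforced links are applied last, so they win
    return effective


EXAMPLE_LAYERS = [
    Layer("Local", {"AuditLogonEvents": "No auditing",
                    "DoNotDisplayLastUserName": "Disabled",
                    "ShutdownWithoutLogon": "Enabled"}, is_local=True),
    Layer("Site Default-First-Site-Name", {}),
    Layer("Domain corp.example", {"AuditLogonEvents": "Success, Failure",
                                  "DoNotDisplayLastUserName": "Enabled"}, enforced=True),
    Layer("OU Servers", {"AuditLogonEvents": "Success",
                         "RenameAdministratorAccount": "svc-admin"}),
    Layer("OU Servers/Web", {"AuditLogonEvents": "No auditing"}, block_inheritance=True),
]


def explain(layers):
    """Lines in the spirit of gpresult: setting, value and the winning GPO."""
    return ["%-28s %-18s from %s" % (k, v, src)
            for k, (v, src) in sorted(effective_policy(layers).items())]


if __name__ == "__main__":
    print("\n".join(explain(EXAMPLE_LAYERS)))
```

Note what the Web OU's Block Inheritance does and does not do: it throws away the OU Servers rename of the Administrator account, but the enforced domain audit setting still lands, and the local-only setting survives.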

 

Performance

 

Performance in Admin Tools and Perfmon are the same app! Can add specific counters (there are various entries for items such as Processor, Memory, Hard Disk, etc) Data can be viewed in real time as a graph, histogram, etc. And can be saved as a log and viewed later for comparison.

 

Logs of pc/nw activity can be scheduled, used for baseline measurements, find bottlenecks, etc.

 

To create a log: Counter logs -> right hand pane -> New log settings : name, etc.

 

To view a precreated log: Sys monitor -> View log file data -> select relevant .blg file -> Step2. Select counters. The log is created by preset counters, but to view it you need to select these counters again. Why? You could create a log with loads of counters, but might want to only view certain elements = filter the activity. The list of counters to use are taken from the precreated log – so there is no danger of you adding counters that were never initially used when making the trace.

 

To match the log with the precreated log settings the name of the Log given in ‘To create a log’  will also have a ‘Log file name’. This is what you look for when viewing a precreated log.

 

Routing and Remote Access

 

You config the server at several ‘levels’ in RRAS.

 

The Server level: Properties -> General: Router (LAN routing only, or LAN and demand-dial routing), Remote Access Server. Security tab: choose the authentication method. IP tab: how IP addresses are used. If DHCP = RRAS 'takes' a block of IP addresses from the DHCP server and allocates them itself. If Static = you configure a range of IP addresses that RRAS ITSELF allocates to clients, rather than the DHCP server. If you want a user to always get 1 specific IP address: 1. configure the remote access policy to allow users to request an IP address, or 2. configure the dial-in properties of the user account with 1 static IP address (not available while the domain is in mixed mode). PPP tab = compression and multilink connections. Event Logging tab = configure Event Viewer logging and RRAS's own tracing in %SystemRoot%\tracing.

 

Routing Interfaces: here you add/delete interfaces, inc: internal, loopback, LAN. You can also add IP tunnels and demand-dial interfaces.

 

Ports: configure the WAN Miniport ports (PPTP, L2TP) to allow VPN connections. Dial-up devices are also listed if present. Config info inc: how many ports of each type there are, and what type of request they should handle, e.g. inbound remote access, inbound or outbound demand-dial, device phone number, etc.

 

The number of ports = the number of simultaneous connections. Increase/decrease the number of ports to change the number of connections available.

 

IP Routing = has several sections.

 

·          General = in depth, read up. Briefly: add new router interfaces and protocols. For each interface you can configure routes, show routing tables, IP details, connections, multicast details, etc. Default interfaces inc: Loopback, Internal, Local Area Connection.

·          Static Routes = Show IP Routing Table, New Static Route.

·          DHCP Relay Agent = add an interface, then the addresses of the DHCP servers. The relay agent forwards clients' DHCP broadcasts to the servers listed here.

·          IGMP = multicast group membership; RRAS can act as an IGMP router or IGMP proxy on an interface.

·          Remote Access Policy = configure what conditions need to be met to allow/refuse connections (e.g. phone number dialled by the user, group the user belongs to, phone number the call originated from, etc). Each policy also has a PROFILE. Profile = HOW the connection is handled, e.g. disconnect if idle for, restrict to the following days/times, IP address assignment, multilink settings, authentication, encryption, etc. The profile is where weak authentication (PAP, CHAP, no encryption) gets switched off for everyone.

·          Remote Access Logging = the third type of logging is configured here: authentication and accounting requests received by the server. (The other 2 are errors reported in Event Viewer, and PPP tracing in %SystemRoot%\tracing.)

 

RRAS Concepts:

 

·          Dial Up Networking = the client makes a dial-up, non-permanent connection to a physical port on the RRAS server, over a phone line, ISDN or X.25. It is a DIRECT physical link; data can be encrypted but it is not required.

·          VPN = the creation of a point-to-point connection across a private or public network (the internet). It makes a virtual call to a virtual port on a VPN server using a tunnelling protocol. It is an INDIRECT, logical connection that needs encryption.

 

Dial UP Server uses a modem, bank of modems, ISDN connection, X.25, infra red, null modem cable.

 

Dial UP client must have modem and remote access software.

 

VPN can be either a user connecting to a network, or a router connecting to a another router to form a router to router VPN connection. VPN server use permanent WAN connections such as T1, etc. Clients can use the same, or dial up to an ISP.

 

VPN server must have a separate NIC for the connection to the internal network. Remember, it is a ROUTER and as such can be used without an off-the-shelf 'black box' router. The accepted layout is:

 

Internet---cable modem---firewall---vpn server---hub/switch

 

Firewall is to filter out everything except vpn traffic.

 

However, a VPN server with only 1 NIC works if the NAT router/firewall is configured to port-forward the VPN traffic (VPN PASSTHROUGH: TCP 1723 plus GRE for PPTP; UDP 500/4500 plus ESP for L2TP/IPsec) to the VPN server. The confusion here is that MS seem to want you to use the server as router, VPN, DHCP and everything. If you have a router on the LAN you don't need a VPN server with 2 NICs!

 

Protocols = dial-up authenticates with versions of CHAP, PAP, MS-CHAP, etc.; VPN tunnels with PPTP or L2TP/IPsec. PPTP with MS-CHAP/MS-CHAPv2 is known to be weak (a captured handshake can be cracked offline to recover the password hash); prefer L2TP/IPsec, and with either refuse PAP, which sends the password in clear.

 

What I did: 1 VPN server with 1 NIC. Put it in the DMZ (not recommended, only testing). Only used PPTP. Gave the account dial-in permission. Worked! Cannot browse (common fault). But CAN map drives to network shares or access all shares on a PC via 'Run -> \\servername'.

 

Services

 

Stop/start/automatic start-up of services. Can test-stop services in msconfig, and if you want to stop them permanently, use Services. Can also specify which services start/stop in different hardware profiles! Some of the services inc: Automatic Updates, DHCP Client/Server, FTP Publishing Service, Network Connections, etc.

 

Telnet Server Administrator

 

If you run a telnet server this is where you can disconnect users, List current users, start/stop, etc.

 

Terminal Services Client Creator

 

Lets you create floppy disks (4) with the Terminal Services client app on them. Can also install from a network share:

 

On the Terminal Server, share %SystemRoot%\system32\clients\tsclient\net. In here are 2 folders, for 16/32-bit systems. Drill down to Disk1 and install from there. To avoid confusion over which to install, set permissions, share individually, etc.

 

Terminal Services Configuration = Connections and Server Settings

 

Connections (one per listener, e.g. RDP-Tcp): Encryption level, Logon Settings (always prompt for password, etc), Active Session Time Limit, End Inactive Session after a given time, Environment (disable wallpaper), Remote Control Settings (view session, interact with session, require user's permission), Client Settings (printer and clipboard mapping), Network Adapter (which adapter the listener is bound to), Permissions.

 

Server Settings: Terminal Server Mode (Remote Administration or Application Server; changed via Add/Remove Programs), Delete Temp Folders on Exit, Use Temp Folders per Session, Active Desktop, etc.

 

Terminal Services Manager = admins can see all sessions, users and processes for each terminal server. Can also Disconnect users, Send Message, Reset, Log off, etc. Can also Remote Control a session from here.

 

To Set Up Remote Assistance

 

On the user's target PC: the user needs to be enabled for Remote Assistance/Control via ADU&C -> choose the individual user -> Properties -> Remote Control: Enable, Require user's permission, View the session / Interact with the session.

 

You can config user perms on a policy/domain wide basis but you need to do it via an extension/2003.

 

To initiate a session: the user requests the admin's help via email, Messenger, or a network share folder containing requests.

 

Therefore you need both Remote Desktop/Assistance and Terminal Services.

 

Remote Assistance uses Remote Desktop (Terminal Services) technology.

 

Remote Assistance and Terminal Services are included in XP. For 2000 and older you will need to install RA from either the XP CD or a download from the MS site. Terminal Services is included on the 2000 CD.

 

Remote Desktop

 

Two types. 1: Remote Desktop via the client connection program (included in XP, or installed from the 2K CD), OR 2: Remote Desktop via browser.

 

Remote Desktop does not need a connection licence (TS CAL) as it is designed for 1 user, whether remote or local. Hence the console locks when the user connects remotely.

 

To setup via client:

 

·          In XP: My Computer -> Properties -> Remote -> Remote Desktop.

·          In 2K: RD is known as Terminal Services. Install it via Add/Remove Programs. Can install Terminal Services AND the Client Creator files too! TS also includes the TS Configuration and TS Manager apps.

·          To connect to a 2K system running TS: via the web interface (/tsweb), the Remote Desktop Connection app in XP, or a TS client made with the Client Creator files so a 2K system can connect. Can also install the RD client from the XP CD onto a 2K system.

·          Browser = 'Remote Desktop Web Connection' = http://ipaddress/tsweb

 

To setup via browser:

 

XP

 

·          Host = Add/Remove Programs -> IIS -> Details -> World Wide Web Service -> Details -> Remote Desktop Web Connection.

·          Stop service = net stop w3svc

·          Check for updates

·          Start service = net start w3svc

·          Configure RD: right-click My Computer -> Properties -> Remote tab -> Allow users to connect remotely to this computer. Add users.

·          Ensure users have the correct permissions in their properties on the Remote tab.

·          To connect from a client: http://ipaddress/tsweb. Can also connect over the internet, by IP address or a registered domain name. Doing so exposes IIS and TCP 3389 to the internet; restrict the source addresses at the firewall or go through the VPN instead.

 

Win 2K

 

·          Need to download the app from MS (google 'Set Up Remote Desktop Web Connection with Windows 200' to find it); works for N T too.

·          Install it. When it asks where to install the sample web pages, specify: C:\Windows\Web\TSWeb

·          Rest of the procedure: as above? Update, configure RD, ensure user permissions.

·          To connect: same as above.

 

Wins

 

Is a dynamic, replicated database that matches NetBIOS names to IP addresses on the network. Serves WINS-enabled clients (NetBIOS over TCP/IP). All OSes before 2k need NetBIOS; even modern OSes might be running services/apps that need WINS. WINS registrations are done automatically, whenever a client joins the network, DHCP issues a new address, etc.

 

Domain Controller Security Policy

 

Is the security settings of the Default Domain Controllers Policy, linked to the Domain Controllers OU in AD/U&C (-> Windows Settings -> Security Settings).

 

Domain Security Policy

 

As above, but for the domain level (Default Domain Policy), i.e. the very top of the AD/U&C tree.

 

Network Monitor

 

Analyse network traffic to find problems, e.g. which PC makes the most traffic, identify unauthorised hosts on the network, see patterns, etc. Note that the version shipped with the OS only captures traffic to/from the local machine; the SMS version captures the whole segment.

 

Need to capture frames/packets, then display/filter/save them.

 

In-depth! Read up.

 

Connection Manager Administration Kit

 

Lets you make a self-installing exe which you distribute to users (CD, network share, etc). You configure a set of settings to connect to your network/service for a user/group, and it is this series of settings that gets converted into the exe. Read up.

 

Internet Authentication Service

 

Centralised authentication, authorisation and accounting (AAA) of users who connect to the network by VPN or dial-up. Uses RADIUS. Needs to be registered in AD so that it can read users' dial-in properties.

 

Not used before. Read up.

 

Profiles

 

Profiles consist of desktop settings, shortcuts, icons, application settings, outlook express contents, etc.

 

1.        Local Profiles

2.        Preconfigured Local Profiles

3.        Preconfigured Default Local Profiles

4.        Roaming Profiles

5.        Preconfigured Roaming Profiles

6.        Network Default User Profiles

7.        Mandatory Profiles

  

·          Documents and Settings: create/contains profiles for every user.

·          All Users: Contains shortcuts and icons available to all users on that machine.

·          Default User: (Hidden by default) OS uses it as a template to create new profiles.

 

So a profile is a mix of their own folder contents and All Users.

 

A new profile is made using the Default User as a template, and the All Users for common settings, and all this is copied into a folder named after the new user’s account name.

 

Roaming Profiles

 

Admin creates a nw share, and specifies a path to it (\\servername\profiles (share name)\%USERNAME%) in the user's account in ADU&C. %USERNAME% means the OS will create the folder automatically according to the username.

 

Local (offline/existing) profiles are matched with nw profiles using timestamps.

 

How to Preconfigure a Default User Profile

 

Make a bogus user account, and set it up as you wish. Copy it to the default user profile (log off the bogus account and log on as local admin). Must unhide the Default User account first.

 

You can even copy this acc to a server location to serve as a preconfigured roaming profile!

 

Use the SYSTEM APPLET to do this copying. It will do the above and assign appropriate perms as well! It will also let the OS know we are dealing with profiles and not ordinary folders/files. Remember to change the Permitted To Use value to Everyone or the relevant group/user.

 

Note – Set up preconfigured roaming profiles by copying the profile to the SAME UNC path you specified in the account properties, ie, \\machinename\profiles\user acc name, and also use that path as the user profile for the user’s DOMAIN acc.

 

How to Precreate a Default Roaming User Profile

 

To precreate a roaming profile for a lot of users you don’t want to copy a precreated profile into each user's dir. Instead you can copy the profile to the NETLOGON share on a DC to set up a domain wide default user profile.

 

When logging onto a domain the pc first looks for a Default User dir in the NETLOGON share (\winnt\sysvol\sysvol\domainname\scripts\) of the authenticating dc. Only if no Default User profile is found in the NETLOGON dir does the machine use the local Default User profile. If a Default User profile IS found in the NETLOGON share (where logon scripts and sys policies are also stored), all new domain users with NT pc’s will use this dir as the domain wide Default User template. Specify the path as \\machinename\sysvol\domainname\scripts\Default User (you must name the dir Default User), and grant perms to Everyone, or whatever is appropriate. Alternatively, if you are part of the admin group you can save it to \\machinename\netlogon\defaultuser.

 

Restrictions on Default User

 

If you want to place RESTRICTIONS on the default user profile you will need a registry editing tool (edit ntuser.dat hive file in nt4). You cannot log in as Default User and change that and think that restrictions placed on it will be saved – they won’t. The OS gets confused. In depth – read up.

 

If you need to restrict what users can do – use system and group policies.

 

Problems with Roaming Profiles (default or otherwise)

 

Video settings differ between machines. ALWAYS use default installation dirs when installing apps, otherwise a shortcut will first try to resolve via its Absolute Path (local machine specific), then via the network path (but this uses the hidden admin shares ($) so it asks for perms), and lastly it attempts to resolve itself via ‘search’.

 

Each machine a roaming user uses stores a cached local copy. These can take space, so you can delete them via the System applet, or via policy (computer config – admin templates – sys – log on – delete cached copies of roaming profiles).

 

Lastly – roaming profiles over a wan link not recommended. Slow link causes numerous probs when synchronising profiles.

 

Cached Profile Problem

 

If you delete an account from AD, the local cached copy could still let a user log on if not connected to the nw (no dc found, etc). To avoid this, use System Policies (read up).

 

Mandatory Profiles

 

Involves changing the user's profile/dir name to include the .man extension. Also involves changing ntuser.dat to ntuser.man (found in the profile/dir) so that this can be assigned to groups of users – they all share the same mandatory profile.

 

To set it up configure your desktop etc, and then copy it to a nw share. Set appropriate perms. Change the copied ntuser.man to .dat. Change the account to point to this profile/dir.

 

The .man instructs the OS to not save changes made.

 

Not in-depth –> on p729 & 730, but it isn’t the recommended way to do it. Much better to use policies to lock down and control desktops!

 

Setting Up a Group Template Profile

 

To assign a shared profile to users be aware that it should be a mandatory profile. If not, when 2 users log off BOTH their changes will be saved!

 

If you want a template profile for a group/user it will serve as a departure point only.

 

Create a bogus account and logon and configure it as you see fit.

 

Open the system app, and copy the template profile to a shared dir, renaming it after the user you are about to create.

 

Then create the user, specifying his profile path as \\machine\profile share name\user name.

 

This profile isn’t complicated, but you do need to remember to copy a new profile to the shared dir and assign the profile to that specific user each time you create a new user acc.

 

Win 98

 

Isn’t compatible with 2k/xp, so better not to use roaming profiles.

 

RIP

 

Is the protocol that routers use to exchange information about routes so that they keep their routing tables up to date. It is an algorithm which represents each network (not the router itself) as 1 hop. Therefore to send a datagram within the same nw = 1 hop. To cross over 1 router = 2 hops. To cross over 2 routers = 3 hops, etc. Highest number of hops = 16.

 

On a regular basis each router will send out its routing table entries to other routers about the networks and hosts it knows how to reach. The routing table entries have their hop count adjusted (+1) as they pass through routers. In this way if a router receives an update for a route, the version with the lowest hop count is used. The routing tables, as they propagate through routers, have the current router's routing table added, and hop counts adjusted.

 

In this way all routers are eventually updated with optimal routes.

 

In some cases it is not advantageous for every network in a large interconnected network to be fully specified. In this case a Default Route is used. An example of this is when a network connects to the internet through 1 router. Except for that router, the rest of the network doesn’t need to know how to access the internet. The default route in this case is 0.0.0.0, which is a ‘dummy’ address used to represent the internet. All machines know it represents the internet.
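As an added example (not part of these notes), a small Python simulation of the hop counting described above: directly attached networks cost 1 hop, each router crossed adds 1, the lowest hop count wins, and the 0.0.0.0 default route propagates from the one router that holds the internet link. The three-router topology and the 16-router chain are constructed for the demonstration.

```python
# Added example: distance-vector route propagation in the style of RIP, as the
# notes describe it. Not taken from the notes; topology below is constructed.

INFINITY = 16              # a hop count of 16 means "unreachable" in RIP
DEFAULT_ROUTE = "0.0.0.0"  # the dummy address the notes use for "the internet"


class Router:
    def __init__(self, name, networks):
        self.name = name
        self.attached = set(networks)
        # routing table: network -> (hop count, next-hop router name or None if
        # directly attached). Every directly attached network costs 1 hop.
        self.table = {net: (1, None) for net in networks}
        self.neighbours = []

    def advertise(self):
        """The entries this router sends to its neighbours: network -> hops."""
        return {net: hops for net, (hops, _) in self.table.items()}

    def receive(self, sender, update):
        """Merge a neighbour's update. Returns True if our table changed."""
        changed = False
        for net, hops in update.items():
            candidate = hops + 1          # crossing the sender adds one hop
            if candidate >= INFINITY:
                continue                  # too far: treat as unreachable
            current = self.table.get(net)
            # adopt the route if it's new or strictly better (lower hop count)
            if current is None or candidate < current[0]:
                self.table[net] = (candidate, sender.name)
                changed = True
        return changed

    def hops_to(self, net):
        """Hop count to a network, or INFINITY if we have no route."""
        return self.table[net][0] if net in self.table else INFINITY


def converge(routers, max_rounds=64):
    """Exchange updates until no table changes. Returns the rounds taken."""
    # neighbours are routers that share a directly attached network
    for r in routers:
        r.neighbours = [o for o in routers if o is not r and r.attached & o.attached]
    for rnd in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            update = r.advertise()
            for n in r.neighbours:
                if n.receive(r, update):
                    changed = True
        if not changed:
            return rnd
    return max_rounds


def build_sample():
    """Constructed topology: R1 -[B]- R2 -[C]- R3, and only R3 has the
    internet link, so only R3 needs to advertise the default route."""
    r1 = Router("R1", ["A", "B"])
    r2 = Router("R2", ["B", "C"])
    r3 = Router("R3", ["C", "D", DEFAULT_ROUTE])
    routers = [r1, r2, r3]
    converge(routers)
    return routers


def build_chain(n):
    """Constructed chain R1..Rn where Ri joins networks Ni and N(i+1); long
    chains show the 16-hop limit making far networks unreachable."""
    routers = [Router(f"R{i}", [f"N{i}", f"N{i + 1}"]) for i in range(1, n + 1)]
    converge(routers)
    return routers


if __name__ == "__main__":
    for r in build_sample():
        for net, (hops, via) in sorted(r.table.items()):
            print(f"{r.name}: {net:8} hops={hops:2} via={via or 'direct'}")
```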

 

V1 and V2 differences: V1 is a classful protocol, and v2 understands CIDR or VLSM (variable length subnet masks, ie, when you subnet a subnet!). V1 does not support route update authentication, its broadcast packets generate significant overhead, and it has slow convergence (self healing when there are nw outages).

 

Outlook Addresses and Messages

 

To backup outlook there are 2 parts you need to do this to: the Contacts, and the Messages.

 

Contacts:

 

·          On local machine: \Windows\application data\microsoft\outlook\outlook.pst

·          If several users: I found addy book here:\Documents and Settings\user name\application data\microsoft\address book

·          If profiles: \profiles shared folder\user name\application data\microsoft\address book

·          Most of these are in ‘address book format’. (.wab)

·          In Outlook Express: Addresses (top menu) –> file –> import/export

 

Messages:

 

·          In Outlook Express: Import/Export

·          Location of messages is NOT on nw, and I cannot find a way to do this (no browse nw option, etc), but if you DO need to backup to a nw location, the folders are here:

·          Documents and settings\user name\local settings (hidden folder)\application data\identities\sid no\microsoft\Outlook Express\ and here are different .dbx files (inbox, outbox, deleted, etc)

 

How to Make Groups on Outlook Express

 

Addresses on menu bar -> New -> New Group. Displays all contacts; from here select the ones you want in the new group. Click on group -> Props = select contacts to put in the group. They are also in the main contacts list so be aware they appear more than once. If the group is deleted the contacts therefore still remain in the main contact list.

 

Import Pol

 

3 elements to be aware of:

 

·          1. Can IMPORT pol’s in ADUC.

·          2 & 3: Need to use MMC and 2 snap ins: Security Config & Analysis, and Templates

 

In SCA you need to create new database (Type name of a database when you want a NEW database in ‘Open…’). The database contains the results of the template comparison (Analyse Now) with existing security config.

 

The database therefore contains a template, and any difference made to it. You need a database because it is the process of compiling an ascii file to a binary file containing security settings!

 

So you can create a new security template from scratch, or import one, or import one and change it.

 

You can compare any changes you make, or a template, with your existing pc SCA and Analyse Computer Now. The output can be text (log) or a security display showing those parts which are the same/differ.

 

·          Default = Setup Security.inf, is default on workstations. Should NEVER be applied using gpo - rather it is used for disaster recovery.

·          Compatible = Compatws.inf, takes everyone out of power users group, and relaxes users group to give them more rights. By doing this users aren’t put into power users group to give them elevated privileges.

 

Others include different levels of security.

 

Templates are incremental!

 

Templates

 

Contains all the included default security templates and any that you make as well.

 

Templates can be modified DIRECTLY if you use the Templates app instead of importing into a database in SCA.

 

Thus far…. Need a database file to work in and cannot work on templates directly. Templates can be imported, altered. Templates are then compared to existing pc via Analyse Now. PC can be changed via Configure Computer. Templates can be imported into policies via Import under Security Settings in relevant policy.

 

When importing TP use ‘clear this database before importing’ to ensure you aren’t merging templates.

 

Save TP via Export Template.

 

What is Sysvol, Netlogon, Ntds, Global Catalog, Winnt, etc?

 

Sysvol (and Netlogon) (Profiles, Policies, etc)

 

In NT4 a lot of important info (user config and control info, including system policy files, default profiles, and login scripts) was stored in Netlogon on the PDC. But BDC's need access to this too. In Win2k all DC's have Sysvol replicated among them automatically and in Sysvol is the Netlogon folder!

 

Therefore AD and Sysvol are different. But both are replicated among all DC's in a domain.

 

When referring to System State data (ie when backing up), this includes a copy of the AD and the Sysvol, in addition to other data such as System Boot files, COM+ database, System Config info, etc. When restoring a DC, you need to start the DC in 'Directory Services Restore' mode.

 

Ntds (New Technology Dir Services) (Naming Context inc Config and Schema, User Accounts, Links (member of), Groups, Application Specific data, etc)

 

The active directory itself is a database, and like most databases it has 2 parts, the database itself and a transaction log. Both are normally stored in c:\winnt\ntds\. You can put them on 2 separate hard disks for noticeable performance gain, but need 2 scsi.

 

The NTDS.DIT file is the 'main' part, or heart, of the AD database, and is located in winnt\ntds\

 

NTDS Settings in ADS&S is the replication to and from servers, etc, of the AD database.

 

Global Catalog

 

All dc's know about their own domain, but not about the entire forest. Only the DC with the GC knows about all the objects in the forest (but not all of their attributes. It DOES know about universal memberships, and some other attribs, but not all). Why only 1 DC? Replication issues. But you can manually change this. Therefore GC's are used to deduce UNIVERSAL GROUP memberships in a forest.

 

Winnt

 

Used to install windows from a cmd/dos prompt. Can use Setup but if not in a gui environment can use winnt. Go to the i386 folder -> and either winnt.exe or winnt32.exe.

 

·          winnt.exe = for when you are in dos or Win3.x or booting from a boot disk. For a FULL CLEAN install.

·          winnt32.exe = for when you are in win9.x or NT (cmd prompt). It UPGRADES or FULL CLEAN install.

 

Can add the recovery console in winnt32 only = /cmdcons

 

So broadly, winnt32 is for higher level (windows cmd) and upgrades = winnt32 for UPGRADING in a 32 BIT environment. Winnt is for low level (dos, win3.x or boot disk).

 

Various switches can be added, to invoke unattended installs, answer files, cmd's to be followed, etc. Use internet for details.

 

RIS

 

Need DHCP, DNS and AD running on nw.

 

RIS can do 3 types of install:

 

1.       Simple i386 based install. Similar to a cd install, but over a network and started automatically.

2.       Scripted i386 install. Can add a script to make the install an unattended installation.

3.       Complete system image with minimal setup interaction. You build an entire prototype machine with apps etc, and use this to create an image.

 

Installing RIS

 

Add/Remove Remote Installation Services. Type risetup.exe = wizard. Where to install RIS files = NOT system or boot drive. Must be NTFS. Initial RIS file will be a copy of the cd so ensure at least 800mb.

Authorise RIS server in AD = DHCP -> Manage Authorised Servers -> Add IP address -> Authorise.

 

To configure the RIS server (turn it on/off, configure pc names, etc) you need to get to Remote Install -> Props in AD,U&C. But you can ONLY do this on the RIS server itself – you can’t do it on a DC unless that DC is the RIS server. On the RIS server type DSA.MSC to invoke the AD,U&C console, RC the relevant pc and drill down from there.

 

Updates for XP

 

RIS can also image/store/riprep XP images, but you need to update/patch it first.

 

·          To RIS XP: See Knowledge Base Article 308508 ‘Unable to Create a Windows Server Image on a RIS Server’.

·          To Riprep XP: See Knowledge Base article 313069 ‘Update for the Riprep tool’.

 

Setting Required User Perms

 

AD, U&C -> RC domain name -> Delegate Control -> Add (users who can add computers) -> ‘Join a Computer to a Domain’ -> Next/Finish.

 

OR Create Installers Group. (In depth, see page 129 for info)

 

Installing Clients by Using RIS

 

Use boot floppy or PXE. F12 = download client installation wizard = user name, password, domain name. Product ID.

 

To make boot floppy = on cd, \remoteinstall\admin\i386, use RBFG.exe

 

Can enter product ID in .SIF file to avoid this step.

 

RIS Extras

 

If you have a server with several different  images, but you only wanted certain users to see/access certain images, then the only way to do this is via permissions.

 

Can only image the C drive.

 

RIS Server needs two drives. C (which contains system files and is unused by RIS), and D, which RIS will use to store images.

 

When there are multiple images of the same os, the SIS (Single Instance Store) will ensure that duplicate files aren’t made and therefore 2nd image onwards will use much less disk space.

 

The first time of setting up RIS will invoke a process to make an image on that server – therefore you need a cd. This will be the first image on the server and will be a simple i386 installation.

 

Each image gets a folder in the Remote-Install folder.

 

Setup Manager

 

Used to create Installation scripts. Can be used to create scripts to aid unattended installations, ie tailored cd rom. The answer file can be used with RIS and Riprep images. The script can be further enhanced manually. In depth script language for this.

 

Can also manually alter script to add SPs, hotfixes, even other apps. Also in-depth. Need to know/use $OEM$ for this.

 

To INSTALL Setup Manager: On W2K cd, drill down to \support\tools\deploy, and COPY/PASTE all the files to a local folder that you make.

 

To RUN the Setup Manager: Click on the setupmgr icon.

 

However, the password for the local admin account is not encrypted!

 

Can create answer files using Setup Manager, and associate different answer files with different images in dsa.msc in Ris server properties. In this way you can have 1 image with several answer files, and when the client remote installs, they will be presented with several choices, each of which is a different answer file.

 

If you make an answer file with Setup Manager and it is a .txt file, but you need to turn it into a .sif file for it to be recognised by dsa.msc to associate it with an image, just change the name of the ext from .txt to .sif. However in Notepad, the default is to ALWAYS include the .txt AS WELL as the .sif, ie filename.sif.txt. To get around this when you save put the name and the extension you want in QUOTES, ie “filename.sif”.

 

You can also get around this restriction of including the .txt extension in Windows Explorer. Tools -> Folder Options -> View -> turn OFF ‘Hide File Extensions for Known File Types’. Then you can RENAME the filename AND the extension properly.

 

When you rename the file to .sif and associate it with an image via dsa.msc, the file will appear in the relevant ‘templates’ dir belonging to that image. .Sif files in a given images’ templates dir are the ones that are presented to the client upon booting via PXE.

 

RIPREP

 

Riprep is used when you want to deploy an os and some apps. Obviously you can only image c. Set up machine as you see fit, with all updates, apps, etc. This is the prototype machine.

 

Run Riprep, which strips all SIDs off the machine. To Riprep the prototype machine, you need an active RIS server running (see above). Using a domain admin account, navigate to the RIS server and the share called REMINST. Open it, then \admin\i386\ and a file named riprep.exe. This will start the riprep wizard. You can send the result to any RIS server.

 

Once image is on server it is available for remote installations.

 

After you have run Riprep on the prototype machine you will go through a mini setup to restore the original information.

 

Delivering a Riprep Image to Target PC

 

Now that there is more than 1 image on the RIS server, there will be multiple options/images. If you choose the Riprepped image (as opposed to the first, ‘simple i386’ cd based image) the entire install will be hands off.

 

Enabling Users to Start RIS Transfers:

 

Users need to be able to create a MACHINE ACCOUNT, so you need to give them the correct perms. You could add them to ACCOUNT OPERATORS group, but that is a lot of power just to kick off an image transfer.

 

So instead we create an INSTALLERS GROUP. (Lengthy procedure, p129).

 

‘I think’ we could also delegate permissions. (See above for info).

 

Restricting Image Choices

 

The RIS server has a lot of dirs in \RemoteInstall\Setup\English\Images. So a simple i386 os would be \RemoteInstall\Setup\English\Images\Win2000.pro. Each RIS image has a dir in the Images dir.

 

Each Image contains a folder called TEMPLATES, and in that folder is a file with the extension .sif. This is an answer file used to install without user intervention.

 

The way to control which groups see what os choices there are is to DENY READ ACCESS to the relevant .sif file in Templates.

 

Scripts. Editing the Answer File to Get What you Want

 

Using the above you will get an unattended install, except for the Product ID! To get around this you can edit the .sif file.

 

In the [UserData] section, ProductKey = 1234-5678 (for XP), or ProductID = 1233-45678 (for 2000).

 

[Unattend]

UnattendMode = FullUnattend
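As an added example (not from these notes), a Python helper that applies the two edits above to a .sif answer file, fixes the ‘.sif.txt’ naming problem, and flags answer files that still carry a plaintext password (the ‘local admin password is not encrypted’ problem noted earlier). The sample .sif is constructed; the [GuiUnattended] AdminPassword key is assumed to be where Setup Manager writes that password, and the product keys are placeholders.

```python
# Added example: edit a RIS/unattended answer file (.sif) as the notes describe.
# Not the notes' own code; sample file and key locations are assumptions.
import configparser
import io

# Constructed sample in the INI layout Setup Manager writes. The AdminPassword
# key under [GuiUnattended] is an assumption about where the password lands.
SAMPLE_SIF = """\
[Data]
AutoPartition = 1
MsDosInitiated = "1"

[Unattend]
UnattendMode = GuiAttended
OemPreinstall = No

[GuiUnattended]
AdminPassword = "Secret123"

[UserData]
FullName = "Lab User"
OrgName = "Lab"
"""


def load_sif(text):
    """Parse .sif text. Interpolation is off because values contain '%'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str          # keep key case, e.g. ProductKey, not productkey
    cfg.read_string(text)
    return cfg


def make_unattended(cfg, product_key, windows_version):
    """Set the product key and fully unattended mode, per the notes:
    XP answer files use ProductKey, Windows 2000 ones use ProductID."""
    key_name = "ProductKey" if windows_version.lower() == "xp" else "ProductID"
    for section in ("UserData", "Unattend"):
        if not cfg.has_section(section):
            cfg.add_section(section)
    cfg.set("UserData", key_name, product_key)
    cfg.set("Unattend", "UnattendMode", "FullUnattend")
    return cfg


def plaintext_passwords(cfg):
    """(section, key) pairs whose key name contains 'password' and whose value
    is non-empty: such answer files store the local admin password in clear."""
    found = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if "password" in key.lower() and value.strip().strip('"'):
                found.append((section, key))
    return found


def dump_sif(cfg):
    """Serialise back to text so it can be saved beside the image's templates."""
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def sif_filename(name):
    """Strip the '.txt' Notepad appends: 'unattend.sif.txt' -> 'unattend.sif'."""
    if name.lower().endswith(".sif.txt"):
        return name[:-4]
    return name


if __name__ == "__main__":
    cfg = make_unattended(load_sif(SAMPLE_SIF), "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX", "xp")
    print(dump_sif(cfg))
    print("plaintext passwords:", plaintext_passwords(cfg))
```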

 

The default naming convention is to use the server name as a guide, so Server would produce Server1, Server2, etc.

 

You can also change the naming convention FROM THE SERVER. AD,U&C -> RC Ris server -> Props -> Remote Install -> Advanced -> New Clients -> Options include:

 

·          %#username = Username

·          %#first = First name

·          %#last = Last name

·          %# = Increment by 1

 

However, this is at RIS server level so I don’t know if it will affect both i386 cd images and Riprep Images.

 

Note: You can use Setup Manager to create multiple answer files for a given image!

 

Riprep Extras

 

Target PC disk size will be same as prototype machine.

 

Cannot easily associate different riprep .sif files with different images (unlike scripted installs (i386)).

 

So just change .sif file to configure product id, machine name, etc. (I think? Test this)

 

NTOSKRNL Issue: When applying the kb835732 hotfix to the prototype, Riprep won’t work. This is due to the NTOSKRNL being different between the prototype and the existing image on the server. To fix -> copy the NTOSKRNL from the client/prototype to the image on the server. Ensure you REPLACE the original (in the I386 dir of the flat image).

 

Stopping Services. During Riprep you will be asked to stop services. Do this via Computer Management (the computer management name will be presented during the Riprep alert). Those services without a Computer Management alias can be stopped via Ctrl, Alt, Del.

 

Qmgr0.dat Issue: When running Riprep, Qmgr0.dat and Qmgr1.dat won’t copy to the image. To fix: edit the .inf file to skip these:

 

Reminst\admin\i386\riprep.inf (governs running of Riprep).

 

·          [Files to Copy]     

·          At bottom type:

·          %16419%\microsoft\network\downloader\=2,dat

·          And save.

 

Or it seems you can ignore error messages. Seems to work for me!

 

Password Encryption Issue: Password not always encrypted in Answer files with RIS images. But with Riprep images password is always encrypted!

 

Remember, i386 and scripted installs are cd based, Riprep is image based (but can use some form of script/answer file with it). That is why you can’t associate different Riprep answer files with different images.

 

Riprep images will NOT include 3rd party drivers for the NIC in the image! So if you have 3rd party NIC drivers you need to use, you need to go through the hassle of using the $OEM$ folder structure. Much better to ensure the NIC on the prototype pc and the drivers in the os are compatible. AND, it also seems that you might have to add the drivers to the first/primary flat RIS image as well!

 

Image Based Installs Using SYSPREP

 

Sysprep is used to prepare a disk to be copied/cloned by a third party app such as Ghost, etc. It strips off the SIDS from the original os.

 

Download the latest sysprep from Microsoft.

 

Sysprep cannot be used on DCs.

 

GPO to Deliver Apps and Updates

 

Using GPO to install is a major tool for managing software in an org.

 

User does NOT need admin privileges to install software add/remove programs when they have been added here by the admin!

 

The components of delivering apps via GPO:

 

1.       Software installation in GP.

You use GP to control and manage apps, called PACKAGES.

2.       The Windows Installer Service.

3.       The Add/Remove applet.

2 and 3 are used to install/remove the apps based on what you have set up in GP.

 

Assign

 

Assign an application when you want a group to have an application on their computers. Software can be assigned to Users or Machines. The software is assigned on first reboot or when the user first logs on.

 

Publish

 

Publish when you want software to be available for users to install. They can install it if they decide to. You can only publish software to users. Users install packages via the Add/Remove applet.

 

Only publish or assign to EITHER users or machines, both = conflicts.

 

Packages

 

Packages are .MSI apps. Some vendors have .MSI apps on their cd/site – these can be used. Alternatively if you need to make an .MSI out of a program, you can install and use Veritas’ WinInstall (more later).

 

To Install Software Through a GPO

 

Using adminpak.MSI as an example of Publishing a Package to Users…

 

1.       Create a nw share and copy the .msi app to it.

 

2.       Create a GPO.

 

                RC the domain name -> Props -> Policy tab -> New -> type Adminpak -> Enter

 

3.       Filter the GPO.

 

Filtering lets you choose the users to which the GPO applies. Props -> Security -> Ensure the Apply Group Policy perm is UNCHECKED for all groups except the one/s you want. As for further perms, it seems prudent to just have Read, so total perms = Apply Group Policy and Read.

 

4.       Add the package to the GPO.

 

Next click the edit button. This will launch the GP snap in. Either Assign or Publish. (Publish in this case). Packages are added to the GPO in Software Settings\Software Installation in either Computer Config or User Config (in this case User Config). New -> Package, drill down to .msi on nw (\\servername\sharename). You can RC the package and choose/change Publish/Assign.

 

When testing the Publish .MSI installation, LOG OFF/ON first and Add/Remove Progs.

 

Filtering lets you apply the .msi to anyone in the org – be it 1 person, or everyone, or a group. Any group or user in the SECURITY tab of the GPO will get the policy (and therefore the .MSI) ONLY if the Apply Group Policy option is checked.

 

The gist is to create a separate policy just for the .msi installation, and filter it via Security to let select people install the .msi.

 

We can uninstall apps via the ‘Uninstall Applications When they Fall Out of the Range…’ option in Software Installation.

 

Using OUs

 

You can also use OUs (and therefore ignore filtering) directly to roll out apps. It is a good idea to have a Beta group of users in an OU to test the roll out process. You can then ADD the GPO to other OUs in the org, or to the domain directly. This is a useful, step by step process.

 

Assigning a Package to Users or Computers

 

Assigning a package means the app gets INSTALLED. If you assign the app to a computer it gets installed at boot time, prior to logon. If you assign to a user it gets installed at logon.

 

If a user tries to uninstall it, it gets repaired/reinstalled next time!

 

In actuality the app only gets partly installed (files are copied, shortcuts are installed, file associations etc are done). The app is completely installed upon FIRST USE, whether a file associated with it is clicked, or the app is opened directly.

 

In this way assigned apps ‘roam’, much like roaming profiles.

 

To assign an app, using Office as an example, the steps to follow are:

 

1.       Run the Administrative Setup

 

Why admin setup? Admin setup allows you to manage the app files centrally. It allows you to create a CUSTOMISED version that users will install (see paragraph below). Allows you to config options such as ‘install on first use’ OR ‘run from nw’. It also allows you to manage updates by patching just the 1 Office image. To do an admin install: Drive:\setup /a (on Win2K you need SP3 or later).

 

Need to create a TRANSFORM and modify the Setup.ini file to customize the Office installation for clients – indeed you can create multiple configurations for the same CD based Office image. However, doing a plain admin install without later customising it will let users have all the options normally present during a cd install minus the need for a product key.

 

2.       Create a GPO called Whatever

 

3.       Add the package to the GPO

 

4.       Customize the Package Props

 

Removing a Package

 

Simply check the ‘Uninstall Software From Users and Computers’ in Software Settings -> Name (of installation).

 

Redeploying a Package

 

Useful if you have added modifications to a package, etc.

 

Creating Your Own MSI

 

Two third party progs on the Win2K Server cd are used when you need to create your own msi files: Drive:\Valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi. (For some reason I couldn’t install this locally, I had to share the cd drive on another pc and install it to the machine I want to run Veritas from (and not ON, which would be the clean pc)). So 3 pcs, 1 with the shared drive, 1 to install it to and run from, and a third which is the clean pc!

 

Veritas Software Console allows you to view and edit an msi, and WinINSTALL Discover allows you to create an msi package from an old style install/setup prog.

 

Broadly speaking, you are taking a BEFORE and AFTER snapshot of a computer.

 

Might be worth making another admin account and use this. If not you could get icons following the main admin account if using roaming profiles.

 

1.       Create a Clean Computer

 

Only has os and service packs installed. The differences between the before and after snapshots are used to create the msi, so they all need to be correct and accounted for. It should also NOT have the Veritas/Winstall Discover software installed.

 

2.       Take the Before Snapshot (using c$ and wininstall)

 

Go to clean pc and run Winstall Discover. It is best to run it via the Run prompt, and not by mapping a drive to it. Therefore the command will look something like \\servername\c$\program files\veritas software\winstall\DiscoZ.exe. When wizard asks what files to exclude – accept the defaults. You can choose where to store the .msi, the default is to store it on the server you’re running Discover FROM, in the Winstall dir.

 

3.       Install the Application and Reboot

 

        Install app as you want the .msi to install it. And REBOOT!

 

4.       Test the Application

 

        Keep in mind any changes made probably will not end up in the .msi.

 

5.       Take the After Snapshot and Compare

 

Log on to what was the clean pc and run Winstall Discover again to take the after snapshot. Again it is a good idea to run it across the nw using the notation in Step 2. If you need to make another/the .msi again you need to ensure the pc is clean again – which means you might need to reinstall the os. Very often the wizard produces a list of warnings – check for red flags and test the app.

 

6.       Make any Customizations

 

Now check the msi and possibly modify it. Use the Veritas Software Console: \Winconsole\Seasw OR from the start menu on the server that has the msi choose the Veritas Software Console and Open the .msi. You can also check .msi files from off the shelf packages. Can edit what dlls to use, etc. In depth (p 884 for details).

 

7.       Test the Application Installed by the MSI

 

This is the most time consuming part of the process. Need to install it on test pcs, inc clean and unclean ones to ensure no conflicts with other apps, etc. This is where conflict errors (dlls, etc) crop up and can be sorted by using Veritas Software Console.

 

Zap Files

 

Zap files are simple text files which can be published to users (not assigned, and not to machines). The text file is a pointer to the real/actual installation prog, which does not have to be an .msi file!

 

It will appear in Add/Remove progs, or it can be installed by clicking on a file associated with the prog – also specified in the text file.

 

Good way of publishing setup/install progs on the nw for selected users.

 

1.       Create a Zap File

 

Example .zap file contents:

                [application]
                FriendlyName = “Winzip Version 72”
                SetupCommand = \\Servername\packages\winzip\winzip70.exe
                DisplayVersion = 7.0
                [ext]
                ZIP =

Application = the name seen for the package description in the GPO editor and the name users will see when they install the package. SetupCommand = the actual installation prog run when the package is selected in Add/Remove or when the user double clicks the associated file. DisplayVersion = displayed with the package in the GPO editor. [ext] = the next section and must include any file ext you want associated with the prog. Ensure you name the file with the .ZAP extension.

 

2.       Share the Zap file and Installation Files

 

Create a directory in the packages shared directory on the server. Both the Zap file and the installation program should be in this directory. The path in both cases is \\Servername\packages\winzip\, but the installation path ends with winzip70.exe and the Zap file path ends with, for example, Winzip.zap. When you copy the installation program (i.e. setup.exe) into the directory, ensure you copy ALL of its files over, which could be a CD's worth of data.

 

3.       Add a package to the GPO

 

You can create a new GPO or add a new package to an existing GPO. Now we must add the package (published; it cannot be assigned) under User Configuration/Software Settings/Software Installation. Choose New Package and drill down to the Zap file, using the path above as an example.

 

I did this but when it came to testing the installation failed. It found the package, but when installing it couldn’t follow the nw path. It included spaces and brackets (new folder (3)). I changed the location to a path with normal chars and it worked perfectly.

 

Lastly, test!
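To check a .zap file before sharing it and adding it to the GPO, here is an added Python example; it is not from these notes and not part of any Microsoft or Veritas tool. It parses the file with the standard-library configparser (a .zap file is INI-formatted), confirms the [application] keys from step 1 are present, checks that SetupCommand is a UNC path whose folder names contain no spaces or brackets (the problem hit during testing above), and checks that [ext] entries are bare extensions. Both sample .zap files in the block are constructed for the example.

```python
"""Check a Windows 2000 .zap package file before publishing it via a GPO.

Added example: not from the notes or from any Microsoft/Veritas tool.
The two .zap samples below are constructed for this example.
"""
import configparser
import re

# Constructed sample modelled on the Winzip entry in step 1 above.
GOOD_ZAP = r"""[application]
FriendlyName = "Winzip Version 72"
SetupCommand = \\Servername\packages\winzip\winzip70.exe
DisplayVersion = 7.0

[ext]
ZIP =
"""

# Constructed sample with the kind of path that broke installation in testing:
# a folder name containing spaces and brackets, plus an [ext] entry with a dot.
BAD_ZAP = r"""[application]
FriendlyName = "Winzip Version 72"
SetupCommand = \\Servername\packages\new folder (3)\winzip70.exe

[ext]
.zip =
"""

REQUIRED_KEYS = ("friendlyname", "setupcommand")
# Conservative character set for one UNC path component: letters, digits, _ . $ -
SAFE_COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.$-]+$")
# An [ext] key should be the bare extension, e.g. ZIP, not .zip
EXT_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_zap(text):
    """Parse .zap text; configparser lower-cases option names, so look them up in lower case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_setup_command(cmd):
    """Return a list of problems with a SetupCommand value (empty list means it looks fine)."""
    problems = []
    if not cmd.startswith("\\\\"):
        problems.append("SetupCommand must be a UNC path (\\\\server\\share\\...)")
        return problems
    parts = cmd[2:].split("\\")
    if len(parts) < 3:
        problems.append("SetupCommand needs at least \\\\server\\share\\program")
    for part in parts:
        if not SAFE_COMPONENT_RE.match(part):
            problems.append(f"path component {part!r} has spaces or punctuation; rename the folder")
    return problems


def validate_zap(text):
    """Return all problems found in a .zap file; an empty list means it is ready to share."""
    cp = parse_zap(text)
    if not cp.has_section("application"):
        return ["missing [application] section"]
    app = cp["application"]
    problems = []
    for key in REQUIRED_KEYS:
        if not app.get(key, "").strip():
            problems.append(f"[application] is missing {key}")
    cmd = app.get("setupcommand", "").strip()
    if cmd:
        problems.extend(check_setup_command(cmd))
    if cp.has_section("ext"):
        for ext in cp["ext"]:
            if not EXT_RE.match(ext):
                problems.append(f"[ext] entry {ext!r} should be the bare extension, e.g. ZIP =")
    return problems


def describe_zap(text):
    """Summarise what the GPO editor and users will see for this package."""
    cp = parse_zap(text)
    app = cp["application"]
    return {
        "name": app.get("friendlyname", "").strip().strip('"'),
        "setup": app.get("setupcommand", "").strip(),
        "version": app.get("displayversion", "").strip(),
        "extensions": [ext.upper() for ext in cp["ext"]] if cp.has_section("ext") else [],
    }


if __name__ == "__main__":
    for label, text in (("good", GOOD_ZAP), ("bad", BAD_ZAP)):
        print(label, describe_zap(text))
        for problem in validate_zap(text):
            print("  -", problem)
```

Run it against the real file with `validate_zap(open(r"\\Servername\packages\winzip\Winzip.zap").read())` from a machine that can reach the share; an empty list means the path and keys look right, and anything else is worth fixing before the GPO is linked, since the GPO editor will accept the package and only fail later at install time.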

 

Customising Off the Shelf Apps

 

Using the Veritas Software Console you can customise .msi packages from 3rd parties. Useful for DLL conflicts, etc. In depth: see p 888.

 

You can also apply TRANSFORMS to .msi packages. These don’t modify the .msi directly; instead the official .msi is installed as normal and the transform applies differences to it. But to create one you need an MST tool provided by the software manufacturer.

 

Upgrading Applications

 

The upgrade package must be in .msi format, and we treat it like any other .msi package: put it in the correct shared folder and use AD Users &amp; Computers to assign/publish it like any other package. If filtering is used, you use the same GPO, add the package to it, and use the permissions to control who accesses it. Or we can use a GPO directly if that is how the original package was deployed.

 

In either case, once we have the correct GPO, go to Software Settings -> choose the UPGRADE .msi -> Properties, and choose the Upgrades tab. Here you select the current/other GPO and the .msi package(s) to which you want to apply the upgrade. You can upgrade the existing package, or uninstall the current package and replace it with the newer version.

 

To summarise: you have the upgrade package in .msi format, publish it via a GPO, and from there link it to an existing package which it will upgrade/replace.

 

In this way you can let users choose to upgrade/replace software, or force it (i.e. when they click on an associated file it could invoke the upgrade, if that is configured in Deployment for the upgrade .msi package).

 

Recovery Chart 

 

Slow System?

 

Ctrl+Alt+Del (Task Manager) and/or Perfmon

 

Problems?

 

Msconfig (disable services, edit boot.ini, System Restore). If you disable services here, treat it as a temporary test; do it properly via the Services console.

 

Need To Recover AD?

 

Via backup (System State), or via replication from multiple DCs.

 

F8 Options:

 

·          Safe Mode = use this to fix network problems, i.e. when you cannot get onto the network.

·          Safe Mode With Network Support = use this to fix problems if you know the network is NOT the problem and you need network services.

·          Safe Mode With Command Prompt = cmd shell, but you can still invoke GUI apps from it.

·          Enable VGA Mode = can help sort out display problems that prevent Windows from loading.

·          Last Known Good Config = do this FIRST! Any logon after the problem has manifested itself will LOSE the setup data needed for a successful boot, unless you have created more than 1 hardware profile. LKGC uses the drivers etc. from the last successful logon/alternative profile.

 

Emergency Repair Disk

 

The ERD is made via Backup. It includes the option Repair Installation, which can be run from the Setup/boot floppies or the installation CD.

 

The ERD contains a copy of setup data, services, drivers, ntldr, etc. These can be replaced (repaired) when ERD mode is chosen.

 

ERD modes/Choices:

 

Manual Repair ----- allows more control, i.e. you choose:

 

·          Inspect start-up environment (corrupted Windows files?)

·          Verify Windows system files.

·          Inspect boot sector.

 

Fast Repair ----- an inexperienced admin doesn’t need all these choices. However, the REGISTRY can only be fixed with Fast Repair, not Manual Repair.

 

Recovery Console

 

The RC can be run from the Setup/boot floppies or the installation CD, or installed on the PC (via \i386\winnt32 /cmdcons typed into Start - Run; it is then available as a boot option).

 

Can’t access non-system partitions! But you can do a lot if you’re familiar with it. You need to log in as the local admin.

 

Can replace missing system files, and can run FIXMBR and FIXBOOT (but check for viruses first). Do FIXBOOT first, THEN FIXMBR (use the book for guidance when using the RC).

 

Boot Floppies

 

Made from the installation CD, which can be run on ANY W2K machine: drive:\bootdisk\makeboot on the install CD. It produces 4 floppies, which follow the same initial process as installing W2K from CD but don’t install; instead they lead you to repairing W2K via:

 

·          Recovery Console

·          ERD

 

Therefore they are good when the PC won’t boot at all, either from hard disk or CD.