Windows Tips & Tricks UPDATE, July 18, 2005, brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add Windows_TipsandTricks_UPDATE@list.windowsitpro.com to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems
http://www.windowsitpro.com/whitepapers/raritan/integratedkvm/index.cfm?code=tipstop_718

Security Management in a Multi-platform World
http://www.windowsitpro.com/Whitepapers/bindview/securitymanagement/index.cfm?code=tipsmid_718


Sponsor: A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems

In this free white paper, learn about the many benefits of integrated KVM and serial solutions, which include reduced downtime, mean-time-to-repair, lower costs and improved ROI. You'll discover how today's KVM and serial console control tools have evolved to aggregate access to KVM, serial console, and power control under one platform, presenting physical and logical views of all controlled assets. Find out how browser-based access allows administrators to be effective from any Internet-connected PC.
http://www.windowsitpro.com/whitepapers/raritan/integratedkvm/index.cfm?code=tipstop_718


FAQs

  • Q. How can I delegate authority for a DNS zone under Windows NT 4.0?
  • Q. How can I use a Group Policy Object (GPO) to set the default logon domain?
  • Q. I installed Group Policy Management Console (GPMC). How can I undo the changes it makes to the Group Policy tab of my Site, Domain, and Organizational Unit (OU) Properties dialog boxes?
  • Q. What's Microsoft Baseline Security Analyzer (MBSA) 2.0?
  • Q. How can I lock down the remote procedure call (RPC) ports that Microsoft Exchange 2000 Server and later use?

Commentary
by John Savill, FAQ Editor, jsavill@windowsitpro.com

In this issue, I tell you how to delegate authority for a DNS zone under Windows NT 4.0 and how to use a Group Policy Object (GPO) to set the default logon domain. I also explain how to undo the changes that Group Policy Management Console (GPMC) makes to the Group Policy tab of the Site, Domain, and Organizational Unit (OU) Properties dialog boxes. Finally, I discuss Microsoft Baseline Security Analyzer (MBSA) 2.0, and tell you how to lock down the remote procedure call (RPC) ports that Microsoft Exchange 2000 Server and later use.


Sponsor: Security Management in a Multi-platform World

In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms such as Windows, UNIX, Linux and NetWare, and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.
http://www.windowsitpro.com/Whitepapers/bindview/securitymanagement/index.cfm?code=tipsmid_718


FAQs

Q. How can I delegate authority for a DNS zone under Windows NT 4.0?

A. Windows 2000 and later DNS interfaces have a simple New Delegation option. However, in some situations you might want to delegate zones under NT 4.0 DNS. For example, I recently had a client running a Windows Server 2003 environment, whose principal DNS server was running on NT 4.0, and we needed to use one of the server's zones for Active Directory (AD). However, because of the company's particular business and technology situation, we couldn't migrate the zone to Windows 2003 yet, which meant that the required service record (SRV RR) and desirable DDNS functionality wouldn't be available. The resolution was to leave the zone under NT 4.0 but delegate the subzones that AD uses to Windows 2003 DNS servers.

Although you can use the NT 4.0 DNS Manager application to perform the delegation, it's easier to simply edit the DNS zone file. To do so, perform these steps:

  1. Stop the DNS service on the NT 4.0 server, so that your edit isn't overwritten when the service later writes its in-memory copy of the zone back to disk, by entering the command
    net stop dns
  2. Locate and open in Notepad the zone file for the DNS domain for which you want to delegate a subzone. For example, if my zone is migrate.test, I would open the file migrate.test.dns, which by default is in the C:\winnt\system32\dns folder.
  3. Scroll to the bottom of the file and add a host (A) record for the server to which you're delegating part of the namespace. This is the glue record: without it, the NT 4.0 server has no address for the name server it's delegating to. For example, my Windows 2003 DNS server is vpcdc01, so I add the line
    vpcdc01               A       192.168.2.100
  4. Next, add the delegation entries, which are simply nameserver (NS) records for each subzone, as this example shows:
    ; Delegate the _msdcs, _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones
    ; subzones to the Windows 2003 server.

    _msdcs                NS      vpcdc01.migrate.test.
    _sites                NS      vpcdc01.migrate.test.
    _tcp                  NS      vpcdc01.migrate.test.
    _udp                  NS      vpcdc01.migrate.test.
    DomainDnsZones        NS      vpcdc01.migrate.test.
    ForestDnsZones        NS      vpcdc01.migrate.test.
    Note that you must include a trailing period (.) after the full DNS name of the server that you're delegating the subzones to; without it, the server treats the name as relative to the zone and looks for vpcdc01.migrate.test.migrate.test. You also need to leave a blank line at the end of the file. Replace the destination server name and the list of subzones according to your requirements.
  5. Save the updated DNS zone file.
  6. Start DNS by typing
    net start dns
The delegation will now be visible in the NT 4.0 DNS Manager application, as the figure shows. Clients that use the NT 4.0 server can now resolve the service records that AD requires. After the zone delegation, you can run Nslookup against the NT 4.0 server to confirm that the service records resolve, as the following example shows:

nslookup
Default Server:  nt4mas01.migrate.test
Address:  192.168.2.1

> set q=srv
> _ldap._tcp.gc._msdcs.migrate.test
Server:  nt4mas01.migrate.test
Address:  192.168.2.1

Non-authoritative answer:
_ldap._tcp.gc._msdcs.migrate.test       SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = vpcdc01.migrate.test
vpcdc01.migrate.test    internet address = 192.168.2.100
>

Note that the answer is nonauthoritative because the NT 4.0 server obtained it from the delegated Windows 2003 server rather than from its own zone data. If the query fails instead, check the NS record for _msdcs and its trailing period, and check that the glue A record for the delegated server exists.
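As an added example (not part of the original FAQ), the following Python script checks a zone file for the two delegation mistakes that bite most often: an NS target written as a full name but missing the trailing period, and a delegated name server that has no glue A record in the parent zone. The zone text inside it is constructed to mirror the migrate.test example above; the file name, origin and host names are the FAQ's, while the checker itself is mine and not a Microsoft tool. Run it against your own file, for example with check_delegations(open(r'C:\winnt\system32\dns\migrate.test.dns').read(), 'migrate.test'), before you start the DNS service again.

```python
# Added example, not part of the newsletter: sanity-check the delegation records
# in an NT 4.0 style zone file before you start the DNS service again. It flags the
# two mistakes the FAQ warns about: an NS target written as a full name but without
# the trailing period (the server then reads it relative to the zone origin, e.g.
# vpcdc01.migrate.test.migrate.test.), and a delegated server that has no glue A
# record in the parent zone. The zone text below is constructed to mirror the
# FAQ's migrate.test example; nothing is read from or written to disk.
from typing import Dict, List, Set, Tuple


def fqdn(name: str, origin: str) -> str:
    """Lower-case, fully qualified form of a zone-file name; relative names get the origin."""
    name, origin = name.lower(), origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Tuple[Dict[str, Set[str]], Dict[str, List[str]]]:
    """Return (a_records, ns_records) from zone-file text.

    a_records:  FQDN -> set of IPv4 addresses (the glue a delegation needs)
    ns_records: FQDN -> NS targets exactly as written in the file
    Other record types are skipped; SOA continuation lines never carry a type token.
    """
    a_records: Dict[str, Set[str]] = {}
    ns_records: Dict[str, List[str]] = {}
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()                  # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                          # blank or $ORIGIN/$TTL directive
        fields = line.split()
        if not raw[0].isspace():                              # owner name present on this line
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                     # optional TTL and class
        if owner is None or len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == "A":
            a_records.setdefault(fqdn(owner, origin), set()).add(rdata)
        elif rtype == "NS":
            ns_records.setdefault(fqdn(owner, origin), []).append(rdata)
    return a_records, ns_records


def check_delegations(text: str, origin: str) -> List[str]:
    """Return the problems found in the delegation records; an empty list means they look sound."""
    a_records, ns_records = parse_zone(text, origin)
    apex = fqdn("@", origin)
    problems: List[str] = []
    for subzone, targets in ns_records.items():
        if subzone == apex:
            continue                                          # the zone's own NS set
        for written in targets:
            target = fqdn(written, origin)
            if not written.endswith(".") and written.lower().endswith("." + apex.rstrip(".")):
                # Looks like a full name, but the server will append the origin again.
                problems.append(f"{subzone}: NS target '{written}' has no trailing period; "
                                f"the server will read it as {target}")
            elif target.endswith("." + apex) and target not in a_records:
                # In-zone name server without glue: resolvers can't find its address.
                problems.append(f"{subzone}: no glue A record for {target} in this zone")
    return problems


def delegated_subzones(text: str, origin: str) -> List[str]:
    """Sorted list of the subzones the file delegates (every NS owner except the apex)."""
    _, ns_records = parse_zone(text, origin)
    apex = fqdn("@", origin)
    return sorted(s for s in ns_records if s != apex)


# Constructed zone file modelled on the FAQ's migrate.test.dns example.
GOOD_ZONE = """\
;  Database file migrate.test.dns for migrate.test zone (constructed sample)
@                       IN  SOA nt4mas01.migrate.test. admin.migrate.test. (
                            12        ; serial number
                            3600      ; refresh
                            600       ; retry
                            86400     ; expire
                            3600 )    ; minimum TTL

@                       IN  NS  nt4mas01.migrate.test.
nt4mas01                IN  A   192.168.2.1
vpcdc01                 IN  A   192.168.2.100

; Delegate the AD subzones to the Windows 2003 server.
_msdcs                NS      vpcdc01.migrate.test.
_sites                NS      vpcdc01.migrate.test.
_tcp                  NS      vpcdc01.migrate.test.
_udp                  NS      vpcdc01.migrate.test.
DomainDnsZones        NS      vpcdc01.migrate.test.
ForestDnsZones        NS      vpcdc01.migrate.test.
"""

# The same file with the two mistakes the FAQ warns about: _msdcs loses its trailing
# period and _sites is delegated to vpcdc02, which has no glue record.
BAD_ZONE = "\n".join(
    line.replace("vpcdc01.migrate.test.", "vpcdc01.migrate.test") if line.startswith("_msdcs")
    else line.replace("vpcdc01", "vpcdc02") if line.startswith("_sites")
    else line
    for line in GOOD_ZONE.splitlines()) + "\n"

if __name__ == "__main__":
    print("good zone:", check_delegations(GOOD_ZONE, "migrate.test") or "no problems")
    for problem in check_delegations(BAD_ZONE, "migrate.test"):
        print("bad zone: ", problem)
```

The parser deliberately ignores everything except A and NS records, so it is safe to point at a production file: it never rewrites anything, and SOA continuation lines and $TTL directives are skipped rather than misread.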

Q. How can I use a Group Policy Object (GPO) to set the default logon domain?

A. The default logon domain is stored in the DefaultDomainName registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, but there's no built-in Group Policy setting to control it. You can create a simple custom .adm template that lets you set the default domain on every computer that the GPO applies to. To do so, save the following as defaultdomain.adm in the C:\windows\inf folder:

CLASS MACHINE
; A template must start with a CLASS statement; MACHINE puts the setting under
; Computer Configuration, which is where a Winlogon value belongs.
CATEGORY "Logon Settings"
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    POLICY "Default Domain"
      PART "Default Domain" EDITTEXT
        VALUENAME "DefaultDomainName"
      END PART
    END POLICY
END CATEGORY

You can then add this template to an existing or new GPO's Computer Configuration section: right-click Administrative Templates, select Add/Remove Templates, click Add, and select the defaultdomain.adm file. Because the Winlogon key isn't under one of the policy keys (\Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies), the setting is a preference rather than a true policy, and Group Policy Editor hides it until you select Filtering on the View menu and clear the "Only show policy settings that can be fully managed" check box, as the figure shows.

The new setting will be available under Computer Configuration, Administrative Templates, Logon Settings, Default Domain. It writes the specified domain to the registry of every computer that receives the GPO, as the figure shows. Keep in mind the usual caveat for preference settings: the value tattoos the registry, so disabling the setting or removing the GPO later won't put the old DefaultDomainName back; you must set a new value explicitly. During migrations between domains, this setting saves users from having to select the new domain from the drop-down list at logon.

Q. I installed Group Policy Management Console (GPMC). How can I undo the changes it makes to the Group Policy tab of my Site, Domain, and Organizational Unit (OU) Properties dialog boxes?

A. When you install GPMC, it replaces the Group Policy tab in the Microsoft Management Console (MMC) Active Directory Users and Computers and Active Directory Sites and Services snap-ins with a button that starts GPMC, as the figure shows. You can no longer edit GPO links and settings directly from the property dialog boxes as you could before you installed GPMC.

If you want to continue to change Group Policy from within the standard MMC snap-ins, perform the following steps. (However, I stress that GPMC is a superior interface, and in Windows Server 2003 R2 (Release 2) and later, GPMC will be built into the OS.)

  1. Start the registry editor (regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{19195a5b-6da0-11d0-afd3-00c04fd930c9}\Extensions\PropertySheet subkey (this node type is the domain object).
  3. Delete the {789D9216-FDF0-476e-9D73-058C6A7375C3} value, whose data is Group Policy Management.
  4. From the Edit menu, select New, String Value.
  5. Name the new value {D70A2BEA-A63E-11D1-A7D4-0000F87571E3} and press Enter, as the figure shows.
  6. Double-click the new value, enter Group Policy as its data, and click OK.
  7. Close the registry editor.
  8. Restart the Active Directory Users and Computers snap-in.
These steps restore the Group Policy tab for the Domain property dialog box only, not for the OU or Site property dialog boxes. To restore those as well, repeat the steps against the node-type subkeys shown in the table (the same three subkeys appear in the restoregp.reg file below).

Note that you don't have to delete the value that GPMC added (step 3): if both values are present, the property dialog box displays two Group Policy tabs, one that launches GPMC and one with the old built-in Group Policy management functionality.

To add the old-style Group Policy tab to all three dialog boxes in one step, save the following as restoregp.reg and double-click it (or run regedit /s restoregp.reg). The first line is the header that regedit requires in a .reg file; the comment lines identify which directory object each node-type GUID stands for.

Windows Registry Editor Version 5.00

; Domain objects
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{19195a5b-6da0-11d0-afd3-00c04fd930c9}\Extensions\PropertySheet]
"{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}"="Group Policy"

; Organizational units
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{bf967aa5-0de6-11d0-a285-00aa003049e2}\Extensions\PropertySheet]
"{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}"="Group Policy"

; Sites
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{bf967ab3-0de6-11d0-a285-00aa003049e2}\Extensions\PropertySheet]
"{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}"="Group Policy"

Q. What's Microsoft Baseline Security Analyzer (MBSA) 2.0?

A. Microsoft has released the second major version of the MBSA tool, which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=4b4aba06-b5f9-4dad-be9d-7b51ec2e5ac9&DisplayLang=en. MBSA 2.0 runs on Windows Server 2003, Windows XP, and Windows 2000. The tool checks the configuration of, and the updates installed for,

  • the base OS
  • Microsoft Internet Information Services (IIS) 5.0 and later
  • Microsoft Internet Explorer (IE) 5.01 and later
  • missing security updates, update rollups, and service packs that have been published to Microsoft Update
  • Microsoft SQL Server 7.0 and later
  • Microsoft Office 2000 and later

MBSA can scan the local computer or remote computers, and it can scan many computers in one run, selected by domain membership or by IP address range. The GUI guides you through the scan. The tool first downloads the current catalog of available fixes from Microsoft's servers, then scans the selected computers to determine which updates are missing and which configuration checks fail; for each finding, it explains how to resolve the problem. Remote scans require administrator rights on each target computer and, on the targets, the Remote Registry service and file and print sharing (the administrative shares), so on a hardened network, plan the scan account and firewall rules before you start. To run MBSA from the command line or a script, use mbsacli.exe instead of the mbsa.exe GUI.

Q. How can I lock down the remote procedure call (RPC) ports that Microsoft Exchange 2000 Server and later use?

A. By default, the RPC endpoint mapper assigns each of the three client-facing Exchange RPC services (the System Attendant, the Information Store, and the Name Service Provider Interface, or NSPI, proxy) a dynamic port above 1024 each time the service starts. Opening such a port range on a firewall isn't desirable, so you can instead make the three services use fixed ports by making a registry change on each back-end Exchange server.

To give the System Attendant a static port, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters registry subkey and create a REG_DWORD value named TCP/IP Port set to the required port. Under the same subkey, create a REG_DWORD value named TCP/IP NSPI Port for the Exchange Directory NSPI Proxy interface and set it to a different port.

Finally, set the Information Store's static port by creating a REG_DWORD value named TCP/IP Port under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem subkey. Microsoft recommends that you use ports in the 5000 to 65535 range for all three values, and the three ports must be distinct.

Additionally, when Microsoft Outlook 2000 and later clients request address book content from the Exchange server, the Exchange DSProxy service answers the first query itself by looking the information up in a Global Catalog (GC). It then refers the client to that GC so that later address book queries go directly to the GC and the DSProxy service doesn't have to proxy them.

To keep the Outlook clients from talking directly to a domain controller (DC), and thus avoid having to open additional firewall ports to the DCs, you can stop the Exchange server from issuing these referrals by setting the REG_DWORD value No RFR Service under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters subkey to 1.

Note that turning on No RFR Service also makes the Exchange server authenticate the client itself, which means that no Active Directory (AD) communication from the client is required for the entire Outlook session; ordinarily, the Exchange server instructs the Outlook client to authenticate to a DC. The trade-off is that every address book lookup now passes through the System Attendant on the Exchange server. You can find more information about these settings in the Microsoft article "Exchange 2000 and Exchange 2003 static port mappings" (http://support.microsoft.com/?kbid=270836).

Here's the registry file we used to set these values for the test Exchange environment, with ports 40000, 40002, and 40004 (the dword data is the port number in hexadecimal: 40000 is 0x9C40). Save it with a .reg extension and run it on each back-end server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
"No RFR Service"=dword:00000001
"TCP/IP Port"=dword:00009c40
"TCP/IP NSPI Port"=dword:00009c42

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"TCP/IP Port"=dword:00009c44

After you make these changes, restart the Exchange server so that the services register their endpoints on the new ports. The only TCP ports that you then need to open on the firewall between the clients and the server are 135 (the RPC endpoint mapper, which clients still query to learn the port of each interface) and 40000, 40002, and 40004. Before you tighten the firewall, confirm with netstat on the server that the services are actually listening on those ports.
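As an added example (not part of the original FAQ), here's a Python check I'd run after the restart and before tightening the firewall. It joins the output of netstat -ano and tasklist on the back-end server (Windows XP/2003 syntax; the Windows 2000 netstat has no -o switch) to confirm that the System Attendant (mad.exe, which also hosts the DSProxy NSPI interface) and the Information Store (store.exe) are listening on the ports from the registry file, and it reports any expected port that isn't bound, which is the usual symptom of a mistyped value name or a service that wasn't restarted. The netstat and tasklist output embedded in the script is constructed, not captured from a real server, and the process-to-registry-value mapping is my assumption from the subkeys above.

```python
# Added example, not from the newsletter: after the restart, confirm that the Exchange
# services really listen on the static ports set in the registry by joining the output
# of "netstat -ano" with "tasklist" on the back-end server (Windows XP/2003 syntax).
# The port assignments mirror the FAQ's 40000/40002/40004 example; the netstat and
# tasklist text below is constructed, not captured from a real server.
import re
from typing import Dict, List, Set, Tuple

# Assumed mapping of registry values to processes: the System Attendant (mad.exe) hosts
# both "TCP/IP Port" and "TCP/IP NSPI Port" (DSProxy runs inside it); the Information
# Store is store.exe. Adjust the numbers to match your own .reg file.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "mad.exe": {40000, 40002},
    "store.exe": {40004},
}
RPC_ENDPOINT_MAPPER = 135

NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(?P<image>\S+\.exe)\s+(?P<pid>\d+)\s", re.IGNORECASE)


def validate_static_ports(expected: Dict[str, Set[int]] = EXPECTED_PORTS) -> None:
    """Enforce the FAQ's constraints: ports in 5000-65535 (Microsoft's recommendation) and distinct."""
    ports = [p for s in expected.values() for p in s]
    bad = [p for p in ports if not 5000 <= p <= 65535]
    if bad:
        raise ValueError(f"ports outside 5000-65535: {bad}")
    if len(ports) != len(set(ports)):
        raise ValueError("the static ports must be distinct")


def parse_netstat(text: str) -> Dict[int, Set[int]]:
    """PID -> set of TCP ports in the LISTENING state, from 'netstat -ano' output."""
    listening: Dict[int, Set[int]] = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])   # handles 0.0.0.0:p and [::]:p
            listening.setdefault(int(m.group("pid")), set()).add(port)
    return listening


def parse_tasklist(text: str) -> Dict[int, str]:
    """PID -> lower-case image name, from 'tasklist' output."""
    return {int(m.group("pid")): m.group("image").lower()
            for m in map(TASKLIST_LINE.match, text.splitlines()) if m}


def check_static_ports(netstat_text: str, tasklist_text: str,
                       expected: Dict[str, Set[int]] = EXPECTED_PORTS
                       ) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]]]:
    """Return (missing, other).

    missing: image -> expected ports the process is NOT listening on (value mistyped,
             service not restarted, or process not running)
    other:   image -> further ports the same process listens on (other RPC interfaces;
             not needed for Outlook per the FAQ, but worth reviewing on a locked-down host)
    Only images with something to report appear in each dictionary.
    """
    validate_static_ports(expected)
    image_of = parse_tasklist(tasklist_text)
    bound: Dict[str, Set[int]] = {}
    for pid, ports in parse_netstat(netstat_text).items():
        image = image_of.get(pid)
        if image in expected:
            bound.setdefault(image, set()).update(ports)
    missing = {img: want - bound.get(img, set()) for img, want in expected.items()}
    other = {img: bound.get(img, set()) - want for img, want in expected.items()}
    return ({k: v for k, v in missing.items() if v}, {k: v for k, v in other.items() if v})


def firewall_ports(expected: Dict[str, Set[int]] = EXPECTED_PORTS) -> List[int]:
    """Client-to-server TCP ports to open once the static ports are in place."""
    return sorted({RPC_ENDPOINT_MAPPER, *(p for s in expected.values() for p in s)})


# Constructed sample output: the static ports took effect.
NETSTAT_OK = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:40000          0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:40002          0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:40004          0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:1312           0.0.0.0:0              LISTENING       1788
  TCP    192.168.2.50:40004     192.168.2.77:2985      ESTABLISHED     1788
"""
# Constructed sample output: the store never picked up its value and still uses a dynamic port.
NETSTAT_BAD = NETSTAT_OK.replace("0.0.0.0:40004 ", "0.0.0.0:1298  ")
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  820 Console                 0      4,216 K
mad.exe                     1544 Console                 0     22,104 K
store.exe                   1788 Console                 0    150,320 K
"""

if __name__ == "__main__":
    for label, sample in (("ok ", NETSTAT_OK), ("bad", NETSTAT_BAD)):
        missing, other = check_static_ports(sample, TASKLIST)
        print(label, "missing:", missing, "other:", other)
    print("open on the firewall:", firewall_ports())
```

On a real server, paste the two command outputs into files and pass their contents to check_static_ports; an empty missing dictionary means the firewall rule for 135 plus the three static ports is sufficient for Outlook, while any port listed under missing means the registry value did not take effect and the service is still on a dynamic port.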

Note that if you're using Microsoft Office Outlook 2003 on Windows XP Service Pack 1 (SP1) or later with Exchange Server 2003, you can use RPC over HTTP functionality, which means you would need to open only port 443 for HTTP Secure (HTTPS) communication.

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • Sort Through Sarbanes-Oxley, HIPAA, and More Legislation Quicker and Easier!

  • In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost-effective solutions. Register now!
    http://www.windowsitpro.com/seminars/regulatorycompliance/index.cfm?code=0720emailannc

  • All High-Availability Solutions Are not Created Equal--How Does Yours Measure Up?

  • In this free Web seminar, you'll get the tools you need to ensure your systems aren't going down. You'll discover the various categories of high-availability and disaster-recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server.
    http://www.windowsitpro.com/seminars/truehighavailability/index.cfm?code=0720emailannc

  • Antispam product not working?

  • Many email administrators are experiencing increased frustration with their current antispam products as they battle new and more dangerous email threats. In-house software, appliances, and even some services may no longer work effectively, require too much IT staff time to update and maintain or satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users.
    http://www.windowsitpro.com/seminars/antispamsolutions/index.cfm?code=0720emailannc

  • Integrate Fax Services with Business Applications for Big ROI

  • In this free eBook, you'll discover all you need to know about fax technology! You'll learn how to improve business processes by minimizing manual faxing and integrating faxing into your business workflow for improved ROI. The eBook will also look at the how-to of the desktop fax client, fax automation, faxing hardware and software technologies, and the future of faxing. Let this important guide help you stay on top of fax server technology within your business environment.
    http://www.windowsitlibrary.com/Ebooks/faxservers/Index.cfm?code=0720emailannc

  • Ensuring Protection and Availability for Microsoft Exchange

  • Given the heightened awareness around national security and protecting important human and physical assets, having data protection solutions that are cost-effective, hardware independent, and scalable is something every IT manager should seriously consider. In this free white paper, discover how you can ensure that your Exchange environment is always protected.
    http://www.windowsitpro.com/Whitepapers/nsisoftware/exchangeprotection/index.cfm?code=0720emailannc


    Announcements
    (from Windows IT Pro and its partners)

  • July Special--Get Windows IT Pro at 44% Off!

  • Get Windows IT Pro and get answers! Act now to get an entire year for just $39.95--that's 44% off the cover price! You'll also gain exclusive access to the entire Windows IT Pro article database (over 9000 articles). Bonus: The Top 50 Windows Tips handbook. This is a limited-time, risk-free offer, so click here now:
    http://www.windowsitpro.com/rd.cfm?code=wfeu2057wu

  • Vote for the Next MCP Hall of Famer

  • Help decide who the most valuable member of the MCP community is. Take the time to reward excellence to those that deserve it and to make yourself a part of the first ever MCP Hall of Fame. Voting only takes a few seconds, so cast your vote now for Round 5. Click here:
    http://www.windowsitpro.com/mcphalloffame

    Sponsored Link

  • Argent versus MOM 2005

  • Experts Pick the Best Windows Monitoring Solution
    http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/TextLink/1112745096/x14/Penton/WN_Argent_July05_NLSplink_116194/1x1.gif/1

    This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
    http://www.windowsitpro.com/rd.cfm?code=00eu205xeb