Microsoft Application Compatibility Toolkit v4.0 is finally released

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Over the last few months I’ve been critical of the time it’s taken for Microsoft to ship an SP2-aware update to their application compatibility toolkit. Last week, one of the consultants from Microsoft UK e-mailed me to let me know that the Microsoft application compatibility toolkit v4.0 is now available for Windows XP (including SP2) and Windows Server 2003.

The application compatibility toolkit contains tools and documentation to evaluate and mitigate application compatibility issues, including the latest versions of: the Microsoft Application Analyzer, which simplifies application inventory and compatibility reporting; the Internet Explorer Compatibility Evaluator, which assists testers in locating compatibility issues with Internet Explorer on Windows XP SP2; and the Compatibility Administrator, which provides access to the compatibility fixes needed to support legacy applications in Windows.

New features of Windows Server 2003 Active Directory

A couple of weeks back, I was at a Microsoft TechNet UK event, where the topic was New features of Windows Server 2003 Active Directory, presented by John Howard, IT Pro Evangelist, Microsoft UK.

I’ve been working with Active Directory (AD) since the early days of Windows 2000 (Windows NT 5.0 as it was then), and to be perfectly honest wondered how much there could be that’s new with the latest version. Whilst the session was possibly a little lightweight, I was surprised to learn just how many new features there are, as my previous view of Windows Server 2003 was that much of the improved functionality comes in the form of new services.

The new AD features fall into four main areas:

  • Simplified management.
  • Connecting forests.
  • Connecting small offices.
  • Managing group policies.

The rest of this post will discuss each of these in turn.

Simplified management
Simplified management is about improving the user experience for administrators. For example, within the AD Users and Computers and AD Sites and Services management tools, administrators can now drag and drop objects into new containers, OUs or groups, e.g. when adding user(s) or group(s) to a group, or moving a server to a new site.

Tip: Within AD users and computers it helps if the option to view users, groups and computers as containers is selected.

Improvements have also been made in locating objects, with new functionality such as saved queries in AD Users and Computers, accessed like a folder (e.g. queries based on a user or group name or description, or the number of days since the last logon). The queries are LDAP-based and can have their own root (i.e. they do not have to be relative to the whole domain). It should also be noted that saved queries are local to the computer and can be exported – e.g. übergeek queries can be created and exported to a help desk machine.

Tip: To see exactly where an object exists in the directory, turn on advanced features and look in the object page of the item properties.

There are also a whole host of new tools, which can be called from the command line or from within custom scripts, allowing repetitive tasks to be automated and complex commands to be simplified. Back in September 2004, I posted further information on new commands in recent Windows releases, and Microsoft knowledge base article 322684 discusses using the directory service command-line tools to manage Active Directory objects in Windows Server 2003.

Connecting forests
It is now possible to connect forests using trusts (e.g. following a merger or acquisition, or under some business partnership scenarios), simplifying access to resources in both forests and facilitating single sign-on.

Forest trusts can be one- or two-way and create a transitive trust between the domains in each forest, but not between forests. With a forest trust, UPN suffixes are used to publish namespaces, which in turn are used to establish where a logon originates from. Each forest is trusted to be authoritative for the namespace(s) which it publishes.

In order to support forest trusts, both forests must be running at Windows Server 2003 forest functional level.

Connecting small offices
Small or branch offices are often characterised by low speed wide area network links and may not have a local global catalog server, leading to slow logons. Windows Server 2003 includes a new option in the Active Directory Installation Wizard (dcpromo) to create a domain controller from a replica. It works by backing up the system state from an existing domain controller to removable media, then restoring that data on a remote server and running dcpromo /adv. In this way, the initial synchronisation time is reduced, as all the new domain controller needs to synchronise is the changes made since the backup was taken. There is one gotcha though – the backup cannot be older than the tombstone lifetime (60 days by default).

Another useful new feature when connecting small offices is universal group membership caching. Because universal groups may span multiple domains, a global catalog server is required to query the membership (non-global catalog-enabled domain controllers only hold full details for objects in their own domain).

By caching the membership lists for universal groups, global catalog lookups only need to occur once for each universal group. The membership list is held indefinitely, but is refreshed every 8 hours. Universal group membership caching is enabled at the site level, within the NTDS Site Settings.

One alternative to universal group membership caching is to make each branch office domain controller a global catalog server, but this has a cost in increased domain replication traffic.

Managing group policies
One of the major criticisms of Active Directory group policy objects (GPOs) is that they are difficult to administer. Microsoft does provide tools, but until recently they have been limited in their capabilities. Shortly after Windows Server 2003 was released, Microsoft made the Group Policy Management Console (GPMC) available for download. Since then, GPMC with service pack 1 has been released, which includes a number of bug fixes, revised licensing (to allow GPMC to be run against Windows 2000 domain controllers), support for more languages and a revised XML engine.

The GPMC is a new administrative tool for centralised management of GPOs, together with a collection of scriptable objects and associated scripts, which use a combination of Windows Management Instrumentation (WMI), Active Directory Services Interfaces (ADSI) and the GPMC object model.

Surprisingly, although in almost every organisation which uses Active Directory GPOs affect every user within the business, many organisations do not think about backing up and restoring GPOs. Whilst they can be restored with an authoritative AD restore, that is not a simple process; the scripts provided with the GPMC allow policies to be backed up and restored, as well as exported and imported (e.g. between test and production domains/forests).

Tip: Beware (as I found out with one of my clients) that if naming standards allow the use of non-standard characters (e.g. & and ‘), the GPMC scripts may not work as intended. For further information, refer to the September 2004 post which discusses recommendations for Active Directory object naming.

The GPMC also allows modelling of group policies in a similar manner to the previous Resultant Set of Policy (RSoP) tool. This is particularly useful for its ability to highlight the winning GPO for a policy setting, as well as the ability to view (and save) reports in HTML, or XML format (e.g. for intranet publishing and reference by IT support staff). Note that some settings (e.g. WMI, loopback, IPSec, Wireless, and disk quotas) may be estimates. Also, if a client PC used for modelling is running Windows XP service pack 2 with the default Windows Firewall settings and the original version of GPMC is used (i.e. without service pack 1), it will fail as described in Microsoft knowledge base article 883611.

Other useful group policy management tools include Group Policy Monitor (gpmonitor), which is used to create and display reports when policy settings are refreshed and the Group Policy Verification Tool (gpotool), which allows administrators to check GPO stability and monitor policy replication including checking for consistency within and across domains. This tool also displays information about GPOs, including properties that cannot be accessed through the Group Policy Object Editor such as the functionality version number and extension globally unique identifiers (GUIDs). Other diagnostic tools (also available in Windows XP) include Group Policy Results (gpresult) and the Group Policy Refresh Utility (gpupdate).

When diagnosing issues with GPOs, it is also worth checking DNS, as at the event I attended, Microsoft commented that 50% of GPO-related support calls are actually DNS issues.

Another new feature of Windows Server 2003 group policy is software restriction policies, which can be used to confront the problem of regulating unknown or untrusted code. Software restriction policy rules create one or more exceptions to the default security level, defined by software restriction policies.

The following types of software restriction policy rules can be created:

  • Certificate rules, which recognise software that is digitally signed by an Authenticode software publisher certificate.
  • Hash rules, which recognise specific software based on a hash of the software.
  • Path rules, which recognise software based on the location in which the software is stored.
  • Registry path rules, which recognise software based on the location of the software as it is stored in the registry.
  • Internet zone rules, which recognise software based on the zone of the Internet from which the software is downloaded.

Troubleshooting an MS-DOS application which hangs the NTVDM subsystem in Windows XP and Windows Server 2003

I’ve been working on an intriguing (and frustrating) issue for a few weeks now and a couple of days back we finally resolved the issue.

My client has an MS-DOS (FoxPro 2.6a database) application running within an NTVDM on Windows XP. Every now and then, the application will hang – seemingly randomly. Windows XP did have service pack 2 applied, but the issue also occurs on service pack 1 PCs (I didn’t try the RTM version). Only the application hangs – it is possible to terminate the NTVDM process and carry on working as normally.

Normal actions for troubleshooting MS-DOS applications in Windows XP were not helping to resolve the issue, but the software vendor managed to narrow the issue down to FoxPro waiting for input. Occasionally, the input does not time out and return control to the calling program – it seems that this is the root cause of the NTVDM hang. Identifying this allowed them to construct a test program which polled for input, timing out every few seconds, and which would reliably hang an NTVDM at a seemingly random time, but always within an hour.

Using their test program on a variety of PCs, the software vendor found that the problem was related to the Intel hyper-threading technology (my client has standardised on a version of the IBM ThinkCentre M50 which includes a single 3GHz Intel Pentium 4 processor with HT technology). Whilst disabling hyper-threading is unlikely to result in any significant performance degradation (hyper-threading only provides an average 10-20% performance gain as most applications do not fit completely with the hyper-threading model), it was still considered by IBM, Microsoft, my client and myself as a tactical workaround, rather than a strategic fix.

After seeking advice from Microsoft, I ran the test program on a Compaq ProLiant DL380 G2 server with two Pentium III 1.26GHz processors and found that the issue is not limited to Windows XP and hyper-threading, but to both Windows XP and Windows Server 2003 when running with an ACPI Multiprocessor PC HAL. Turning off hyper-threading on the PCs was no longer good enough as we can expect to see multiple processor cores constructed on a single die in the near future, leading to a rise in the use of multi-threaded applications (the logical processor provided by the hyper-threading technology in the Intel Pentium 4 processor is simply a precursor to this).

So why does an MS-DOS application running within an NTVDM on a 32-bit version of Windows use multiple processors? The answer it seems is that although the MS-DOS application is not multi-threaded, modern versions of Windows are, and can allocate parts of the NTVDM process to any available processor. With that in mind we re-ran the test program with processor affinity set to use only CPU0 in Task Manager. The results were the same as disabling hyper-threading – no NTVDM hang! Obviously, setting processor affinity manually is not sustainable outside the test environment, and short of running the application on Windows Server 2003 Enterprise Edition (with the Windows System Resource Monitor to control processor affinity) we needed to find an alternative solution.

That solution came in the form of the imagecfg.exe tool provided with the Microsoft Windows 2000 Resource Kit (supplement one). This can be used to edit an executable file and permanently set the processor affinity for a given application:

Using the imagecfg -a 0x1 c:\windows\system32\ntvdm.exe command did the trick, although Windows File Protection/System File Checker quickly restored the original ntvdm.exe file so I needed to perform this on a copy of ntvdm.exe in a temporary folder, and then overwrite both c:\windows\system32\ntvdm.exe and c:\windows\system32\dllcache\ntvdm.exe.

Once updated, the NTVDM process runs on CPU0. Of course, this limits all programs under the control of the NTVDM subsystem, but it is far preferable to disabling logical or physical processors in the BIOS; however, as this is a change to an operating system file, it must be considered alongside the implementation of any service packs and/or hotfixes from now on. Reversing the change is simply a case of restoring the original ntvdm.exe file.

Windows Server 2003 SP1 RC1 has been released

Back in July, I reported that Microsoft Windows Server 2003 Service Pack 1 (SP1) had been delayed until 2005.

I’ve just read that, a couple of days back, Microsoft released the first release candidate (RC) build of Windows Server 2003 SP1. Windows 2003 SP1 RC1 is available to the public as a 316Mb download for 32-bit x86-based systems or as a 396Mb download for 64-bit Itanium systems.

According to the Windows IT Pro magazine network WinInfo Daily Update, Microsoft expects to ship the final version of Windows 2003 SP1 in early 2005, reporting that:

“Windows Server 2003 SP1 isn’t the huge architectural leap that Windows XP SP2 was [but it] includes an enhanced security infrastructure that borrows the pertinent low-level security features from XP SP2, including the data execution prevention (DEP) technology and Distributed COM (DCOM) restrictions; a new roles-based Security Configuration Wizard (SCW) that makes it easy to close unneeded services and ports given the tasks a server is assigned to perform; Windows Firewall, which provides boot-time and setup-based protection against electronic attacks; and the post-setup Security Update Wizard, which prevents client network access to the server until it’s properly configured.”

Passed Microsoft Certified Professional exam 70-299

This morning I passed the Microsoft Certified Professional exam 70-299: Implementing and administering security in a Microsoft Windows Server 2003 network. Not my best pass rate but it was the first exam I’ve taken for over three years and not a particularly easy one at that.

Microsoft’s non-disclosure agreement prevents me from saying too much about the exam but I can say it involved cramming like crazy (on top of an already busy week at work) to use a voucher that lets me take the exam for free and expires tomorrow.

I’m going to enjoy that extra hour of sleep as British Summer Time ends tonight and the clocks go back an hour!

Script to disable password expiry for local Windows accounts

One of the shortcomings of the net user command in Windows is the inability to set the password never expires flag on an account (account expiry options can be set, but not password expiry; the full syntax is described in Microsoft knowledge base article 251394).

There are 13 flags on an NT SAM/Active Directory user account which may be manipulated using VBScript (for further details of the 13 flags, see Microsoft’s sample scripts or there is some useful information about the object model at the Motobit Software website).

This script can be used to set the password never expires flag on a specified account. I’ve tested it against the local SAM database on a Windows XP PC, but in theory it should work on all versions of Windows NT (2000, XP, 2003 Server, etc.) and also against Active Directory accounts if you run it on a domain controller.
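The following is an added example, not the post’s own script: it sets the password never expires bit of userFlags on a local SAM account via the ADSI WinNT provider, and also reports every local account that already carries the bit, which is the check an administrator wants before and after a change like this. The account and computer names are hypothetical placeholders; run it with cscript.exe as a local administrator.

```vbscript
' Added example (not the original post's script). Sets the "password never
' expires" userFlags bit on one local account and lists all local accounts
' that have it set. Account/computer names below are hypothetical placeholders.
Option Explicit

' One of the userFlags bits (ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 = 65536)
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Sets the flag on strAccount; returns True if the flag is set afterwards.
Function SetPasswordNeverExpires(strComputer, strAccount)
    Dim objUser, lngFlags
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & strComputer & "/" & strAccount & ",user")
    If Err.Number <> 0 Then
        WScript.Echo "Cannot bind to " & strAccount & ": " & Err.Description
        SetPasswordNeverExpires = False
        Exit Function
    End If
    On Error GoTo 0
    lngFlags = objUser.Get("UserFlags")
    ' Only write if the bit is clear, so other flags are preserved untouched
    If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
        objUser.Put "UserFlags", lngFlags Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
    End If
    SetPasswordNeverExpires = _
        ((objUser.Get("UserFlags") And ADS_UF_DONT_EXPIRE_PASSWD) <> 0)
End Function

' Lists local accounts whose password never expires (useful as an audit of
' accounts that escape the domain/local password policy).
Sub ReportNonExpiringAccounts(strComputer)
    Dim objComputer, objUser
    Set objComputer = GetObject("WinNT://" & strComputer)
    objComputer.Filter = Array("user")
    For Each objUser In objComputer
        If (objUser.Get("UserFlags") And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
            WScript.Echo objUser.Name & " : password never expires"
        End If
    Next
End Sub

' Usage: cscript setnoexpire.vbs <account> [computer]   ("." = local machine)
Dim strTarget, strHost
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript setnoexpire.vbs <account> [computer]"
    WScript.Quit 1
End If
strTarget = WScript.Arguments(0)
strHost = "."
If WScript.Arguments.Count > 1 Then strHost = WScript.Arguments(1)

If SetPasswordNeverExpires(strHost, strTarget) Then
    WScript.Echo "Password never expires is now set for " & strTarget
Else
    WScript.Echo "Failed to set the flag for " & strTarget
End If
ReportNonExpiringAccounts strHost
```

The report is worth running on its own from time to time, because every account it lists is exempt from the password age policy and should have a documented reason for being so.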

Command line alternative to the Windows device manager

One of the Microsoft consultants that I have been working with sent me a link to a handy tool today – devcon.exe is a command line alternative to the Windows device manager and full details (including a download link) may be found in Microsoft knowledge base article 311272.

Windows Server 2003 time service not updating from Internet

The Windows Time service (W32Time) uses the Network Time Protocol (NTP) to help synchronize time across a network. NTP is an Internet time protocol that includes the algorithms necessary for synchronizing clocks and is required by the Kerberos authentication protocol in order to ensure that all computers within an enterprise use a common time.

NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows; however W32Time continues to support SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000. NTP uses UDP port 123 for communications. Further details of the Windows Server 2003 implementation may be found in the Windows Server 2003 Technical Reference.

Within an Active Directory forest, the domain controller holding the PDC emulator operations master role in the forest root domain is the head of a hierarchical structure for time synchronisation throughout the forest, and would typically be configured to synchronise with a known time source – either a hardware device, or an Internet time server (in the past I have used the United States Naval Observatory servers tick.usno.navy.mil and tock.usno.navy.mil). This configuration may be established using the following command syntax:

net time /setsntp[:ntp server list]

Best practice would indicate that multiple time sources be configured, by DNS name (rather than IP address); however, even when correctly configured, W32Time errors may be exhibited in the event logs. Microsoft has confirmed this as a problem in Windows Server 2003 and Microsoft knowledge base article 830092 discusses the problem. A hotfix is available from Microsoft Product Support Services (PSS).

Microsoft Windows Server 2003 SP1 delayed

It’s probably not real news to anyone, but Windows XP SP2 has been slipping for a while now and so will Windows Server 2003 Service Pack 1 (SP1).

In last week’s post (Windows Update Services slips into 2005), I reported that the WUS slippage was as a result of using technology from Windows XP SP2, and as can be expected, the first service pack for Windows Server 2003 is closely related to the XP client service pack, with many common features and fixes.

Windows 2003 SP1, like XP SP2, will include multiple security-oriented changes, such as a Security Configuration Wizard that will use the roles-based infrastructure in Windows 2003 to automatically shut down unnecessary ports and services. It will also include any relevant security changes from XP SP2.

Microsoft confirmed that the company will delay Windows Server 2003 SP1 until the first half of 2005 as development can take place in earnest only after XP SP2 is completed.

According to Microsoft:

“We now anticipate that Windows Server 2003 SP1 and Windows Server 2003 for 64-bit Extended Systems will ship in the first half of 2005, whereas we previously estimated the release timing for both to be the end of 2004… As is the case with all Microsoft product schedules, the development cycle is driven by quality, with a focus on the needs of our customers rather than an arbitrary date.”

(Edited from the July 28 2004 WinInfo Daily Update, published by the Windows and .NET magazine network)

Returning the cluster service on a Windows Server 2003 server to an unconfigured state

Over the last few weeks, I’ve been investigating some issues with a clustered server configuration. After having had to rebuild the servers on a number of occasions, I found the advice to return the cluster service to an unconfigured state in Microsoft knowledge base article 282227 extremely useful.