Monday, April 1, 2013

creating active directory in 2003 and 2008 server


Creating the first Windows Server 2003 Domain Controller in a domain
Preface:
One of the greatest features of Windows Server 2003 is its ability to be a Domain Controller (DC).  The features of a domain extend further than this tutorial ever could, but some of its most well known features are its ability to store user names and passwords on a central computer (the Domain Controller) or computers (several Domain Controllers).  In this tutorial we will cover the "promoting" (or creating) of the first DC in a domain.  This will include DNS installation, because without DNS the client computers wouldn't know who the DC is.  You can host DNS on a different server, but we'll only deal with the basics.
Method:
Click Start -> Run...
http://www.visualwin.com/Common/start-menu-run.png
Type "dcpromo" and click "OK"
http://www.visualwin.com/AD-Controller/run-dcpromo.png
You will see the first window of the wizard.  As it suggests, I suggest reading the help associated with Active Directory.  After this, click "Next"
http://www.visualwin.com/AD-Controller/welcome-wizard-next.png
Click "Next" on the compatibility window, and in the next window keep the default option of "Domain Controller for a new domain" selected, and click "Next"
http://www.visualwin.com/AD-Controller/dc-type-next.png
In this tutorial we will create a domain in a new forest, because it is the first DC, so keep that option selected
http://www.visualwin.com/AD-Controller/new-domain-next.png
Now we have to think of a name for our domain.  If you own a web domain like "visualwin.com", you can use it, but it isn't suggested because computers inside of your domain may not be able to reach the company website.  Active Directory domains don't need to be "real" domains like the one above - they can be anything you wish.  So here I will create "visualwin.testdomain"
http://www.visualwin.com/AD-Controller/ad-dns-name.png
Now in order to keep things simple, we will use the first part of our domain ("visualwin"), which is the default selection, as the NetBIOS name of the domain
http://www.visualwin.com/AD-Controller/ad-netbios-name.png
The next dialog suggests storing the AD database and log on separate hard disks, and so do I, but for this tutorial I'll just keep the defaults
http://www.visualwin.com/AD-Controller/ad-db-location.png
The SYSVOL folder is a public share, where things like .MSI software packages can be kept when you will distribute packages (as I said, AD has a lot of different features).  Once again, I will keep the default selection but it can be changed if you wish to use the space of another drive
http://www.visualwin.com/AD-Controller/ad-sysvol-location.png
Now we will get a message that basically says that you will need a DNS server in order for everything to work the way we want it (i.e., our "visualwin.testdomain" to be reachable).  As I mentioned earlier, we will install the DNS server on this machine as well, but it can be installed elsewhere.  So keep the default selection of "Install and configure", and click "Next"
http://www.visualwin.com/AD-Controller/dns-diag.png
Because, after all, this is a Windows Server 2003 tutorial website, we'll assume there are no pre-Windows 2000 servers that will be accessing this domain, so keep the default of "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems" and click "Next"
http://www.visualwin.com/AD-Controller/ad-permissions.png
The restore mode password is the single password that all administrators hope to never use, however they should also never forget it because this is the single password that might save a failed server.  Make sure it's easy to remember but difficult to guess
http://www.visualwin.com/AD-Controller/ad-restore-mode-pw.png
Now we will see a summary of what will happen.  Make sure it's all correct because changing it afterwards can prove to be difficult
http://www.visualwin.com/AD-Controller/ad-summary.png
After you click "Next" on the summary, the actual process occurs.  This can take several minutes.  It's likely that you will be prompted for your Windows Server 2003 CD (for DNS), so have it handy
http://www.visualwin.com/AD-Controller/configuring-ad.png
If your computer has a dynamically assigned address (from DHCP) you will be prompted to give it a static IP address.  Click "OK", and then in the Local Area Connection properties, click "Internet Protocol (TCP/IP)" and then "Properties"
http://www.visualwin.com/AD-Controller/lac-properties.png
In the next window select "Use the following IP address" and enter the information that you will use for your domain (and 127.0.0.1 for the primary DNS, because your computer will host DNS.  I still suggest setting up an alternate as well.)  Click "OK" and then "Close" on the next window
http://www.visualwin.com/AD-Controller/tcp-ip-properties.png
And after a while you will see
http://www.visualwin.com/AD-Controller/ad-finished.png
And we're finished.
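To confirm that the DNS server installed by the wizard really publishes the records clients use to find the new DC, the following PowerShell check can be run on the DC. It is an added example, not part of the original tutorial. It assumes PowerShell is installed, uses the tutorial's domain name and the local DNS server, and Test-DcLocatorRecords is a hypothetical helper name.

```powershell
# Added example (not from the original tutorial).
# Checks that the DNS zone of the new domain holds the SRV records that the
# Netlogon service registers and that clients query to locate a DC.
# Assumptions: domain name taken from the tutorial, DNS hosted on this machine.

function Test-DcLocatorRecords {
    param(
        [string]$Domain    = 'visualwin.testdomain',
        [string]$DnsServer = '127.0.0.1'
    )

    # SRV names a domain controller registers for its domain.
    # The last entry assumes this domain is the forest root (first DC in a new forest).
    $names = @(
        "_ldap._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )

    foreach ($name in $names) {
        # nslookup prints one "svr hostname = <fqdn>" line per SRV answer.
        $text    = (& nslookup.exe '-type=SRV' $name $DnsServer 2>$null | Out-String)
        $targets = @([regex]::Matches($text, 'svr hostname\s*=\s*(\S+)') |
                     ForEach-Object { $_.Groups[1].Value })

        New-Object PSObject -Property @{
            Record  = $name
            Found   = ($targets.Count -gt 0)
            Targets = ($targets -join ', ')
        }
    }
}

$results = @(Test-DcLocatorRecords)
$results | Format-Table Record, Found, Targets -AutoSize

$missing = @($results | Where-Object { -not $_.Found })
if ($missing.Count -gt 0) {
    # Netlogon re-registers its records when the service is restarted.
    Write-Warning ("{0} locator record(s) missing. Check that the zone accepts dynamic updates, then restart the Netlogon service." -f $missing.Count)
}
```

A workstation that cannot resolve these names will fail to join the domain, so this is also the first thing to check when a join fails.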
You may also want to see the other Active Directory tutorials on the main page, including adding users, and adding computers to the Active Directory, either manually into the domain, or from existing Windows XP and Windows 2000 computers.
Copyright ©2002-2012 Jonathan Maltz.







Adding users to Active Directory
Preface:
As you know, if you try to add AD users using lusrmgr.msc you will receive the following error:

And since I cover creating a local user (lusr) I thought it would only be right to cover creating an Active Directory user.
Method:
Click Start, highlight "Administrative Tools" and select "Active Directory Users and Computers"

Now, expand your domain name on the left side, and go to the bottom where it says "Users".  Once you click on that, you will see all of the automatically created users.  You will also see all of the users you made before you ran dcpromo - that's because they all stay through the promotion to DC.  Anyway, to add a user, you can right click either the "Users" folder on the left side or the blank area on the right side, highlight "New", then click "User"

In the next dialog we can set the user's First name, Last name and various other pieces of information, including their log-on name, and domain to which we want to add them

After clicking "Next" you are presented with the password-settings screen.  You can set the user's password and then have them change it on their first log-on by selecting "User must change password at next logon".  But in this tutorial, I will set it as their password, and not allow them to ever change it without asking me (the administrator) to change it for them

In the next dialog, we get a summary of the user to be created.  Click "Finish" and the user has been created

And we're finished!
You may also want to see the other Active Directory tutorials on the main page, including adding computers to the Active Directory, either manually into the domain, or from existing Windows XP and Windows 2000 computers.








Adding a computer to Active Directory
Preface:
Earlier, I showed you how to add users to your Active Directory domain.  This tutorial will focus on how to add computers.  This step is not "really" necessary for workstation computers - at least, I was able to add a Windows XP machine to my domain without adding the computer name first.  This section is really for looking at which computers join, allowing other servers to join as DCs, etc.  I will show you how to add the computer using "Active Directory Users and Computers", then in other tutorials, I will demonstrate how to add a Windows 2000 computer and Windows XP computer to this domain.
Update:
Brian Desmond (Windows Server MVP) emailed me with the following information on why someone might want to add a computer to AD manually:
"By default a computer will get dumped in the Computers container, unless a Windows 2003 Native Mode Domain is inplace, and redircomp has been run to change this. Precreating computer accounts in OUs will ensure that when the unit is joined, it is in the correct OU, which guarantees policy consistency, and other administrative things. One can also specify who can reset the machine’s password. This will allow an admin to create an account for a computer, and let a normal user join the machine with their credentials."
Method:
Click Start, highlight "Administrative Tools" and select "Active Directory Users and Computers"

Expand your domain name, and right-click "Computers", highlight "New" then click "Computer"

In this dialog we have to type the name of the computer we want to add

In the next dialog just click "Next", then you will see a final report of what will be added, and you can click "Finish".
And, we're done!
You may also want to see the other Active Directory tutorials on the main page, including adding users, and existing Windows XP and Windows 2000 computers to the domain.










Adding a Windows XP computer to a Windows Server 2003 domain
Preface:
This is basically the same procedure as the Windows 2000 tutorial.  Some things to note about adding a Windows XP computer to a domain are the following:
· You need Windows XP Professional to join an XP computer to a domain.  Home can't be used fully for this
· You will lose the "fancy" log on screen and you will receive the "classic" log on screen instead.  This is for security and cannot be changed, unless you revert to workgroup mode
· You will lose the "Fast User Switching".  This cannot be restored, except by reverting back to workgroup mode.
Method:
Click Start, right click "My Computer" and click "Properties"

Go to the "Computer Name" tab and click "Change..."

Select the "Domain" radio button, then put in your domain name without the extension after the dot (in my example I used the domain "hello.test", but when joining the computer to a domain I will only type "hello")

Press "OK".  Then you will be presented with a user name and password prompt.  Enter the user name and password of a Domain Administrator

Press "OK" and after a minute or two you will receive a message welcoming you to the domain.  Then you will receive a message telling you that a reboot is required, click "OK" to that, and the properties window.  Then click "Yes" when you are prompted to reboot.
And we're finished.  You have just learnt how to add a Windows XP computer to a Windows Server 2003 domain
Additive:
After the XP computer boots to Control-Alt-Delete you may need to change it from logging onto itself (which will use the local info) to logging onto the domain.  To do this, press Ctrl-Alt-Del, then the "Options >>>" button on the log on screen.  Then select the domain from the drop-down box

After that you can log on using domain credentials









Adding a Windows 2000 computer to a Windows Server 2003 domain
Preface:
I have already shown you how to add AD users and computers to a Windows Server 2003 Active Directory domain.  In this tutorial I will show you how to add a Windows 2000 computer to the domain.  The method for adding Windows XP is basically the same, but I have created another tutorial for XP, which is available here.
Method:
On the Windows 2000 computer, go to the desktop and right click "My Computer" and select "Properties"

In the dialog that comes up, go to the "Network Identification" tab and press the "Properties" button

Under "Member of" click the "Domain" radio button, then type the name of your domain without the trailing extension (for example, my domain name is "hello.test" but I only typed in "hello")

Now you will be prompted to put in the user name and password of a Domain Administrator.  Enter the correct information, and press "OK"

Now, wait for about a minute or two and you should receive this message welcoming you to the domain

That's it.  Press "OK", then "OK", then "OK" in the configuration dialog, and finally "Yes" to reboot, and you will be able to log onto the domain using an AD user name and password (not the local 2000 password).
Additive:
After the 2000 computer boots to Control-Alt-Delete you may need to change it from logging onto itself (which will use the local info) to logging onto the domain.  To do this, press Ctrl-Alt-Del, then the "Options >>>" button on the log on screen.  Then select the domain from the drop-down box

After that you can log on using domain credentials










Setting up Perl/CGI to work with Windows Server 2003
The following things are assumed:
1.     You are running Windows Server 2003
2.     IIS 6.0
3.     You installed ActiveState ActivePerl (http://www.activestate.com) to C:\Perl.  UPDATE: ActivePerl 5.8.2 Build 808 and higher should add the Web Service Extensions during install
4.     You are using default (unmodified) ACLs/Permissions
Also, all of my reasoning is explained after the step-by-step is done, at the bottom of the page.
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).
Click the name of your computer then click "Web Service Extensions", on the left side of the main frame you will see a green arrow pointing to a link that says "Add a new Web service extension...", click that link.
In that window, where it asks for the extension name, you can put anything, like "CGI script".  Under the "Required Files" section put the following in (without the apostrophes): 'C:\Perl\bin\perl.exe "%s" %s'.  Click OK to the notification, click "Set status to allowed" and press OK.
Now, load up a command prompt (Start->Run... type cmd) and type (without the quotes) "md c:\inetpub\cgi-bin"
Back in the IIS Manager right click Default Web Site highlight "New" in the pop-up menu and click "Virtual Directory..." in the new menu
Click Next on the first dialog in the wizard, then as the alias put "cgi-bin" and click Next, then as the path in the next dialog put in "c:\inetpub\cgi-bin".  On the next dialog leave everything checked, check Execute as well, and click Next
Click Finish to end the wizard.
Now right-click cgi-bin and click properties
Click Configuration in the lower right-hand area of the dialog and make sure .pl is there (if it isn't, add it the way you see it)
Making your scripts work
To make your scripts work the shebang line (#!/usr/bin/perl) should now be #!C:\Perl\bin\perl.exe .  Any reference to any files should be changed from /home/user etc, to c:/home/user or c:\\home\\users - note the double back-slashes.
Also, renaming your .cgi scripts to .pl is highly recommended - it's what I do myself ;-)
Assuming this is all done correctly, you should now be able to run your Perl scripts successfully using Windows Server 2003, and IIS 6.0
My reasoning
Q:  Why do you make cgi-bin in \inetpub and not in \inetpub\wwwroot even though you're going to be making a Virtual Directory there anyway?
A:  The reasons I go through these extra few steps are (1) to bring in a command shell (open one of those and you immediately look smart, plus it makes things go wwaaayyy quicker), and (2) I got it from the *nix world.  What can I say, back when I hosted on Linux that's the way the directories were set up, so it stayed with me.  Bottom line is, you don't need it like that, it's just the way I prefer.
Q:  Why do you have a cgi-bin folder at all?
A:  It is always better to keep your scripts separate from your regular files.
Q: If you know that ActivePerl 5.8.2 Build 808 and higher automagically add the service extensions, why do you still have this tutorial?
A: Many reasons.  First, this tutorial isn't only for Perl, but for anything similar. Second, just in case :-)


















Setting up PHP to work on Windows Server 2003
The following things are pre-assumed:
1.     You are running Windows Server 2003
2.     IIS 6.0
3.     You have installed PHP (http://www.php.net) to C:\PHP (installation issues are at the bottom of this page)
4.     You are using default (unmodified) ACLs/Permissions
Update: Tom McDermid has brought to my attention that in the PHP 5 line, the EXE name is "php-cgi.exe" instead of "php.exe", so when installing PHP 5, remember to replace "php.exe" in this tutorial with "php-cgi.exe"
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).
Click the name of your computer then click "Web Service Extensions", on the left side of the main frame you will see a green arrow pointing to a link that says "Add a new Web service extension...", click that link.
For the Extension name put something like "PHP" in and for the Required Files put "C:\PHP\php.exe", also check to set it to allowed
Now load a command prompt (Start->Run... type cmd) and type "md c:\inetpub\wwwroot\phpscript"
Back in the IIS Manager double-click "Web Sites", click "Default Web Site", right-click the directory "phpscript" and click properties
In the new dialog click Create then Configuration (Configuration will only become enabled after you click Create).  If you don't see .php listed then add it by clicking Add... and setting the following
Click OK and OK and you should be set to run your PHP scripts
Installation issues
Q: I tried installing PHP and got some error about there not being an OCX or something, either way, now I can't execute my scripts :-(
A:  The error you received was stating that an OCX control (ActiveX) that the PHP installer uses wasn't found, don't worry, that's the reason I wrote this tutorial :-)
My reasoning
Q:  Why do you use the Command prompt to make directories when you can just load Explorer and make it that way?
A:  I find it quicker to do by command line, but any method will work.



Setting up PHP-ISAPI on Windows Server 2003
Preface:
I showed you here how to set up PHP using the CGI executable.  Since then I've learnt that the ISAPI DLL may be faster and more secure, so this tutorial will show you how to set up the ISAPI DLL instead.  Credit and thanks go to Keith W. McCammon for setting this up on his website, http://mccammon.org/php/iis6_install.php .  Made visual with permission from Keith.  Something to note is that these directions had in mind default (unmodified) ACLs/Permissions.
Method:
Unzip the latest PHP ZIP file to C:\PHP, and copy php.ini-recommended from that folder to C:\windows\php.ini, then copy php4ts.dll to C:\Windows\System32

Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).

Click the name of your computer then click "Web Service Extensions", on the left side of the main frame you will see a green arrow pointing to a link that says "Add a new Web service extension...", click that link.

Set the extension name to anything you'd like, put C:\PHP\sapi\php4isapi.dll as the Required file, also check "Set status to allowed"

Go to the directory you'd like to configure PHP for in the IIS Manager, right click it, and select properties

Click the Create button, set the Execute permissions to "Scripts only", then click the Configuration button

Click Add.  For the Executable put C:\PHP\sapi\php4isapi.dll, for the Extension put ".php", set the verbs to all, and make sure the bottom check boxes are checked

Click OK and OK

Enabling ASP
Preface:
ASP and ASP.NET are NOT! the same thing.  Some people enable ASP.NET hoping that ASP will work also, this is just not the case.  IIS 6.0 comes with ASP disabled by default, and this will show you how to enable it.
Method:
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).

Go to the Web Service Extensions tab, click Active Server Pages, then press the "Allow" button on the left

Your ASP pages should now work :-)








Setting Host Headers in IIS 6.0
Preface:
Many people would like to have several web sites hosted on their own computer, maybe they want something like hello.domain.com and goodbye.domain.com both on the same computer.  IIS can use host headers to see what the end user tried viewing, and it will show the correct web page based on that.
Method:
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).

On the left side, expand your computer name, then click "Web Sites", right click in the right side, put your mouse over "New" and select "Web Site..."

Click Next in the dialog, then put in a description of the new web site you are creating (can be anything)

Now here's the important part.  Go to the last text box and put in what you want the new Host Header to be

Now put in the path to your new site and make sure you keep "Allow anonymous access" checked

For added security, if you don't plan on using ASP or anything similar, then uncheck "Run scripts".  You can always enable it at another time

Click Finish on the next dialog and you're done!
Questions:
Q: How do I add a host header for a site already made?
A: Go back to where we were before.  Click on "Web Sites" and right click the website and select "Properties"

In that dialog click the Advanced button

Now click Add

Put in the TCP port 80 (port 80 is the default website port, so people can type http://some.site instead of having to type http://some.site:port) and your new header below it

Now click OK and OK and you're done!
Q: Do I need to set anything in DNS or my website's Name Servers if I have a top level domain?
A: The answer is yes, you need to add an (A) name, but since all programs are different, I will not display how.


Backing up your IIS 6.0 Metabase
Preface:
In previous versions of Internet Information Services (IIS) configurations were stored in the registry.  Part of IIS 6.0's rebuilding was changing where the configuration is stored, which is now a file named MetaBase.xml in your \WINDOWS\system32\inetsrv directory.  Sure, you can copy that file (and possibly MBSchema.bin.00000000h) to a separate directory, but a smarter way to do this is to use IIS 6.0's built-in back-up mechanism.  There are 2 ways to do this, but I'll only be showing you the graphical one at the moment.
Method:
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).

Right click your computer name, put your mouse over "All tasks" and click "Backup/Restore Configuration"

Click Create Backup

Now you can make up any name you want, not including dots (.).  You can also password protect the back up if you choose

That's it, you're done!  To restore the backup you can now select the backup you just made and press the Restore button

Your backup is stored in C:\WINDOWS\system32\inetsrv\MetaBack under the name you gave it.  Actually, it will be 2 files.  In the example I gave above 2 files were created:
visualwin backup.MD0
visualwin backup.SC0

I recommend copying these files to another folder, just in case.
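The non-graphical way is the iisback.vbs script that ships with IIS 6.0. The PowerShell wrapper below is an added example, not from the original tutorial: it takes a backup, copies the newest .MD/.SC pair to another folder as recommended above, and verifies each copy by hash. The backup name and the destination D:\IISBackups are assumptions, as is PowerShell being installed on the server.

```powershell
# Added example (not from the original tutorial).
# Assumptions: backup name and destination folder are placeholders;
# PowerShell is installed and the script runs as an administrator.
param(
    [string]$BackupName  = 'visualwin-backup',   # no dots, as noted above
    [string]$Destination = 'D:\IISBackups'       # hypothetical folder on another volume
)

$metaBack = Join-Path $env:SystemRoot 'system32\inetsrv\MetaBack'
$iisback  = Join-Path $env:SystemRoot 'system32\iisback.vbs'

if ($BackupName -notmatch '^[\w \-]+$') {
    throw 'Use only letters, digits, spaces, hyphens and underscores in the backup name.'
}

function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# 1. Create the backup. NEXT_VERSION lets iisback pick the next free version
#    number, which becomes the digits after .MD / .SC in the file names.
#    "/e <password>" encrypts the backup, but a password passed on the command
#    line is visible to anyone who can list processes on the server.
& cscript.exe //nologo $iisback /backup /b $BackupName /v NEXT_VERSION
if ($LASTEXITCODE -ne 0) { throw "iisback.vbs exited with code $LASTEXITCODE" }

# 2. Find the newest .MD<n> / .SC<n> pair for this backup name.
$pattern = '^' + [regex]::Escape($BackupName) + '\.(MD|SC)(\d+)$'
$files   = @(Get-ChildItem -Path $metaBack | Where-Object { $_.Name -match $pattern })
if ($files.Count -eq 0) { throw "No backup files for '$BackupName' found in $metaBack" }

$latest = [int]($files |
                ForEach-Object { [int]($_.Name -replace '^.*\.(MD|SC)', '') } |
                Measure-Object -Maximum).Maximum
$pair   = @($files | Where-Object { $_.Name -match ('\.(MD|SC)' + $latest + '$') })

# 3. Copy the pair off the system volume and verify each copy.
if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}
foreach ($file in $pair) {
    $target = Join-Path $Destination $file.Name
    Copy-Item -Path $file.FullName -Destination $target -Force
    if ((Get-Sha256 $file.FullName) -ne (Get-Sha256 $target)) {
        throw "Hash mismatch after copying $($file.Name)"
    }
    Write-Host "Copied and verified $($file.Name)"
}
```

The metabase holds site configuration, so the destination folder should carry the same restrictive permissions as the inetsrv directory.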
Setting up SSL with a SelfSSL certificate on Windows Server 2003
Preface:
This tutorial will demonstrate how to install SelfSSL from the IIS Resource Kit ( http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en ) and set up the certificate in IIS 6.  I will assume you have already downloaded the kit (linked to above) and IIS.
Update:
Poul Bak emailed the following information about these certificates:
"If you set a host header in IIS and you specify that name in SelfSSL you will NEVER see a security warning (because the name of the certificate and the server matches).

Now if you try to access the site from another computer, you WILL get a security warning (not from a trusted authority). This can be avoided if you export the certificate to a file and then import it on the computer from which you want to access the site.

In fact, using self-signed certificates is a great way to ensure your intranet is just as safe as using a 'paid for' certificate - what can be more safe than a certificate that has never left the building - it's guaranteed, that no one has changed it on its way."

Method:
Run iis60rkt.exe.  You will see the welcome screen - click Next

In the next dialog, read over the EULA and select "I agree" and press Next.  In the next dialog, you can usually just press "Next" because your information is usually entered already.

Now in this next dialog, select "Custom" and press "Next"

Here you can change the path of where it installs, just click Next.  In the next dialog we have an option of what we can install.  In this tutorial I will only be installing "SelfSSL" so I will unselect everything else.  You can install whatever looks interesting, if you wish.

Now you will be presented with an overview, you can click "Next" and the install will copy the selected files.  When that's done, click "Finish"
Now we will create a certificate.  Click Start -> All Programs -> IIS Resources -> SelfSSL -> SelfSSL

Type "selfssl /T", without the quotes and press "y" when prompted.  Rocky reported that if you type "selfssl /T /N:CN=" then you will only be prompted once in Internet Explorer to accept the certificate.  Thanks Rocky

Now load "https://localhost" in Internet Explorer, and click "Yes" to view a secure site.  You will be presented with the following warning:

That is because SelfSSL makes a certificate only meant to be used in testing.  The connection will still be a secured one, but every time you load it you will get that message.
That's all!  I hope you found this information useful.
Enabling ASP.NET
Preface:
ASP and ASP.NET are NOT! the same thing. Some people enable ASP hoping that ASP.NET will work also, this is just not the case. IIS 6.0 comes with ASP.NET disabled by default, and this will show you how to enable it.
Method:
Click Start, put your mouse over Control Panel, and click Add/Remove Programs

Now click Add/Remove Windows Components

Click on "Application Server" and click "Details"

In this window, select "ASP.NET" (which will put a checkmark next to it) and click "OK", then "Next" and "Finish"

At this point your ASP.NET pages should work, and we're just going to make sure that the Web Service Extension is enabled in the IIS Manager.  Now, load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager)

Expand your computer name and click on "Web Service Extensions".  Make sure "ASP.NET" has a checkmark next to it, and that means that it's enabled

And that's all!  Your ASP.NET pages should now work










Shell (GUI)


Disabling Internet Explorer Enhanced Security Configuration
Preface:
Windows Server 2003 shipped with security locked down by default.  Part of this locking down is Internet Explorer Enhanced Security which is an extra layer of protection when surfing the internet using Internet Explorer (more information can be found by going here on a Windows Server 2003 [test] machine).  Some people want to uninstall it.  That's OK, Microsoft allows that, and that's what this will show you how to do.
Before we start, understand the way the uninstaller works.  You can uninstall the entire Configuration, or just for users, or just for Administrators.  The un-installer is set up like this:

Enhanced Security
->For Administrators
->For Users

If you have just random users connecting via Remote Desktop or Terminal Services, you may want to leave the Users configuration installed.  This tutorial will be removing all of it.
Method:
Click Start, put your mouse over Control Panel, and click Add/Remove Programs

Now click Add/Remove Windows Components

After a few seconds a window will pop-up.  Click the check mark next to Internet Explorer Enhanced Security Configuration (to make it unchecked).  If you'd like to only disable it for Administrators or only for Users you can click Details and do so.

Press Next, let it finish, and it's complete!
Questions:
Q: How do I know if it is enabled?
A: When you open Internet Explorer up you will see this dialog

Q: How do I know if it's disabled?
A: When you load up Internet Explorer, it will tell you:
Caution: Internet Explorer Enhanced Security Configuration is not enabled



Disabling Internet Explorer Enhanced Security Configuration on Windows Server 2008
Preface:
Windows Server 2003 and, subsequently, Windows Server 2008 shipped with security locked down by default.  Part of this locking down is Internet Explorer Enhanced Security, which is an extra layer of protection when surfing the internet using Internet Explorer (more information can be found by going here on a Windows Server 2008 [test] machine).  Some people want to disable it.  That's OK, Microsoft allows that, and that's what this tutorial will show you how to do. As we will soon see, we have the option to disable the Enhanced Security Configuration (ESC) for Administrators, Users, or both. In this tutorial, we will be disabling it for both types of user.
Method:
Click Start, move your cursor over Administrative Tools, and click Server Manager

Now, under "Security Information" on the main Server Manager pane, click Configure IE ESC

The Internet Explorer Enhanced Security Configuration will open, allowing you to choose whether to have it enabled for Administrator and/or User groups. Because in this tutorial we are disabling the configuration for all users, we set both radio buttons to "Off", and press "OK".

And that's all! From the next time Internet Explorer is loaded, IE ESC will not be enabled.
Questions:
Q: How do I know if it is enabled?
A: Upon loading Internet Explorer, the home page will tell you:
Internet Explorer Enhanced Security Configuration is enabled
Q: How do I know if it's disabled?
A: When you load up Internet Explorer, it will tell you:
Caution: Internet Explorer Enhanced Security Configuration is not enabled


Enabling the Luna (Windows XP) theme on Windows Server 2003
Preface:
Enabling themes is an unsupported and not recommended thing to do in Windows Server 2003 and CAN CAUSE INSTABILITY!!
The method:
First, click Start, highlight Administrative Tools, then click Services.  (Also, remember how this Start Menu looks because it will be the last time you see it like this unless you go back to the Windows Standard theme :-)
 
Scroll down to "Themes" and double-click it, set the start-up type to Automatic, click Apply, and then click "Start" (Start will only become enabled after you set the start-up type to Automatic and !click Apply! [or Manual, but you don't want that]).  Then press OK to leave the window

Now right-click your desktop, and click Properties

Under theme click Windows XP, then click Apply, and congratulations, you've enabled Luna

You may also want to refer to the Direct X how-to page for instructions on speeding up graphics, etc





Enabling DirectX and Graphics Acceleration on Windows Server 2003
Preface:
You should NOT enable DirectX and Graphic Acceleration on this OS.  It is a server, and is meant to be used as one.
Method:
Right-click on your desktop and select Properties

Go to the Settings tab and click Advanced

Go to the Troubleshoot tab and move the slider to Full

Press OK and OK.
Now go to Start->Run... and type dxdiag; after a little wait the progress indicator should disappear.  Now go to the Display tab and make sure the 3 DirectX features are Enabled

You've just enabled DirectX and Graphics Acceleration




Disabling the Shut Down Tracker
Preface:
The shut down tracker is used to...well...track the reasons a computer is going for shut down.  As a server, a computer should not be shut down or rebooted manually very often, which is why this feature is in place.  Some people, however, find it irritating so it can be disabled if you'd like.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Click the + sign next to Administrative Templates (the one in Computer Configuration under Local Computer Policy) then click System

Double click Display Shutdown Event Tracker (highlighted above) and select the Disabled radio button and press OK





Not Requiring Ctrl-ALT-DEL at logon
Preface:
As a security feature of Windows NT based operating systems (NT 4, Windows 2000, Windows XP as a domain member or under certain settings and Windows Server 2003) you are required to press Ctrl-ALT-DEL before being prompted for a user name and password at log-in.  Personally I like the feature but some people do not, so I'll show you how to disable it :o)  Please note:  This will not auto-login for you, it will only disable the C-A-D prompt and jump right to the login screen.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies then click on Security options

Double click Interactive Logon: Do not require CTRL+ALT+DEL and set it to Enabled, then press OK















General


Enabling sound on Windows Server 2003, Enterprise Edition
Preface:
Windows Server 2003, Enterprise Edition comes with sound disabled.  Windows Server 2003, Standard Edition comes with sound enabled.  If sound doesn't work for you in Standard edition then check the drivers, etc.  Once again, sound being disabled is not a problem for Standard users :-)
Method:
Click Start, Administrative Tools, then Services

Scroll down to Windows Audio, and double click it, set start-up to Automatic, click Apply, click OK, then click Start






Disabling Application Error Reporting on Windows Server 2003 (and XP, also)
Preface:
There is absolutely no good reason to disable this service in pre-release or released software.  If a program or computer crashes, then once the computer recovers it makes a detailed report (with no personally identifiable information in it) about how the crash happened and sends it off to Microsoft.  They then look over it, and try to fix it, which makes a better OS for everyone. This is not a recommended procedure.
Method:
Click the Start button, and right-click My Computer and click Properties from the pop-up menu

In the System Properties dialog that has come up, click the Advanced tab, and then the Error Reporting button

In the next dialog click the Disable radio button, and optionally, so you don't get any notices of system failures at all, uncheck But notify me...

Now press OK, Apply, and OK, and Error Reporting has now been disabled.




Creating a New User on Windows Server 2003
Preface:
Even if you will not be using Terminal Services or have any other users using your server it is ALWAYS recommended to create an additional two (2) users, apart from Administrator.  These two users are - another member of the "Administrators" group (to avoid actually logging on with the Administrator account, but you have the same privileges) AND a regular user, who is part of the "Users" group.  It is recommended to only log on with the regular user, and use the "runas" command when you need to run a program as an Administrator, and to only log on with the secondary Administrator user when it is absolutely needed.  This will show you how to create a secondary Administrator.
Method:
Click the Start button, then Run...

Then type "lusrmgr.msc" without the quotes

In the window that opens, right click in the right panel and click "New User"

In the New User dialog, type in your preferences for a new user name and password (this will be our secondary Administrator account).  Uncheck User must change password, and check Password never expires

Now, right click the new user and click Properties in the pop up menu

Go to the "Member of" tab and press the Add button

Type "Administrators" without the quotes, then press the Check Names button (to complete the name, it will add the name of your computer) and press OK when it is done, then press OK on the Local Users and Groups dialog

We now have a secondary Administrator account! To have a regular user (highly recommended) do the same as above, until the User properties.
 My reasoning
Q: If I already made a new Administrator account why do I have to make a user account?
A: You don't have to, you never have to, but it is recommended in case you stay logged on, and someone gains control of the desktop (locally or remotely).
Q: Should I stay logged in with the Administrator account or the plain user account?
A: You should log out when you are not doing work on the server directly, however, if you have a program that requires you to be logged in for it to work (a good example is the bandwidth monitoring program, DU Meter) then you should stay logged in with the ordinary user account.






Enabling the CD-Burning Service on Windows Server 2003
Preface:
In theory you should use a workstation to write CDs, but in a few situations you may find yourself needing to burn CDs from within Windows Server 2003.
Method:
Click Start, Administrative Tools, then Services

Scroll down to the "IMAPI CD-Burning COM Service", right click it and click Properties

Set the Startup type to Manual, !Click Apply!, Then click Start.

Press OK and we've enabled the CD burning service.  Install a CD burning program, and you should be able to write CDs.  When you reboot, the service won't be started at boot, but when you try to burn a CD it will start (and when you are finished with the CD the service will stop again).




Disabling Automatic Updates on Windows Server 2003, step-by-step
Preface:
Windows comes with a built-in feature to keep your computer always up to date with Windows Update by including a program called Automatic Updates.  Personally, I want to know when I'm updating my server and not let some program do it for me, so in this case we would disable it.
Method:
Click the Start button, then right click My Computer and click Properties

Now, go to the Automatic Updates tab, and click the checkbox (to de-select) "Keep my computer up to date..." and click Apply then OK








Setting Account Lockout Durations
Preface:
This will show you how to set up Windows Server 2003 to watch for invalid log-in attempts, and lock the account against more unsuccessful log-ins for a certain amount of time.  This is extraordinarily helpful for remote logging in via Remote Desktop and the like.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, then Account Policy and click Account lockout

Double click on Account lockout threshold and put in a desired "max log-in attempt", I'll use 5 for the sake of this tutorial

When you click OK you will get a dialog box saying it will enable 2 other things with recommended settings, click OK, we'll be changing those anyway

Double click Account lockout duration.  This will be the amount of time after 5 unsuccessful log-ins the account will be locked for.  I will be locking the account for one hour (60 minutes).  Put in the value you'd like and press OK

Double click Reset account lockout counter after: .  This is how long you want Windows Server 2003 to remember invalid log-ins for lockout.  For example, we will set it to be 60 minutes.  That means, after 5 unsuccessful log-ins to a single account within 60 minutes time, the account will be locked for 60 minutes, per our previous settings

Done!  We have now blocked against a certain amount of unsuccessful log-ins (5) that occur within a certain amount of time (60 minutes) and Windows Server 2003 will lock that account for a certain amount of time (60 minutes)
Uh oh, I locked myself out!
Don't worry, it happens to the best of us.  Sure, you could wait the hour to log in, or you can log in with a user in the Administrators group, click Start -> Run...

Type "lusrmgr.msc" and press OK

Click the users folder and then double click the locked out user.  You will see a checkbox checked by "Account is locked out".  Un-checking that will unlock the account

My reasoning
Q: Why do you set the invalid log-in attempt to only 5?  That could lock out more users than I'm wishing to unlock
A: It was merely for the sake of an example.  I believe 5 should be more than enough to correct a mistyped letter or so in a password.  If you start to see that it isn't enough, you can change it by going back, just as easy as it was set.
Q: I think I was locked out but I'm really not sure.  What will the dialog look like at log on?
A: Well it basically says you've been locked out, here's a picture:






Setting a Minimum Password Length
Preface:
Users can change their own passwords at any time by pressing Ctrl-ALT-Del, clicking the Change Password button, typing their old one, and their new desired one.  This isn't bad and it's a good habit for users to get into (don't want other people figuring out the users' passwords, do you? :-/).  While setting passwords can be a good thing, you don't want your users setting their passwords to, let's say, "h" or something way too easy to guess.  Unfortunately, the way Windows Server 2003 ships, users can do this.  In this tutorial we will set a minimum length.  It is not difficult, and it needs to be done, but it gets overlooked a bit too much.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, then Account Policy, then Password Policy

Double click Minimum password length and set a good sized password.  I will use 7 characters

That's it.  Users trying to change their passwords to one under the minimum length will now be presented with this very odd looking error





Logging Failed Log-in Attempts
Preface:
This will show you how to set up Windows Server 2003 to log failed attempts at logging into the system, along with the failed passwords, etc.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies, and click Audit Policy

Double click Audit account logon events, make sure success is checked, then check failure also

Do the same for Audit logon events

Now, any unsuccessful log-ins will be shown in the Security section of the Event Viewer.  The following information about the log-in failure will be displayed:
Reason 
User Name
Domain (or computer name if no domain is present)
Logon Type
Logon Process  
Authentication Package
Workstation Name
Caller User Name
Caller Domain (or workgroup)
Caller Logon ID
Caller Process ID
Transited Services
Source Network Address
Source Port

If you notice this repeatedly from the same computer (it shows the workstation name and IP) then you can take appropriate actions.
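The check suggested above, carried out over exported failure records, as an added example that is not part of the original tutorial.  It groups failures by Source Network Address and reports any source with 5 or more failures inside 60 minutes (the numbers used in the Account Lockout tutorial), including sources that spread their attempts over many accounts so that no single account is ever locked.  The timestamp in front of each record and the sample records themselves are constructed for illustration.

```python
"""Group failed log-in records by source and flag bursts inside a time window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample.  Field names are the ones listed above; the timestamp
# in front of "Logon Failure:" is an assumed export layout.
RECORD = ("{when} Logon Failure:\n"
          "\tReason:\tUnknown user name or bad password\n"
          "\tUser Name:\t{user}\n"
          "\tDomain:\tFILESRV\n"
          "\tLogon Type:\t{logon_type}\n"
          "\tWorkstation Name:\t{workstation}\n"
          "\tSource Network Address:\t{address}\n"
          "\tSource Port:\t{port}\n")
ROWS = [
    # One remote source, six different accounts, ten minutes.
    ("2013-04-01 09:00:05", "administrator", 10, "WS-A", "203.0.113.7", 4312),
    ("2013-04-01 09:01:10", "admin", 10, "WS-A", "203.0.113.7", 4313),
    ("2013-04-01 09:02:30", "backup", 10, "WS-A", "203.0.113.7", 4315),
    ("2013-04-01 09:04:00", "guest", 10, "WS-A", "203.0.113.7", 4318),
    ("2013-04-01 09:06:45", "jsmith", 10, "WS-A", "203.0.113.7", 4320),
    ("2013-04-01 09:09:20", "test", 10, "WS-A", "203.0.113.7", 4322),
    # A user mistyping a password three times.
    ("2013-04-01 10:15:00", "jsmith", 3, "DESK-12", "198.51.100.20", 1301),
    ("2013-04-01 10:15:20", "jsmith", 3, "DESK-12", "198.51.100.20", 1302),
    ("2013-04-01 10:15:41", "jsmith", 3, "DESK-12", "198.51.100.20", 1303),
    # Console failures 90 minutes apart; no network address is recorded.
    ("2013-04-01 08:00:00", "operator", 2, "FILESRV", "-", "-"),
    ("2013-04-01 09:30:00", "operator", 2, "FILESRV", "-", "-"),
    ("2013-04-01 11:00:00", "operator", 2, "FILESRV", "-", "-"),
    ("2013-04-01 12:30:00", "operator", 2, "FILESRV", "-", "-"),
    ("2013-04-01 14:00:00", "operator", 2, "FILESRV", "-", "-"),
]
SAMPLE_EVENTS = "\n".join(
    RECORD.format(when=w, user=u, logon_type=t, workstation=ws, address=a, port=p)
    for w, u, t, ws, a, p in ROWS)

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+Logon Failure:")
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Turn the exported text into a list of dicts, one per failure record."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%Y-%m-%d %H:%M:%S")
            current = {"time": stamp}
            events.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return events


def noisy_sources(events, threshold=5, window=timedelta(minutes=60)):
    """Map each source with >= threshold failures inside `window` to a summary."""
    by_source = defaultdict(list)
    for event in events:
        address = event.get("Source Network Address", "-")
        # Console log-ins record "-" here, so fall back to the workstation name.
        if address in ("", "-"):
            address = event.get("Workstation Name", "unknown")
        by_source[address].append(event)

    report = {}
    for source, failures in by_source.items():
        failures.sort(key=lambda event: event["time"])
        busiest, start = 0, 0
        for end, event in enumerate(failures):
            # Slide the start of the window forward until it spans <= window.
            while event["time"] - failures[start]["time"] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            per_user = Counter(f.get("User Name", "").lower() for f in failures)
            report[source] = {
                "max_in_window": busiest,
                "users": sorted(per_user),
                # Below the lockout threshold means no account was ever locked.
                "max_per_account": max(per_user.values()),
            }
    return report


if __name__ == "__main__":
    for source, summary in noisy_sources(parse_events(SAMPLE_EVENTS)).items():
        print(source, summary)
```

In the sample, the flagged source never fails more than once per account, so the per-account lockout set earlier would not have triggered; only the per-source count shows it.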






Securing Security Options
Preface:
I thought about making a separate page for each one of the settings I will be dealing with in this section of the Group Policy Management Console but instead, I've decided to put them into one page.  If you do not want to mess with a particular setting, pressing the "next section" link will automatically bring you down to the next section.
Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies then click on Security options
Since we have already created a secondary administrator in the New User tutorial, you may not want the Administrator account enabled, so we have the option to disable it.  This may cause problems, so instead of disabling it, you may just want to make a really secure password (that you still remember!) for it and not use it.
Double click Accounts: Administrator account status and set the radio button to Disabled

If you are worried about people seeing the user name of the last person logged in (at the Ctrl-ALT-DEL log in screen) then you can disable showing it.
Double click Interactive Logon: Do not display last user name.  Set the radio button to Enabled

Double click Interactive Logon: Message text for users attempting to logon.  Type in the message you want displayed and press OK

Well, we have the message text to show up after pressing Ctrl-ALT-DEL at log-in.  How about we set up a title to go with that.
Double click Interactive Logon: Message title for users attempting to logon.  Now type in what you want to display at the title bar

That's all!  Feel free to look around the other settings in this tree if you are curious.  Most of the other settings are secure already.
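To confirm that the settings from the lockout, password length, audit and Security Options tutorials actually took effect, the local policy can be exported with "secedit /export /cfg policy.inf" and checked offline.  The following is an added example, not part of the original tutorials: it parses such an export and lists every setting that differs from the values used on this page (5 attempts, 60 minutes, 7 characters, success and failure auditing), and it also reports whether the Ctrl-ALT-DEL requirement has been switched off.  Treating those tutorial values as limits is an assumption, and the sample template is constructed.

```python
"""Audit a `secedit /export /cfg` template against the values used on this page."""

# Constructed sample in the layout secedit writes; only part of the
# tutorial has been applied on this imaginary server.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
ResetLockoutCount = 60
LockoutDuration = 60
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
"""

# Registry value names are stored lower-cased so look-ups ignore case.
POLICY_KEY = "machine\\software\\microsoft\\windows\\currentversion\\policies\\system\\"


def load(path):
    """Read an exported template; secedit writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()


def parse_inf(text):
    """Return {section: {key: value}}; registry data loses its '<type>,' prefix."""
    sections, current, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = sections.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if name == "Registry Values":
            key = key.lower()
            value = value.split(",", 1)[1] if "," in value else ""
        current[key] = value.strip('"')
    return sections


def _number(section, key, default=None):
    """Integer value of a key, or default when it is absent or not numeric."""
    try:
        return int(section[key])
    except (KeyError, ValueError):
        return default


def audit(text):
    """Return findings as (setting, found, expected) in a fixed order."""
    inf = parse_inf(text)
    access = inf.get("System Access", {})
    events = inf.get("Event Audit", {})
    registry = inf.get("Registry Values", {})
    findings = []

    def check(setting, found, ok, expected):
        if not ok:
            findings.append((setting, found, expected))

    threshold = _number(access, "LockoutBadCount", 0)
    check("Account lockout threshold", threshold, 1 <= threshold <= 5, "1 to 5")
    if threshold:
        # The duration and reset keys are only present once a threshold is set.
        # -1 is how a template records "locked until an administrator unlocks".
        duration = _number(access, "LockoutDuration", 0)
        reset = _number(access, "ResetLockoutCount", 0)
        check("Account lockout duration", duration,
              duration == -1 or duration >= 60, ">= 60 minutes")
        check("Reset account lockout counter after", reset, reset >= 60,
              ">= 60 minutes")

    length = _number(access, "MinimumPasswordLength", 0)
    check("Minimum password length", length, length >= 7, ">= 7")

    # Audit values are bit flags: 1 = success, 2 = failure, 3 = both.
    for key, label in (("AuditAccountLogon", "Audit account logon events"),
                       ("AuditLogonEvents", "Audit logon events")):
        value = _number(events, key, 0)
        check(label, value, value == 3, "3 (success and failure)")

    hide = _number(registry, POLICY_KEY + "dontdisplaylastusername", 0)
    check("Do not display last user name", hide, hide == 1, 1)
    no_cad = _number(registry, POLICY_KEY + "disablecad", 0)
    check("Do not require CTRL+ALT+DEL", no_cad, no_cad == 0, 0)
    return findings


if __name__ == "__main__":
    for setting, found, expected in audit(SAMPLE_INF):
        print(f"{setting}: found {found}, expected {expected}")
```

For a real export, pass the result of load("policy.inf") to audit() instead of the sample.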




Finding your new hard drive
Preface:
Many people have 2 or more hard drives in their computers, then after the installation they load "My Computer" and to their surprise the hard drives aren't there!  This tutorial helps you find out that your hard drive is OK and will assign a drive letter, so you can access it in "My Computer"
Method:
Start -> Run...

Type "compmgmt.msc" (without the quotes)

Under "Storage" click on "Disk Management" and while it is loading you will see

When it's done loading you should see something like the following

There it is!  That's the drive's partition we've been looking for!  Right click it, and click "Change Drive Letters and Paths..."

In the new dialog box you'll see an empty list box - that's where our drive letter will be.  So click the Add button

You now have the option of making this hard drive show up in place of an empty folder on another NTFS drive (like if C:\imbored is an empty folder, we can mount the drive there, and all the contents of the drive will show up in C:\imbored), but in this tutorial we will use a drive letter, in my case, E:

Now you can close Computer Management and load "My Computer".  You'll see that our new drive is now there!










Terminal Services


Enabling Audio Mapping for Remote Desktop/Terminal Services
Preface:
When connecting to RD (Remote Desktop) or TS (Terminal Services) using the built-in Windows client (mstsc), even with "Remote computer sound" set to "Bring to this computer", you won't hear anything from the remote computer by default.  Thanks to John Losey and his post to microsoft.public.windows.server.networking (mirrored here for download) this problem is solved.
Update January 19th, 2005:  In addition to the instructions below, the server (as well as the client) must have a sound card, or this will not work
Method:
Start -> Run...

Type "tscc.msc" without the quotes, and press OK

On the left side you should see that "Connections" is selected, on the right side you should see, under the "Connection" tab, RDP-Tcp.  Right click that, and press properties

Go to the Client Settings tab, and under "Disable the following:" you will see "Audio mapping" checked.  Uncheck it.  Now press OK and you should be set!

Special thanks to John Losey on the Windows Server groups for posting the original message (I was kind of wondering how to do it myself ;-)


Enabling Remote Desktop
Preface:
Remote Desktop is a great way to work on your computer from basically anywhere (if you set up your internet connection sharing device properly).  The port it runs on is 3389; forward that on your router to be available from anywhere in the world.
Method:
Click the Start button, and right-click My Computer and click Properties from the pop-up menu

Go to the "Remote" tab and check "Allow users to connect remotely to this machine"

At this point, only Administrators can access the machine.  To allow more users, click "Select Remote Users..." and click the "Add" button in the new dialog

In the next dialog, type in the name of a regular user and press OK

And that's all!  To connect to a virtual desktop (2 are allowed in Windows Server 2003) run "mstsc" from a Windows XP/2003 machine and type the address (for other systems you can download the RD client 5.2 from this address http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=a8255ffc-4b4a-40e7-a706-cde7e9b57e79 ).  To connect to the console session, you must either have logged in locally to the machine, then try accessing it, or be an Administrator.  You run either "mstsc /console" or connect to /console.
At this point, you want to enable audio mapping for TS/RD.  Check here for information on how to do so.









Volume Shadow Service


Setting up and Using the Volume Shadow Copy Service

Setting up Shared Folders (Part 1 of 3)
Preface:
Here I will demonstrate how to share a folder; this is a very important part of VSS
Method:
Click Start then "My Computer"

Go to the directory above the one you wish to share.  In this example I will share the folder "folder" on G:

Right click the folder and click "Sharing and Security"

Click "Share this folder", then, if you would like, change the name of the desired share.  After you do that, click the "Permissions" button

Now you can change who will have access to what on this shared resource, but for the sake of this tutorial, we will give "Everyone" "Full Control".  After you select "Allow" for "Full Control", Click "OK" and "OK" on the Share window

Go back to the folder above the shared one in Explorer and you will see a hand under the folder icon which shows that the folder is now shared

And that's it for the sharing section.  Continue on to part 2 for setting up VSS.


Setting up and Using the Volume Shadow Copy Service
Setting up the Volume Shadow Service (Part 2 of 3)
Preface:
Now we will configure VSS to take "snapshots" twice a day; this way we can revert to files from those different times
Method:
Click Start then "My Computer"

In "My Computer" right click a drive (doesn't matter which) and click "Properties"

Go to the "Shadow Copies" tab, scroll down to the drive with the share(s) on it that you wish to have VSS'ed and click "Enable".  The next process will take some time because it is making the first shadow copy.  All other times it makes shadow copies will take about as long, and if more content is added, it will take even longer because it needs to copy that extra as well

Now we will move onto scheduling copies to be made.  You can also change the amount of space devoted to shadow copies if you would like (if it ever exceeds that limit it will automatically delete the oldest copies first).  Click "Settings" on the Shadow Copies window

On the next window, click "Schedule"

As you can see, some defaults have already been put into place, but what if you don't like those?  Well, click "Delete" to delete one (or both) of the existing defaults, then click "New" and it will put in another default, which we can change to our liking.  Let's say your server's lowest load is at 4:37 AM; then you want to make it 4:37 AM every day, like so:

But wait a second - nobody's in the office on the weekends and very few people VPN in to do their work then also, so how about we make a 10:00 AM volume copy every Saturday and Sunday.  Click "New" again, then select "Weekly" and check off Saturday and Sunday
   
Click "OK" 3 times and you're back to your desktop.  For restoring from backups, continue on to part 3




Setting up and Using the Volume Shadow Copy Service
Restoring Previous Versions (Part 3 of 3)
Preface:
This is part 3 of this 3 part tutorial.  I will now show you how to restore the previous version of a file.  Be sure to have another backup of the file(s) just in case!  I won't be held responsible for this.
Method:
Browse to one of your VSS enabled shares over a network from another computer

Open a file in its appropriate program.  In this case I will open right-click-share.png in MSPAINT

Now erase everything in it and save the file

"WHAT?!?!?! You erased the contents of that file?!?!!?! I needed that to complete this tutorial!".  We've all said some version of that to ourselves after making an enormous mistake.  Lucky us, we'll just restore it to this morning's backup.  Back in Explorer, right click the file and click "Properties"

Go to the "Previous Versions" tab and behold, there is that file in all of its glory, not the version that was completely whited out!  From here you can view, copy and/or restore it.  We'll just restore it, so click the "Restore" button

In the warning, it tells you that you will lose any changes made to the file since that snapshot was taken, but that's ok, because that means we will get the file as it was this morning (in its original form) and replace the empty one

Ready for the magic?  Click the file in Explorer again and look at the preview

And that's it!  It works the same for text documents, Word documents, and most other file formats.  Now that we have the original file restored, we can finish this tutorial!
I hope you found this informational





FrontPage Server Extensions



Setting up and using FrontPage Server Extensions
Installing FrontPage Server Extensions (Part 1 of 4)
Preface:
In this tutorial, I will show the simple task of installing FrontPage Server Extensions.  Probably a good tutorial to start the FPSE "series".
Method:
Click Start, put your mouse over Control Panel, and click Add/Remove Programs

Now click Add/Remove Windows Components

Click on "Application Server" and click "Details"

Click on "IIS" and then "Details"

Put a checkmark next to "FrontPage 2002 Server Extensions" and then click "OK" twice, and then next on the original window

During the install you will be asked for your Windows installation CD, put it in and the install will continue

Click finish and that's all!  But because we don't trust installation routines, let's go to the FPSE Administration site (we'll be going there a lot) and see if FPSE is really there.  Because the port number that the new site takes on seems to be a little random, we'll use the Start Menu to show us the way.  Click Start -> Administrative Tools -> Microsoft SharePoint Administrator

Looks good!

Continue on to part 2 for an overview of FrontPage Server Extensions, and basic configuration



Setting up and using FrontPage Server Extensions
Setting the default (global) settings in FPSE (Part 2 of 4)
Preface:
This tutorial will overview FPSE and show some of the basic settings.  Thanks to Joseph Voldeck for providing most of the content in tutorials 2-4 of this set.
Method:
Still have the Administration site open from last tutorial?  If not, open it again.  Click Start -> Administrative Tools -> Microsoft SharePoint Administrator

Now let's set the available rights for this server.  On the administration site, click "Set list of available rights"

Now we're presented with the list of available rights.  This will vary based on what your server does, who accesses it, etc, but for the sake of this tutorial, we will keep the default "Select all" option to give you maximum control

Head back to the main website now and click "Set installation defaults".  This will allow us to set things like the default SMTP server for any FP Virtual Server(s) on this machine

Next, set your defaults like mail server and from/reply-to addresses.  You may also want to "Allow authors to upload executables" because some types of CSS content fail without it.  When entering the mail server, be sure you have relay rights! Without this, most servers will not be able to send mail outside of their own domain (for example, mail.example.com won't be able to send to an @example2.com).  It is for this reason that many people use an internal mail server where they have an open relay, but since it is not accessible by the rest of the world (be sure it's internal or you may have a spam problem) there is nothing major to worry about

And that's all for the default settings!
Continue on to part 3 to extend websites so they also have FPSE on them
Copyright ©2002-2012 Jonathan Maltz.




Setting up and using FrontPage Server Extensions
Extending a website for use with FPSE (Part 3 of 4)
Preface:
This tutorial will show the extending of a website so that FPSE can be used.  A website doesn't have the functionality that FPSE adds without being "extended," even if it is on a server where FPSE has been enabled.  Thanks to Joseph Voldeck for providing most of the content in tutorials 2-4 of this set.
Method:
To extend a server, we need to load the "Extend virtual server with FrontPage Server Extensions 2002" webpage.  There are two ways to do this, and both will be shown in this tutorial.  Immediately below is the method that uses the IIS Manager, and below that is the method that uses the Start Menu.
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).
Expand the Computer Name and the "Web Sites" folder, then right click on the website you want to extend, mouse over "All tasks" and click "Configure Server Extensions 2002"
Continue on to "Setting it up," below

Click Start -> Administrative Tools -> Microsoft SharePoint Administrator
On the right-hand column next to the website you want to extend, click the "Extend" link
Continue below
Setting it up:
Regardless of the method used to get here, you will now be at this page.  Click the "Submit" button after optionally specifying an alternate Administrator for the site
You will see the change being applied
And back to the main site, you will see the FPSE version listed next to the site, which indicates that everything is successful
And the site has been extended!
Continue on to part 4 to configure roles and user permissions













In this article, you will learn to create an additional domain controller in an existing domain using backup media.
Before creating the new Domain Controller, you first need to make sure:

1. The account you use to log in and start the procedure must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
2. You must have backed up the system state of an existing domain controller in the domain where the new server will be set up. You can back up using ntbackup from Start => Run => then type ntbackup
During the wizard, choose to back up the system state

Figure-1 DC System State Backup
Please note: if a domain controller that was backed up contained an application directory partition, the application directory partition will not be restored on the new domain controller.

To create an additional domain controller for an existing domain from backup, follow the procedure below:
1. Restore the files to an alternate location via your backup software, or use NTBACKUP, but make sure not to restore them to their original location (choose Advanced Mode and choose to restore files to an alternate location; for details see the figure below)
Figure-2 Use Ntbackup Advanced Mode to restore files to an alternate location
2. After the files are restored, open the Active Directory Installation Wizard by running dcpromo with the /adv option from a command prompt:
Dcpromo /adv
3. Next, click Additional domain controller for an existing domain, and then click Next.
Figure-3 Domain Controller Type Selection
4. Under Copy Domain Information, select From these restored backup files, browse to the backup files you created in step 2, and click Next.
Figure-4 Copying Domain Information page
5. If the domain controller from which you restored the System State data was a global catalog, you will have the option to make this new domain controller a global catalog.
Figure-5 To configure this additional DC as a Global Catalog too
6. Enter credentials of a user who is part of the Domain Admins group in the domain you are promoting the domain controller into and click Next.
Figure-6 Enter Network Credentials
7. Choose the folders to store the Active Directory database and log files and click Next. We will use the default path.
Figure-7 Choose folder to store the AD database and log files
8. Choose the folder to store SYSVOL and click Next.
Figure-8 Choose location for SYSVOL folder
9. Enter a Restore Mode password and click Next.
10. Click Next to start the promotion.



Create A Child Domain In Windows Server 2003

Posted by Diana Huggins on May 11, 2005
If you are familiar with Active Directory, you probably know that you can create multiple domains within a single forest. Multiple domains form trees within a forest. A tree can be defined as a hierarchical arrangement of Windows Server 2003 (or Windows 2000) domains within a forest.
A tree is established when a child domain is added to the hierarchy under an existing parent domain. When you add a new domain as a child domain, it inherits a portion of its namespace from its parent. When you create a new tree within a forest you are establishing a new namespace.

You can create a new child domain under Windows Server 2003 using the steps below:
1.     On the member server that you want to turn into a domain controller, click Start, and then click Run.
2.     Type dcpromo and click OK. This launches the Active Directory Installation Wizard. Click Next.
3.     Click Next.
4.     Select Domain controller for a new domain. Click Next.
5.     Select Child domain in an existing domain tree. Click Next.
6.     Type in the appropriate network credentials (must be a member of the domain administrators in the parent domain). Click Next.
7.     Type in the domain name of the parent domain. Type in the new name of the child domain. Click Next.
8.     Click Next to accept the suggested NetBIOS name for the new domain.
9.     Click Next to accept the default settings for the database and log locations.
10.   Click Next to accept the default settings for the shared system volume.
11.   Click Next.
12.   Select the permission level you want to use. Click Next.
13.   Type in a password for the Directory Services Restore Mode Administrator Password. Click Next.
14.   From the Summary dialog box, click Next.
15.   Click Finish.
16.   Click Restart Now.



How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

For a Microsoft Windows 2000 version of this article, see the following Knowledge Base article:
314934  HOW TO: Use Group Policy to Remotely Install Software in Windows 2000
This step-by-step article describes how to use Group Policy to automatically distribute programs to client computers or users. You can use Group Policy to distribute computer programs by using the following methods:
· Assigning Software
You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is finalized.
· Publishing Software
You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
Note: Windows Server 2003 Group Policy automated-program installation requires client computers that are running Microsoft Windows 2000 or later.


Create a Distribution Point

To publish or assign a computer program, you must create a distribution point on the publishing server:
1.         Log on to the server computer as an administrator.
2.         Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
3.         Set permissions on the share to allow access to the distribution package.
4.         Copy or install the package to the distribution point. For example, to distribute Microsoft Office XP, run the administrative installation (setup.exe /a) to copy the files to the distribution point.
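
A check worth running once the permissions from step 3 are set, as an added example that is not part of the original article: a package assigned to a computer is installed at startup rather than by the logged-on user, so anyone who can overwrite files on the distribution point controls what gets installed. The PowerShell (2.0 or later) below lists NTFS entries that grant write-type rights to principals other than SYSTEM, Administrators and Domain Admins. The function name, the trusted-SID list and the path D:\Packages are assumptions, and share-level permissions need a separate check.

```powershell
# Added example: list NTFS entries on a distribution point that let a
# non-administrative principal change or replace the packages stored there.
function Get-WritableAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SID patterns allowed to hold write access (assumption: adjust to your delegation model).
        [string[]]$TrustedSidPattern = @(
            'S-1-5-18',          # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',      # BUILTIN\Administrators
            'S-1-5-21-*-512'     # Domain Admins of any domain
        )
    )

    # Specific rights that allow content or ACL changes, plus the raw
    # GENERIC_WRITE / GENERIC_ALL bits that inherit-only entries may carry.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Ask for SIDs instead of names so the comparison works on localized systems.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        $sid = $ace.IdentityReference.Value
        $trusted = $false
        foreach ($pattern in $TrustedSidPattern) {
            if ($sid -like $pattern) { $trusted = $true; break }
        }
        if (-not $trusted) {
            New-Object PSObject -Property @{
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Hypothetical local path of the folder behind the share.
$findings = @(Get-WritableAce -Path 'D:\Packages')
if ($findings.Count -gt 0) {
    $findings | Format-Table Sid, Rights, Inherited -AutoSize
} else {
    'No write-capable entries for non-administrative principals.'
}
```

Client computers and users only need read access to the folder; any entry this reports should be removed or justified before a GPO points at the share.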

Create a Group Policy Object

To create a Group Policy object (GPO) to use to distribute the software package:
1.         Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.         In the console tree, right-click your domain, and then click Properties.
3.         Click the Group Policy tab, and then click New.
4.         Type a name for this new policy (for example, Office XP distribution), and then press ENTER.
5.         Click Properties, and then click the Security tab.
6.         Click to clear the Apply Group Policy check box for the security groups that you want to prevent from having this policy applied.
7.         Click to select the Apply Group Policy check box for the groups that you want this policy to apply to.
8.         When you are finished, click OK.

Assign a Package

To assign a program to computers that are running Windows Server 2003, Windows 2000, or Microsoft Windows XP Professional, or to users who are logging on to one of these workstations:
1.         Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.         In the console tree, right-click your domain, and then click Properties.
3.         Click the Group Policy tab, select the group policy object that you want, and then click Edit.
4.         Under Computer Configuration, expand Software Settings.
5.         Right-click Software installation, point to New, and then click Package.
6.         In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi.

Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
7.         Click Open.
8.         Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
9.         Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
10.      When the client computer starts, the managed software package is automatically installed.

Publish a Package

To publish a package to computer users and make it available for installation from the Add or Remove Programs tool in Control Panel:
1.         Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.         In the console tree, right-click your domain, and then click Properties.
3.         Click the Group Policy tab, click the group policy object that you want, and then click Edit.
4.         Under User Configuration, expand Software Settings.
5.         Right-click Software installation, point to New, and then click Package.
6.         In the Open dialog box, type the full UNC path of the shared installer package that you want. For example, \\file server\share\file name.msi. 

Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
7.         Click Open.
8.         Click Publish, and then click OK.
9.         The package is listed in the right pane of the Group Policy window.
10.      Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
11.      Test the package:

Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
a.         Log on to a workstation that is running Windows 2000 Professional or Windows XP Professional by using an account that you published the package to.
b.        In Windows XP, click Start, and then click Control Panel.
c.         Double-click Add or Remove Programs, and then click Add New Programs.
d.        In the Add programs from your network list, click the program that you published, and then click Add. The program is installed.
e.         Click OK, and then click Close.

Redeploy a Package

In some cases you may want to redeploy a software package, for example, if you upgrade or modify the package. To redeploy a package:
1.         Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.         In the console tree, right-click your domain, and then click Properties.
3.         Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
4.         Expand the Software Settings container that contains the software installation item that you used to deploy the package.
5.         Click the software installation container that contains the package.
6.         In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Redeploy application. You will receive the following message:
Redeploying this application will reinstall the application everywhere it is already installed. Do you want to continue?
7.         Click Yes.
8.         Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Remove a Package

To remove a published or assigned package:
1.         Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.         In the console tree, right-click your domain, and then click Properties.
3.         Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
4.         Expand the Software Settings container that contains the software installation item that you used to deploy the package.
5.         Click the software installation container that contains the package.
6.         In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Remove.
7.         Do one of the following:
· Click Immediately uninstall the software from users and computers, and then click OK.
· Click Allow users to continue to use the software but prevent new installations, and then click OK.
8.         Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.