Ask Dr. Bob Your NT Questions - 01 Dec 1997

Send us your tips and questions. You can also visit Bob Chronister'sonline Tricks & Traps at http://www.winntmag.com/ forums/index.html.

Q: I just started getting the message, "Not enough server storage is available to process this command." I have not done anything different. What's causing this message?

A common cause for this message has to do with the PagedPoolSize in theWindows NT Registry. If you receive this message, you might have a non-zeroPagedPoolSize entry in the Registry. Open the Registry and go to the HKEY_LOCAL_MACHINESYSTEM CurrentControlSetControl Session ManagerMemory Management key. Set the PagedPoolSize value to 0. If you have to change this value, you will have to reboot your system.

Q: I have several servers with lots of RAM (at least 256MB in each machine), and I would like to optimize the file system performance. Can I speed up the file system activity on these machines?

Given the amount of RAM on these machines, you might want to change theIoPageLockLimit value in the Registry. You can usually speed up file systemactivity by increasing this value from its default setting of 512KB to 4096KB ormore. This value specifies the number of bytes that Windows NT can set aside forI/O operations. When this value is 0, the system uses the default setting(512KB). The maximum value is roughly the equivalent of physical memory minuspad (memory set aside for the file so the system can access the file frommemory), which is 7MB for a small system and grows as the amount of memorygrows. For a 64MB system, pad is about 16MB; for a 512MB system, pad is about64MB. Using your favorite Registry editor, go to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management key. Find theIoPageLockLimit value, and increase the default limit (512KB). Screen 1, page226, shows the hex value for 4096 in this value.

Q: I have been getting access denied errors when I try to install software in Windows NT. I have one software package that refuses to install; otherwise, the problem is sporadic. Can you help?

A file with the read-only attribute can commonly cause such an installfailure. This file often resides in the %SystemRoot% directory and itssubdirectories. To display files in your NT directory that have the read-onlyattribute, type the following command at a Command Prompt:

Screen 2, page 226, shows this command's output: some printer files that areall read-only. You will want to write down the names of the files and use theProperties setting in NT Explorer to turn off the read value. If you prefer touse the Command Prompt, you can easily change one value of all files.Specifically, you can remove the read-only attribute from a file with the attribcommand. To remove the read-only attribute from all files in the NT directoryand subdirectories, type

However, for security reasons, I don't recommend taking this approach.

Q: I am running Windows NT 4.0 Workstation and want to replace my hard disk and upgrade my computer from a Pentium 166MHz to a Pentium II 266MHz. Will this upgrade cause problems for NT? Will I have to reinstall NT?

Assuming you are installing the same type of hard disk (i.e., SCSI or IDE),the upgrade is simple. Do a tape backup of the original hard disk (including theNT Registry). Put together the new system, and install NT (you have to installNT on the new hard disk before you can restore the NT backup). After you installNT, simply restore the tape and reboot. If the system fails to boot properly,you will have to reinstall NT (but only as an upgrade). I have upgradedsuccessfully from Service Pack (SP) 3 to SP1 and then immediately added the SP3update.

Q: I just read your column about hacking the Windows NT Registry to change the default spool directory. The Registry is the only way I know to change the spool directory for a specific printer, but you can change the global spool directory by doing the following:

Can you please share this information with your readers?

You are indeed correct. In general, I like to avoid editing the Registry ifpossible. Your method does work. Thanks for pointing it out.

Q: How can I display drives, folders, and even network systems when NT Explorer opens?

You can control the manner in which the NT Explorer opens. Most of us havefavorite places to store files on our systems, but we also want to seeconnections to routine network systems. To specify how the NT Explorer appears,you have to set some options on the shortcut properties. The proper syntax is

where

/n opens a new window even if the NT Explorer window is already open. The /evalue lets you use the Explorer view. The /root,object value lets you specifythe root directory that NT Explorer opens into. The default root is the desktop.You can change this default setting by specifying a new root (this setting canbe a network system). The /select value specifies what you see in NT Explorer.

I've set my NT Explorer to default to show me my F drive. I use thefollowing syntax on the shortcut line, as you see in Screen 3:

Now when I click NT Explorer, my F drive opens, as you see in Screen 4. Youcan open multiple instances of NT Explorer, so you can create several newshortcuts to NT Explorer and change the shortcut parameters. For example, toconnect to my Primary Domain Controller (PDC) and connect to my D drive (must bea share name and one you have access to), the syntax is

Screen 5 shows the window that NT Explorer opens with these settings. Theobvious advantage to setting up NT Explorer in this fashion is the ability tocopy and move files to and from my PDC and my drive F.

Q: I've recently seen major computer vendors selling preloaded Windows NT computers where they clone the NT Workstation setup, and thus clone the Security Accounts Manager (SAM) database. These vendors claim this practice is safe. Microsoft does not support this practice because the vendor is cloning the unique security identifier (SID) for each user as part of the workstation setup. Microsoft claims that you can't have duplicate SIDs and that having duplicates can cause problems with future releases of NT. Who's right and who's wrong?

This question is significant. The whole issue of cloning systems hascreated considerable confusion within the NT industry. Most of the confusionstarted with Microsoft stating that you can clone NT disk replication. However,when you carefully analyze the information in the Microsoft NT literature, yourealize you can't clone a fully installed version of NT because you can't haveduplicate primary SIDs (a combination of the computer name and username) on anetwork. In the case of cloning entire NT installations, Microsoft is right andthe vendors are wrong. You can't clone fully installed NT installations. If youdo, all primary SIDs will be the same and the network will fail. However, youcan use cloning to assist you in mass rollouts of machines. Two methods come tomind.

Method 1
One correct procedure for cloning a system so that you create separate SIDsfor each machine is as follows:

1. Start by modifying the Unattend.txt file so that user input isrequired for the ComputerName, User ID, and Password entries. For example, astandard UserData portion of an unattended text file will look similar to

Simply delete references to name (FullName), organization (OrgName), andcomputer name (ComputerName). You want to force the user to add this informationwhen you place the cloned drive in a system and boot the system. When the NTinstallation enters the graphic phase, it will ask for the above information,thus making the SID unique to the machine and user on the network. Be certainthat all other necessary information is in the unattended text file. This way,the installation will need only the information above supplied by the user.

2. If you plan on using Sysdiff.exe to add applications to a cloned NT disk,you need to generate any necessary sysdiff packages to install software andplace the appropriate lines in Cmdlines.txt. You also need to create thenecessary distribution directories. So, if you want to install Office 97 onmultiple machines, you must include the difference files on the shared drive.For example, to install Office 97 on drive C, you create the folderI386$OEM$CMsoffice on the share, create a Cmdlines.txt file in the $OEM$folder, and add the line

(The Sysdiff_file is the file made by Sysdiff /diff, and the /m flag remapsthe file changes to the user profile for the default user. For more on usingSysdiff, see my column, "Tricks and Traps," May 1997.)

3. Set up a reference computer and install all necessary components. Startthe unattended installation, but stop after the text mode phase by turning offthe machine. You can now clone the reference drive you just made. Notethat if you set up the reference computer properly, the drive will contain thetemporary installation directory (i.e., the $WIN_NT$.~LS directory).

4. When the user turns on the new system, that user must supply a computername, user ID, and password. Forcing the user to enter these values ensures thatthe machine creates a unique primary SID for the machine. For an NT network towork properly, you can't have multiple identical SIDs on the network.

Method 2
Another correct procedure for cloning a system is as follows:

1. Place all installation files including the I386 directory from the NTCD-ROM on a reference drive, and create the $OEM$ subdirectory.

2. Make the necessary Sysdiff difference files from the same referencecomputer, and add them to the $OEM$ subdirectory. Add the lines listed above toCmdlines.txt.

3. Clone the reference drive you just created. Boot to an unattendedinstallation disk, but point to the local I386 directory. In this situation, allinstallation files are local and the time for the installation is substantiallyshorter than a network installation. In fact, the only time you will havenetwork traffic is when you boot to the network and when you create accounts onthe network.

Q: What is a security identifier (SID), and why is it important? When I look in the Windows NT Registry, I just see a string of numbers. What do they mean?

When you install NT on a computer, NT assigns the computer a SID. NTcomputes a statistically unique 96-bit number (the SID) for each workstation,server, and Primary Domain Controller (PDC). For an NT Backup Domain Controller(BDC), the SID is identical to the PDC's SID (this arrangement explains why youcan promote a BDC to a PDC and why a domain controller is always a domaincontroller).

SIDs are the identifiers that let NT networks identify individual machinesand users on networks. The primary SID, a prefix of the SID, does not changeeven if you rename the machine. User SIDs are typically identified by the lastset of digits in the string of numbers comprising the SID.

SIDs are typically shown in a standardized notation consisting of

where

You can write a SID in notation as S-1-5-32-544, where the SID has arevision level of 1, an identifier-authority value of 5, a first subauthorityvalue of 32, and a second subauthority value of 544.

NT Setup generates a primary SID, for all local user accounts and groupaccounts created on a particular computer. NT concatenates the primary SIDwith the Relative Identifier (RID) for the user account to create the account'sunique identifier. If two systems have the same primary SID (i.e., cloning oneNT installation creates multiple identical SIDs), the first accounts that NTcreates on each cloned system will be identical because the SIDs will be thesame on these machines.

You can use Regedt32.exe to view the local user's SID and see the primarySID. If you create several local accounts, you will see a separate SID for eachaccount when you log on as each user. Examples of local machine accounts on oneof my systems are

Notice that NT increments only the last four digits as you add new accounts.This uniqueness lets local users have rights on other computers and haveuser-specific access to resources. If every SID were the same number, you wouldhave no way of managing security for any shares (ownership would becompromised).

The HKEY_LOCAL_MACHINESystemCurrentControlSetControlHiveList key inthe Registry lists all hives (i.e., user profiles) that are active, but itdoesn't list any user profiles that are not active. The ProfileList subkey listsall user profiles known on the computer and whether the profiles are activeunder the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileListSID_# key.

Each installed user profile has a subkey under the ProfileList subkey, andthat subkey contains the following entry:

This entry specifies the path and filename for the hive for this user. Thehive filename that is the value for ProfileImagePath includes a portion of theusername associated with that SID_#, so that you can identify the user to whichit belongs.

This entry specifies the SID in binary or hex.

Problems That Can Occur with SIDs
If you are aware of the problems that you might encounter with SIDs, you can avoid certain pitfalls associated with assigning them. For example, what do you do when the server's computer name and your computer name both claim to be an NT domain controller for the domain? Remove one of the servers from the domain because each server has a different SID. This problem can happen if you place identically named domains from different networks on the same network.

Likewise, what happens to the SIDs when you change domain names? You canrename a domain in the following order:

1. You must change the Primary Domain Controller's (PDC's) domain namefirst.

2. You must change the domain name on all other computers in the domain tothe new domain name. (The only way you can separate a machine from its domain'sSID is by reinstalling NT. Therefore, to change a domain's SID, you mustreinstall NT Server.) Note: No SIDs will change in this procedure; only thedomain name changes.

Finally, suppose you have multiple PDCs on your network and that theadministrator shuts down a PDC and installs a new one. If the original PDC comesback online at some point (in this situation, the PDCs have different primarySIDs), the NetLogon service discovers multiple PDCs on the network. NetLogonfails, and the original PDC can no longer participate in the domain. You need toremove one of the PDCs.