Windows Tips & Tricks UPDATE--September 8, 2003

This week, John Savill explains how to add a GC to a DC, how to let users log on to the domain when they can't contact the GC, how to configure Windows 2003 DCs to cache Universal group memberships, and more.

John Savill

September 7, 2003


Windows Tips & Tricks UPDATE, September 8, 2003, brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
http://www.windows2000faq.com


1. Commentary

2. FAQs

  • Q. How can I determine which ports a specific process is using on Windows XP and later?

  • Q. Why can't I see any system updates when I access Windows Update after I perform a clean OS installation?

  • Q. When I use a limited user account in Windows XP to run a program that wasn't written for XP, I experience problems. What's causing these problems?

  • Q. How can I perform a batch action on a list of files from the command line?

  • Q. How can I move the Active Directory (AD) Global Catalog (GC) to another domain controller (DC)?

  • Q. How can I let users log on to the domain when they can't contact the Global Catalog (GC)?

  • Q. How can I configure Windows Server 2003 domain controllers (DCs) to cache Universal group memberships?

3. Announcements

  • $300 Early Bird Discount Expires Soon

  • Find Your Next Job at Our IT Career Center

4. Event

  • New--Mobile & Wireless Road Show!

5. Contact Us

  • See this section for a list of ways to contact us.


1. Commentary
by John Savill, FAQ Editor

This week, I explain how to determine which ports a specific process is using in Windows XP and later, why you might not be able to see system updates when you access Windows Update, why you might experience problems when using a limited user account in XP to run a program that wasn't written for XP, and how to perform a batch action on a list of files from the command line. I also tell you how to add a Global Catalog (GC) to a domain controller (DC), how to let users log on to the domain when they can't contact the GC, and how to configure Windows Server 2003 DCs to cache Universal group memberships.

Around the industry this week, GFI Software announced GFI MailEssentials for Exchange/SMTP 9. The new version includes updated antispam algorithms (for details, see the company's Web site). Knowledge Factory has released a whitepaper that outlines the features of its Special Operations Suite product, which extends desktop management through Active Directory (AD).


2. FAQs

Q. How can I determine which ports a specific process is using on Windows XP and later?

A. If you want to find out which ports a process is using and you know the process name, you must first determine the process identifier (PID). For example, to identify the PID for the pop3svc.exe process running on my system, I went to the command prompt and typed

c:\> tasklist /fi "IMAGENAME eq pop3svc.exe"

This command returned the following information:

Image Name   PID    Session Name   Session#    Mem Usage
POP3Svc.exe  3044   RDP-Tcp#9      0           2,072 K

The second column shows the PID, which I can then use with the Netstat command to search all in-use ports. For example, if I type

c:\> netstat -ano | findstr 3044

my system returns the following information:

TCP     0.0.0.0:110     0.0.0.0:0     LISTENING     3044

This result shows that the POP3 service was using TCP port 110 on all addresses.

You can also perform a reverse operation to find out which process is associated with a port. For example, to identify which process is using port 25, I could go to the command prompt and type

c:\> netstat -ano | findstr :25

On my system, this command returns the following information:

TCP     0.0.0.0:25     0.0.0.0:0     LISTENING     2500

After I identify the PID (in this case, 2500), I can determine the process name by typing

c:\> tasklist /fi "PID eq 2500"

which returns the following information on my system:

Image Name   PID    Session Name   Session#    Mem Usage
inetinfo.exe 2500   RDP-Tcp#9      0           5,584 K

This information tells me that port 25 is being used by the inetinfo.exe process.
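The findstr filters above match substrings, so ":25" also hits port 2500 and remote port 25, and "3044" also hits PID 13044 or a port 3044. The following added example (not part of the original newsletter) parses the two command outputs and joins them on exact PID and local port; the sample output and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address      Foreign Address    State         PID
  TCP    0.0.0.0:25         0.0.0.0:0          LISTENING     2500
  TCP    0.0.0.0:110        0.0.0.0:0          LISTENING     3044
  TCP    0.0.0.0:2500       0.0.0.0:0          LISTENING     13044
  TCP    10.0.0.5:3044      10.0.0.9:25        ESTABLISHED   812
  UDP    0.0.0.0:2525       *:*                              2500
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"inetinfo.exe","2500","RDP-Tcp#9","0","5,584 K"
"POP3Svc.exe","3044","RDP-Tcp#9","0","2,072 K"
"other.exe","13044","RDP-Tcp#9","0","3,100 K"
"client.exe","812","RDP-Tcp#9","0","1,024 K"
'''

def findstr(text, needle):
    """Substring match per line, as findstr does for these patterns."""
    return [ln for ln in text.splitlines() if needle in ln]

def parse_netstat(text):
    """Return (proto, local_port, pid) for every TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP"):
            # UDP rows have no State column, so take the PID from the end.
            # rsplit also copes with IPv6 locals such as [::]:135.
            rows.append((f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from CSV output (names may contain spaces)."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def ports_for_pid(rows, pid):
    return sorted((proto, port) for proto, port, p in rows if p == pid)

def owners_of_port(rows, names, port):
    return sorted((proto, p, names.get(p, "?")) for proto, lp, p in rows if lp == port)

if __name__ == "__main__":
    rows, names = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    print(len(findstr(NETSTAT_SAMPLE, ":25")), "findstr hits vs", owners_of_port(rows, names, 25))
    print(len(findstr(NETSTAT_SAMPLE, "3044")), "findstr hits vs", ports_for_pid(rows, 3044))
```

On a live system, feed the functions the text of `netstat -ano` and `tasklist /fo csv /nh` instead of the constructed samples.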

Q. Why can't I see any system updates when I access Windows Update after I perform a clean OS installation?

A. If no updates are available from the Windows Update Web site, the problem probably relates to the user not having defined a language for use in Microsoft Internet Explorer (IE). To resolve this problem, perform the following steps:

  1. Start IE.

  2. From the Tools menu, select Internet Options.

  3. Select the General tab, then click Languages.

  4. If no languages are listed, click Add.

  5. Select your language from the displayed list, then click OK.

  6. Click OK to close the Language Preference screen, then click OK to close the Internet Options dialog box.

You should now be able to see updates on the Windows Update Web site.

Q. When I use a limited user account in Windows XP to run a program that wasn't written for XP, I experience problems. What's causing these problems?

A. When you use a limited account, you might encounter any of the following problems:

  • The program doesn't run.

  • The program hangs.

  • You receive notification of runtime error 7 or runtime error 3446.

  • The program doesn't recognize that a CD-ROM is in the CD-ROM drive.

  • The program doesn't let you save, open, or edit files.

  • The program displays a blank error message.

  • You can't remove the program.

  • You can't open the Help file.

These problems occur because the limited user account prevents certain functions from executing. To resolve this problem, contact the program manufacturer for an updated XP version of the program. As a workaround, you can use an Administrator account to run the program by performing the following steps:

  1. Right-click the program shortcut, then select Properties.

  2. From the Shortcut tab, click Advanced.

  3. Select the "Run with different credentials" check box, as this figure shows, then click OK.

  4. Click OK to close the Properties dialog box.

Now, when you execute the program shortcut, XP will prompt you to enter the user context in which you want to run the program. Select "The following user" and specify a non-limited account.

Q. How can I perform a batch action on a list of files from the command line?

A. You can use the built-in "for" command to loop through a list of files. If you type the command

for /f "tokens=*" %a in ('dir /b *.*') do echo %a

the command outputs only the name of each file in the current folder, which the 'dir /b *.*' component can do all by itself. However, you can edit the "do" portion of the command to perform a secondary task. For example, you can add the name of a batch file and the %a parameter to call the batch file on each .msg file:

for /f "tokens=*" %a in ('dir /b *.msg') do datetime.bat %a

In addition to outputting the name of each file in the specified folder, this command adds the current date and time to the end of each .msg filename. If you use the command in a batch file, you need to add two percent (%) signs instead of one to access the parameters. For example, if you incorporate the above command into a batch file, you would type it as

for /f "tokens=*" %%a in ('dir /b *.msg') do datetime.bat %%a

Q. How can I move the Active Directory (AD) Global Catalog (GC) to another domain controller (DC)?

A. You don't actually move the GC between servers. Instead, you simply enable the GC on a new server, then disable the current GC. I explained how to configure a new server as a GC in the FAQ "How do I configure a server as a Global Catalog?".

Keep in mind that if you already have one GC in the domain, you won't want to disable that GC until after your new one has received all the existing GC content. You can check this progress by using Event Viewer to view the Directory Services log. Specifically, you'll want to look for event ID 1119, as this figure shows, which tells you that the new server is now advertising itself as a GC server. Before event ID 1119 appears, you should see event ID 1110, which is the new server advising you of a delay (typically 5 minutes) before the new server will start advertising.

In summary, enabling a new GC is a three-step process:

  1. Enable the GC on the new server (open the Microsoft Management Console--MMC--Active Directory Sites and Services snap-in, navigate to Sites, select the name of the site that will contain the new GC server, navigate to Servers, select and expand the name of the new GC server, right-click NTDS Settings in the left-hand pane, select Properties, then select the Global Catalog check box).

  2. Wait until event ID 1119 appears in the new GC Directory Services event log.

  3. Disable the GC on the old server (in the Active Directory Sites and Services snap-in, navigate to Sites, select the name of the site containing the old GC server, select and expand the name of the old GC server, right-click NTDS Settings in the left-hand pane, select Properties, then clear the Global Catalog check box).

If you add or remove GCs and you use Exchange Server, you must reboot the Exchange servers to let them update the DSAccess topology report and begin using the new GCs--otherwise Exchange won't discover the GCs and use them for DSAccess. To create its AD topology view, DSAccess

  1. calls the Directory Service (DS) Locator service

  2. retrieves a list of all DCs and GCs from the local AD site

  3. contacts each server in the list

  4. caches as many as 10 active DCs and 10 active GCs

  5. reorders the active-GC list so that domain-local GCs are at the top of the list

  6. uses the cached DC and GC server list on a simple round-robin basis for global information lookups.

Q. How can I let users log on to the domain when they can't contact the Global Catalog (GC)?

A. When a native-mode user logs on to the domain, a GC checks Universal group memberships. If the user can't contact a GC, the logon will fail. To let users log on even though they can't contact the GC, perform the following steps on the servers that service the client logons:

  1. Start a registry editor (e.g., regedit.exe) on each domain controller (DC).

  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry subkey.

  3. From the Edit menu, select New, Key.

  4. Enter the name IgnoreGCFailures, then press Enter.

  5. Close the registry editor.

  6. Restart the DC.

Be aware that performing these steps can cause security problems. For example, imagine that you're a member of the Universal group that's denied access to a particular network resource. If your system can't contact the GC when you log on, your user token won't have the SID of the Universal group. In that case, you might be able to access the denied resource just as if you weren't a member of the Universal group.
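The security problem described above, worked through as an added example that is not part of the original newsletter: a simplified model of token building and ordered DACL evaluation. The SIDs, the DACL, and the function names are all constructed for illustration and do not call any Windows API.

```python
# Constructed SIDs for illustration; the RIDs are arbitrary.
USER = "S-1-5-21-1111-1001"
DOMAIN_USERS = "S-1-5-21-1111-513"
UNIV_DENIED = "S-1-5-21-1111-2001"   # Universal group denied on the resource

# DACL in canonical order: deny ACEs are evaluated before allow ACEs.
DACL = [
    ("DENY", UNIV_DENIED, {"read", "write"}),
    ("ALLOW", DOMAIN_USERS, {"read"}),
]

def build_token(user, global_groups, universal_groups, gc_reachable, ignore_gc_failures):
    """Return the set of SIDs placed in the logon token (simplified model)."""
    if gc_reachable:
        return {user, *global_groups, *universal_groups}
    if not ignore_gc_failures:
        raise PermissionError("logon refused: no GC to resolve Universal groups")
    # IgnoreGCFailures set: logon proceeds, Universal group SIDs are missing.
    return {user, *global_groups}

def access_check(token, dacl, wanted):
    """Walk the DACL in order; first matching deny wins, allows accumulate."""
    granted = set()
    for kind, sid, rights in dacl:
        if sid not in token:
            continue
        if kind == "DENY" and rights & wanted:
            return False
        if kind == "ALLOW":
            granted |= rights
            if wanted <= granted:
                return True
    return False

def can_read(gc_reachable, ignore_gc_failures):
    """Log the constructed user on and test read access to the resource."""
    token = build_token(USER, [DOMAIN_USERS], [UNIV_DENIED],
                        gc_reachable, ignore_gc_failures)
    return access_check(token, DACL, {"read"})

if __name__ == "__main__":
    print("GC reachable:", can_read(True, False))                   # deny ACE applies
    print("GC down, IgnoreGCFailures set:", can_read(False, True))  # deny ACE skipped
```

Resources protected only by a deny entry for a Universal group are the ones exposed by this setting, so review those ACLs before enabling it.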

Q. How can I configure Windows Server 2003 domain controllers (DCs) to cache Universal group memberships?

A. During a native-mode domain logon, the logon process reads the Universal group membership from the Global Catalog (GC). You can cache these memberships locally on the DC by performing the following steps:

  1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in (go to Start, Programs, Administrative Tools, and click "Active Directory Sites and Services").

  2. Select the site for which you want to enable caching.

  3. Right-click NTDS Site Settings, then click Properties.

  4. Select the Enable Universal Group Membership Caching check box, as this figure shows, then click OK.

Windows 2003 will populate the cache the first time the user logs on and use that cache for future logons. The system will refresh the cache periodically.

3. Announcements
(from Windows & .NET Magazine and its partners)

  • $300 Early Bird Discount Expires Soon


Don't miss your $300 discount. Register for Windows & .NET Magazine Connections by September 15, 2003. Stay competitive in your job, and invest your time to keep pace with the latest technologies, tips, and tricks. Register now, save $300, and receive access to concurrently running Exchange Connections.
http://www.winconnections.com

  • Find Your Next Job at Our IT Career Center


Check out our new online career center in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today!
http://windows.itcareerpath.com

4. Event
(brought to you by Windows & .NET Magazine)

  • New--Mobile & Wireless Road Show!


Learn more about the wireless and mobility solutions that are available today! Register now for this free event!
http://www.winnetmag.com/roadshows/wireless


5. Contact Us
Here's how to reach us with your comments and questions:

This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
