October 2005 - Posts
Today I got an email with the message “Your web site is better than others”. I’m very happy with this. When I went to visit the comment link in the email, I discovered a very exciting security feature of Outlook 2003 (with Service Pack 2).
If the email message is from an address not in the “Safe Senders List”, Outlook 2003 (with Service Pack 2) will block the links in the message. If we click the links, Outlook does not start Internet Explorer to access the URL, but pops up a dialog box (Figure 1).
In order to be able to visit links directly from Outlook 2003 (with Service Pack 2), we need to “unblock” them. Note the information bar above the recipient email address (Figure 2). Click it, and then we will see a context menu with 3 options.
1. Turn on Links (not recommended)
This simply unblocks the links in the email message. Microsoft doesn’t recommend this because not all customers know that links in emails may be unsafe.
2. Add Sender to Safe Senders List
This option is to add the specific sender, in this case, “postmaster at msmvps.com”, to the Safe Senders List. If we select this option, links in future emails from this email address will not be blocked.
3. Add the Domain @msmvps.com to the Safe Senders List
This option is similar to the second one, but adds the whole domain to the Safe Senders List. If we select this option, links in future emails from any address of the “msmvps.com” domain will not be blocked.
What would happen if we neither used dcpromo to demote the first domain controller before removing it from the domain nor moved each Operations Master role separately before removing the computer?
We can use the command-line tool ntdsutil to assign the Operations Master roles to a new DC.
- Log on to a member server or domain controller with an administrator account.
- Click “Start”, click “Run”, and enter “cmd”
- Enter “ntdsutil”
- Enter “roles”
- Enter “connections”
- Enter “connect to server [ServerName]”
- Enter “quit” to return to the roles level
- Enter “transfer [RoleName]”
- Click “Yes” on the confirmation dialog
The command-line tool ntdsutil will then transfer the specified role to the specified domain controller. The figure below shows an example.
Many IT people add DCs to an existing Windows network some time after the initial implementation. At the same time, many like to remove some early DCs from the network because the newly added ones are more powerful.
However, many run into problems: their domain no longer functions properly after the early (specifically, the first) DC is removed. This is because the first DC is by default the Operations Master. Before removing it from the network, the administrator needs to run “dcpromo” to demote the DC to a member server. During this process it will automatically transfer the Operations Master roles to other DCs.
So, remember that even in the Windows Server 2003 domains, the DCs are not equal. Don't forget the Operations Master roles when removing old servers.
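A pre-removal check for the situation described in the two posts above, as an added example that is not from the original posts: it parses “netdom query fsmo”-style output and builds the ntdsutil command line that transfers whatever roles the retiring DC still holds. The sample output is constructed, the host names are placeholders, the function names are hypothetical, and the role names assume the Windows Server 2003 ntdsutil wording.

```powershell
# Added example. $sample is CONSTRUCTED text in the style of "netdom query fsmo";
# host names are placeholders. On a live system use: $lines = netdom query fsmo
$sample = @'
Schema master               dc1.corp.example.com
Domain naming master        dc1.corp.example.com
PDC                         dc1.corp.example.com
RID pool manager            dc2.corp.example.com
Infrastructure master       dc1.corp.example.com
The command completed successfully.
'@ -split "`r?`n"

# Label pattern -> role name as typed after "transfer" in ntdsutil
# (Windows Server 2003 wording; both label styles are assumptions).
$roleMap = [ordered]@{
    '^Schema (master|owner)'             = 'schema master'
    '^Domain (naming master|role owner)' = 'domain naming master'
    '^PDC( role)?'                       = 'PDC'
    '^RID pool manager'                  = 'RID master'
    '^Infrastructure (master|owner)'     = 'infrastructure master'
}

function Get-FsmoHolder {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($pattern in $roleMap.Keys) {
            if ($line -match "$pattern\s+(?<dc>\S+)\s*$") {
                [pscustomobject]@{ Role = $roleMap[$pattern]; Holder = $Matches['dc'] }
            }
        }
    }
}

function Get-TransferCommand {
    param([string]$RetiringDC, [string]$TargetDC, [string[]]$Lines)
    $all = @(Get-FsmoHolder -Lines $Lines)
    # Refuse to report "nothing to move" when the output was not understood.
    if ($all.Count -ne 5) { throw "Parsed $($all.Count) of 5 roles; check the input." }
    $held = @($all | Where-Object { $_.Holder -ieq $RetiringDC })
    if ($held.Count -eq 0) { return "$RetiringDC holds no operations master roles." }
    $steps = ($held | ForEach-Object { '"transfer {0}"' -f $_.Role }) -join ' '
    'ntdsutil roles connections "connect to server {0}" quit {1} quit quit' -f $TargetDC, $steps
}

Get-TransferCommand -RetiringDC 'dc1.corp.example.com' -TargetDC 'dc2.corp.example.com' -Lines $sample
```

The script only prints the command; when it is run, each transfer still raises the confirmation dialog mentioned in the steps above.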
Virtual PC is a fantastic tool to help us build a test or experimental environment for Windows Server System.
Suppose now we are building a test environment for Windows Server 2003 and its updates. The purpose is to simulate the company's real network environment and test the Service Pack and other updates.
We set up the workstations, member servers and domain controllers on Virtual PC successfully. The next step is to make the scenario the same as the real-life environment. We begin to build the Network Address Translation (NAT) server. At this point, we need 2 NICs on the virtual machine. However, by default after installation, there is only one in this virtual Windows Server 2003 and there is only one real NIC in the host computer.
How can we do that? How can we add another NIC to the Windows Server 2003 virtual machine so that we could simulate the real life NAT environment?
Actually, we can finish this work within a minute. First, shut down the virtual machine we need to add NICs to. Then start Virtual PC 2004 and click the virtual machine we need to add NICs to. Click “Action”, then click “Settings...”. In the new dialog box, click “Networking”. In the right pane, click the drop-down box to the right of “Number of network adapters” and choose the total number of NICs we want in this system. Note that this is the total number of NICs we want in this particular virtual machine, not the number of NICs we want to add to it.
Then we need to set the scope of the added NIC(s). “Local only” means the virtual NIC can only have network connections with virtual machines on the same host computer. Another option is the name of the host NIC (we assumed only one NIC in the host computer); this option means the virtual NIC can have network connections with virtual machines on the same host computer, the host computer, and computers connected to the host computer through the host's NIC. If we're configuring the first virtual NIC on a virtual machine, we can also see another option called “NAT”. It has almost the same meaning as the real-life NAT concept. After configuring the virtual NICs, click “OK” to close the dialog box.
We're done. Turn on the virtual machine we've just configured, and we will see that another LAN interface is there. Then we can simulate the real-life environment, for instance the NAT environment, and continue testing the Service Pack and updates in the simulated environment.
To learn more about Virtual PC 2004, please visit:
Microsoft has changed the way IPSec Monitor runs in Windows Server 2003. Unlike in Windows 2000, we can't start IPSec Monitor by clicking “Start” - “Run” and entering “ipsecmon”.
In Windows Server 2003, IPSec Monitor is an MMC-based tool. We can start it from MMC:
- Click “start”- “Run”
- Enter “MMC”
- Click “File” - “Add/Remove Snap-in...”
- Click “Add”, and double-click “IP Security Monitor”
- Click “Close” and click “OK”.
We're all set. Now we can use this powerful tool to check whether our IPSec configuration functions well or not.
In Windows XP, IP Security Monitor starts the same way as in Windows Server 2003. In fact, Windows XP is the first operating system in which Microsoft changed IP Security Monitor after Windows 2000.
We don't need to write the search function ourselves. MSN Search provides code for site owners.
We can add a search box to our blog by adding (and modifying) this code:
<!-- Site search from MSN -->
<form method="get" action="http://search.msn.com/results.aspx">
<a href="http://search.msn.com/" target="_blank">
<img src="http://search.msn.com/s/affillogo.gif" border="0" ALT="MSN Search"/>
</a>
<input type="text" name="q" size="10" />
<input type="submit" value="Search"/>
<input type="hidden" name="q1" value="site:msmvps.com/nuoyan"/>
</form>
<!-- Site Search from MSN -->
Change my URL "http://msmvps.com/nuoyan" to yours, and you will be all set.
We have a few computers (fewer than 10) in 2 subnets. We have one Windows XP computer with 2 LAN adapters. We want to use this computer as a very simple router between the two subnets.
In NT 4 we can simply open the properties of TCP/IP and check “Enable IP Routing”. However, in Windows XP we don't have this checkbox in the TCP/IP properties. To get the same effect, we need to change a value in the registry.
Click “Start”, click “Run” and enter “regedit”.
Locate “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters”, where we can find a value called “IPEnableRouter”. Double-click it and set the value to “1”. We are all set then.
This is not good for large enterprises. But for some very small businesses, using Windows XP as a simple router will save cost, as we don't need to buy a new copy of Windows Server 2003 only for the Routing feature.
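The same registry setting as a scriptable check, as an added example that is not part of the original post: it reports whether IPEnableRouter is set and how many IP-enabled adapters the machine has, and sets the value only when it is not already 1. The function names are hypothetical, the change needs an elevated prompt, and it takes effect after a restart.

```powershell
# Added example: audit and set IPEnableRouter (function names are hypothetical).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-IPRoutingState {
    # A missing value is treated the same as 0 (routing not configured).
    $prop = Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue
    # Adapters with TCP/IP bound; routing between subnets needs at least two.
    $nics = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    [pscustomobject]@{
        Configured = [bool]($prop -and $prop.IPEnableRouter -eq 1)
        Adapters   = $nics.Count
        Addresses  = @($nics | ForEach-Object { $_.IPAddress })
    }
}

function Enable-IPRouting {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-IPRoutingState
    if ($state.Adapters -lt 2) {
        Write-Warning "Only $($state.Adapters) IP-enabled adapter(s); nothing to route between."
    }
    if ($state.Configured) { return 'IPEnableRouter is already 1.' }
    if ($PSCmdlet.ShouldProcess($key, 'Set IPEnableRouter = 1')) {
        Set-ItemProperty -Path $key -Name IPEnableRouter -Value 1 -Type DWord
        'IPEnableRouter set to 1; restart the computer for it to take effect.'
    }
}

Get-IPRoutingState          # read-only report
Enable-IPRouting -WhatIf    # shows the change without writing to the registry
```

Running Get-IPRoutingState alone is also a quick way to find workstations where routing was switched on and then forgotten.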
You got a new computer or server, and you spent a long time configuring all the network settings. Now you want to make sure the software, hardware and network connections are functioning normally.
A built-in tool in Windows XP and Windows Server 2003 can help you.
Click “Start”, click “Run” and enter “cmd” to open the Command Console.
Enter “netsh diag gui”, and the Network Diagnostics tool starts (see the figure below).
Click on “Scan your system”, and the tool will scan the software, hardware and network connection settings (see the figure below).
When the scanning process completes, it will generate a report to show you whether your system has passed or failed the scan (see the figure below). You can also expand the nodes to see the details.
Please note, the server your computer has connected to may have “ping” disabled for security reasons, so you may get a failed message because of the server's configuration. Don't worry about that. I recommend expanding the nodes to check all details, especially for failed ones.