IT Support Blog » Windows Server 2003

退出時自動清除分頁檔案

Dick — Thu, 28 May 2009 10:51:06 +0000

1 .開始 -> 執行 -> gpedit.msc
2. [電腦設定] -> [Windows 設定] -> [安全性設定] -> [本機原則] ->[安全性選項]
3. [關機: 清除虛擬記憶體分頁檔] -> 設定為 [已啟用]

禁用Guest 帳戶

Dick — Thu, 28 May 2009 10:47:54 +0000

1 .開始 -> 執行 -> gpedit.msc
2. [電腦設定] -> [Windows 設定] -> [安全性設定] -> [本機原則] ->[安全性選項]
3. [帳戶: Guest 帳戶狀態] -> 設定為 [已停用]

將Administrator 帳戶改名

Dick — Thu, 28 May 2009 10:39:48 +0000

1 .開始 -> 執行 -> gpedit.msc
2. [電腦設定] -> [Windows 設定] -> [安全性設定] -> [本機原則] ->[安全性選項]
3. [重新命名系統管理員帳戶]

設定群組原則加強系統密碼安全

Dick — Thu, 28 May 2009 09:43:56 +0000

1. 開始 -> 執行 -> 輸入 “gpedit.msc” -> 確定
2. 展開:
[電腦設定] -> [Windows 設定] -> [安全性設定] -> [帳戶原則] -> [密碼原則]
3. 按兩下 [密碼必須符合複雜性需求]原則
4. 打開其內容對話框, 將內容設定為 [已啟用] -> 確定
5. 按兩下[最小密碼長度] -> 設定長度

Migrate Workgroup to Domain

aionman — Wed, 29 Apr 2009 12:03:37 +0000

1) Reboot and log onto the machine as local admin. Copy the profile of the local user.(old user profile) Name it “copyofusername” or something similar. (optional)
2) Join the domain (under local admin as Domain Administrator). Reboot. Login as Domain Admin.
3) Add domain users to local admin group. Log off.
4) Log on as the domain user. Reboot.
5) Log on as domain admin. Rename the new domain profile to “username.domain.old” or something similar. Rename the “copyofusername” file to whatever the new domain user profile was called. Log off.
6) Log on as domain user.Note: Everything should work as it did before. You may need the users email username and password.

Active Directory database corrupted

aionman — Wed, 22 Apr 2009 02:42:30 +0000

Active Directory database corruption is nasty. If you don’t have your image backup or any system state backup. It’s going to cost you time (and money).

We have faced this recently, here are some of the approaches and links to find the solution.

http://www.mombu.com/microsoft/windows-2000-active-directory/t-event-id-474-inconsistent-ntdsdit-151743.html

If you have a recent backup, we recommend you to perform restore operation right away. However if the backup is not recent, and you’ll loose many objects.

You can try to repair the Database, In some situation, certain configurations will be lost with this procedure.

Before you start the computer in Directory Services Restore Mode, obtain the
password for the offline administrator account.

For more information about how to change the password in Windows Server
2003, click the following article number to view the article in the Microsoft Knowledge Base http://support.microsoft.com/kb/322672/

“Directory Services cannot start” error message when you start your
Windows-based or SBS-based domain controller
http://support.microsoft.com/?id=258062

Next step:

How to Recover the Database and if it fails try How to Repair the Database
(Be careful. Read carefully)

http://support.microsoft.com/default…b;en-us;315131

How to complete a semantic database analysis for the Active Directory
database by using Ntdsutil.exe
http://support.microsoft.com/default…b;en-us;315136

If you fail to repair a corrupted Active Directory, try the following:
You may try the following steps to recover the corrupted Active Directory.

1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.

The default permissions are:

Administrators – Full Control
System – Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
5. Check the permissions on the Winnt\Sysvol\Sysvol share.

The default permissions are:

Share Permissions:
Administrators – Full Control
Authenticated Users – Full Control
Everyone – Read

NTFS Permissions:
Administrators – Full Control
Authenticated Users – Read & Execute, List Folder Contents, Read
Creator Owner – none
Server Operators – Read & Execute, List Folder Contents, Read
System – Full Control

Note: You may not be able to change the permissions on these folders if the
Active Directory database is unavailable because it is damaged, however it
is best to know if the permissions are set correctly before you start the
recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct
name for their domain.
7. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2

To check the file paths type the following commands:

NTDSUTIL
Files
Info

The output should look similar to:

Drive Information:

C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)

DS Path Information:

Database : C:\WINNT\NTDS\ntds.dit – 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS – 30.0 Mb total
res2.log – 10.0 Mb
res1.log – 10.0 Mb
edb.log – 10.0 Mb

This information is pulled directly from the registry and mismatched paths
will cause Active Directory not to start. Type Quit to end the NTDSUTIL
session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails,
proceed with the next steps.

9. Reboot into Directory Services Restore mode again. At the command prompt,
use the ESENTUTL to check the integrity of the database.
NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is
usually more reliable.

Type the following command:
ESENTUTL /g “\NTDS.dit” /!10240 /8 /v /x /o
(Note: Type the path without the quotes).

Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be
different in some cases.

The output will tell you if the database is inconsistent and may produce a
jet_error 1206 stating that the database is corrupt. If the database is
inconsistent or corrupt it will need to be recovered or repaired . To
recover the database type the following at the command prompt:

NTDSUTIL
Files
Recover

If this fails with an error, type quit until back at the command prompt and
repair the database using ESENTUTL by typing the following:

ESENTUTL /p “\NTDS.dit” /!10240 /8 /v /x /o
(Note: Type the path without the quotes).

Note: If you do not put the switches at the end of the command you will
most likely get a Jet_error 1213 “Page size mismatch” error.

10. Delete the log files in the NTDS directory, but do not delete or move
the ntds.dit file.
11. The NTDSUTIL tool needs to be run again to check the Integrity of the
database and to perform a Semantic Database analysis.

To check the integrity, at the command prompt type:

NTDSUTIL
Files
Integrity

The output should tell you that the integrity check completed successfully
and prompt that you should perform a Semantic Database Analysis.

Type quit.

To perform the Semantic Database Analysis type the following at the NTDSUTIL
Prompt type:

Semantic Database Analysis
Go

The output will tell you that the Analysis completed successfully.
Type quit and closes the command prompt.

NOTE: If you get errors running the Analysis then type the following at the
semantic checker prompt:

semantic checker: go fix

This puts the checker in Fixup mode, which should fix whatever errors there
were.

12. Reboot the server to Normal Mode.

If any of these steps fail to recover the database the only alternative is
to perform an Authoritative System State restore from backup in Directory
Services Restore mode.

For more information, please refer to the following articles:

315136 HOW TO: Complete a Semantic Database Analysis for the Active
Directory
http://support.microsoft.com/?id=315136

265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC
Creation
http://support.microsoft.com/?id=265706

258007 Error Message: Lsass.exe – System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007

265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089

315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131

How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?

aionman — Sun, 07 Dec 2008 12:01:52 +0000

How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?

Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. The drive letter, followed by the $ sign is the name, and it is shared from the root. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.

The default-hidden shares are:

C$ D$ E$ - Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.
ADMIN$ - %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed usually C:\Winnt and in XP it’s C:\Windows).
FAX$ - On W2K Server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
IPC$ - Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer’s shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.
NetLogon - This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.
PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.

It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003) but the problem with this method is that the shares will automatically be recreated when the machine reboots.

You can disable the automatic administrative share creation via Group Policy, but this is a much simpler way:

In order to disable these shares permanently, a registry edit will be necessary.

Servers

For NT 4.0/W2K/Windows Server 2003s, the change is:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0

Idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.

Note: A reboot is necessary for this to take effect.

Workstations

For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0

A double idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.

Note: Again, a reboot is necessary for this to take effect.

If you want the administrative shares to be re-created, you can change the value back to 1.

Note: Some applications depend on the presence of these shares. If things stop working you’ll know to re-enable the shares.

Security note: Unfortunately this registry hack does NOT stop the IPC$ share and this is a share that is often used by hackers to enumerate systems before attack since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct or you haven’t disabled anonymous user access or you haven’t disabled the guest account then this port can lead to total system compromise within minutes!