Windows NT Version 5.0

Interim Developer's Release 2

Microsoft Confidential

The following sections of this document contain vital information pertaining to this release. Consult these notes before installing this release.

Setup/Hardware Issues

Setting up Windows NT 5.0 using boot floppies results in Stop

When attempting to setup this Interim Developer's Release of Windows NT 5.0 using the boot floppies, the user will receive an error and setup will not continue. The creation and use of the three boot floppies, regardless of how they are created (WINNT, WINNT32 or from them Bootdisk directory), does not work in this release of Windows NT 5.0 Workstation or Server.

To setup Windows NT 5.0, launch setup using WINNT.EXE or WINNT32.EXE from an existing OS and do not choose to create the boot floppies.

Dell Precision 410 Wks SCSI

This SCSI device contains the Ultra II chip and is not yet supported on this interim release. This will be supported in a future release.

Compaq Computers with Symbios 810 SCSI Controllers

If your Compaq computer (such as the Compaq Proliant 2500) uses the cpq32fs2.sys driver which supports the built-in Symbios 810 SCSI controller on Windows NT 4.0, you will need to disable it before performing an upgrade to this interim release. For example:

remove cpq32fs2.sys from the drive, or
copy null.sys over cpq32fs2.sys

The Symbios 810 will be correctly detected by Windows NT Setup (symc810.sys) and the SCSI device will function correctly.

Slave CD-ROM drive not detected on Compaq Proliant 1600 machines

On some Compaq Proliant 1600 machines, the system is shipped with a slave CD-ROM drive on the IDE channel. If the user starts the install in a safe build from CD-ROM, the NT5 setup will not be able to detect the CD-ROM drive after the first reboot. There are two ways to workaround this problem.

Jumper the CD-ROM drive as master.

Replace the ATAPI.SYS on the disk with an updated version on http://ntbeta.microsoft.com/support/idr2.asp. If setup says it cannot find the CD-ROM drive, then copy the ATAPI.SYS available on http://ntbeta.microsoft.com/support/idr2.asp to the \$WIN_NT$.~BT\ and \$WIN_NT$.~LS\I386 directories, and restart setup.

Having a slave device alone on an IDE channel is not a recommended configuration by ATAPI specification. This issue is fixed in a later build.

Bug Check (Inaccessible_boot_device) on EISA systems

We do not recommend installing this Interim Developers Release on EISA systems. If your system boots from an EISA SCSI card and bugchecks (Inaccessible _boot_ device), you can get an updated version of the kernel and SCSIPORT.SYS from http://ntbeta.microsoft.com/support/idr2.asp to resolve the problem. These updated files may also resolve issues with EISA netcards not starting properly. Follow the directions below to update these files.

Download the new kernel and SCSIPORT.SYS from http://ntbeta.microsoft.com/support/idr2.asp.
Place the new kernel in the %systemroot%\SYSTEM32 directory.
Place the new SCSIPORT.SYS in the %systemroot%\SYSTEM32\DRIVERS directory.
Reboot the system.

Gateway Services for NetWare

When upgrading Windows NT Server 4.0 with Gateway Services for NetWare installed, previously shared folders may not be present after the upgrade. The shares must be manually re-created.

To re-share the file resource:

Right click on the folder from Explorer, or My Computer.

Choose Sharing

Click the radio button next to "shared as" to share.

Click OK.

Disable Diskperf Before Upgrading

You must first disable Diskperf before upgrading to this Interim Developer's Release. Failure to do so will result in a bluescreen and Setup will fail. Diskperf is not supported on this interim release, but will be fixed in a future release.

New File System Conversion Scenarios

Conversion of NTFS to NTFS v5

Conversion of NTFS to NTFS v5 will take place on any new installation or upgrade of NT 5.0. This will upgrade any mounted NTFS volume to NTFS v5. In dual boot situations where NT 4.0 pre SP3 is installed, user must upgrade to NT 4.0 Sp3 or SP4 before attempting the NT 5.0 installation or the NTFS volume will no longer be accessible to the NT 4.0 installation. In the case of NT 4.0 SP3, NT 5.0 setup will copy over NTFS40.sys to the NT 4.0 SP3’s %systemroot%\system32\drivers subdirectory as NTFS.sys. This will allow the NT 4.0 installation to access NTFS v5 formatted volumes. If the NT 4.0 system is running NT 4.0 Sp4, the NTFS.sys installed is capable of mounting NT 5.0 formatted NTFS volumes. In the case of NT 3.51, there will not be any backwards compatibility provided.

Note: You will NOT be able to install NT 4.0 on a drive that has been converted to NTFS v5. If you choose to dual-boot NT 4.0 and NT 5.0, you must either install NT 4.0 and apply SP3 or SP4 BEFORE installing NT 5.0 and converting the drive to NTFS v5 or do not convert the boot drive or drive you wish to install NT 4.0 on to NTFS.

Conversion of FAT to NTFS v5

Note: The conversion of FAT to NTFS v5 is not implemented in this Interim Developer's Release. The following information will be implemented in Beta 2.

Winnt32.exe started in attended mode will display a file system conversion page providing users an option to convert their existing FAT/FAT32 file systems to NTFS. This FAT to NTFS conversion will only take place if the user confirms this dialog during setup

Installations/upgrades of systems started with Winnt32.exe in unattended mode will convert or leave the file system alone based on the value of the FileSystem key in the answer file. If the FileSystem key does not exist, setup will leave the file system alone. Note: this will not effect the NTFS to NTFS v5 conversions

Starting setup using winnt.exe, boot floppies, or CD boot, textmode setup will allow you to select your file system.

Below is a chart containing the setup/installations scenarios. Please use this chart to find the scenario that applies to your configuration. FAT to NTFS is not implemented in this Interim Developer's Release.

	File system conversion (default Behavior)
System state	FAT to NTFS	NTFS to NTFS v5
Windows NT 3.51
Windows NT 3.51 Workstation	Winnt32.exe will display wizard page with the "No" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed.
Windows NT 3.51 Server (Standalone/DC)	Winnt32.exe will display wizard page with the "Yes" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed.
Windows NT 4.0
Windows NT 4.0 Workstation (Pre -Sp3)	Winnt32.exe will display wizard page with the "No" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed.
Windows NT 4.0 Workstation (SP3)	Winnt32.exe will display wizard page with the "No" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed. If dual boot with NT 4.0 Sp3, setup will copy over updated NTFS.sys to other installations %systemroot%\system32\drivers subdirectory
Windows NT 4.0 Workstation (SP4 or later)	Winnt32.exe will display wizard page with the "No" option selected	All mounted NTFS volumes will be converted to NTFS v5
Windows NT 4.0 Server Pre-sp3 (Standalone/DC)	Winnt32.exe will display wizard page with the "Yes" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed.
Windows NT 4.0 Server Sp3 (Standalone/DC)	Winnt32.exe will display wizard page with the "Yes" option selected	All mounted NTFS volumes will be converted to NTFS v5. Warning will be displayed and user can cancel setup or proceed. If dual boot with NT 4.0 Sp3, setup will copy over updated NTFS.sys to other installations %systemroot%\system32\drivers subdirectory
Windows NT 4.0 Server SP4 or later (Standalone/DC)	Winnt32.exe will display wizard page with the "Yes" option selected	All mounted NTFS volumes will be converted to NTFS v5
Windows 9x
Windows 95	No conversion will take place, File system will be left intact	N/A
Windows 95 OSR2	No conversion will take place, File system will be left intact	N/A
Windows 98	No conversion will take place, File system will be left intact	N/A

Video Notes

Laptop Computers with Neomagic or Chips and Technology Chipsets

When performing an upgrade from a previous version of Windows NT 5.0 to this Interim Developer's Release, under certain conditions Neomagic or Chips and Technology video drivers may no longer work properly. The workaround is as follows:

From Device Manager, double click on Devices.
Double click on Display Adapters.
If the display key does not exist, click on "Continue".
Select the Neomagic or C&T driver.
Right click and select "Uninstall".
Repeat these steps if multiple Neomagic or C&T drivers are listed in the Display Adapters field.

After the appropriate drivers have been removed:

Select the Hardware Wizard in the Control Panel.
Click "Next".
Select "Add New Hardware" and click "Next".
Select "Display Adapters" and click "Next".
Select the driver you want to install. Choose "Have Disk..." if you want to obtain a driver from another location.
Complete the installation and reboot the computer.

Riva 128 Chipsets

This Interim Developer's Release does not support display adapters utilizing the Riva 128 chipsets. If you are using a display adapter with this chipset on Windows NT 4.0, you will need to perform the following before performing an upgrade to this release. This workaround is not necessary if you are performing a fresh installation.

Open the Display Applet by right clicking on the desktop.
Select Properties.
Click on the "Settings" tab.
Select "Display Type".
Click "Change".
In the "Change Display" dialog, select "(Standard display types)" under "Manufacturer".
In "Display", select "VGA compatible display adapter".
Click "OK".
Complete the installation of the standard VGA driver from the Windows NT 4.0 compact disc.

You can now perform an upgrade installation from Windows NT 4.0 to this release in VGA mode.

Disaster Recovery

The ability to create an Emergency Repair Disk (ERD) has been moved to NT Backup under the Tools menu, "Create an Emergency Repair Disk." The ERD no longer contains a backup of the registry, nor can the registry be repaired using the ERD process. In order to backup the registry you can use NT Backup and with the Backup Wizard and select "Only backup the registry". The registry can also be backed up and restored with the Automatic System Recovery (ASR) process. An ASR Disaster Recovery set can be created with NT Backup also under the tools menu, "Disaster Recovery Preparation." In the unlikely event your system has a complete failure of the system drive or operating system, the Disaster Recovery set can recover the entire system. The recovery process is started during textmode setup with the "To recover a destroyed system, or system disk, press D" option, you will have to insert the Disaster Recovery set Disk created from NT Backup previously. This process will recover your system disk and boot environment only, any user data or applications stored on other volumes will have to be restored separately.

Network Notes

Joining a Workgroup or Domain and Changing Your Computer Name

For this release, you can join a workgroup or domain and change your computer name through the Control Panel, System, Network ID tab. Or you can right click on My Computer and select Properties or open the System applet in the Control Panel. Additionally, you can choose "Network Identification" from the Connections menu of the Network Connections folder. When you join a domain that contains your previously created machine account, you will be prompted to provide a username and password.

DNS/DHCP

DNS configurations that host registrations under the DHCP assigned domain name will fail on this interim release. To workaround this problem, override the DHCP assigned domain name with the DNS domain name:

Select Start, Control Panel, Open Network Connections.
Select the Local Area Connection, Properties.
Open the Properties for Internet Protocol (TCP/IP), Advanced, DNS properties.
In the DNS domain edit box, type in the DNS name of the domain the domain controller was promoted for.

This will be fixed in a future release.

DNS Name Resolution

DNS name resolution problems may exist when the system is configured to use non-Microsoft DNS servers. As a result of a problem in the DNS resolver code, response data may cause certain applications to fail to obtain an address for the name queried. This is because the Name Server records in the response packet, reference to one or more DNS servers that may be on the same network or sub-network that the computer is on. A feature to prioritize DNS records based on machine's local IP address or addresses and subnet mask(s) causes the failure. The workaround is as follows:

Disable the DNS record prioritization to leave response data in the format it is received from the DNS server. This can be done by creating/editing the Registry key value:

Key: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value: PrioritizeRecordData (REG_DWORD) 0x0

Manually Initializing the System Volume for File Replication (for Fresh and Upgrade Installations)

This Interim Developer's Release contains a system volume hosted on all Windows NT version 5.0 domain controllers to store well known scripts and part of the group policy objects for both the current domain as well as the enterprise.

During fresh installations, the system volume is automatically created on a local volume by dcpromo.exe.

Because the system volume is accessed as \\domain-name\sysvol, it is required that all Windows NT 5.0 domain controllers host a system volume.

The system volume replicates on the same schedule as the Active Directory. As such, you may not notice files being replicated to or from your newly created system volume until two replication periods have elapsed (typically ten minutes). This is because the first replication period is used to update the configuration of other system volumes so that they are aware of the newly created system volume.

Sysvol requires NTFS version 5.0. You can verify the format version of any drive using chkntfs.exe, for example "chkntfs c:".

Directory Service

You cannot install the Directory Service on a dynamic drive. It can only be installed on basic drives.

Directory Service Migration

The Directory Service Migration tool (off-line migration from NetWare bindery and NDS resources) is an optional installation. This component was shipped in Windows NT 5.0 Beta. If you installed this tool using the previous Beta release, complete the steps below to ensure the updated version is installed. This process will overwrite your existing Directory Service Migration data files.

Run From a Domain Controller

The Directory Service Migration tool performs optimally when run from a domain controller. This is due to less information hitting the network during the configuration (export) to Active Directory. Running this tool from a workstation is not supported in this release.

Directory Service Migration Tool

This is an optional installation. Complete the steps below to install this component.

From Control Panel, select Add/Remove Programs- v2. Do not select the Add/Remove Programs applet that does not indicate "v2".
Select "Remove or Modify an existing program" and select Next.
Select "Windows NT Optional Components" and select Modify.
Select "Networking Options" and select Show Subcomponents.
Select "Directory Service Migration Tool" and select OK.
Select Next, and follow the prompts.

If you are prompted for Remote Access Service dial-up properties, provide the details and close. This a known problem with the installer which will be fixed in a future release. There is no dial capability associated with the Directory Service Migration tool.

Running the Tool

After this component is installed, from Start, Program, Administrative tools, select "Directory Service Manager Tool."

Documentation

Complete documentation is provided in this release. You can review documentation from both the "Assistant" as well as from the Help menu directly.

Usage Tips

Create a project. This creates an off-line holder for the Directory information.
From that project, create a view from NetWare to populate the off-line holder with directory information.
From this view, modify the off-line data to match your migration needs (ie: rename users, move branches).
Configure the view to Active Directory to populate Active Directory with the directory information in the off-line view.
Once user objects exist in Active Directory, you can optionally perform a file migration.

Distributed File System

Before using Distributed File System (Dfs) on this release, familiarize yourself with the following information.

Dfs Manager Console

On this Windows NT 5.0 Interim Developer's Release, the legacy Dfsadmin.exe has been replaced with a Dfs Manager console. This console can be invoked from the Start, Programs, Administrative Tools.

Dfs v4.0 Roots

To administer an existing stand-alone Dfs, from the Dfs Manager console, right-click, and select "Connect to Existing Dfs Root." This will permit you to enumerate existing stand-alone Dfs roots and select one. You can alternatively type in the Dfs server root and share name in the edit field provided (ex: \\Server\Share) of the Connect To dialog box.

Dfs v5.0 Roots

Use the "Connect to Existing Dfs Root" steps referenced above. You can then select the Domain and Fault Tolerant root to administer. If you encounter problems on this release, we recommend you manually enter the FT-Dfs root \\MachineName\DfsShare. The Dfs Manager will resolve this to the proper Domain Name. This issue will be addressed in a future release.

Creating New Dfs Roots

Run Dfs Manager Locally

To create a new Dfs root, run Dfs Manager from the server that will host the Dfs share. A future release of Dfs Manager will allow you to create roots remotely.

Creation Wizard

The Creation Wizard steps you through the Dfs root creation process. To invoke the wizard from Dfs Manager, Right-Click, and select "New Dfs Root." You can create either a stand-alone (one root) or Fault Tolerant (multiple root participants, DNS naming, leverages Active Directory) Dfs root. In this release, you must reboot of your server to complete the Dfs root setup. No reboot will be necessary in a future release.

Selecting a Share to Host Dfs

The Creation Wizard will not create the directory to host the Dfs root. You must choose an existing directory or create it manually. This issue will be addressed in a future beta release.

Publishing a New Child

After you have setup a Dfs root, and connected to it from Dfs Manager after reboot, you can add child nodes to the Dfs root. Right click on the Dfs root name, and select "New Dfs Child Node."

Publishing a Child Replica

From any Child Node, you can add replica nodes. Right click on the child node, and select "New Dfs Replica Member."

Adding a New FT-Dfs Root Member

If you have configured a Fault Tolerant root, and want to add an additional server to co-host the root, run Dfs Manager directly on the server, and step through the "New Dfs root" specifying the same domain and Dfs root name as on the previous computer. In a future release, this will be supported from the "New Root Replica" option.

File Replication

For this release, support for file replication between child nodes within a replica has been added.

Convergences

After creating or adding new child nodes for Fault Tolerant roots, some users may not see changes immediately. This is a result of the replication schedule on the Active Directory between domain controllers. After all domain controllers have replicated the Dfs topology, all users in the enterprise will view the Fault Tolerant Dfs root consistently.

End User Access

For Fault Tolerant roots, users can now access the root by using either a root server name or by using the domain name. For example:

Dir \\{domain.organization.com}\Dfsroot, or

Dir \\{Dfsroot Server}\Dfsroot Share

If users are unable to resolve domain names, verify the Dfs service (Net Start) is properly started on all domain controllers in the domain.

Sites

If the domain is configured to support multiple sites, clients will take preference to child nodes located within their site.

Microsoft Cluster Server

Dfs v5.0 does not currently support Microsoft Cluster Server. This will be supported in a future release.

Removing Dfs

To remove a Dfs root, use the "Delete Dfs Root" option in Dfs Manager. Perform this locally on the server hosting the Dfs root to be removed. Alternatively:

If a machine-based Dfs configuration is damaged and you are unable to stop hosting a Dfs volume through DfsAdmin, you can reset the service on the computer using the following procedure:

Run Regedt32

HKEY_LOCAL_MACHINE\Software\Microsoft

Delete the folder 'DfsHost', and any subfolders.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

\DfsDriver\LocalVolumes

Delete any subfolders under this folder. Do not delete the LocalVolumes folder.

Reboot the machine.

If a Fault Tolerant Dfs configuration is damaged and you are unable to stop hosting a Dfs volume through DfsAdmin, you can reset Fault Tolerant Dfs on the computer from Active Directory using the following procedure:

Perform the same steps listed above for a machine based Dfs without rebooting.

Run the Directory Management MMC tool:

Start, Programs, Administrative Tools, Directory Management

Expand the domain name

Select the Fault-tolerant Dfs name to be removed.

Select Action, Delete to remove the FtDfs from the Ds.

Reboot the machine(s) in the fault-tolerant Dfs.

Setting Up Multiple Site Replication

To configure replication between multiple sites, the administrator must perform the following tasks from the Active Directory Sites and Services Manager snap-in located from the Start menu, Programs, Administrative Tools menu "Sites Topology".

Install two or more domain controllers into the domain as replicas, or parent and child. By default they are installed into FirstSite unless subnet objects have been created for each subnet on which a domain controller will reside, and the subnet objects are associated to sites created in Step 3 below.

In the example of two domain controllers to create two sites:

In FirstSite\Servers[serverA]\NTDS Settings create a second connection from the NTDS Settings container of server B
In FirstSite\Servers\[serverB]\NTDS Settings create a second connection from the NTDS Settings container of server A
Right click on the Sites node to create the SecondSite (or determined name)
Right click on one of the servers in FirstSite, and select Move...
Click [Browse...]
Select Sites\SecondSite\Servers
OK.
OK.

After each site has been seeded, a subnet object for the location can be created and associated to the site. Newly promoted domain controllers will be recognized in the site to which their subnet object is associated. For site policies to operate properly, you must create subnets and associate them to the sites.

This can be performed from one computer if the order is carefully preserved. If Step 4 is completed before Steps 1 and 2, then Steps 1 and 2 must be performed at the location of each replicating domain controller.

Domain Controllers

Creating Domain Controllers

When creating replica or child domain controllers, the timezone settings for each must be identical. The system clock between both computers must also be within five minutes of each other. Failure to do so will cause credential failures and will not successfully create a domain controller.

Demoting Child Domain Controllers may fail

The demotion of a child domain in an arbitrarily deep domain tree structure will fail.

This Interim Developer's Release has support for demotion of domain controllers back to standalone servers. Users are now able to demote a root DC, a child DC, or a replica DC to a member server. In any domain, however, the last domain controller may only be demoted if that domain has no children of its own. The demotion will succeed in simple trees that are no deeper than one level without any problems. However, in trees that contain grandchildren, great-grandchildren, or deeper domains underneath the root domain controller, any attempt to demote a DC deeper than the first child domain of the root domain will fail with endless prompting for credentials.

To work around the problem, the following steps are required:

Before beginning demotion of the grandchild domain controller, add the Administrator account from the root domain of the domain tree to the administrators group on the immediate parent domain controller of the child domain which is to be demoted.
When the popup dialog prompting for credentials appears during DCPromo demotion on the child domain controller, supply the credentials for the Administrator account from the root domain of the domain tree. This account should be the same one you added in the previous step to the parent's Administrators group.
Do not supply the DNS name of the domain in the domain edit field on the credentials popup page, even though this is the default choice. Use the NETBIOS domain name instead. Unless otherwise changed, the NETBIOS domain name is the same as the leftmost portion of the DNS domain name. For example, the DNS domain name "mydomain.myNT5dom.com" would have a NETBIOS name of "mydomain" if it had not been changed during the original DCPromo operation.

After following the steps above, the demotions should proceed through to completion successfully.

Configuring Domain Controllers for Inter-Site Replication

To configure a domain controller to perform inter-site replication, verify that the Public Key Certficate has been generated as follows:

Activate the Microsoft Management Console from the command line (mmc.exe) on the domain controller.
In the Console menu, select Add/Remove Snap-in.
In the Add/Remove Snap-in pane, click Add.
Select "Certificate Manager", and click OK
In the MMC Certificate Manager Snap-in wizard, select "Computer-account" and click Next.
Select "Local computer" and click Finish.
Close the Add/Remove Snap-in pane, click OK.
In the mmc console, select Certificate Manager (Local Computer) -> My -> Certificates.
Verify that there is a certificate in the results pane with the name of your domain controller.

If the certificate is not present:

Reboot the DC and try again, or
Manually enroll for the domain controller certificate by selecting the Task->Request new Certificate... context menu in the results pane of the mmc. This will bring up the certificate request wizard. If the wizard does not appear, an error is issued that no certification authorities are available to handle your request as a result of a misconfigured Certification Authority.

Otherwise, continue with the enrollment wizard:

Select the Certification Authority you wish to enroll at (the default should be sufficient).
Click Next> and select the "Domain Controller" certificate template.
Click Next> and choose a friendly name and description (optional).
Click Next> and verify your choices.
Click Finish.

The certificate request wizard should succeed, and you should receive a certificate.

PWDUMP Utility

Protection against the PWDUMP utility is not supported in this release. This will be fixed in a future release.

Network Monitor

Windows NT Workstation includes the Network Monitor protocol. Windows NT Server includes this protocol and Network Monitor Tools.

If you perform an upgrade to this release from Windows NT 4.0 or Windows NT 5.0 Beta, first remove all Network Monitor components. Failure to remove Network Monitor before upgrading will result in an unknown state.

After the Windows NT upgrade has successfully completed, you can then install the Network Monitor Tools and Network Monitor Agent v2 driver. After it is installed, Network Monitor will be accessible from the Start, Programs, Network Analysis, Network Monitor menu.

Note

If you perform an upgrade to this release before removing these components, you will need to remove the Network Monitor components and Network Monitor Agent v2 driver and reinstall them.

Adding Network Monitor Components

From Control Panel\Add/Remove Programs v2\Remove or modify an existing program\click<Next>\select Windows NT Optional Components\click<Modify>\select Networking Options \click<Details>\check Microsoft Network Monitor Tools\click<OK>.

Removing Network Monitor Components

From Control Panel\Add/Remove Programs v2\Remove or modify an existing program\click <Next>\select Windows NT Optional Components\click <Modify>\select Networking Options\click <Show Subcomponents...>\uncheck Microsoft Network Monitor Tools \click <OK>.

Adding the Network Monitor Agent V2 Driver

Right click on the Connection icon\Properties\Networking tab\click <Add>\select Protocols\click <Add>\select Network Monitor Agent v2 Driver\click <OK>\click <OK>.

Removing the Network Monitor Agent V2 Driver

Right click on the Connection icon\Properties\Networking tab\select Network Monitor Agent v2 Driver \click <Remove>\click <OK>\click <OK>.

SNMP Agent

In this release, the SNMP Agent will fail unexpectedly when attempting to browse the 1.3.6.1.2.1. portion of the Management Information Base (MIB). The service will stop processing requests until it is restarted. To workaround this problem:

Run Regedt32

HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs

Set the registry variable to FFFFFFFF

Known Issue

The SNMP Agent will hang when attempting to set the following Object Identifier (OID):

1.3.6.1.2.1.4.24.2.1.2.127.0.0.0.2.0.127.0.0.1

Active Directory

Active Directory Installation

Upgrading a Windows NT 4.0 Backup Domain Controller to a Windows NT 5.0 Replica

When the Active Directory Installation Wizard in Windows NT Setup prompts you to select either "Leave as a member server" or "Make a domain controller", select "Leave as a member server". After the installation wizard completes the process, leave the Domain and join a Workgroup through the Network ID tab of the System applet. Reboot the system. Select Start, Run and type Dcpromo.exe to install a replica domain controller.

If you select to install "Make a domain controller", the following error message will occur:

Active Directory Installation Failed

The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.

Cancel the Domain Controller wizard (Dcpromo.exe) and restart it. Select Start, Run and type Dcpromo.exe and follow the above instructions.

If the Domain Controller wizard continues to appear after each reboot of the system, edit the following entry in the Registry. Select Start, Run, Regedt32.exe.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\Userinit

remove "dcpromo /upgrade"

Active Directory Manager

Active Directory Manager is the Microsoft Management Console snap-in for administering the Active Directory.

New Features of Active Directory

Mode of Operation

Active Directory Manager supports two modes of operation selected from the snap-in View menu. In Normal mode, only standard objects are displayed as containers, Organizational Units, Groups, Contacts, Users, and Computers. These items display a reduced set of properties.

In Advanced mode, additional containers such as Lost and Found, and System can be viewed. In this mode, additional properties are available such as security and certificate mappings.

Viewing Computers, Users and Groups as Containers

Objects such as Users, Groups and Computers are viewed as leaf nodes in the directory. These objects may also be viewed as containers. For example, printers are published in a Computer container. To view objects such as Printers and IPSec Settings, you can view Computers, Users and Groups as containers.

Filters

A filter can be applied to display certain types of leaf objects. This allows administrators to selectively view only the object classes that are included in the filter. In this release, there is no visual indication the filter has been applied.

Multiple Select

You can now select multiple objects in the Results pane. The operations applicable for this selection are Enable/Disable User Accounts, Send Mail (assumes a mail client is installed and the users' email address attribute is present), Delete and Move.

Groups

Group Type is new terminology that defines whether a group may be used as a security principal (can be given permissions to access resources) and as a mail distribution list, or whether the group is strictly a mail distribution list.

Group Scope defines whether the group is Enterprise (Universal group), Domain (Domain Global, similar to Windows NT Global Groups) or Resource (Domain Local, similar to Windows NT Local Groups) wide. Universal Groups and nesting of any group type is only permissible when the domain is running in Native Mode. In Native Mode, the domain can not contain downlevel Windows NT 3.51 or 4.0 domain controllers.

Security

The Active Directory provides a rich security model. To simplify the delegation of authority on objects in the Active Directory to specific users and groups, the "Delegation Wizard" will step administrators through a series of tasks that easily enable them to grant management permissions to users.

User Principal Name

The User Principal Name (UPN) is the User Logon Name when accessing the network from Windows NT 5.0 Workstations. An example of a UPN is fredn@antipodes.com. In this release, the only available UPN suffix (for example, antipodes.com) is the domain tree name.

Known Active Directory Issues

There is a problem promoting the a member server of a domain, ex. mydomain.com, to be a replica server of another domain, ex. myotherdomain.com.DCPROMO will report the following error:

The operation has failed. The error message is "The specified domain did not exist."
Note: This server has been unjoined from domain <NETBIOS name for the domain>.

To workaround this problem, make the server either a member of a workgroup, or a member of the domain for which you wish to make the replica server. Ex. If server myserver is a member server of mydomain.com, we make it a member of myotherdomain.com, or a member of workgroup MYWORKGROUP. Now DCPROMO should complete successfully.

After doing a DCPROMO, some user account privileges will have been removed. Web and Transaction services might not function properly. The following two workarounds will resolve the issue.

If IIS/MTS servers are installed with NT 5.0 server install, the workaround is to assign the following rights to the accounts after dcpromo has rebooted the machine:

Logon Locally Right assigned to IUSR_<ComputerName), IWAM_<ComputerName>
Batch Logon Right assigned to MTS_Admin, IUSR_<ComputerName>, IWAM_<ComputerName>

Or choose not install IIS/MTS servers during NT 5.0 server install, then after dcpromo runs to promote a DC, install IIS/MTS from add/remove programs in control for optional components.

The "Delegate Control…" wizard in the Active Directory Service Manager tool does not correctly grant permissions on DS objects. In order to properly grant permissions on DS objects, use the Security property page of the DS object. This property page is accessible when "Advanced Features" is turned on in Active Directory Service Manager.

The Results Pane is not automatically updated after performing Move operations, deleting containers or Organization Units. Select "Refresh" or F5.

"Sheets up. Cannot delete it!" error message. This may occur when two people are administering the same domain simultaneously or if the user has displayed the properties of an object and then attempt to delete it from the snap-in without first closing the properly sheet.

Close any open property pages. Retry the operation. If there are no open pages, restart the Active Directory Manager.

Failure to modify properties for contact objects with LDAP_CONSTRAINT-VIOLATION. The information contained in the "Address" page for contact objects cannot be modified. Saving information on other pages for contacts will fail in the same way if the "Address" page was previously selected. Reopen the property pages for the contact, and make the modifications directly to the page on which you change the information (excluding "Address").

Logon hours set incorrectly for user accounts. Use User Manager to set the logon hours.

User account expiration date is set incorrectly. Use User Manager to set expiration date.

User's "Member Of" page fails to modify membership if attempting to add the user to a group in another domain to which the administrator does not have write permissions. Ensure the administrator has sufficient privileges in this domain.

Internet Protocol Security - IPSec

Not all systems are IPSec enabled

If your NT5.0 IPSec-enabled system needs to talk also to non-IPSec systems, you can allow a "fail-to-clear" negotiation behavior on a per rule basis. Since the negotiation behavior is per rule, it means that only traffic that matches that filter associated with the rule will be negotiated according to the negotiation policy, not necessarily all traffic. The predefined security policy called "Secure Initiator" has this behavior configured because it uses the "Secure Initiator" negotiation policy. Examine the "Secure Initiator" policy, then the "Secure Initiator" negotiation policy to see that the check box labeled "Allow unsecured communication with non-IPSec aware hosts" is checked. When an NT5.0 negotiation request receives no reply for approximately 4 seconds, a "soft association" will be established to allow traffic to be sent and received in clear-text with destinations matching the corresponding filter. This soft security association will last for 8 hours as long as traffic is being exchanged within 8 minutes. If no traffic is exchanged for 8 minutes, the soft association will expire – meaning another packet will drive a new negotiation attempt. At the 8 hour interval soft associations will be forced to renew – meaning another negotiation with the destination is attempted. Use the IPSec monitor to view active associations. If the Negotiation Policy column shows the word "None", then you have a soft association between those source and destination addresses.

Note: During IPSec testing between NT5 systems, if soft associations are established, they may last 8 hours. To delete these, you must log in as Administrator, bring up a command shell, and enter the command "net stop policyagent", followed by "net start policyagent".

If your filter is of the form from "Me" to "Any" IP address or perhaps "Me" to <subnet>, you may experience problems when the system attempts to do a DNS query to an non-IPSec enabled DNS server (NT4, other DNS servers, an NT5 DNS server that does not have IPSec turned on). This happens when the DNS server IP address falls within the destination range of the filter. To work around this, you can do several things:

Use IPSec to communicate securely to your DNS server. This means you would run one of your DNS servers on a Windows NT5.0 IPSec-enabled host and have corresponding IPSec policy to permit clients to successfully negotiate an IPSec security association with it when doing DNS lookups.

Exempt DNS traffic from IPSec on the client by creating a new rule to filter just DNS traffic in the client’s IPSec policy. This new rule has a filter list with a single mirrored filter specification of the destination IP address of the DNS server. The negotiation policy for this rule has the radio button enabled that says "Don’t allow secure communication". When DNS queries are generated going to the DNS server destination IP address, this negotiation policy will prevent IPSec from processing those packets.

You could specify a filter only for the end machine to which you are trying to communicate. Edit the policy, edit the filter list, and make sure that the source is "My IP Address" and the destination is the particular machine you are trying to communicate to. Make sure this filter is mirrored to properly handle reply packets from that destination

Using a DNS name as source or destination in filter specification

When you type in a DNS name in the box for DNS name as a source or destination address, the UI attempts to resolve that DNS name to an IP address for you when you click on OK.

If DNS name can’t be resolved to IP address: A message will pop up if it can not resolve the name to an address.

IF DNS name can be resolved to IP address: the IP address is "cached" in the filter specification.

When the policy is retrieved by the computer, all DNS names in the filters are resolved to their current IP addresses. The new address is the one used. If the DNS lookup fails, then the IP address that is used is the one that was "cached" in the filter specification at the time that the filter was created. If not IP address could be cached, then the filter is discarded.

Generally filters should apply for both directions

For IPSec to work between any two systems, you will need an inbound and outbound filter. For example, to use IPSEC from A to B , host A needs to have filter A -> B and another filter B->A. Host B also needs equivalent filters, source B -> destination A, and source A to destination B. The reverse filter can easily be done using the checkbox on the filter specification dialog "Mirrored. With this checkbox checked, a "Yes" will appear in the mirrored column in the filter specification list. The easiest filter specification to use is from "Me" to "Any IP address" with the checkbox marked

Ping <ip address> does a DNS lookup

When you have enabled a pre-canned IPSec policy on two machines, such as Secure Initiator or Lockdown, and you are trying to ping between them, the ping <ip-address> command may fail because it performs a reverse DNS lookup to find out the name associated with the IP address from your DNS server. This will cause the machine which is trying the ping, to do an ISAKMP negotiation with your DNS server. In the case that you have not activated a compatible IPSec policy on your DNS server, this negotiation attempt will fail, causing ping to always fail. A Netmon sniff of the traffic should indicate the ISAKMP packets being sent to the DNS server address. If you have activated the "Allow communication with non-IPSec hosts" option on the rule’s negotiation policy, then you will fall back to clear after the soft association has been established. The system will need a soft SA to the DNS server and potentially to the destination address specified on the ping command line (when the destination does is not-IPSec enabled). If you repeat the ping command after 8 seconds, you should see it succeed when the destination is not IPSec enabled. Since DNS query replies are cached locally on a system for a short time, you may not see the DNS query packet (or the resulting ISAKMP negotiation packet) actually sent on the wire to the DNS server when you issue a ping.

Cisco IOS IPSec Interoperability

You will need the Windows NT5.0 domestic North American Version in order to negotiate with IOS 11.3 routers that support IP Security transport and tunneling. This is required for interoperability of the cryptographic transforms DES-CBC with 56bit key and Triple-DES.

Getting Started Quickly with IPSec

If Windows NT 5.0 computers are members of the same NT domain or members of trusted domains then the setup for IPSec is straightforward. Pre-defined IPSec policies are configured to use Windows NT 5.0 Kerberos for authentication. IPSec security should be able to be established easily by activating the polices on each system. As an administrator, you can activate IP Security two ways, using an MMC IPSec snapin administrative tool, or using the Network Connections user interface.

Activating IP security as a property of a local area network connection:

Start -> Settings -> Control Panel -> Network Connections
Left click once on Local Area Connection, right click to bring the property dialog, choose Properties
Select Internet Protocol, click on Properties button
Click Advanced
Click on the Options tab
Select IP Security, click Properties
Choose the radio button for "Use this IP security policy". If the tab is completely grayed out, then you can not change any of the IPSec settings because IPSec policy has been assigned to your workstation in the directory service by a domain administrator. Otherwise you can choose between the available locally stored policies and click OK.

Note: this changes the IP security for all connections, not just the LAN connection.

Activating IP security using the Microsoft Management Console IPSec snapin tool:

On Windows NT5.0 Server

Start -> Programs -> Administrative Tools -> IP Security Management

On Windows NT5.0 Workstation

The first thing to do is build an MMC management tool with all the tools that might be useful for managing IPSec policy and investigating the system behavior. After the management tool is built, you will save it to be run again easily.

Building an MMC IPSec management tool:

Start -> Run
Mmc
Console -> Add/Remove Snapin
Select IP Security Management, then click Add button, choose Local Computer, then Finish
Select Computer Management, then click Add button, click Finish (local computer already selected)
From the Add/Remove Snap-in dialog, click on the Extensions tab, and select Computer Management in the top drop-down list
Now select the checkbox active for the following extensions to Computer Management:
Certificate Manager Extension
Event Viewer Extension
Security Configuration Editor Extension
System Information Extension
System Service Management Extension
Don’t click OK yet, rather go back to the Standalone tab under Add/Remove Snap-in dialog
Back at the Standalone tab on Add/Remove Snap-in, click Add button
Select Certificate Manager, then click Add button, click Computer Account, click Next, click Finish (because local computer already selected)
Click OK to view the whole tool with the left-side tree view showing each standalone tool added.
Click Console -> Save As… and provide a name for this new MMC management tool, such as "IPSec Local Policy.msc" and save it under you’re "My Administrative Tools" folder.
Next time, when you want to start this management tool, its easy: Start -> Programs -> My Administrative Tools -> IPSec Local Policy.msc

On either Windows NT 5.0 Workstation or Server

Now that you have an MMC management tool for IP security, simply activate an IPSec policy.

Select the IP Security Policies node, you will see the predefined IPSec policies in the result pane on the right.
Select Secure Initiator or Secure Responder, right click for properties, choose Set Active.

Note: If your computer is using IPSec policy assigned to it from the directory service, the PolicyAgent event log entry message will be informational and say "Using IPSec policy from the Active Directory", otherwise it will say "Using IPSec policy from the local registry". When using Active Directory policy, the MMC IPSec policy may show a local policy as being active when it is not actually be used by the policy agent.

If you were to look at the services running, you will see the IPSec Policy Agent as started, but still set as a manual start service. This means when you reboot, you will need to do a "net start policyagent" on the command line or start the service from the MMC node Computer Management -> Services -> IPSec Policy Agent

Creating and applying IPSec policy in the NT 5.0 Directory Service

There are no IPSec policies created by default in the NT 5.0 directory service. If you want to use directory based policy, you must use the IPSec MMC snapin to create them. To do this,

Start up a blank MMC console or bring up the IP Security Management tool from the Programs -> Administrative Tools menu (server only)

Choose Console -> Add/Remove Snapin

Click the Add button

Select the IP Security Management snapin, click OK.

When prompted for the location you want to manage, choose the "Policy information in your domain controller’s directory service" location.

If you are a domain administrator, then you will have access to the IPSec policy area in the Active Directory and can create policy there.

A separate process is required to assign the IPSec policy to the domain or organizational unit using the Group Policy Editor to edit the appropriate group policy object.

Using Certificate Trust

When configuring an authentication method for a rule, if you choose certificates then the certificate authority name must be entered in a special format. The browse button currently returns the friendly name of the CA, not the full formatted text required. Follow this procedure to enter the CA name:

You will need to enroll in a certificate authority to obtain a machine certificate, not a user certificate. You can test using a user certificate if you move the certificate from the user part of My Store over to the machine part of My Store. Use two Certificate Manager snapins, one focused on user store and one focused on the local computer store, to move the root certificate and the authentication certificate from the Root and My user store over to the Root and My machine store.
Using the Certificate Manager snapin, select the machine Root store -> Certificates. Double-click to see the contents of the certificate whose CA you want to trust. Look at the Details tab, select Issuer.
The name that must be entered into the authentication method's CA name box is a case-sensitive, formatted representation of these Issuer detail fields.

If the Issuer Details appear as:

O = Company
L = Redmond
S = WA
C = US

Starting at the bottom line of detail, format the line as follows ( the _ underbar characters represent spaces in the syntax below, semicolons delimit the fields):

C_=_US;_S_=_WA;_L_=_Redmond;_O_=_Company

If you have mis-entered this string as a CA name in the rule, the IKE negotiation process will not be able to find a certificate issued by the misspelled CA name. In the Event Security Log, a general processing failure is recorded.

Default Policies

The default policies use the Kerberos authentication method. This means that two systems must be in the same or trusted domains to be able to negotiate a security association.

Known Problems with IPSec

Directory polling for policy is disabled

The polling interval for IPSec policy agent to refresh active policy has been set to a large value to effectively disable polling. So if you make changes to any part of an active IPSec policy, you will need to stop the policy agent service on the workstation and restart it. In the event log, you will see informational messages that indicate the polling interval is set to a large number of minutes for this reason.

Separately, every 8 hours the client’s group policy editor engine (part of winlogon) will check for new policy assignment in the directory, including IPSec policy assignment. So changing to a new IPSec policy assignment for an OU will be detected on the interval, or when the client reboots.

When a client is moved from an OU/Domain which contains IPSec policy assignment, to an OU/Domain which does not have any IPSec policy, the policy that was cached on the local machine may in some cases not be deleted. Check the event log to verify the source of the policy.

RAS IPSec tunneling

Client IPSec tunneling does not assign an internal IP address. The same IP address on clients must be used for both the source address of the tunnel and source address for the end-to-end communication.

For clients you have to provide either a specific IP address or a DNS name as the tunnel end point. Do not set "Any IP" address or subnet address (128.0.0.0) as the tunnel end point on the client.

For testing IPSec tunnel servers, should specify filters from "Any" or a subnet going to each client’s IP address.

Router-router tunnel

A ---- GW1 ====== GW2 ----- B

The policy on GW1 should have a rule with a filter specification that says from subnet A going to subnet B, use tunnel end point of GW2, NOT mirrored. And have another filter that specifies from B to A use GW1 as the tunnel end point.

The policy on GW2 should have a rule with a filter specification that says from subnet B going to subnet A, use tunnel end point of GW1, NOT mirrored. And going from subnet A to subnet A use GW2 as the tunnel end point.

Two or more default routes with the same metric

On multi-homed machines, make sure you don't have two default routes with the same metric. This can cause ISAKMP negotiation to fail. Symptoms: your negotiation fails going from host A to host B, but succeeds when B initiates to A.

ISAKMP policy settings

The IPSec policy settings for ISAKMP Perfect Forward Secrecy (PFS) for phase 1 and phase 2, as well as the phase 2 key lifetimes must be set identically on each end point. If you do not change the pre-canned policies, you should not encounter this problem.

If you make changes to the phase 2 key lifetimes, make sure the number of bytes transferred per re-key is very large, such as 20Mb or greater. The actual minimum recommended value depends on how much data is being transferred at what rate. A smaller value results in rekey negotiations which are too fast such that they never complete the first renegotiation before starting the second.

Export Limitations

Export version of the NT5.0 builds will allow you to configure IPSec policies, such as 56bit DES or 3DES, that the underlying mechanisms do not support.

How to Report a Problem with IPSec

If the problem can not be resolved using the checklist of steps above, gather the following information, and send it to the Windows NT5.0 Beta Support networking team using typical bug reporting tools. If the problem is reproducible, then output from the commands listed below before and after is most helpful.

Title of Problem (25 words or less):
Description of computer on which the problem is observed:
Description of what you are trying to do
What is the security you want
Description of what happened, the observed problem
Description of the local network to which that computer is connected:

Attach a copy of the output "ipconfig /all" output
Attach a copy of the output "netstat –a", "netstat –s" and "netstat –r"
Attach a copy of output for "kernrout print"
Attach a (hopefully small) sniff of the ethernet (not just IP or above) traffic to and from the affected computer
Attach the %windir%\ipsecpa.log file and ipsecpa.bak file
Attach the %windir%\oakley.log file and the oakley.log.bak file

Internet Authentication Service

Internet Authentication Service (IAS) uses the Remote Authentication Dial-in User Service (RADIUS) protocol to perform remote authentication, authorization, and accounting of users who connect through a network access server (NAS).

Overview of Features

Authentication:

Checks identity of users in Microsoft Windows NT 4.0 domains, Windows NT 5.0 Active Directory, Windows NT 5.0 local Security Accounts Manager (SAM).

List of supported authentication types are:

PAP:
CHAP: Works only with accounts in Windows NT 4.0 domain controllers or in Windows NT 5.0 Active Directory.
MS-CHAP: Includes MS-CHAP password change version 2.
EAP: Allows use of secure authentication techniques, such as certificates and smart cards. The users accounts must always be present in Windows NT 4.0 domains, Windows NT 5.0 Active Directory, or Windows NT 5.0 local SAM.

Authorization:

The Remote Access Policies feature is used to authorize users for access to the network.

Accounting:

Windows NT 4.0 IAS log format, and ODBC-compatible Log File Format.

Network Access Servers:

IAS is compatible with popular network access servers, such as Ascend, Bay Networks, Cisco, Microsoft Windows NT Remote Access Service, Livingston, U.S. Robotics, and 3Com.

More details on Remote Access Policies

Remote Access Policies is used to authorize users for access to network services. The IAS service evaluates the list of remote access policies in the specified sequence. Each remote access policy is divided into conditions and a corresponding profile. The profile is used when all the conditions in the policy are matched. If none of the conditions in a policy match, then IAS evaluates the next policy in sequence. If none of the policies match, then the user is rejected.

Read this before using IAS (Limitations may be specific to IDS release only)

Remote Access Policies cannot be stored in Active Directory. It is always stored locally on the machine running IAS.
Callback number and Callback options do not work.
Event log does not contain any messages.
MSCHAP Change Password version 1 is not supported. MSCHAP Change Password version 2 is supported.
List of EAP Types is predefined and cannot be changed.
If you use EAP Authentication, then do not use policies that are dependent on Universal Groups.
Interoperability tests failed with a latest update to Ascend MAX, version 5.0AP42. The interoperability tests passed with an earlier version of Ascend MAX.
IAS must be installed either in a native Windows NT 5.0 domain or in a native Windows NT 4.0 domain. IAS does not yet support a mixed domain with Windows NT 4.0 domain controllers and Windows NT 5.0 directory services.
Behavior for users in Windows NT 4.0 domains: The dial-in permission assigned to Windows NT 4.0 users overrides the dial-in bit in the Profile.
Behavior for users in Windows NT 5.0 Active Directory and Windows NT 5.0 SAM: Dial-in permission is determined by membership of users in Windows NT groups (see Remote Access Policies).
Migration from Windows NT 4.0 domains to Windows NT 5.0 Active Directory: The dial-in bit, callback number, callback options, and CHAP password assigned to users in Windows NT 4.0 domains are not upgraded to Windows NT 5.0 Active Directory.
To enable CHAP in Windows NT 4.0 domains, download the CHAP update from www.microsoft.com and follow the instructions in the associated documentation.
To enable clear text password in Active Directory domains follow these steps: in Active Directory snap-in, right click on domain, and select -> Tasks -> Manage Group Policy. If a Group Policy Object does not exist, then create it. Edit the Group Policy Object, and navigate to Computer Settings --> Security Settings --> Account Policies --> Password Policy. Here you will see the option to enable/disable Clear Text Passwords.
Upgrading from the version of IAS in the Windows NT 4.0 Option Pack is not supported.
Changes in configuration do not take effect until the service is restarted. After changing any parameters, stop and restart the service.
RAS and IAS share Remote Access Policies. If you change the Remote Access Policies on a computer, then the change applies to both RAS and IAS on that computer.
Policy-evaluation sequence bug: Policy is not evaluated in the sequence specified by the administrator.

IAS has been tested with the following:

Cisco AS 5200 version 11.2

Windows NT 4.0 Routing and Remote Access Service RADIUS client

Windows NT 5.0 Remote Access Service

Ascend MAX (see note in "Read this before using IAS" list, above).

Installation Checklist for IAS

Verify that you have installed IAS. IAS is an optional component that can be installed using Windows NT Optional Components Manager.

If the user accounts are in Active Directory, then

Verify that Active Directory is switched to "native" mode.

Verify that the machine running the IAS service has permission to read the user object in that domain.

If the machine running the IAS service is a member of that domain, then click Register Service in DS in the IAS taskpad to create the access control lists (ACLs) in the directory service.

If the machine running the IAS service is not a member of that domain, then, create a access control list (ACL) on the user's container so that it allows Read access to all User Objects within the user's container.

The Remote Access Policies that are installed by default disable access for all users in Active Directory, and enable access to users in NT4 domain which have the dial-in permission enabled.

Define the Clients (NAS equipment and RADIUS proxies) with the appropriate shared secret.

Verify that the NAS equipment uses the same RADIUS ports. By default, IAS uses these ports: 1812 for authentication, 1813 for accounting. These ports are recommended by the RADIUS RFC 2138, RFC 2139.

Configure the NAS or RADIUS proxy to forward authentication and accounting packets to the IAS server.

Start the service.

Services for Macintosh

In previous versions of Windows NT Server, Services for Macintosh was installed from Network in Control Panel to enable management of Macintosh file and print services. With this release of Windows NT Server, Services for Macintosh is split into File Services for Macintosh, Print Services for Macintosh, and the AppleTalk protocol. In this release, Macintosh clients can use the TCP/IP protocol to access shares on a Windows NT Server that is running File Services for Macintosh (AFP over IP).

File Services for Macintosh Installation

Notes

You must have an NTFS partition installed before you install File Services for Macintosh.
When File Services for Macintosh and TCP/IP are installed, the Apple Filing Protocol (AFP) over TCP/IP is enabled automatically.
File Services for Macintosh no longer requires the AppleTalk protocol when TCP/IP is installed on the Windows NT Server computer.

To install File Services for Macintosh

In Control Panel on a Windows NT Server computer, click Add/Remove Programs v2.
In the Programs Wizard dialog box, click Remove or modify an existing program, and then click Next.
In the Application Name box, select Windows NT Optional Components, and then click Modify.
In the Components box, select the Networking Options check box, and then click Show Subcomponents.
In the Subcomponents of Networking Options box, select the File Services for Macintosh check box, click OK, and then click Next.

Print Services for Macintosh Installation

Note that if you install Print Services for Macintosh and have not already installed the AppleTalk protocol, the protocol is installed automatically.

To install Print Services for Macintosh

In Control Panel on a Windows NT Server computer, click Add/Remove Programs v2.
In the Programs Wizard dialog box, click Remove or modify an existing program, and then click Next.
In the Application Name box, select Windows NT Optional Components, and then click Modify.
In the Components box, select the Networking Options check box, and then click Show Subcomponents.
In the Subcomponents of Networking Options box, select the Print Services for Macintosh check box, click OK, and then click Next.

AppleTalk Protocol Installation

You can install the AppleTalk protocol separately from File Services for Macintosh or Print Services for Macintosh. For example, you can install the AppleTalk protocol for routing purposes only. In this situation, you need AppleTalk, but not File or Print Services for Macintosh.

Note

Installing the AppleTalk protocol on a LAN connection will install and enable it for all LAN connections on your computer. To disable the AppleTalk protocol on a LAN connection, you must configure the connection and uncheck the AppleTalk protocol box.

To install the AppleTalk network protocol on a connection

Click Start, point to Settings, click Control Panel, and then click Network Connections.
Right-click a Local Area Connection and click Properties.
On the Networking tab, click Add.
Select Protocol and click Add.
In the Network Protocol box, select AppleTalk Protocol, and then click OK.

Note

By installing Print Services for Macintosh, you automatically install the AppleTalk network protocol.

AppleTalk Protocol Configuration

AppleTalk protocol properties—such as a default adapter type and a default zone—are now configured per-connection in the Network Connections folder.

To set default adapter and zone properties

Click Start, point to Settings, click Control Panel, and then click Network Connections.
Right-click a Local Area Connection, and click Properties.
On the Networking tab, select AppleTalk Protocol, and click Properties.
If you want to use this connection as the default adapter, select the Accept inbound connections on this adapter box.
Select a zone for the system, and then click OK.

Note

Once you have selected an adapter as the default adapter, you cannot deselect that adapter. If you want to use a different LAN connection as your default adapter, you must perform this procedure on it.

AppleTalk Routing Configuration

AppleTalk routing properties—such as a network range and whether to enable routing, and the zone list—are now configured by using the Routing and Remote Access Management console.

To configure AppleTalk routing properties

Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access Administrator.
Under Console Root, select AppleTalk.
Right-click an adapter in the Adapters list, and then click Properties.
Configure seed routing and the zone list as appropriate for the computer, and then click OK.

AppleTalk Remote Access Configuration

Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access Administrator.
Under Console Root, right-click Routing and Remote Access, and then click Properties.
On the ARAP tab, configure remote access options as appropriate for the computer, and then click OK.

Note

You must restart your computer before any changes take effect.

Macintosh File Administration

In previous versions of Windows NT Server, the Macfile program handled Macintosh file administration, including the creation of Macintosh volumes, passwords, security options, user limits, and permissions. Access to the Macfile menu was from Control Panel, File Manager, and Server Manager. Macintosh volumes and files are now centrally administered through the File Service Management snap-in of the Microsoft Management Console. Both Macintosh and non-Macintosh files are administered by using File Service Management. This improves the integration of Macintosh file management with non-Macintosh files.

To administer Macintosh volumes

Click Start, point to Programs, point to Administrative Tools, and then click File Service Management.
In the console tree, click Shares.
Right-click a Macintosh shared folder, and then click Properties.

To configure File Server for Macintosh

Click Start, point to Programs, point to Administrative Tools, and then click File Service Management.
In the console tree, right-click File Service Management, and then click Configure File Server for Macintosh.

AppleTalk Remote Access Protocol (ARAP)

Macintosh users may dial in to Windows NT Server 5.0 by using the AppleTalk Remote Access Protocol (ARAP). ARAP installs automatically if the Remote Access Service and AppleTalk protocol are installed. The AppleTalk protocol installs automatically with Print Services for Macintosh. The AppleTalk protocol may also be installed separately. Windows NT Server version 5.0 for ARAP includes the following features:

Addresses are dynamically allocated. Note: do not statically configure the addresses.

Clients are not forced to change their passwords.

Note

If the client is using the Macintosh ARAP client version 3.0, then the Macintosh client must use the ARAP Only protocol.

ARAP client callback functionality is identical to other Dial-In client types. Callback ensures that only users from specific locations can access the Dial-Up server. This saves toll charges for the user. In addition, the ARAP client may specify their number to be called back at the time they dial in, if their account is enabled for callback. To do this, the user specifies their username as Username@Phonenumber. For example, a user called "JohnSmith," whose account is configured for callback, wants to be called back at "5551234." He can enter JohnSmith@5551234 as his user name, and he will get called back at that number.

Guest account authentication and access authorization are identical under ARAP as any other dial-in method.

ARAP requires that user passwords be saved in reversibly encrypted clear-text format on the Dial-Up server. By default, passwords are not stored on the Dial-Up server in clear-text format. Because of the clear-text format requirement, existing users who want to use the ARAP protocol must have their passwords converted to clear-text format in one of two ways. Their administrator must first enable the Dial-Up server to store passwords in clear-text format. For existing accounts, the administrator can then either delete and recreate the accounts, or change the password for the account. Either way, the password is then stored in clear-text format, and the user can dial in using the ARAP protocol.

All account passwords created after enabling clear-text password storage will be saved in clear-text format.

In this release, you cannot store passwords on a domain-wide basis. Instead, you can do it on a per-user basis. So for ARAP clients and to allow Apple Encrypted passwords to work, for each user the admin must:

To store passwords on a per-user basis

On a Windows NT Server Domain Controller, click Start, point to Programs, point to Administrative Tools, and then click Directory Management.
Double-click domain, and then double click Users.
In the user list, right-click on a user and then click Properties.
On the Account tab, select the Save password as encrypted clear text check box, and then click OK.

Note

You must complete this procedure on each user for which you want to enable AppleTalk remote access or enable log in using Apple Encrypted User Authentication Method (UAM).

To configure AppleTalk Remote Access

Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access Administrator.
Under Console Root, right-click Routing and Remote Access, and then click Properties.
On the ARAP tab, configure remote access options as appropriate for the computer, and then click OK.

Note

You must restart your computer before any changes take effect.

ARAP Callback Problems

Macintosh clients may experience problems using the AppleTalk Remote Access Server Callback feature. Specifically, a client may connect initially when they call the server, but when the server calls the client back, modem negotiation fails and the client cannot reconnect.

This is a known issue and requires updating the client modem script file. To resolve the problem, obtain the most current client modem script file from the modem manufacturer, reinstall the script file, and connect again.

Note

If you have Open Transport installed as well as Apple Remote Access Client version 2.x or greater, you must obtain the appropriate Open Transport-specific modem script from your modem manufacturer. To verify that Open Transport is installed, look at the Control Panels folder. If you have an AppleTalk Control Panel, then Open Transport is installed. If you have a Network Control Panel, then you do not.

Send Message

Messages to Macintosh users are sent from the File Service Management snap-in. Messages can only be sent to all Macintosh users of the server. Messages cannot be sent to individual users or to those users accessing a particular volume.

To send a message

Click Start, point to Programs, point to Administrative Tools, and then click File Service Management.
In the console tree, right-click File Service Management, and then click Configure File Server for Macintosh.
On the Sessions tab, type your message text.
Click Send, and then click OK.

Macintosh Volume Names

Macintosh volume names created by using Windows NT Server version 5.0 cannot exceed 12 characters in length. To create volumes with longer names, you must use the command-line tool Macfile.exe.

For example, to add a volume called Landscape Design on the Error! Bookmark not defined. server using the TREES folder on drive E:, type

macfile volume /add /server:\\magnolia /name:"Landscape Design" /path:e:\trees

Password Expiration

When Macintosh user accounts or passwords expire, the Macintosh client receives an inaccurate error message from Windows NT Server. The error message indicates that either the account name or the password is incorrect.

To correct the situation, the Macintosh user’s password must be changed by the administrator at the Windows NT Server version 5.0 computer.

Certificate Services

New Features in this Release

Administration of Certificate Services - The administration model for Certificate Services has changed with this release. Users of the v1.0 Certificate Server will recall that administration was performed using web pages. Starting with this release, all administration will be done using MMC snap-ins.

Enterprise Policy - A new policy module called "Enterprise Policy" has been included in this release. This is in addition to the default policy shipped with Certificate Server v1.0 and shipped here as well. Enterprise policy is intended to address the need for a policy module that works "out of the box" and is administratable using a provided GUI. Enterprise Policy also publishes CA information, CRLs and user certificates to the Active Directory. Enterprise Policy requires the Active Directory.

Certificate Hierarchies - Certificate Hierarchies are now supported.

Certificate Manager - Certificate Services supports processing of requests for certificates from the Certificate Manager. The Certificate Manager is a new MMC snap-in that manages certificates and certificate stores for a user or machine. It is documented elsewhere.

Known Problems and Limitations

Upgrade Support

No upgrade support from previous releases of Certificate Server

It is not possible to upgrade from a previous release of Certificate Server (i.e., v1.0 and its Betas, or NT5 Beta 1), to this release of Certificate Services. This will be addressed in a future release. However, when upgrade support is provided, it will only be from Certificate Server v1.0 on NT 4 to the final release of Certificate Services on NT 5. Upgrades from interim releases will not be provided.

Cryptographic Service Provider Support

Not all available Cryptographic Service Providers have been tested for use with Certificate Services.

When you install the certificate server, you have a capability to set the specific cryptographic parameters to be used. The form on which this is done is displayed when you check the Advanced options box on the Certificate Authority Type Selection form. When you then click Next, the Public Private Key Pair Generation form will then be displayed. On this form is a scrollable listbox entitled "Cryptographic service providers". This listbox contains the names of all CSPs installed on this machine. The only CSP which has been tested with this release of Certificate Services is the Microsoft Base Cryptographic Provider v1.0 (this is the default). You may also see displayed CSPs for DSS or for various smartcards. The installation process will allow you to select these CSPs, however, no testing has been done with these, they are not supported for use with Certificate Services in this release, and results are unpredictable.

Certificate Templates

For enterprise policy, the ability to issue certificates is controlled by adding ACLs to certificate templates. There are two ways to do this using the Certificate Templates MMC extension. In this release only one of these ways will work. Using the Certificate Templates extension and the templates listed in the results pane, right click on the template for which you wish to set an ACL. Select the Task menu, followed by the Edit option. This will launch the Certificate Template Wizard. Make your changes as prompted through the Wizard. Using this method will ensure that your changes are made and committed. The other option, using the Properties page for the template, will not work in this release.

Enrollment

Use the Certificate Manager MMC snap-in to obtain certificates when using Enterprise Policy.

With this release, certificates must be obtained using the Certificate Manager when using Enterprise Policy. The web pages available with the v1.0 release are not installed in this release when an Enterprise root or subordinate CA is installed. These will be incorporated in a future release.

The enrollment web pages are still installed when a Stand Alone root or subordinate CA is installed. These may be used just as they were with the v1.0 Certificate Server.

IIS Server Certificates and Enterprise Policy

IIS Server Certificate requests are not valid for Enterprise policy

With this release, Certificate Services supports two policy modules. One is called the "Enterprise" policy module and gets installed whenever an Enterprise root or subordinate CA is installed. The other is called the "Default" policy and gets installed whenever a Stand Alone root or subordinate CA is installed. Certificate requests generated by IIS don’t currently work with Enterprise policy. Certificate requests from IIS will only work with Default policy in this release. This will be added in a future release.

Valid Names

Microsoft Certificate Services requires that the Subject Common Name specified for the Certificate Server itself during initial setup be limited to the following characters:

a-zA-Z0-9 {space} \()+-./:=?

For maximum compatibility with non-Microsoft systems, it is recommended that all characters of each RDN in any DN specified in a certificate request, issued certificate, and the Certificate Server itself, be further limited to the following characters:

a-zA-Z0-9 {space} ()+-./:=?

Incorrect browser identification

IE 5 is not correctly recognized when using Certificate Services web pages.

This is because the browscap.ini file distributed with this release does not correctly specify IE 5. As such, the web pages supplied with Certificate Services are not able to correctly identify IE 5 as a version of Internet Explorer and the wrong pages will be used during enrollment. This will cause enrollment to fail, most likely with an error code of 80093004 on page kgaccept.asp.

This can be fixed manually by editing browscap.ini and a reboot of the server system (to force usage of the updated browscap.ini). You must add the following to the list of valid Microsoft browsers:

;;ie5 in nt5 (TEMP)
[Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)]
parent=IE 4.0
platform=WinNT
beta=True

;;ie5 in nt5 (TEMP2)
[Mozilla/4.0 (compatible; MSIE 5.0b1; Windows NT 5.0)]
parent=IE 4.0
platform=WinNT
beta=True

These should be added just before the line for the IE 4.x Wildcard entries, that reads:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; IE 4.x WILDCARD (IF ALL ABOVE FAIL)

Documentation

Name changes are in process.

This release renames what was formerly known as "Certificate Server" to "Certificate Services". At this time the work needed to complete this is only partially done. In particular, the documentation will often refer to "Certificate Services", whereas the forms will always say "Certificate Server". These terms mean the same thing.

Additionally, most of the documentation describing how to perform tasks using Certificate Services has not yet been incorporated into the standard documentation facility supplied with NT 5. As such, see the section titled Certificate Services Documentation

Certificate Services Documentation

This section will provide elements of documentation about Certificate Services that has not yet been incorporated into the standard documentation supplied with NT 5. Specifically, what follows is focused on how to perform various administrative tasks. This information will be incorporated in the standard documentation for NT 5 in a future release.

General Prerequisites

In general, you will need to have the following capabilities prior to administering a certificate services system

Be logged in to an account that is a member of the Administrators or Cert Server Admins group that controls the certificate services system to be administered.

Know the name of the certificate services system that you want to administer. This name is uniquely identified by the machine name and the Common Name (CN) of the Distinguished Name (DN) of the certification authority.

Have added the Certificate Services Manager snap-in for the machine on which the certificate services system in question is running.

To Start or Stop the Certificate Services Service:

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question.
In the Task menu, select either the Start Service or Stop Service option depending on what you are trying to do

To View the certificate of the Certification Authority

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Properties option
Click on the View CA Certificate… button

To View the current Certificate Revocation List (CRL)

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Properties option
Click on the View Current CRL… button

To configure the Certificate Services system to use a new Policy Module

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Properties option
Click on the Policy Module tab
Click the Install Module button
Find the DLL for the new policy module using the browse dialog. Select it. Click the Open button
Make this DLL the active policy module. Click on the Set Active Module button.
Select the module and click OK
Click on the Configure button. If this policy module has its own configuration interface, it will be displayed. Otherwise, the existing properties page will be displayed. Given that the policy module has its own configuration interface, follow those instructions.
Click Apply
Click OK

To configure the Certificate Server to use a new Exit Module

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Properties option
Click on the Exit Module tab
Click the Install Module button
Find the DLL for the new exit module using the browse dialog. Select it. Click the Open button
Make this DLL the active exit module. Click on the Set Active Module button.
Select the module and click OK
Click on the Configure button. If this policy module has its own configuration interface, it will be displayed. Otherwise, the existing properties page will be displayed. Given that the exit module has its own configuration interface, follow those instructions.
Click Apply
Click OK

To revoke an issued certificate

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Expand the node to display four folders, including those for Issued Certificates and Revoked Certificates
Double click the Issued Certificates folder to display the log of issued certificates
Right click on the certificate to be revoked
Select the task menu, followed by the Revoke Certificate option
This will display the Certificate Revocation reason code drop down box. Select the reason for the revocation and click Yes.

Notes: The result of this action is that the certificate will be marked as revoked. As such it is no longer displayed in the result panel when the Issued Certificates folder is open. To see the certificate, double click on the Revoked Certificates folder. To publish the fact that this certificate has been revoked, you will need to create and publish a CRL. This is described elsewhere in this document.

To back up the Certificate Services database

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Task menu, followed by the Backup CA option
Click Next on the Welcome page of the Certificate Services backup wizard
Click the check boxes for the backup options needed on the Choose Data page. Click Next.
Key a password used to secure the private keys in the backup. You will also need this password when you subsequently perform a restore operation. Click Next.
Click the Browse button to select a location for the backup file, enter a file name where indicated. Click Save, followed by Next.
Click Finish

To restore the Certificate Services database

Using the Certificate Services Manager snap-in, do the following
Right click on the node with the CN of the certification authority in question
Select the Task menu, followed by the Restore CA option
Click Next on the Welcome page of the Certificate Services restore wizard
Click the check boxes for the backup options needed on the Choose Data page. Click Next.
Key a password used to secure the private keys in the backup. You will also need this password when you subsequently perform a restore operation. Click Next.
Click the Browse button to select a location for the backup file, enter a file name where indicated. Click Save, followed by Next.
Click Finish

To schedule automatic CRL publication

Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
Right click on the Revoked Certificates folder
Select Properties
Specify the automated publishing interval by entering the time quantity and units using the input box and dropdown list, respectively
Click OK

To manually publish a CRL

Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
Right click on the Revoked Certificates folder
Select the Task menu, followed by the Publish option
Click OK on the Certificate Revocation List page when asked if you want to continue with manual CRL publication
The CRL will be published in %windir%\system32\CertSrv\CertEnroll. If the directory is present, it will also be published there.

To add a certificate template to the valid list of certificates to issue

Performing this function requires that the Certificate Services Manager snap-in is present, and that the Certificate Server Policy Settings extension is present.
Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
Right click on the Policy Settings folder
Select the New menu, followed by the Certificate to Issue option
Select the new certificate template this certification authority will issue. Click OK

To remove a certificate template from the valid list of certificates to issue

Performing this function requires that the Certificate Services Manager snap-in is present, and that the Certificate Server Policy Settings extension is present.
Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
Double-click the Policy Settings folder to display its contents in the result pane
In the result pane, right click the certificate template that this certification authority will no longer be allowed to issue.
Select Delete

To add a new certificate template

Performing this function requires that the following MMC snap-ins and extensions be present; the Group Policy Editor (for the Active Directory) snap-in, the Security Configuration Editor extension, the Public Key Policies extension, and the Certificate Template Manager extension.
Using the Group Policy Editor snap-in, do the following
Expand the node of the Group Policy and the listed extensions until the Certificate Templates folder is visible in the left pane.
Right click on the Certificate Templates folder
Select the New menu, followed by the Certificate Template option
This will launch the Certificate Template Wizard. Click Next on the first form.
If you know an existing template that will be a good model for your new template, select it. Otherwise, select <No Base Type>. Click Next.
Key in the name of the new template. Check the box for the purpose(s) of the certificates that will be issued using the new template. If no suitable purpose currently exists, perform step 5a below before continuing.
Click the New Purpose…. Button. Enter the OID of the new purpose. Click OK.
Check the boxes for the desired certificate contents and characteristics. Click Next.
If you know the users and/or groups that should be allowed to obtain certificates of this type, perform step 7a before continuing. Click Next.
Select the user(s) and/or group(s) you wish to be able to obtain certificates of this type. Add each by clicking Add until the list is complete. Click OK.
If you are satisfied with the new certificate template, click Finish. Otherwise, use the Back button to go back and make the necessary corrections.

To display issuance policy for a certificate template

Issuance policy (access control) for a certificate template can be displayed using the Certificate Server Policy Settings extension.
Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
Double-click the Policy Settings folder to display its contents in the result pane
In the result pane, right click the certificate template for which the issuance policy is to be displayed. Select Properties
Click on the Access Control tab. The listed users and members of the listed groups will be allowed to obtain certificates of this type when they request them of this certificate services system.

To edit basic information or issuance policy for a certificate template

Performing this function requires that the following MMC snap-ins and extensions be present; the Group Policy Editor (for the Active Directory) snap-in, the Security Configuration Editor extension, the Public Key Policies extension, and the Certificate Template Manager extension.
Using the Group Policy Editor snap-in, do the following
Expand the node of the Group Policy and the listed extensions until the Certificate Templates folder is visible in the left pane.
Double-click on the Certificate Templates folder. The existing Certificate Templates will be listed in the results pane.
Right click on the template you wish to change. Select the Task menu, followed by the Edit option. This will launch the Certificate Template Wizard. Click Next on the first form.
Make the changes needed to the basic information about this Certificate Template. When complete, or if no changes required (i.e., all you want to do is edit the issuance policy), click Next.
If you wish to add users or groups to the list of entities that are allowed to obtain certificates of this type, perform step 7a. If you wish to remove users or groups, perform step 7b. When finished, click Next.
Click Add… to view the list of available users and groups. Select each user or group you wish and click Add. Repeat until the list content is what you intend. Click OK.
Select the user(s) or group(s) you wish to remove. Click Remove. Repeat until the list content is what you intend. Click Next.
If you are satisfied with your changes, click Finish. Otherwise, use the Back button to go back and make the necessary corrections.

To customize the result pane

Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
The certificate services database is logically segmented into four categories. These are 1) Revoked Certificates, 2) Issued Certificates, 3) Pending Requests, and 4) Failed Requests. Each of these is denoted by a folder. The contents of a folder may be displayed by double-clicking on the folder icon. These contents will be displayed in the result pane.
The selection criteria for display can then be customized with respect to the records displayed. This is done as follows.
Right click on the open folder
Select the View menu
To specify the desired columns, select the Columns option
Check the boxes you wish displayed, uncheck the boxes you wish not displayed. Click OK
Sorting the results can be done by clicking the column heading in the results pane

To specify query parameters

Using the Certificate Services Manager snap-in, do the following
Expand the node with the CN of the certification authority in question
The certificate services database is logically segmented into four categories. These are 1) Revoked Certificates, 2) Issued Certificates, 3) Pending Requests, and 4) Failed Requests. Each of these is denoted by a folder. The contents of a folder may be displayed by double-clicking on the folder icon. These contents will be displayed in the result pane.
The selection criteria for display can then be customized with respect to the records displayed. This is done as follows.
Right click on the open folder
Select the View menu
To specify the desired records, select the Filter option
For each selection criteria, first select the field on which to filter using the Field drop down box in New restriction frame.
Next select the operation to qualify the filter value for this field by using the Operation drop down box
Next key the qualification value in the Value text box
Click the Add button
Repeat for each additional qualification needed
Click OK to display the resulting selected records

To Install a Root Certification Authority

Go to the control panel (Start->Settings->Control Panel). Double click on Add/Remove Programs.
Select Microsoft Certificate Server (Install). Click Modify/Remove.
Check the Certificate Server check box. Click Next.
Click the radio button for the type of certification authority to be installed. In this case either Enterprise Root CA or Stand-alone Root CA (note: Installing an Enterprise Root CA requires that the Active Directory be present. If the Active Directory is not present, this option will be grayed out). Check the Advanced options check box if you need to specify key parameters (e.g., key length) other than the defaults. Click Next.
If the Advanced options check box was checked, a form for Key Pair Generation parameters will be displayed. Select the options you require. Click Next.
Enter the identifying information for your certification authority. Click Next.
If the Active Directory is present, specification of a shared folder is optional. If the Directory is not present, specification of a shared folder is required. Enter the shared folder name. Click Next.
When setup completes, start the Certificate Services service (see above).

To Uninstall a Certification Authority

Go to the control panel (Start->Settings->Control Panel). Double click on Add/Remove Programs.
Select Microsoft Certificate Server (Install). Click Modify/Remove.
Uncheck the Certificate Server check box. Click Next.

To Install a Subordinate Certification Authority

Go to the control panel (Start->Settings->Control Panel). Double click on Add/Remove Programs.
Select Microsoft Certificate Server (Install). Click Change/Remove.
Check the Certificate Server check box. Click Next.
Click the radio button for the type of certification authority to be installed. In this case either Enterprise Subordinate CA or Stand-alone subordinate CA (note: Installing an Enterprise Subordinate CA requires that the Active Directory be present. If the Active Directory is not present, this option will be greed out). Check the Advanced options check box if you need to specify key parameters (e.g., key length) other than the defaults. Click Next.
If the Advanced options check box was checked, a form for Key Pair Generation parameters will be displayed. Select the options you require. Click Next.
Enter the identifying information for your certification authority. Click Next.
If the Active Directory is present, specification of a shared folder is optional, though recommended. If the Directory is not present, specification of a shared folder is required. Enter the shared folder name. Click Next.
Obtaining the certificate for a subordinate CA requires submission of a certificate request to another CA. This may be done online or offline. Each is described below.

Online

Click the radio button with the label "Send the request directly to a CA already on the network.

Select the desired CA to service the certificate request. This can be done in two ways. First, by using the Browse… button to search the directory for available CAs. Second, by directly specifying it in the Parent CA and Computer Name text boxes. Click Next.

Offline

Click the radio button with the label "Save the request to a file".

If you wish to change the default name or location of the request file, click "Browse…" and use the Save As dialog to make the changes desired. Click Save. Click Next.

An informational message will now be displayed that instructs you to use the request file created to obtain a certificate from the parent CA. Click OK.

Obtain this CA’s certificate from the parent CA. The procedure for this will be unique to the parent CA and must be obtained from that CA. At a minimum, the parent CA should provide a file containing the subordinate CA’s newly issued certificate and the chain of CA’s above it. The format of this file is as a BASE64-encoded X.509v3 certificate.

Using the Certificate Services Manager snap-in, do the following

Right click on the node with the CN of the certification authority in question

Select the Task menu, followed by the Install CA Certificate option

Use the file selection dialog box to locate the certificate file

Select the file and click Open

The certificate will be installed and Certificate Services will be started

Right click on the node of the certification authority and select Refresh. The status icon for the certification authority will change from disabled to enabled

If you obtained your certificate using the offline method, you will need to start the Certificate Authority service. This can be done by re-booting or by issuing the "net start certsvc" command.

To Install the Web Client Only

When a certificate services system is installed, there are two components that may be installed. These are the "Certificate Server Certificate Authority" and the "Certificate Server Web Client". By default, both are installed. However, it is possible to create servers that don’t run a CA themselves, but do need the ability to request certificates or administer certificate services systems remotely. A common example of this is when a web server receives requests from its clients that need to pass through to a certificate services system. Based on this example, this component is called the "Certificate Server Web Client", and it can be installed as a separate component. In actuality, this component allows client module to access the ICertRequest, ICertConfig and ICertAdmin interfaces. See the sample page ceaccept.asp for an example.
Go to the control panel (Start->Settings->Control Panel). Double click on Add/Remove Programs.
Select Microsoft Certificate Server (Install). Click Change/Remove.
Check the Certificate Server check box. Click Details…
Uncheck the checkbox labeled Certificate Server Certificate Authority. Verify that the checkbox labeled Certificate Server Web Client remains checked. Click OK. Click Next.

Internet Information Server and Peer Web Services

After doing a DCPROMO, some user account privileges will have been removed. Web and Transaction services might not function properly. The following two workarounds will resolve the issue.

If IIS/MTS servers are installed with NT server install, the workaround is to assign the following rights to the accounts after dcpromo has rebooted the machine:

Logon Locally Right assigned to IUSR_<ComputerName), IWAM_<ComputerName>
Batch Logon Right assigned to MTS_Admin, IUSR_<ComputerName>, IWAM_<ComputerName>

Or choose not install IIS/MTS servers during NT server install, then after dcpromo runs to promote a DC, install IIS/MTS from add/remove programs in control for optional components.

This release of Internet Information Server does not support:

Installation on domain controllers

Secure Sockets Layer (SSL)

Client certificate mapping

Custom error messages

Known MMC Snap-In Issues

Using the Performance Monitor MMC snap-in to display IIS performance counters in not supported in this release. If you wish to view IIS performance counters, you must use the Windows NT Performance Monitor application (Perfmon.exe).
Using the MMC snap-in to view or set IIS computer (or master) level properties is not supported in this release.

Key Manager Does Not Manage Certificates

The Key Manager application will be installed by default, but is no longer used to manage certificates.

IntelliMirror

Remote Boot Machine Replacement

The IntelliMirror Remote Boot Machine Replacement feature will provide organizations with an easy way to roll out and upgrade an OS, and or recover failed Windows NT 5.0 workstations throughout a corporate network. Below are some of the known issues to be aware of in this Interim Developer's Release

Do not install the remote boot directory on the same drive that the Windows NT system is installed on. Choose a separate drive that has been formatted with NTFS v5.

Do not install the DHCP service on the remote boot server machine. These services must be installed on separate server machines.

Different vendor machine replacement, grouping of remote boot servers, and pre-staging client machine features are not supported within this IDW/S release.

The following Network PC's are supported in this IDW/S release:

Hewlett Packard Netvectra

Compaq Deskpro 4000 N and S models

The following network cards are supported with the Remote Boot Floppy. The floppy creation utility can be found on the Windows NT CD-ROM under the \Valueadd directory:

3Com 3c90x network cards

HP DeskDirect 10/100 tx

Intel Pro 100+ and 100B models

Disk replacement with RAW disks is not supported.

Client Side Caching

The client side caching feature should be disabled on all Domain Controllers and unattended servers, to prevent the possibility of accidentally taking the SMB client offline and using cached data. In order to do this, the following key in the registry should be set:

HKLM/System/CurrentControlSet/Services/MRxSmb/Parameters/CscEnabled REG_DWORD 0

A reboot is required for this to take effect.

Group Policy

On Replicated DCs it is possible that Group Policy information has not been replicated to its replication partners when an attempt is made to modify Group Policy information on a replicated DC. To lessen this possibility:

Limit edit access for Group Policy to the needed Administrators. Having multiple Administrators increases the chance that changes will be made and not replicated. If you get an error wait 15 minutes and try again.

If you close the Group Policy Manager or the Group Policy Editor and quickly log onto another machine that binds to another DC that has not replicated yet, you may get an error. Wait 15 minutes and try again.

These are normal issues for a replicated environment. We will be making changes for Beta2 that will lessen the occurrence of these situations.

A Group Policy Object (GPO) is made of Sysvol data and DS data. When a client logs on using a DC that has a GPO with out of sync data (caused by replication schedule differences) the client will get the what amounts to ‘cached’ policy. In other words, any new policy will not be applied until the GPO is back in sync.

To turn on Advanced mode for the AD Manager, Right Click on the "root node" select View and then select Advanced Features. This enables the ability to view the storage location of the GPO. While in the GPE, bring up the task menu on the ‘root node’ and select Properties.

The "Block Policy inheritance from parent containers" check box of the Group Policy Manager is non-functional

In the Group Policy Manager dialog it is not evident what Domain the GPO lives in. This will be fixed for Beta2. For this release this can be found by using the Add button and selecting "Use existing..." and then Browse. Using the Domain drop down list it is possible to see a list of all GPOs per Domain. Cancel back out of the dialogs if you do not want to actually add a GPO to your existing SDOU.

The Group Policy Manager Security tab is not present in the IDS. Therefore the affect of Group Policy for an entire SDOU can not be filtered with Security Groups. This can be done at the GPO level by using the Security tab at the "root node" of the GPO in the GPE

When the GPE is run against the local machine.

Trying to do Application Deployment will cause errors. In Beta2 Application Deployment will be disabled for the local machine
Policy settings do not apply immediately. User Settings require a logoff, logon and machine setting require a reboot. See also the item on PolTest.

Verbose mode may be enabled to diagnose Group Policy processing. In this IDS the Application Deployment and Security Settings extensions do not provide any verbose errors. They will in Beta2. You can use the PolTest tool to enable this or use regedt32 to set the appropriate registry value.

To turn on Verbose logging to the Event log. Enable the RunDiagnosticLoggingGlobal or RunDiagnosticLoggingGroupPolicy keys. This will tun on Verbose Diagnostic Logging for Winlogon processing. The other keys listed below are here for completeness.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\RunDiagnosticLoggingGlobal

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\RunDiagnosticLoggingGroupPolicy

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\RunDiagnosticLoggingIntelliMirror

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\RunDiagnosticLoggingAppDeploy

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\RunDiagnosticLoggingFileDeployment

REG_DWORD 0, 1

0 = Normal Logging (as done today in NT4)
1 = Verbose Logging (similar to what some folks do with debug DLLs)
Default is 0 (or value missing completely)

File deployment to the IE Favorites folder will not display any files other than shortcuts.

Application of Policy frequency - By default Policy is NOT periodically updated. This may be changed using the Sample GPE extension. We are interested in your feedback on whether the default should be on or off, but still allow the administrator to turn this feature on or off, on an as needed basis. Please send your feedback to ManageIt@Microsoft.Com mailto:ManageIt@Microsoft.Com.

Logon processing of Group Policy -

By default, Policy is applied asynchronously, like Logon scripts. This means that Policy could still be being applied when the shell starts. The default behavior for Beta2 will be synchronous, with an option to make it asynchronous.
We have ensured that Computer Policy will be applied before User Policy is started, because policy may be applied asynchronously.
Processing order - this is the order in which policy is applied. Remember that this processing is (by default) asynchronous.

Computer policy is processed in this order

Software Policies

Other client side extensions (Application deployment, Security Settings, etc.). These will process in an undetermined order. In Beta2 we are investigating making this a determined order

Scripts

User policy is processed in this order

Profiles are applied before Policies

Software Policies

Other client side extensions (Application deployment, Security Settings, etc.). These will process in an undetermined order. In Beta2 we are investigating making this a determined order

Scripts

Start Shell

Due to the asynchronous logon process of policies, any shell initialization done with logon scripts may not be processed during the first logon. This would occur if the shell finishes initialization before the scripts could be executed.

Distinguished names are not valid in the NT 5 shell’s open file dialogs in the IDS. Therefore they are not valid in the Samples node when specifying a server in the My Documents sample. Use only the NETBIOS file:///\\server/share naming convention.

The Software Policies node of the GPE is only partially complete in this release. It will be for Beta2. Any policy that is more than enabled/disabled will not be able to be changed. Also in this release some policies do not cause the correct action. This will be fixed for Beta2.

Application Management

Known Issues:

With this Interim Developer's Release, build the ability for an administrator to use the Application Deployment Editor to assign an application to a user or a machine in a site, or to publish to a user in a site has not been tested yet. You may try this feature, but be aware that it may leave a workstation in an unknown state. This functionality will be available in Windows NT 5.0 beta two.

When using the GPE (group policy editor) with a replicated DC for any changes you made you need to wait until the replication takes places. Occasionally you might get an error "Class Store not found" just after you created the GPO and you try to edit it. Please wait for the replication to take place and try again. This will be fixed for beta2.

When opening a document having and embedded object of a published/assigned app inside the automatic installation of the app will be triggered right away the moment you open the doc and not when you click on the embedded object. This will be fixed for beta2.

The ADE has the UI for the transforms (modifications) to be applied to the managed apps but this functionality is not available for this release. It will be available for beta2.

Other Known Interim Developer's Release Issues

In the Interim Developer's Release, there are two Add/Remove Programs applets (Add/Remove Programs and Add/Remove Programs -v2). Add/Remove Programs is now web based and used for adding, removing, or modifying existing applications installed on Windows NT 5.0. Add/Remove Programs - v2 is used for the installation, removal and maintenance of applications deployed through Application Management.

The new Add/Remove Programs applet is now fully functional. The old Add/Remove Programs v2 has not been removed yet – it can be used as a backup if you have any problems with the new one. The new Add/Remove Programs might take some time until it displays the initial page. The performance will be improved for beta2. Also the information displayed for the apps might not be accurate at this time. (size, support URL, etc.)

Windows NT Version 5.0 Interim Developer's Release 2

Setup/Hardware Issues

Setting up Windows NT 5.0 using boot floppies results in Stop

Dell Precision 410 Wks SCSI

Compaq Computers with Symbios 810 SCSI Controllers

Slave CD-ROM drive not detected on Compaq Proliant 1600 machines

Bug Check (Inaccessible_boot_device) on EISA systems

Gateway Services for NetWare

Disable Diskperf Before Upgrading

New File System Conversion Scenarios

Conversion of NTFS to NTFS v5

Conversion of FAT to NTFS v5

Video Notes

Laptop Computers with Neomagic or Chips and Technology Chipsets

Riva 128 Chipsets

Disaster Recovery

Network Notes

Joining a Workgroup or Domain and Changing Your Computer Name

DNS/DHCP

DNS Name Resolution

Manually Initializing the System Volume for File Replication (for Fresh and Upgrade Installations)

Directory Service

Directory Service Migration

Run From a Domain Controller

Directory Service Migration Tool

Running the Tool

Documentation

Usage Tips

Distributed File System

Dfs Manager Console

Dfs v4.0 Roots

Dfs v5.0 Roots

Creating New Dfs Roots

Run Dfs Manager Locally

Creation Wizard

Selecting a Share to Host Dfs

Publishing a New Child

Publishing a Child Replica

Adding a New FT-Dfs Root Member

File Replication

Convergences

End User Access

Sites

Microsoft Cluster Server

Removing Dfs

Setting Up Multiple Site Replication

Domain Controllers

Creating Domain Controllers

Demoting Child Domain Controllers may fail

Configuring Domain Controllers for Inter-Site Replication

PWDUMP Utility

Network Monitor

Note

Adding Network Monitor Components

Removing Network Monitor Components

Adding the Network Monitor Agent V2 Driver

Removing the Network Monitor Agent V2 Driver

SNMP Agent

Known Issue

Active Directory

Active Directory Installation

Active Directory Manager

New Features of Active Directory

Mode of Operation

Viewing Computers, Users and Groups as Containers

Filters

Multiple Select

Groups

Security

User Principal Name

Known Active Directory Issues

Internet Protocol Security - IPSec

Not all systems are IPSec enabled

Using a DNS name as source or destination in filter specification

Generally filters should apply for both directions

Ping <ip address> does a DNS lookup

Cisco IOS IPSec Interoperability

Getting Started Quickly with IPSec

Activating IP security as a property of a local area network connection:

Activating IP security using the Microsoft Management Console IPSec snapin tool:

Windows NT Version 5.0

Interim Developer's Release 2