Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 10, 2000
'Active Directory Special'
This issue of W2Knews contains:
1. EDITORS CORNER:
* It's an 'Active Directory Special' this time.
2. TECH BRIEFING:
* Pros and Cons of Microsoft AD V1.0.
* Article on AD by Andy Milford, creator of UltraAdmin.
3. AD THIRD PARTY NEWS:
* Brand New UltraAdmin V2.0 has great AD support.
* DirectoryAnalyzer: AD monitor & troubleshooter.
* April Special Offer: Security Explorer.
4. HOW TO USE THE MAILING LIST
Instructions on how to subscribe, sign off or change your address.
Check out the new Windows 2000 Magazine Network. Not only can
you access great content from 11 Web sites in the Windows 2000
Magazine family, you can zero in on answers from sources you know
and trust. We've divided our content into convenient channels to
allow you to broaden your knowledge about specific topics without
having to bounce around from site to site. It's well worth a look.
**********************WHAT IS W2Knews?***************************
Sunbelt W2Knews (the original NTools E-News) is the World's first
and largest E-Newsletter designed for NT/2000 System Admins that
have the job to get and keep NT up & running in a production
environment. Sunbelt launched this electronic newsletter early 1996.
Every week we keep the Windows NT/2000 community informed and aware
of new developments of NT and 3rd-party System Management Tools.
You get hints and tips that will enable you to better utilize and
understand Win NT/2000 and help to pass your Certification Exams.
Info and Stu's bio: http://www.sunbelt-software.com/w2knews.htm
Via (separate) NTools E-NewsFlashes we will send you important
breaking news like new service packs, killer viruses, etc. Sunbelt
Software is the first and largest provider worldwide of Third
Party System Management Tools for Windows NT. Tell Your Friends!
All back issues are here, searchable and indexed on key words:
1. "EDITORS CORNER"
! [NOTE: Due to a glitch in the scheduling of Lyris, a small part !
! of you received a preliminary version of this already last Monday!
! night. It was killed after a few percent went out. Here is the !
! full final version that has quite a few modifications] !
Hi NT/W2K Pros,
It's an 'Active Directory Special' this time. I'll go into detail
in the Tech Briefing but I'll try to stick to the essentials. In
the Third Party section we have two tools I specifically like if
you already run AD, or shortly will go there.
My feeling is that many network admins are dragging their feet on
starting the Windows 2000 migration process partly due to fear,
partly due to lack of knowledge, and mostly due to insufficient
hardware for running 2000. A good lab exercise is to create a
small testnet and upgrade only one server on that network to
support Active Directory.
In particular, all you have to do is install Windows 2000 to your
PDC, and boom - your test domain is now running in Windows 2000
mixed mode. Keep in mind that very few features of Win2K can be
actually realized until users begin logging into the Active
Directory, but this setup will allow some ease of workstation
management to start with. (In a production environment you'd want
at _least_ 2 W2K domain controllers for redundancy reasons).
That will allow you some experimentation time and give you some
time to put well thought out planning in place before you touch
a production environment. Think about things like logon scripts,
replication, domain consolidation and a dozen other things. Real
W2K domain migration is a big job you want to attack with a team.
Email me with feedback at: [email protected]
OOPS1: SR-1 of Office 2000 does not break all the time in every
configuration. My item last week was a bit too 'general'. Some
OOPS2: The actor in 'Network' was Peter Finch, and the movie
itself was directed by Sidney Lumet.
PPS: Thanks again for your extremely positive feedback about our
new website design. Everybody said it was much easier to navigate.
Not looked yet? Check: http://www.sunbelt-software.com/index.htm
Want to track your NT/2000 Event Logs from any web browser? With
Event+Solution from Computing Edge, centrally define the Event
Log policies and automatically receive notification (i.e. pager,
e-mail, or SNMP) and initiate an automated response. Numerous
web-based reports give you total flexibility to track the reports
and status from any web browser. Save hundreds, even thousands
of dollars compared to other Event Log products. Same low price
for NT workstation and server. 30-day FREE trial!
2. TECH BRIEFING:
* Pros and Cons of MS Active Directory
Active Directory was an immediate response from MS to complaints
from large scale users that big NT domains were a headache to
manage. Keep in mind that NT 3.51 and 4.0 were basically only
initially developed as servers for relatively small networks.
Microsoft came out of the consumer market and the next level
up was small business and small LAN's. NT 3.51 and 4.0 were
simply not ready for really large scale environments. AD and
W2K are the solution to this.
Microsoft claims that Active Directory makes it easier to manage
your (large) networks. Their position is that if you move to W2K,
one of the biggest returns is that AD makes your life a lot easier.
They also say it cuts costs for your employer. Let's look first at
what Microsoft states about AD. (I took some paragraphs of their
site and worked them around a bit).
"What _is_ AD?
It's a mechanism to manage the identities and relationships of the
distributed resources that make up your network environment. The
directory service provides a place to store the info about all your
network-based entities such as applications, files, printers, and
people. AD provides a consistent way to name, describe, locate,
access, manage, and secure information about those individual
resources you currently manage with a multitude of tools.
Further, a directory service acts as the main switchboard of the
W2K network itself. It is the central authority that manages the
identities and brokers the relationships between these distributed
resources, enabling all of them to work together in concert.
Because a directory service supplies these fundamental network
operating system functions, it must be tightly coupled with the
management and security mechanisms of the operating system to
ensure the integrity and privacy of your network. It also plays
a critical role in your organization's ability to define and
maintain your network infrastructure, perform system admin tasks,
and control your overall user experience."
"Why migrate to AD?
- It simplifies management. AD provides a single, consistent point
of management for both users, applications, and devices.
- It strengthens security. AD gets users with a single sign-on to
network resources and provides you as an administrator with powerful
and consistent tools to manage security services for internal desktop
users, remote dial-up users, and external e-commerce customers.
- It extends interoperability. Supplies standards-based access to
all Active Directory features as well as synchronization support for
popular directories. A directory service is both a management and
user tool. As the number of objects in a network grows, the directory
service becomes essential. The directory service is the hub around
which a large distributed system turns. To address these needs,
Windows 2000 Server introduces Active Directory, an integrated set
of directory services that improve the management, security, and
interoperability of the Windows network operating system."
What are the pitfalls?
Now let's start with the potential pitfalls of AD. Peter Coburn
sent me the following and I have to agree mostly, as we are really
looking at a Microsoft V1.0 product. We know that these usually
are bare bones and somewhat clunky, but they do get it right over
1. Active Directory is new, untested, about where Novell's NDS
was 5 years ago
2. Active Directory does not support a heterogeneous environment
yet, including other MS systems!
3. Performance: not as good as Novell's NDS
4. Reliability: largely untested and unknown
5. Security: ditto.
This means that I would strongly advise you to actually start
with it as soon as possible in an advanced (power user) department
and get familiar with the new concepts. Get trained on AD, find
out where and if it gives you benefits, and approach it thoroughly
and professionally. I'm sure that MS still has some challenges to
overcome with AD, but the concept is sound.
At the end of the following webpage is a 16 minute video they
produced, which gives you a pretty good overview about the benefits.
Up to you to get this implemented in your own environment!
Below you find some tools that will help you with that task.
* Article on AD by Andy Milford, creator of UltraAdmin
"As I interact more and more with my network administrator friends,
I find that a common shared concern is the amount of time and money
it will take to move towards Windows 2000 in their organization.
In detail, they are concerned about upgrading hardware to meet the
demands of Windows 2000, flattening their domain models, and charting
out a comprehensive upgrade schedule for all of the servers and work-
stations on their networks. They often are surprised when I tell them
that it really doesn't take a lot of work to begin realizing one of
Windows 2000's greatest features - Active Directory.
Specifically, all a domain administrator needs to do is upgrade the
PDC (Primary Domain Controller) of a NT 4 domain to Windows 2000
Server. This in itself isn't that tedious - for if you read MS's
recommendations, they simply ask you to verify that
1.) your server meets the requirements of the Windows 2000 HCL,
2.) has enough disk space on the system partition for the new OS,
3.) your file system is NTFS, and
4.) you have a domain backup strategy in place using a
disconnected BDC (Backup Domain Controller).
Since a good majority of organizations already have their current
PDCs running on powerful, fault-tolerant machines, most of the steps
outlined above have been met. All that remains is about 2 hours of
work on a weekend or evening when network use is at a minimum.
Once your PDC has been upgraded to Windows 2000 Server with Active
Directory in place, your domain begins running in Windows 2000 mixed
mode, and your PDC still can replicate information to the older BDCs
still running NT 4. But even more importantly, you now have access
to the rich information database of Active Directory. Using our
utility, UltraAdmin, you can quickly start adding Active Directory
information to users, groups, and computers in your new Windows
2000 domain. Soon, you'll start to have a much more comprehensive
view of how your organization is structured.
For example, instead of just having a brief description of John
Doe, you can begin filing away his phone numbers, email address,
job title, mailing address, web pages, and more. You can store
the physical location of computers and their DNS names every time
you create a new computer account. In sum, as an administrator,
Active Directory becomes a detailed rolodex of information about
Certainly, I don't want to oversimplify the Windows 2000 migration
process. Stu has plenty of tools and books that can help you with
the finer details of a migration. Yet all it takes to begin
implementing Active Directory is a single Windows 2000 upgrade
coupled with a flexible and AD-enabled administration tool like
Andy Milford, CEO/Chief Software Architect
Dorian Software Creations, Inc.
3. AD THIRD PARTY NEWS:
* Brand New UltraAdmin V2.0 has great AD support
What's new in UltraAdmin 2.0?
Sunbelt is proud to announce the release of UltraAdmin 2.0, the
second version of the consolidated user, group, and server admin
tool for Microsoft Windows NT/2000 networks. Version 2.0 ships
with several new features, the most important being Active
Directory support for users, groups, and computers inside W2K
mixed and native mode domains.
The developer Dorian Software told us they are dedicated to
ensuring UltraAdmin's interoperability between W2K and NT
domains during this especially critical time of operating
system transition. Already, UltraAdmin is gaining recognition
in the emerging W2K community. In January of 2000, UltraAdmin
was selected for inclusion with the Windows 2000 Server Bible,
published by IDG Books.
What can UltraAdmin do for you network administrators? Many IT
departments have already made plans for migrating to W2K, others
are drafting such plans currently. Handling the migration is a
lengthy process, and many of you will have a mixed environment
of existing NT 4 domains and machines alongside newer W2K ones.
What will prove difficult for network admins is finding a tool
versatile enough to manage the different types of users, groups,
and computers in this mixed environment. UltraAdmin meets this
challenge by effectively becoming a domain admin's "Swiss army
knife," with many different feature sets that auto-adapt to
the current mode of the domain (NT 4, Mixed Mode 2000, Native
Want specifics? Here are some of the new areas of W2K support
that UltraAdmin 2.0 offers you:
1) UltraAdmin supports Active Directory for W2K Users, Groups,
W2K brings Active Directory technology to the table, which allows
administrators to collect and maintain much more detailed info
about their users, groups, and computers in a central database.
However, management of Active Directory is much different than
traditional user and group management using User Manager for
In fact, Active Directory account names are distinct from the
traditional SAM account names maintained by NT 4 domain control-
lers. Furthermore, Active Directory administration requires
learning the new MMC snap-in Microsoft provides, which can only
be run from a W2K system.
UltraAdmin gives you full access to Active Directory information
on users, groups, and computers regardless of their workstation
OS (as UltraAdmin runs on NT 4 and 2000). Furthermore, it
compartmentalizes the new Active Directory information and
distinguishes it from legacy NT 4 account information (e.g.
logon hours, dial-in settings, user-rights, etc). Account info
is still enumerated using traditional SAM account names, but
with Active Directory information just a click away. By using
this unique approach to Active Directory, UltraAdmin eases the
learning curve for anyone that is new to W2K.
2) UltraAdmin auto-detects NT 4, 2000 mixed mode, and 2000 native
UltraAdmin's interface always keeps you abreast of what mode a
domain is in, displaying a graphic indicating the mode in the
lower right-hand corner. Furthermore, UltraAdmin adapts its
interface to the different rules that apply to different modes.
For instance, did you know that you can't synchronize a W2K
native mode Active Directory server? Or that W2K domains only
accept the creation of one kind of computer account? UltraAdmin
adjusts itself automatically to prevent headaches for you.
3) UltraAdmin supports new user account flags.
Remember those traditional user account flags in User Manager,
like "User cannot change password?" Microsoft W2K adds a whole
new slew of these, like:
+ Require Smart Card Logon
+ Trust Account for Delegation
+ Account Cannot be Delegated
+ Support Reversible Encryption of Passwords (for Apple clients)
+ Use DES Encryption
+ Kerberos Preauthentication
As stated before, UltraAdmin adapts its administrative views, and
will allow you to toggle these flags when managing W2K users.
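The account flags listed above are stored as bits of each account's
userAccountControl attribute. The audit below is an added example, not
code from this newsletter or from UltraAdmin; it decodes those bits
from a constructed LDIF-style sample (all account names and values are
made up) and reports enabled accounts that carry a flag which weakens
authentication.

```python
"""Added example: audit userAccountControl for the W2K account flags."""

# Bit values are the documented ADS_UF_* constants for userAccountControl.
# Note: the "Kerberos Preauthentication" bit, when set, means the account
# does NOT require preauthentication.
FLAGS = {
    0x000080: "Support Reversible Encryption of Passwords",
    0x040000: "Require Smart Card Logon",
    0x080000: "Trust Account for Delegation",
    0x100000: "Account Cannot be Delegated",
    0x200000: "Use DES Encryption",
    0x400000: "Kerberos Preauthentication NOT required",
}
ACCOUNT_DISABLED = 0x000002

# Flags that weaken an account; each one deserves a documented reason.
WEAKENING = {0x000080, 0x080000, 0x200000, 0x400000}

# Constructed sample in the attribute-per-line layout of an LDIF export.
SAMPLE_LDIF = """\
dn: CN=John Doe,CN=Users,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=Mac Service,CN=Users,DC=example,DC=test
sAMAccountName: macsvc
userAccountControl: 2097792

dn: CN=Old Admin,CN=Users,DC=example,DC=test
sAMAccountName: oldadmin
userAccountControl: 4194818

dn: CN=Web Front,CN=Users,DC=example,DC=test
sAMAccountName: websvc
userAccountControl: 786944
"""


def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                record[name] = value
        if record:
            yield record


def decode(uac):
    """Return the names of the listed flags that are set in uac."""
    return [name for bit, name in sorted(FLAGS.items()) if uac & bit]


def audit(text):
    """Map sAMAccountName -> weakening flags set on enabled accounts."""
    findings = {}
    for rec in parse_ldif(text):
        try:
            uac = int(rec["userAccountControl"])
        except (KeyError, ValueError):
            continue  # not an account object, or a malformed value
        if uac & ACCOUNT_DISABLED:
            continue  # disabled accounts cannot log on; skipped here
        weak = [FLAGS[bit] for bit in sorted(WEAKENING) if uac & bit]
        if weak:
            findings[rec.get("sAMAccountName", rec.get("dn", "?"))] = weak
    return findings


if __name__ == "__main__":
    for account, weak in audit(SAMPLE_LDIF).items():
        print(account, "->", "; ".join(weak))
```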
4) UltraAdmin continues to support W2K specific user rights, and
In addition to its new W2K features, UltraAdmin 2.0 includes new
features useful in both Windows NT and 2000 environments, like:
+ Device configuration and management
+ Group account renaming
+ User and group copying, producing easy, templated account creation
+ Remote viewing of installed software
+ Remote viewing of network hardware (especially useful on
When you combine these new features with UltraAdmin's already rich
set of Windows NT/2000 administration capabilities, you have a tool
that needs to be in every network administrator's tool suite,
especially those migrating to W2K. But surprisingly, with all of
its functionality, UltraAdmin remains the most competitively priced
utility in its class, costing only $175.00 per network administrator
using the software. Per license discounts are available for volume
purchases. You can get a single license from the Sunbelt Onlineshop
with immediate delivery of full product. For Volume licenses, call
your reseller or your Sunbelt Account Rep. To get your copy now, go
to the new Sunbelt Software website and click the ONLINE SHOP tab.
If you're still not convinced, check out some of the rest of
UltraAdmin's many features:
+ Edit, add, and delete user accounts
+ Edit, add, and delete group accounts
+ Add and delete computer accounts
+ Map security identifiers to account names and vice versa
+ Manage NT services remotely
+ Manage open server resources
+ Manage user sessions/connections
+ Manage shared printers
+ Manage network shares and access control lists
+ Check free disk space / total disk space remotely
+ Check processor and OS type remotely
+ Check original date of installation and Service Pack info
+ View remote server time and time zone information
+ Calculate relative network speed, number of hops, and round trip
time to a server
+ Initiate full and partial domain resynchronization
+ Set domain-wide and computer-specific user account policy
+ Set domain-wide and computer-specific audit policy (NT 4
set AND Win2K set)
+ Manage user rights explicitly per user and per group (NT 4
set AND Win2K set)
+ Reboot servers remotely
+ Hide servers and workstations from the browse list
+ Perform remote network logons to untrusting workstations
+ Send popup messages to other NT users' machines
+ Browse to computer file shares
+ Quickly open connections to administrative hidden shares
(e.g. C$, ADMIN$)
+ View event log information
+ Create and delete Exchange Server mailboxes when you add
and delete domain users
+ Extend UltraAdmin with the UltraAdmin SDK
Additional functionality is added all the time. Check out the
specs here: http://www.sunbelt-software.com/product.cfm?id=277
Again, you can get a single admin license online for just $175
with immediate delivery of FULL product. For more than one
license call your Reseller or Sunbelt Rep. Find us over here
* DirectoryAnalyzer: AD monitor & troubleshooter
Deploy Active Directory with Microsoft W2K Server and you're taking
the first step into a whole new world of network manageability.
AD is a powerful facility to administer user access to distributed
services, control security and implement personal preferences.
And, that's only the beginning. It's just a matter of time before
everyone in your company will heavily depend on Active Directory.
You can't afford to take chances with AD. You need to proactively
manage the availability and performance of your directory with the
only tool built specifically for that purpose: DirectoryAnalyzer,
manufactured by NetPro Computing, Inc.
While other (and older) server-oriented management products may promise
the same value, they can't deliver it. Active Directory is logically
distributed across your network, and it can only be managed with a
tool that sees the service as a whole, not just one server at a time.
If you have Active Directory you simply need DirectoryAnalyzer to
keep it healthy.
+ Ensures the health of the directory
+ Delivers early warning of directory infrastructure problems
+ Provides error resolution with context-sensitive knowledge base
+ Troubleshoots your domains, DCs and DNS server
+ Centralizes access to directory information
Download a 30-day eval and see what this tool can do in your domains:
* April Special Offer: Security Explorer.
Security Explorer is a powerful and intuitive utility to search
for and modify Windows NT security on NTFS drives, the Registry,
and Shares. Search across subdirectories for permissions. Grant,
revoke, and clone permissions across subdirectories without
affecting any other user's permissions.
Select 50 shares on a server, and grant permissions to multiple
users and groups at one time. Export permissions to a database
for further analysis and reporting. Back up your file permissions
and restore them if necessary. Set ownership on files and direc-
tories. Seamless integration with the NT 4.0 Desktop (right-click
just about anywhere). Security Explorer makes finding security
holes and fixing them a snap!
APRIL ONLY SPECIAL: Normally a Corporate, world-wide license,
including maintenance costs $13,194. But for April 2000 only,
this has been brought down to just $9,495 and, thrown in is 1
year tech support, updates, and a free upgrade to the Windows
2000 version that comes out in a few months. A BIG DISCOUNT !
Check out: http://www.sunbelt-software.com/product.cfm?id=788
4. "HOW TO USE THE MAILING LIST" Instructions on how to subscribe,
sign off or change your email address
TO SUBSCRIBE TO THE LIST (Tell your friends!)
and fill out the form, simple & easy: 1 minute work.
Or by email, send a blank message to the following address:
TO QUIT THE LIST
1) The Web Way:
choose the NT-List, use your email address that is at
the bottom of each newsletter and leave the list via
the web interface.
2) The Email Way: Simply follow the personalized
instructions at the very end of this newsletter.
TO CHANGE YOUR ADDRESS
First unsubscribe and then resubscribe as per the
At the time of this newsletter's release, all links were
checked to verify their accuracy and validity. However,
due to the ever changing pages of various sites, some links
may later prove to be invalid. We regret any inconvenience
should you be unable to open any of these links.
Things Our Lawyers Make Us Say:
This document is provided for informational purposes only.
The information contained in this document represents the
current view of Sunbelt Software Distribution on the issues
discussed as of the date of publication. Because Sunbelt
must respond to changes in market conditions, it should not
be interpreted to be a commitment on the part of Sunbelt
and Sunbelt cannot guarantee the accuracy of any informa-
tion presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
FREEDOM FROM INFRINGEMENT.
The user assumes the entire risk as to the accuracy and the
use of this document. This document may be copied and
distributed subject to the following conditions: 1) All text
must be copied without modification and all pages must be
included; 2) All copies must contain Sunbelt's copyright
notice and any other notices provided therein; and 3) This
document may not be distributed for profit. All trademarks
acknowledged. Copyright Sunbelt Software Distribution, Inc.