Administrative Enhancements

So, what do you think so far? Whistler is promising to be an… interesting upgrade to Windows 2000. As you can see so far, there aren’t that many changes that would confuse a Windows 2000 MCSE, which is why Microsoft is not retiring the Windows 2000 SE track. (At least not at this point in time.) Some of the changes are in Active Directory. Some other enhancements include support for remote professionals to remote control your system.

Remote Assistance

Remote Assistance is an interesting new feature for Windows 2000. It is found by going to Help and Support from the Start Menu. From the Help and Support Services window, click Support on the top navigation bar. You will then be brought to the support window. This window shows you which options are available to you. Click the Microsoft Remote Assistance option on the left navigation bar. After navigating through the introduction screens that describe the feature, you will arrive at the following window:

Basically, you are inviting someone to view your current session of Windows and you are allowing them to communicate with you on your computer. You will be able to communicate with the remote person helping you using either text-based chat services or Voice over IP, which Windows XP and Whistler both support. This person can be either someone from Microsoft, or someone within your own IT department that you will be getting support from. This Invitation, as it is called, can be sent via an email message, by using a floppy disk, or using the MSN Messenger. You will be able to password-protect the invitation so that only that remote support professional can access your system. Whistler also allows you to set how long the session will stay active before they are unable to connect with the invitation that you sent to the support person. The only catch is that the person supporting your system must also be running either Whistler, or a later version of a Microsoft operating system.

Access Control Lists

There have been some improvements to the Access Control Lists in Whistler as well. If you are not sure exactly what an Access Control List is, well, it’s the list of access control that each user has assigned to him or her for a particular object. To get to the ACL of a particular folder, right-click the folder, click Properties, go to the Security tab and click the Advanced button. You will see a screen like the following if you did it correctly:

In Windows 2000, you did not have a column header called “Inherited From.” This is a very helpful improvement for an Administrator, because if a certain permission has been allowed or denied from a higher level, you can now see what level that permission is coming from. There is also an additional tab now called the Effective Permissions tab. Let’s look at this tab and see what it does:
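
A simplified model of what the Inherited From column and the Effective Permissions tab report, as an added example that is not from the original article or from Microsoft. The right flags, folder paths, and user and group names are constructed, and the model covers only ACL entries (no ownership or privileges); it evaluates entries in the canonical order Windows uses, so an explicit entry on the folder is reached before an inherited one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified right flags (not the full NTFS access mask).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
RIGHTS = {READ: "Read", WRITE: "Write", EXECUTE: "Execute", DELETE: "Delete"}

@dataclass(frozen=True)
class Ace:
    trustee: str                          # user or group the entry names
    allow: bool                           # True = Allow entry, False = Deny entry
    rights: int                           # bitmask of the flags above
    inherited_from: Optional[str] = None  # None = set on this object itself

def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited_from is not None, a.allow))

def effective_permissions(acl, user, groups):
    """Return (granted_mask, {right: deciding Ace}) for a user and its groups."""
    identities = {user, *groups}
    granted, decided, source = 0, 0, {}
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        fresh = ace.rights & ~decided     # the first matching entry decides each right
        if ace.allow:
            granted |= fresh
        decided |= fresh
        for bit in RIGHTS:
            if fresh & bit:
                source[bit] = ace
    return granted, source

# Constructed sample ACL for a folder C:\Data\Reports (all names hypothetical).
SAMPLE_ACL = [
    Ace("Users", True, READ | EXECUTE, inherited_from="C:\\Data"),
    Ace("Contractors", False, WRITE | DELETE, inherited_from="C:\\"),
    Ace("alice", True, WRITE),
    Ace("Finance", False, EXECUTE),
]

if __name__ == "__main__":
    granted, source = effective_permissions(
        SAMPLE_ACL, "alice", {"Users", "Contractors", "Finance"})
    for bit, name in RIGHTS.items():
        ace = source[bit]
        verdict = "Allow" if granted & bit else "Deny"
        print(f"{name:8}{verdict:6}via {ace.trustee:12}"
              f"inherited from {ace.inherited_from or '<not inherited>'}")
```

In the sample, alice keeps Write even though Contractors is denied it from C:\, because her explicit Allow on the folder is evaluated before the inherited Deny; this is the kind of result the Inherited From column helps an administrator trace.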
This feature allows you to select a user or group from Active Directory and see exactly what their permissions will be for the object that you are currently looking at, based on the Groups and permissions assigned to that individual user account, or the permissions assigned to the groups that user is a member of. If you look at the screenshot displayed above, I selected the Users group to do the comparison to.

Active Directory

The Schema of AD has been divided into another section. There will be a partition that will hold information specific to Applications now that will be replicated to any DCs that need that information, not necessarily all Domain Controllers in a domain or forest. That way, if you store DNS inside of Active Directory, the DNS information would not be replicated to Servers that do not host DNS themselves. This will cut down on replication time because now if information changes on an application server that takes advantage of AD, it will not replicate those changes to any servers except for the one that has the application installed onto it.

There will also be various levels of functionality that Whistler will provide. Windows 2000 had a “Native Mode” environment that allowed an administrator to take advantage of features like group-nesting and Universal Security Groups if the Domain was switched to Native Mode. Well, there will be different “Levels” of versioning for AD that will allow an administrator to take advantage of special features as the System gets upgraded to all Windows 2000/Whistler Servers, then another mode for a Whistler-only environment.

Whistler Servers do not rely on Global Catalog Servers to authenticate logon requests for clients in a Native-mode domain.

Have you ever run dcpromo on a remote system and found that the process of replicating all AD information from a remote DC took an excessively long amount of time? Well, Whistler gives you the ability to back up the AD database to a CD ROM and have the dcpromo utility extract the AD information from the CD rather than having to get it from a remote server. This only works if you add a DC in an existing domain. It is not used for creating new domains, trees, or forests.

Did you get a chance to migrate user accounts from a Windows NT 4.0 domain to a Windows 2000 Domain? Did you notice one key thing that didn’t migrate over? Namely, PASSWORDS. Wouldn’t it have been nice if the Active Directory Migration tool could have done that as well? Well, it can in Whistler. As a matter of fact, it can even pull them from an NT 4.0 domain to a Windows 2000 domain.

Active Directory Users and Computers also has a few noticeable enhancements to it. One is the ability to select multiple user accounts and configure common properties on them.

You can assign multiple users to the same Office, give them duplicate Descriptions, Telephone Numbers, Group Membership, Address information, password expiration dates, logon hours, etc… all through Active Directory. You can also drag and drop user accounts in ADU&C.

There is one more noticeable enhancement for Active Directory that the people at Microsoft implemented, and that was the ability to see what a user account’s effective group policy will be. There are two levels that Active Directory will allow you to check this: The Planning level and the Logging Level. The planning level allows you to select a user account and select which OU you would like to compare that user to. That way, if you move a user into a different Active Directory Organizational Unit, you will be able to see how all of the group policies will affect him or her. Here is a screenshot:

The second option that you could see is the Logging Option. Logging will check the User account with a Computer account that you choose and the result will be what permissions that user will have on the system. Now, this does not cover NTFS permissions, only Group Policy permissions.

Here is a list of new Command Prompt utilities that you have available in Whistler and what they do:

If you use Active Directory to deploy software through Group Policies, you can now have it do a Full install of the software once the user logs onto the system, rather than waiting for the user to execute the shortcut for the Application.

Trust relationships have been improved quite a bit in Whistler as well. Whistler now supports Cross-Forest trusts. If you create a cross-forest trust, all domains in each forest trust each other. Here is a screenshot of the new Domain Trust Wizard:

This concludes the section on Administrative enhancements. As you can tell, Microsoft has been hard at work, trying to improve their access control for Whistler. Administrators can now find out more information more quickly than they could before. There have been many improvements over Windows 2000, and now let’s talk about how Terminal Services have been improved.