Alexander’s Blog

February 23, 2010

SharePoint Administration Toolkit v3.0

by @ 7:20 am. Filed under SharePoint, Tools/Utils

The Microsoft SharePoint Administration Toolkit contains functionality to help manage Microsoft Office SharePoint Server (MOSS) 2007 and Windows SharePoint Services (WSS) version 3.0. This toolkit contains the ability to diagnose performance issues, perform bulk operations on site collections, an Stsadm operation to update alert e-mails after the URL for a Web application has been changed, and a User Profile Replication Engine tool.

The supported operating systems include Windows Server 2003, Windows Server 2008, Windows Vista and Windows XP. You must have MOSS 2007 or WSS 3.0 installed on your computer. Microsoft recommends that versions 1.0 and 2.0 of the SharePoint Administration Toolkit be uninstalled before you install version 3.0 of the SharePoint Administration Toolkit.

Here are the download links:

Microsoft SharePoint Administration Toolkit v3.0 x64

Microsoft SharePoint Administration Toolkit v3.0 x86

SharePoint Permission Reporting Tool

Included in the SharePoint Administration Toolkit from Microsoft is the Permission Reporting Tool, which provides various components to help better understand how security is being derived and applied across and within sites, lists and items. The tool includes three components – the Compare Permissions Sets function, the Check Effective Permissions function and the Broken Inheritance Reports function. Here’s a video on TechNet that will show you how to use the Permission Reporting Tool.

February 22, 2010

Additional Training Resources for Site Administrators

by @ 10:34 am. Filed under SharePoint, Training

I am glad someone is looking out for Site Administrators. There is a lot of focus on resources for Network and SharePoint Administrators, for obvious reasons, but it’s important to also keep the Site Administrators in mind. I’ve noticed that my colleague Sharee English is often talking and blogging about Site Administrators. She recently posted a blog that lists training resources for SharePoint Site Administrators. Here’s a quote from her blog.

“Site Administrators have the largest burden when it comes to SharePoint. They are responsible for managing permissions, creating lists and libraries, and maintaining metadata. Most site administrators have never done any of these things before and may not even know what some of these things mean. Luckily there are so many resources available.”

Click here for more details and links to the resources that she has listed.

February 6, 2010

NetDom Examples

by @ 8:59 am. Filed under Active Directory, Scripting, Tips & Tricks, Windows 2003, Windows 2008

NetDom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use NetDom, you must run the NetDom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use NetDom to:

- Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
  - Provide an option to specify the organizational unit (OU) for the computer account.
  - Generate a random computer password for an initial Join operation.

- Manage computer accounts for domain member workstations and member servers. Management operations include:
  - Add, Remove, Query.
  - An option to specify the OU for the computer account.
  - An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.

- Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
  - From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
  - From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
  - Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
  - The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.

- Verify or reset the secure channel for the following configurations:
  - Member workstations and servers.
  - Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  - Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.

- Manage trust relationships between domains, including the following operations:
  - Enumerate trust relationships (direct and indirect).
  - View and change some attributes on a trust.

NetDom Commands

Here are the NetDom commands.

| Command | Description |
| --- | --- |
| Netdom add | Adds a workstation or server account to the domain. |
| Netdom computername | Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers. |
| Netdom join | Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist. |
| Netdom move | Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist. |
| Netdom query | Queries the domain for information such as membership and trust. |
| Netdom remove | Removes a workstation or server from the domain. |
| Netdom movent4bdc | Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts. |
| Netdom renamecomputer | Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command. |
| Netdom reset | Resets the secure connection between a workstation and a domain controller. |
| Netdom resetpwd | Resets the computer account password for a domain controller. |
| Netdom trust | Establishes, verifies, or resets a trust relationship between domains. |
| Netdom verify | Verifies the secure connection between a workstation and a domain controller. |

Microsoft has listed lots of examples on TechNet here. Here are some of them.

NetDom Examples

NOTE: The following examples apply to at least Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1 and Windows Server 2003 with SP2.

Example 1: Add a Workstation or Member Server to a Windows NT 4.0 Domain

To add the workstation mywksta to the Windows NT 4.0 domain reskita, type the following at the command line:

netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password

Example 2: Add a Workstation or Member Server to a Windows Server 2003 Domain

To add the workstation mywksta to the Windows Server 2003 domain devgroup.example.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:

netdom add /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com

Example 3: Move a Windows NT 4.0 BDC to a new domain

To join myBDC to the Windows NT 4.0 domain reskita, type the following at the command prompt:

netdom moveNT4BDC mybdc /domain:reskita

Example 4: Add an alternate name for a Windows Server 2003 domain controller

To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:

netdom computername dc /add:altDC.example.com

A name must first exist as an alternate before it can be made the primary name of a computer.

Example 5: Rename a domain controller in a Windows Server 2003 domain

To rename the domain controller DC to altDC in the example.com domain use the following syntax:

netdom computername dc /makeprimary:altdc.example.com

To rename a member server you must choose one of the existing alternate names for the computer and make it the new primary name.

Example 6: Rename a Member Server

To rename the member server member to member1, type the following at the command prompt:

netdom renamecomputer member /newname:member1.example.com /userd:administrator

Example 7: Join a Workstation or Member Server to a Domain

To join mywksta to the devgroup.example.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:

netdom join /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com

Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join operation.

Example 8: Remove a Workstation or Member Server from a Domain

To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:

netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password

Example 9: Move a Workstation or Member Server from One Domain to Another

To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password

If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the security permissions that the computer account had previously.

Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC

To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta

To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type the following at the command prompt:

netdom reset /d:Northamerica NABDC

Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller

Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller by using the /server parameter with the reset operation, type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta /Server:mylocalbdc

Example 12: Verify a Workstation or Member Server Secure Channel

To verify the secure channel secret is maintained between mywksta and devgroup.example.com, type the following at the command prompt:

netdom verify /d:devgroup.example.com mywksta

Example 13: Establish a One-Way Trust Relationship

When used with the trust operation, the /d:Domain parameter always refers to the trusted domain.

To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*

Press Enter and the following prompt is displayed:

Password for Northamerica\admin:

Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:

Password for USA-Chicago\admin:

Enter the password for USA-Chicago\admin and press Enter.

The user must have credentials for both domains. The /pd parameter can be used to specify the password for Northamerica\admin and the /po parameter can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is prompted for both.

If you then want to specify a two-way trust, type the following at the command prompt:

netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com
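
Several examples on this page pass the password inline (/pd:password, /PT:password), while Example 13 uses /Pd:* and /Po:* so that NetDom prompts instead; an inline value can end up in saved scripts, shell history and process command-line logging. The PowerShell check below is an added example, not part of the original post or of TechNet: it flags netdom command lines that carry a literal password and prints them redacted. The function name Find-NetdomInlinePassword and the sample lines are constructed for illustration.

```powershell
# Added example (not from the original post). The sample command lines are
# constructed from the netdom examples shown on this page.
$sampleLines = @(
    'netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password'
    'netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*'
    'netdom trust /d:ATHENA Northamerica /add /PT:password /realm'
    'netdom verify /d:devgroup.example.com mywksta'
    'netdom.exe move /d:mydomain mywksta /ud:mydomain\admin /pd:"pass word"'
)

function Find-NetdomInlinePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Only look at lines that invoke netdom (with or without .exe or a path).
        $isNetdom = '(?i)\bnetdom(?:\.exe)?\b'
        # Password switches in short and long form. The value is either a
        # quoted string or everything up to the next whitespace.
        $pwSwitch = '(?i)(?<=\s)(?<switch>/(?:pd|po|pt|passwordd|passwordo|passwordt)):(?<value>"[^"]*"|\S+)'
    }
    process {
        if ($Line -notmatch $isNetdom) { return }

        # A value of * means "prompt for the password", so it is not a finding.
        $hits = [regex]::Matches($Line, $pwSwitch) |
            Where-Object { $_.Groups['value'].Value -ne '*' }
        if (-not $hits) { return }

        [pscustomobject]@{
            Switches = ($hits | ForEach-Object { $_.Groups['switch'].Value.ToLower() }) -join ','
            # Replace each literal password so the report itself does not leak it.
            Redacted = [regex]::Replace($Line, $pwSwitch, {
                param($m)
                if ($m.Groups['value'].Value -eq '*') {
                    $m.Value
                } else {
                    $m.Groups['switch'].Value + ':<redacted>'
                }
            })
        }
    }
}

# Reports the first, third and fifth sample lines; the /Pd:* /Po:* line and
# the verify line produce no output.
$sampleLines | Find-NetdomInlinePassword | Format-List
```

To check real input, pipe the lines of a deployment script in with Get-Content, or pipe command-line strings exported from process-creation auditing.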

Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm

To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:

netdom trust /d:ATHENA Northamerica /add /PT:password /realm

The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.

Note

If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:

netdom trust /d:Northamerica ATHENA /add

Note

Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans:yes

To display the transitive state, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans

The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.

Example 15: Break a One-Way Trust Relationship

To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /remove

Example 16: Break a Two-Way Trust Relationship

To break a two-way trust relationship, type the following at the command prompt:

netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com

Example 17: Verify a Specific Trust Relationship

To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /verify

To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:

netdom trust /d:Northamerica EUROPE /verify /twoway

The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.

Example 18: Reset a Specific Trust Relationship

To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset

The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.

Example 19: Verify Kerberos Functionality

To verify Kerberos authentication between a workstation and a service located in the domain devgroup.example.com, type the following at the command prompt:

netdom trust /d:devgroup.example.com /verify /KERBEROS

When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and the target domain.

Example 20: View All Workstation Members in a Domain

To list all the workstations in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION

Example 21: View All Server Members in a Domain

To list all of the servers in Northamerica, type the following at the command prompt:

netdom query /d:Northamerica SERVER

Example 22: View All Domain Controller Members in a Domain

To list all the domain controllers in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica DC

Example 23: View All Organizational Unit Members in a Domain

To list all of the OUs in devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com OU

Example 24: List the Primary Domain Controller Member in a Domain

To list the PDC for Northamerica, type the following at the command prompt:

netdom query /d:Northamerica PDC

Example 25: List the Primary Domain Controller Emulator in a Domain

To list the current PDC emulator for devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com FSMO

NOTE: There are more examples on TechNet here.

February 1, 2010

What’s Missing in Windows 7?

by @ 7:58 am. Filed under Windows 7

For those of you who are using Windows 7, you may have noticed that it’s a vast improvement over Windows Vista. I wholeheartedly recommend Windows 7 to my clients and students and just about everyone who uses Windows. Microsoft should be commended for doing a great job with Windows 7. People are often quick to criticize Microsoft when they see a lack of quality or security in Microsoft’s products so I believe people should also be quick to praise Microsoft when they do a good job.

Overall, I am very impressed with the Windows 7 operating system (OS). I can go on with all the great things in Windows 7 but in this post I am going to focus on what I believe is missing in Windows 7. Here’s a short list.

Copying CD/DVD
Windows 7 does not allow you to make a copy of your CDs or DVDs. You can burn (i.e. copy) music, pictures and videos to a DVD but you cannot make a copy of your own data, pictures or video CDs/DVDs. Your option: Use a third-party tool.

Newsreader
Unlike Windows XP, Microsoft no longer provides a newsreader in its new operating systems. Your option: Use a third-party tool, like Mozilla’s Thunderbird.

Sound Recorder
Technically, Sound Recorder is not missing but Microsoft has significantly downgraded the Sound Recorder utility in Windows 7. Unlike Windows XP, which contains a fully-functional Sound Recorder utility that lets you edit, mix files, and includes several special effects, the Windows 7 Sound Recorder utility looks like it was created by a 5-year-old during his lunch break at the daycare. The only thing you can do is record the sound and save the file. That’s about it. People are still trying to figure out Microsoft’s logic behind their decision. They couldn’t enhance the Sound Recorder tool so they decided they will make it worse than before and offer a stripped-down version instead. Why? No one knows. If it wasn’t important then why not remove it from the OS altogether? Your option: Use a third-party tool.

Support for Microsoft Virtual PC 2007
Unlike Windows XP, Microsoft does not offer support for Microsoft Virtual PC 2007 in Windows 7. This raises numerous virtualization issues, some of which I have documented in this blog.

By not providing support for Microsoft Virtual PC 2007 and, to make things even worse, not offering support for running x64 guest operating systems in Virtual PC 2007 or Virtual Server 2005, Microsoft is encouraging Windows 7 users to look for alternate solutions, such as VMware Server. I am hoping Microsoft will revise this bad marketing decision because these days 64-bit hardware and software are very common and Microsoft really needs to rethink its strategy. Your option: Use a third-party tool.

Anti-Virus Software
Windows 7 doesn’t include any anti-virus software. You can, however, install Microsoft Security Essentials, which is free and protects your PC against viruses, spyware, and other malicious software. Your option: Either use a third-party tool such as AVGFree, or install Microsoft Security Essentials.

Comments:
In the past joining Microsoft SpyNet was optional (e.g. in Windows Defender) but with Microsoft Security Essentials you are only given two choices.

Choice #1: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
Choice #2: You must agree to have information automatically collected and sent to Microsoft, including your personal information.

That’s right. Those are the only two choices. You can either send “some” information to Microsoft or you can send “a lot” of information to Microsoft. So what’s your pleasure?

Basic Membership: You agree to send some information to Microsoft.
Advanced Membership: You agree to send a lot of information to Microsoft.

In either case Microsoft warns you that you might be risking your privacy because your personal information might be unintentionally sent to Microsoft. Do you have the option to not send personal information to Microsoft? Absolutely not! If you want to use Microsoft Security Essentials you have no choice but to agree to risk your privacy.

Recovery Console

The Recovery Console in earlier versions of Windows is no longer available in Windows 7. Recovery Console was awesome because it easily allowed you to manage services and drivers by enabling or disabling them. It also allowed you to fix the boot sector and master boot record, etc. Starting with Windows Vista, the Recovery Console has been replaced by several tools that are located in the System Recovery Options menu. What this means is that you now have to go through a bunch of steps and recovery of the system is not as simple in some cases as it used to be in the previous versions.

Conclusion
I may update this post and add more items to the list of things that are missing in Windows 7 in the future as I discover them. The purpose of this post is to let Microsoft know what’s missing in Windows 7 so they can hopefully add these components either with optional Windows Updates, service packs or in the next OS. I think it would be great if Microsoft could provide some explanation to the consumers when they leave things out of the OS. Frankly, there might be some very good explanations or reasoning behind the decisions but if the consumers don’t know then it causes confusion. For instance, to avoid confusion, Microsoft could say we couldn’t get a 64-bit version of the newsreader in time so we left it out of the OS and will add it at a later date.

I believe most people will be able to live with some of what’s missing in Windows 7 but the lack of support for 64-bit virtualization and the inability to duplicate CDs/DVDs are things that deserve a lot of press... along with all the cool stuff included in Windows 7.


Copyright ©2010 Zubair Alexander. All rights reserved.
