Saturday, March 29, 2008

Large memory support is available in Windows Server 2003 and in Windows 2000

MORE INFORMATION

PAE is the added ability of the IA32 processor to address more than 4 GB of physical memory. The following operating systems can use PAE to take advantage of physical memory beyond 4 GB:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Datacenter Edition
To enable PAE, use the /PAE switch in the Boot.ini file.

Note In Windows Server 2003, PAE is automatically enabled only if the server is using hot-add memory devices. In this case, you do not have to use the /PAE switch on a system that is configured to use hot-add memory devices. In all other cases, you must use the /PAE switch in the Boot.ini file to take advantage of memory over 4 GB.

Typically, a process running under Windows 2000 or Windows Server 2003 can access up to 2 GB of memory address space (assuming the /3GB switch was not used) with some of the memory being physical memory and some being virtual memory. The more programs (and, therefore, more processes) that run, the more memory you commit up to the full 2 GB of address space.

When this situation occurs, the paging process increases dramatically and performance may be negatively impacted. The Windows 2000 and Windows Server 2003 memory managers use PAE to provide more physical memory to a program. This reduces the need to swap memory to the page file and results in increased performance. The program itself is not aware of the actual memory size. All the memory management and allocation of the PAE memory is handled by the memory manager independently of the programs that run.

The preceding information is valid for programs that run when the /3GB switch is used. A program that requests 3 GB of memory is more likely to be able to have more of its memory remain in physical memory rather than be paged out. This increases the performance of programs that are capable of using the /3GB switch. The exception is when the /3GB switch is used in conjunction with the /PAE switch. In this case, the operating system does not use any memory in excess of 16 GB. This behavior is caused by kernel virtual memory space considerations. Thus, if the system restarts with the /3GB entry in the Boot.ini file, and the system has more than 16 GB of physical memory, the additional physical random access memory (RAM) is not used by the operating system. Restarting the computer without the /3GB switch enables the use of all the physical memory.

AWE is a set of application programming interfaces (APIs) to the memory manager functions that enables programs to address more memory than the 4 GB that is available through standard 32-bit addressing. AWE enables programs to reserve physical memory as non-paged memory and then to dynamically map portions of the non-paged memory to the program's working set of memory. This process enables memory-intensive programs, such as large database systems, to reserve large amounts of physical memory for data without having to be paged in and out of a paging file for usage. Instead, the data is swapped in and out of the working set and reserved memory is in excess of the 4 GB range. Additionally, the range of memory in excess of 4 GB is exposed to the memory manager and the AWE functions by PAE. Without PAE, AWE cannot reserve memory in excess of 4 GB.

The following is an example of a Boot.ini file where the PAE switch has been added:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /PAE
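The /PAE and /3GB rules described above can be checked against a Boot.ini file mechanically. The following Python sketch is an added example, not part of the original Microsoft article; the second boot entry in the sample, the function names and the finding codes are constructed for illustration.

```python
import re

GB = 1024 ** 3

# Constructed sample: the Boot.ini shown above plus a hypothetical second
# entry that combines /3GB with /PAE.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /PAE
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise (3GB)" /fastdetect /3GB /PAE
'''


def parse_boot_entries(text):
    """Return (arc_path, description, switches) for each [operating systems] line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "operating systems" or "=" not in line:
            continue
        path, _, rest = line.partition("=")
        quoted = re.match(r'\s*"([^"]*)"(.*)$', rest)
        description, tail = quoted.groups() if quoted else ("", rest)
        # Normalise case so that /pae and /PAE compare equal.
        switches = {s.upper() for s in re.findall(r"/[^\s/]+", tail)}
        entries.append((path.strip(), description, switches))
    return entries


def memory_findings(text, installed_ram_bytes):
    """Apply the two memory rules from the article to every boot entry."""
    findings = []
    for _path, description, switches in parse_boot_entries(text):
        if installed_ram_bytes > 4 * GB and "/PAE" not in switches:
            # Exception noted above: Windows Server 2003 with hot-add memory
            # devices enables PAE automatically.
            findings.append((description, "PAE_MISSING"))
        if {"/3GB", "/PAE"} <= switches and installed_ram_bytes > 16 * GB:
            # With /3GB and /PAE together, RAM above 16 GB is not used.
            findings.append((description, "RAM_ABOVE_16GB_UNUSED"))
    return findings


if __name__ == "__main__":
    for desc, code in memory_findings(SAMPLE_BOOT_INI, 32 * GB):
        print(f"{desc}: {code}")
```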


Warning The contents of your Boot.ini file will vary based upon your configuration. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
317526 (http://support.microsoft.com/kb/317526/) How to edit the Boot.ini file in Windows Server 2003
To summarize, PAE is a function of the Windows 2000 and Windows Server 2003 memory managers that provides more physical memory to a program that requests memory. The program is not aware that any of the memory that it uses resides in the range greater than 4 GB, just as a program is not aware that the memory it has requested is actually in the page file.

AWE is an API set that enables programs to reserve large chunks of memory. The reserved memory is non-pageable and is only accessible to that program. For more information about AWE and PAE, click the following article number to view the article in the Microsoft Knowledge Base:
268363 (http://support.microsoft.com/kb/268363/) Intel Physical Addressing Extensions (PAE) in Windows 2000
For more information, visit the following Microsoft Web sites:
http://msdn2.microsoft.com/en-us/library/aa213764(SQL.80).aspx
http://msdn2.microsoft.com/en-us/library/ms810461.aspx
If you add more memory to the system, it is possible that the BIOS will recognize the full amount of physical RAM that is installed in the server but that Windows will recognize only a part of the RAM. If the server has a redundant memory feature or a memory mirroring feature that is enabled, the full complement of memory may not be visible to Windows. Redundant memory provides the system with a failover memory bank when a memory bank fails. Memory mirroring splits the memory banks into a mirrored set. Both features are enabled or disabled in the BIOS and cannot be accessed through Windows. To modify the settings for these features, you may have to refer to the system user manual or the OEM Web site. Alternatively, you may have to contact the hardware vendor.

For example, if you are running a system that has 4 GB of RAM installed and you then add 4 GB of additional RAM, Windows may recognize only 4 GB of physical memory or possibly 6 GB instead of the full 8 GB. The redundant memory feature or the memory mirroring feature may be enabled on the new memory banks without your knowledge. These symptoms are similar to the symptoms that occur when you do not add the /PAE switch to the Boot.ini file.


REFERENCES

For more information, visit the following Microsoft Web site: Operating Systems and PAE Support http://www.microsoft.com/whdc/system/platform/server/PAE/pae_os.mspx

Intel Physical Addressing Extensions (PAE) in Windows 2000

SUMMARY

Windows 2000 Advanced Server and Windows 2000 Datacenter Server support memory in excess of 4 gigabytes (GB) of random access memory (RAM) by way of the Intel Physical Addressing Extension (PAE) specification. Windows 2000 Advanced Server is limited to 8 GB, and Windows 2000 Datacenter Server is limited to 32 GB. You can enable PAE in the Boot.ini file. To enable PAE, follow these steps:
1. Click Start, and then click Run.
2. Type X:\boot.ini, where X is the drive letter of the location of the boot files, Ntldr, Boot.ini, and so forth.
3. Modify the line that corresponds to your operating system by appending the /PAE switch.
4. Save the file, and then restart the computer.
Even with PAE enabled, the underlying architecture of the system is still based on 32-bit linear addresses. This effectively retains the 2 GB of application space and the 2 GB of kernel mode space because only 4 GB of addresses are available. However, multiple processes can immediately benefit from the increased RAM because they are less likely to encounter physical memory restrictions and begin paging. Additionally, applications can be modified to use the AWE API to allocate memory outside of the application's process space, bypassing the 2-GB limit for applications.

MORE INFORMATION

With PAE enabled, the operating system moves from a two-level linear address translation to a three-level address translation. The extra layer of translation is what provides access to physical memory beyond 4 GB. Instead of a linear address being split into three separate fields for indexing into memory tables, it is split into four separate fields: a 2-bit field, two 9-bit fields, and a 12-bit field that corresponds to the page size implemented by Intel Architecture (4 KB).

During a context switch, the operating system sets the CR3 register to point to a page directory pointer table. The 2-bit field (the first two bits of the linear address) is used as an index into this table, and the resulting value points to a page directory. The first 9-bit field is then used to index into the page directory. The indexed value points to a page table. The second 9-bit field is an index into the page table. This value points to the actual page in memory where the desired byte is located. The remaining twelve bits are then used as an index into the page to find this byte.
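The 2/9/9/12-bit split and the three-level walk can be traced in a few lines of Python. This is an added example, not code from the Microsoft article; the table contents, the CR3 value and the simplified entry layout (a present bit plus an assumed 36-bit physical base) are constructed for illustration.

```python
PRESENT = 0x1             # bit 0 of an entry: the mapping is valid
FRAME_MASK = 0xFFFFFF000  # bits 12-35: 4 KB-aligned physical base (assumed 36-bit width)


def split_pae_address(linear):
    """Split a 32-bit linear address into the 2/9/9/12-bit PAE fields."""
    if not 0 <= linear <= 0xFFFFFFFF:
        raise ValueError("linear addresses are 32 bits wide")
    return {
        "pdpt_index": (linear >> 30) & 0x3,    # bits 31-30
        "pd_index":   (linear >> 21) & 0x1FF,  # bits 29-21
        "pt_index":   (linear >> 12) & 0x1FF,  # bits 20-12
        "offset":     linear & 0xFFF,          # bits 11-0
    }


def translate(tables, cr3, linear):
    """Walk PDPT -> page directory -> page table; None models a page fault."""
    fields = split_pae_address(linear)
    base = cr3
    for level in ("pdpt_index", "pd_index", "pt_index"):
        entry = tables.get(base, {}).get(fields[level], 0)
        if not entry & PRESENT:
            return None
        base = entry & FRAME_MASK
    return base | fields["offset"]


# Constructed tables, keyed by the physical address at which each table lives.
# The final page sits at 5 GB, beyond what a 32-bit physical address can reach.
CR3 = 0x1000
TABLES = {
    0x1000: {2: 0x2000 | PRESENT},       # page directory pointer table
    0x2000: {1: 0x3000 | PRESENT},       # page directory
    0x3000: {1: 0x140000000 | PRESENT},  # page table -> physical page
}

if __name__ == "__main__":
    print(split_pae_address(0x80201234))
    print(hex(translate(TABLES, CR3, 0x80201234)))
```

The linear address stays 32 bits wide; only the physical address produced by the walk exceeds 4 GB, which is why the per-process address space does not grow with PAE.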

If you add more memory, the BIOS may recognize the full amount of physical RAM that is installed on the server. However, Windows will recognize only some of the RAM. If the server includes the Redundant Memory feature, the full amount of RAM is not exposed to Windows. The Redundant Memory feature provides the system with a fail-over memory bank when a memory bank fails. The Memory Mirroring feature splits the memory banks into a mirrored set. Both features are enabled in the BIOS and cannot be accessed through Windows. You may have to see the system user manual or the manufacturer's Web site to modify the settings for this feature.

For example, if you are running a system that has 4 GB of RAM installed, and you add 4 GB of RAM, Windows recognizes 4 GB or 6 GB of RAM instead of the full 8 GB of physical memory. One of these features may be enabled on the new memory banks without your knowledge. In this scenario, the symptoms are similar to the symptoms that may occur when the /PAE switch is not added to the Boot.ini file.

Tuesday, February 5, 2008

A couple of common schema-related issues with Active Directory and their solutions

Unable to modify or extend the schema.

Cause: The schema operations master is not available. The domain controller that currently holds the schema master role is offline or network connectivity between you and the schema master is inoperable.

Solution: Restore the availability of the schema master by fixing the network connectivity problem or by transferring or seizing the schema master role.

===========================================

Unable to add attributes to a class.

Cause: The attributes cannot be associated with a class because the schema cache has not been updated.

Solution: Ensure that the schema cache is updated after an attribute is added before attempting to add the attribute to a class.

=============================================

Unable to connect to a domain controller running Windows 2000 from the Active Directory Schema snap-in.

Cause: You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

Trust Relationship Between Workstation and Domain Fails

Solution:

Log on locally as a local administrator. In the Network tool of Control Panel, select Change and enter a Workgroup name, leaving the domain. Restart the computer and log on locally as a local administrator.

There are two methods to rejoin the domain:
You can join the domain from the client if at the same time you can provide an administrator username and password on the domain.

-or-
You can delete the existing computer account in Server Manager, recreate the computer account, synchronize the domain, and then on the client rejoin the domain.

Friday, January 11, 2008

How to restrict access to the registry from a remote computer

Restricting Network Access to the Registry

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Note In Windows 2000 and later, only Administrators and Backup Operators have default network access to the registry. This section may not apply in certain instances. To restrict network access to the registry, follow the steps listed below to create the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name: Description
Type: REG_SZ
Value: Registry Server
The Security permissions set on this key define what Users or Groups can connect to the system for remote Registry access. The default Windows installation defines this key and sets the Access Control List to restrict remote registry access as follows:
Administrators have Full Control
The default configuration for Windows permits only Administrators remote access to the Registry. Changes to this key to allow users remote registry access require a system reboot to take effect.

To create the registry key to restrict access to the registry:
1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the Edit menu, click Add Key.
3. Enter the following values:
   Key Name: SecurePipeServers
   Class: REG_SZ
4. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values:
   Key Name: winreg
   Class: REG_SZ
7. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values:
   Value Name: Description
   Data Type: REG_SZ
   String: Registry Server
10. Go to the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select "winreg". Click Security and then click Permissions. Add users or groups to which you want to grant access.
12. Exit Registry Editor and restart Windows.
13. If you want to change the list of users that can access the registry at a later stage, repeat steps 10-12.


Bypassing the Access Restriction

Some services need remote access to the registry to function correctly. For example, the Directory Replicator service and the Spooler service when connecting to a printer over the network require access to the remote registry.

You can either add the account name that the service is running under to the access list of the "winreg" key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
   System\CurrentControlSet\Control\ProductOptions
   System\CurrentControlSet\Control\Print\Printers
   System\CurrentControlSet\Services\Eventlog
   Software\Microsoft\Windows NT\CurrentVersion
   System\CurrentControlSet\Services\Replicator
Valid Range: A valid path to a location in the registry.
Description: Allow machines access to listed locations in the registry provided that no explicit access restrictions exist for that location.

Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (None)
Valid Range: A valid path to a location in the registry.
Description: Allow Users access to listed locations in the registry provided that no explicit access restrictions exist for that location.

Changed slightly in Windows 2000 and later:

Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
   System\CurrentControlSet\Control\ProductOptions
   System\CurrentControlSet\Control\Print\Printers
   system\CurrentControlSet\control\Server Applications
   System\CurrentControlSet\Services\Eventlog
   Software\Microsoft\Windows NT\CurrentVersion

Value: Users - Does not exist by default.
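Because every path listed under AllowedPaths bypasses the winreg access list, it is worth comparing a host's values with the defaults listed above. The following Python sketch is an added example, not part of the Microsoft article; the function names and the sample data (including the ExampleVendor path) are constructed, and read_allowed_paths relies on Python's standard-library winreg module, which exists only on Windows.

```python
WINREG_ALLOWED = (
    r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths"
)

# Defaults for Windows 2000 and later, copied from the list above.
DEFAULT_MACHINE_PATHS = [
    r"System\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Print\Printers",
    r"system\CurrentControlSet\control\Server Applications",
    r"System\CurrentControlSet\Services\Eventlog",
    r"Software\Microsoft\Windows NT\CurrentVersion",
]

# Constructed sample: one default removed, one non-default path added.
SAMPLE_MACHINE = [
    r"SYSTEM\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Print\Printers",
    r"System\CurrentControlSet\Control\Server Applications",
    r"Software\Microsoft\Windows NT\CurrentVersion",
    r"Software\ExampleVendor\Agent",
]


def _norm(path):
    # Registry paths are not case-sensitive; ignore stray backslashes too.
    return path.strip().strip("\\").casefold()


def read_allowed_paths(value_name="Machine"):
    """Read the live REG_MULTI_SZ value (Windows only); [] if it is absent."""
    import winreg  # imported here so the audit logic also loads elsewhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINREG_ALLOWED) as key:
            data, _kind = winreg.QueryValueEx(key, value_name)
    except FileNotFoundError:
        return []
    return list(data or [])


def audit_allowed_paths(machine, users=None):
    """Report drift from the documented defaults for Machine and Users."""
    baseline = {_norm(p): p for p in DEFAULT_MACHINE_PATHS}
    seen = {_norm(p): p for p in machine if p.strip()}
    return {
        # Paths reachable remotely that the default configuration does not list.
        "extra_machine": sorted(seen[k] for k in seen.keys() - baseline.keys()),
        # Defaults that were removed (services relying on them may fail).
        "missing_machine": sorted(baseline[k] for k in baseline.keys() - seen.keys()),
        # The Users value does not exist by default, so any entry is a change.
        "users": [p for p in (users or []) if p.strip()],
    }
```

On a Windows host, call audit_allowed_paths(read_allowed_paths("Machine"), read_allowed_paths("Users")) to audit the live configuration.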

Description of the standard terminology that is used to describe Microsoft software updates

Microsoft is adopting the following standard terminology to describe software updates:
Connector

Definition: A connector is a software component that is designed to support connections between software.
Critical Update

Definition: A critical update is a broadly released fix for a specific problem that addresses a critical, non-security-related bug.

Additional Information: Critical updates are available for customers to download and are accompanied by a Microsoft Knowledge Base article.
Development Kit

Definition: A development kit is software that is designed to help developers to write new programs. Development kits typically include a visual builder, an editor, and a compiler.
Driver

Definition: A driver is a software component that is designed to support new hardware.
Feature Pack

Definition: A feature pack is new product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release.
Guidance

Definition: Guidance includes scripts, sample code, and technical documentation that is designed to help deploy and use a product or a technology.
Hotfix

Definition: A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a product and are cumulative at the binary and file level. A hotfix addresses a specific customer situation and may not be distributed outside the customer's organization.

Additional Information: Hotfixes are distributed by Microsoft Product Support Services. Customers may not redistribute hotfixes without written, legal consent from Microsoft.
Security Update

Definition: A security update is a broadly released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated based on their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.

Additional Information: Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article. For more information about the format of Microsoft Knowledge Base articles for Microsoft security updates, click the following article number to view the article in the Microsoft Knowledge Base:
824689 (http://support.microsoft.com/kb/824689/) Description of the format of Microsoft Knowledge Base articles for Microsoft security updates
Service Pack

Definition: A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Service packs may also contain additional fixes for problems that are found internally since the release of the product and a limited number of customer-requested design changes or features.

Additional Information: Microsoft service packs are available for download and are accompanied by Microsoft Knowledge Base articles.
Software Update

Definition: A software update is any update, update rollup, service pack, feature pack, critical update, security update, or hotfix that is used to improve or to fix a software product that is released by Microsoft Corporation.

Additional Information: A Microsoft software update is accompanied by a Microsoft Knowledge Base article.
Tool

Definition: A tool is a utility or a feature that helps to complete a task or a set of tasks.
Update

Definition: An update is a broadly released fix for a specific problem. An update addresses a non-critical, non-security-related bug.

Additional Information: Microsoft updates are available for customers to download and are accompanied by a Microsoft Knowledge Base article.
Update Rollup

Definition: An update rollup is a tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).

Additional Information: Microsoft update rollups are available for customers to download and are accompanied by a Microsoft Knowledge Base article.
Upgrade

Definition: An upgrade is a software package that replaces an installed version of a product with a newer version of the same product. The upgrade process typically leaves existing customer data and preferences intact while replacing the existing software with the newer version.

Saturday, January 5, 2008

How to remove administrative shares in Windows

To remove administrative shares and prevent them from being automatically created in Windows:

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
   Note The registry key AutoShareServer must be set as type REG_DWORD. When this value is set to 0 (zero), Windows does not automatically create administrative shares. Note that this does not apply to the IPC$ share or shares that you create manually.
4. On the Edit menu, click Modify. In the Value data box, type 0, and then click OK.
5. Quit Registry Editor.
6. Stop and then start the Server service. To do so:
   a. Click Start, and then click Run.
   b. In the Open box, type cmd, and then click OK.
   c. At the command prompt, type the following lines. Press ENTER after each line:
      net stop server
      net start server
   d. Type exit to quit Command Prompt.