Take Command of Windows 2000

Using command-line utilities to expand the flexibility of the operating system

BY DEBRA LITTLEJOHN SHINDER, MCSE etc

REPRINTED FROM WWW.CRAMSESSION.COM

 

Anybody out there remember MS-DOS? Those of us who began using PCs back in the “olden days” called it The Dark Place. We lived there, happily processing our words and spreading our sheets and basing our data in a monochromatic, text-only world. Primitive, you say? Just goes to show you’re a computer newbie, who could not possibly appreciate the glories of WordStar because you never had the experience of “automated” document creation using an IBM Mag Card typewriter (if you don’t know, don’t ask. You had to be there).

 

Then sometime in the 80’s, PCs got gooey – er, GUI.  As in Graphical User Interfaces. We were mesmerized by pretty icons and the amazing ability to run two or more programs simultaneously (at least, until they all came crashing down in a heap, which sometimes didn’t happen for several hours after startup). We started cutting and pasting and dragging and dropping like crazy. We decorated our desktops with colorful wallpapers and multitasked to our heart's content. PCs have been getting friendlier and friendlier ever since – to the point where sometimes you just want to slap them in the interface and say "back off."  Those multi-tabbed, button festooned, drop-down box encumbered dialog boxes (see the figure below) that keep popping up, saying "can we talk?" are enough to drive anyone back, screaming, to the Dark Place.

 

Figure caption: Confusing as a Florida election ballot? Okay, maybe it's not really quite this bad, but …

 

Luckily, Windows 2000 feels your pain.  Microsoft has included, in their new operating system, a variety of command line utilities that let you bypass the GUI and get down to business. In this article, we will examine some new command line tools that were not included in Windows NT 4.0.

Command Presence

 

There are literally hundreds of command line utilities that can be used with Windows 2000. These include standard TCP/IP tools such as ping, ipconfig, and tracert. You are probably familiar with their functions if you've worked with Windows NT and other implementations of TCP/IP (indeed, some of these can also be found in non-Microsoft operating systems, while others carry similar but different names, such as ifconfig in UNIX/Linux).

 

Of more interest are the new command line tools that are available in Windows 2000. Many of these are new to the o/s because they are used with its most prominent new feature: the Active Directory.  Let's look at a few of the command line support tools that can be used to configure and manage the directory services in Windows 2000.  First, we'll examine some utilities that are useful in migrating a network from Windows NT to Windows 2000, or in other situations where you need to restructure domains.

 

Migration Tools

 

Switching your domain-based network from NT to Windows 2000 is more involved than just upgrading the operating systems on your machines. There are some important differences between the Windows 2000 domain structure and the NT models:

 

 

The result of these differences is that the domain structure (or "layout") that was appropriate for your NT network may not be what you would want after upgrading to Windows 2000. There is no longer a need to create additional domains just for administrative purposes, or because the number of security objects has grown large. Many of the Windows 2000 migration tools (available on the Win2K Server compact disk in the \Support\Tools folder or in the Win2K resource kit) are used for restructuring domains before or after the upgrade.

MoveTree

 

MoveTree.exe is a command line migration tool that allows you to move directory objects from one Windows 2000 domain to another, within a forest. You can use MoveTree to relocate user and computer accounts, groups, and even organizational units.

When you move security principals with MoveTree, the SIDHistory attributes of the users or groups you move are automatically updated. This means you won't have to reconfigure permissions on the objects after the move; they will still be able to access the same resources they could access before.

You can move an entire sub-tree of objects with the MoveTree command.

 

NetDOM

 

NetDom.exe allows you to manage domains and trusts from the command line; this includes both NT and Windows 2000 domains. Computer accounts can be added to domains and trusts can be established and managed. NetDom can be used to create explicit trust relationships between NT domains and Windows 2000 domains. You can modify certain trust relationships, changing them from non-transitive to transitive using NetDom.

 

An especially useful function of NetDom is the ability to provide a report of all trust relationships between domains. This gives you the ability to document your domain structure.

 

SIDWalker

 

SIDWalker is a useful command line utility that gives you the ability to set ACLs (access control lists) on "orphaned" objects, or those that have been moved or deleted. With SIDWalker, you can discover what groups are associated with specific shared network resources. The command for using the SIDWalker tool is sidwalk.exe.

 

Other Migration Tools

 

The Win2K Resource Kit also includes gpolmig.exe, a command line utility used to migrate NT 4.0 system policies to Windows 2000 group policy objects.

 

Active Directory Management Tools

 

In addition to the migration tools, Windows 2000 includes command line utilities for managing various aspects of Active Directory.

 

Ntdsutil

 

The ntdsutil.exe command gives administrators a way to perform many Active Directory management tasks from the command line. Following are some of the tasks you can perform with ntdsutil:

 

- You can manage domains and security accounts
- You can configure LDAP policies
- You can manage the operations master roles (schema master, domain naming master, RID master, infrastructure master and PDC emulator)
- You can manage Active Directory files (the ntds.dit database file and log files): repair, compact, or move the directory database
- You can perform an authoritative restore of the domain controller's system state data

 

Ntdsutil commands can be automated with batch files or scripts.

 

Other Active Directory Tools

 

DomMap allows you to verify the relationships between sites and domains, and the replication topology. Dsacls.exe provides a way to view or change the access control lists of objects in the Active Directory. Repadmin.exe lets you check the status of Active Directory replication, verify replication consistency between replication partners, and force replication of the Active Directory database. With acldiag.exe, you can find out whether a user account was granted or denied access to a specified object in the Active Directory, or reset the ACL to its default status.

 

More and More Tools Galore

 

There are many additional command line tools in Windows 2000, far too many to list in this article. For example, the Windows 2000 implementation adds new TCP/IP utilities such as pathping, which combines the functionalities of ping and tracert. The Windows 2000 Recovery Console is a command-line interface that can be used to troubleshoot and repair the operating system when Windows 2000 won't start.

 

Many of the command line tools can be used only if you are logged in as an administrator. Because it is a better security practice for network administrators to log in with regular user accounts for performing routine daily work, Windows 2000 provides a way to run programs with the administrative credentials, without having to log off and log back on under the admin account name. This feature is called secondary logon, more commonly referred to as the runas command.

 

Running As

 

The runas feature can be invoked in the graphical interface, by right-clicking on a program icon in Windows Explorer while holding down the Shift key. This adds the "Run as…" selection to the context menu.

 

Runas can also be used at the command line. The syntax is:

runas /user:<accountname> <program>

Figure caption: Running programs with admin credentials when logged on as a "mere" user

 

You will be prompted to enter the password for the user account with which you wish to run the program.

 

Note that the user account name must be in the format username@domainname or domainname\username.
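The two ideas above (automating ntdsutil from a batch file, and using runas to run an administrative tool from a regular user logon) can be combined in one script. The following is an added example, not code from the article or from Microsoft; DOMAIN\AdminAcct and DC1 are placeholders, and it assumes ntdsutil accepts its menu commands as command-line arguments, which is what batch automation of it relies on. Save it as, for example, fsmo-report.cmd and run it while logged on as an ordinary user.

```batch
@echo off
REM Added example (not from the article or Microsoft): produce a report of
REM the operations master roles under administrative credentials via runas
REM (secondary logon) while logged on with a regular user account.
REM Placeholders to change: DOMAIN\AdminAcct and DC1.
REM Assumption: ntdsutil accepts its menu commands as command-line
REM arguments, which is what batch automation of it relies on.
setlocal
set ADMINACCT=DOMAIN\AdminAcct
set DC=DC1
set REPORT=%SystemDrive%\fsmo-report.txt

if "%1"=="/asadmin" goto report

REM First pass, running as the ordinary user: relaunch this same script
REM through runas. runas prompts for the password itself, so no credential
REM is ever stored in the script or passed on the command line.
REM cmd /k keeps the new window open so the report can be read.
runas /user:%ADMINACCT% "cmd /k \"%~f0\" /asadmin"
goto end

:report
REM Second pass, now running under the admin account.
echo Operations master roles reported by %DC% on %DATE% %TIME% > "%REPORT%"
REM Each quoted argument is one ntdsutil menu command; each "quit" leaves
REM the current menu, so the final three back out of the tool entirely.
ntdsutil roles connections "connect to server %DC%" quit "select operation target" "list roles for connected server" quit quit quit >> "%REPORT%"
type "%REPORT%"

:end
endlocal
```

The report file lists which domain controller holds each of the five roles named in the ntdsutil section, which is the kind of record you want on hand before restructuring or migrating domains.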

 

Summing Up

 

This article has touched upon only a few of the many command line utilities available in Windows 2000. We hope it has sparked your interest in returning, at least temporarily, to the "Dark Place." Once you experience the speed, simplicity, and power that some of these command interface tools have to offer, you may just find yourself spending a lot of time there.

 

For more info on Windows 2000 command line tools, see the Win2K Help Files, TechNet, and the Windows 2000 Server Resource Kit.

DEBRA LITTLEJOHN SHINDER is an instructor in the Eastfield College MCSE training program, a columnist for Swynk and Brainbuzz, and – together with her husband, Dr. Thomas Shinder – editor and author of eleven books on Windows 2000. She just completed a book on general networking for Cisco Press, to be released in the first quarter of 2001, and she and Tom have authored numerous MCSE certification courses for DigitalThink, a major online training company. She is not afraid of the dark place.