Kapothi Tech Blog

Windows 2003

When you run Dcpromo.exe to create a replica domain controller, you receive the “Failed to modify the necessary properties for the machine account. Access is denied” error message

by neyomax on Oct.15, 2009, under Windows 2003

http://support.microsoft.com/kb/232070

SYMPTOMS


When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe:

Error message 1

Failed to modify the necessary properties for the machine account. Access is denied.

Error message 2

Error – The Active Directory Installation Wizard was unable to convert the computer account <Computer Name>$ to a domain controller account. (5)

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.

CAUSE


This problem can occur if the account that is used for the promotion operation has not been assigned the “Delegation Privilege” right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the “Delegation Privilege” right.

RESOLUTION


To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:

  1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
  2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
  3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
  4. Apply the policy using one of the following methods:
  • If it is a Windows 2000 domain controller, open a command prompt, and then type:

secedit /refreshpolicy machine_policy /enforce

  • If it is a Windows Server 2003 or a Windows Server 2008 domain controller, open a command prompt, and type:

gpupdate /force

  5. Force replication from the domain controller on which the policy was changed to the other domain controllers in the domain by using repadmin, replmon, or Active Directory Sites and Services.

To apply the updated policy, restart the server that you want to promote to a domain controller.
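The following is an added example, not part of the KB article or this post: a small Python parser for the [Privilege Rights] section of a security template such as the GptTmpl.inf that stores the Default Domain Controllers Policy in SYSVOL. It confirms that the promoting account, or a group it belongs to, has been granted SeEnableDelegationPrivilege, the constant behind the “Enable computer and user accounts to be trusted for delegation” right, before Dcpromo is run again. The template text and SIDs are constructed, and the file location in the comments is the assumed default path.

```python
# Added example (not from the KB article): parse the [Privilege Rights] section of a
# security template and check whether the promoting account holds
# SeEnableDelegationPrivilege, the constant behind the "Enable computer and user
# accounts to be trusted for delegation" user right.

# Constructed sample of a GptTmpl.inf. On a real domain controller the Default Domain
# Controllers Policy template lives at (assumed default location):
#   \\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
#   MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf   (UTF-16 text)
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
"""

DELEGATION_RIGHT = "SeEnableDelegationPrivilege"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def parse_privilege_rights(text):
    """Return {privilege: [principal]} for the [Privilege Rights] section.

    Principals are comma-separated; SIDs carry a leading '*', account names do not.
    Other sections ([Unicode], [Version], [Registry Values], ...) are skipped.
    """
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def has_delegation_right(text, token_sids):
    """True if any SID the promoting account carries in its token (its own SID plus
    its group SIDs) is granted SeEnableDelegationPrivilege by the template."""
    granted = set(parse_privilege_rights(text).get(DELEGATION_RIGHT, []))
    return any(sid in granted for sid in token_sids)


def load_gpttmpl(path):
    """Read a real GptTmpl.inf; secedit writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed SIDs: a domain user with Domain Users only, then the same token
    # with BUILTIN\Administrators added (what membership in Administrators gives it).
    user_only = ["S-1-5-21-1004336348-1177238915-682003330-1105",
                 "S-1-5-21-1004336348-1177238915-682003330-513"]
    print(has_delegation_right(SAMPLE_GPTTMPL, user_only))                             # False
    print(has_delegation_right(SAMPLE_GPTTMPL, user_only + [BUILTIN_ADMINISTRATORS]))  # True
```

On a live domain controller, feed load_gpttmpl() the SYSVOL copy of the template and pass the SIDs from the promoting account's token (whoami /groups lists them). A False result before replication has caught up is exactly the latency case the CAUSE section describes.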


Export Members List from Active Directory

by Kapuwa on Sep.11, 2009, under Windows 2003, Windows 2008

Open a command prompt and enter

net group YourGroupName /domain >c:\memberslist.txt

(Do NOT replace /domain with your domain name.)

Download this script file to export all AD users' group information:

Export AD users group full list

After running it, check the file “groupdump.txt”.


Find All Locked Out Accounts

by Kapuwa on Jul.08, 2009, under Windows 2003

Use Saved Queries to quickly locate all locked out user accounts.

You can use the Saved Queries feature of Windows Server 2003 to query Active Directory for any locked-out accounts. Just open the Active Directory Users and Computers console, right-click on Saved Queries in the console tree and select New –> Query. Type a name and description for the query, specify a query root (where in your namespace your query begins searching), and click the Define Query button. Since there’s no default option for finding locked-out accounts in the Common Queries box, select Custom Search instead to open the Find Custom Search box. Then select the Advanced tab and enter the following LDAP string in the Enter LDAP Query textbox:


(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))


Click OK twice to create and run the saved query.


The string works on Windows Server 2003 SP1.


Update: Here’s another LDAP query that finds all locked out accounts:

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
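As an added illustration that is not part of the original post, the Python below models both filters against constructed user records and adds the check that neither filter expresses: Active Directory does not clear lockoutTime when the lockout duration elapses, it resets it on the user's next successful logon, so both queries also return accounts whose lockout expired long ago. The OID 1.2.840.113556.1.4.804 in the first query is the LDAP_MATCHING_RULE_BIT_OR rule; with the mask 4294967295 it matches any value whose low 32 bits are non-zero, which is effectively every non-zero lockoutTime. Dates, the lockout duration and the user records are constructed.

```python
# Added example (not part of the original post): evaluate the two LDAP filters above
# against constructed user records, then apply the lockoutDuration check that the
# filters lack. Constants and sample data are constructed for illustration.
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt):
    """Convert an aware datetime (whole seconds) to a Windows FILETIME, the
    representation AD uses for lockoutTime."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def matches_bit_or_filter(lockout_time):
    """Model of (lockoutTime:1.2.840.113556.1.4.804:=4294967295).
    1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR: the filter is true when
    any bit of the mask 0xFFFFFFFF is set in the attribute, i.e. whenever the low
    32 bits of the 64-bit lockoutTime are non-zero."""
    return (lockout_time & 0xFFFFFFFF) != 0


def matches_ge_filter(lockout_time):
    """Model of (lockoutTime>=1): any non-zero lockoutTime."""
    return lockout_time >= 1


def is_currently_locked(lockout_time, lockout_duration_minutes, now):
    """What the filters cannot express: AD does not clear lockoutTime when the
    lockout duration elapses (it is reset on the next successful logon), so an
    account is only locked while lockoutTime + lockoutDuration is in the future.
    A duration of 0 models the policy 'locked until an administrator unlocks'."""
    if lockout_time == 0:
        return False
    if lockout_duration_minutes == 0:
        return True
    unlock_at = lockout_time + lockout_duration_minutes * 60 * TICKS_PER_SECOND
    return unlock_at > to_filetime(now)


# Constructed sample directory data
NOW = datetime(2009, 7, 8, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION_MINUTES = 30
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "lockoutTime": 0},                                        # never locked
    {"sAMAccountName": "bob",   "lockoutTime": to_filetime(NOW - timedelta(minutes=5))},  # locked 5 min ago
    {"sAMAccountName": "carol", "lockoutTime": to_filetime(NOW - timedelta(days=2))},     # stale: expired long ago
]


def classify(users, now=NOW, duration=LOCKOUT_DURATION_MINUTES):
    """{name: (hit by bit-OR filter, hit by >=1 filter, actually locked now)}."""
    return {
        u["sAMAccountName"]: (
            matches_bit_or_filter(u["lockoutTime"]),
            matches_ge_filter(u["lockoutTime"]),
            is_currently_locked(u["lockoutTime"], duration, now),
        )
        for u in users
    }


def currently_locked(users, now=NOW, duration=LOCKOUT_DURATION_MINUTES):
    """Names of accounts whose lockout has not yet expired."""
    return [u["sAMAccountName"] for u in users
            if is_currently_locked(u["lockoutTime"], duration, now)]


if __name__ == "__main__":
    for name, (bit_or, ge, locked) in classify(SAMPLE_USERS).items():
        print(f"{name:6} bitOR={bit_or!s:5} ge1={ge!s:5} lockedNow={locked}")
```

Both filters return bob and carol, but only bob is still locked under a 30-minute lockout duration. Comparing lockoutTime with the domain's lockoutDuration, or reading the constructed msDS-User-Account-Control-Computed attribute on Windows Server 2003, gives the real current state; the saved query is a good first pass, but confirm each hit before unlocking or alerting on it.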

To copy the IAS configuration to another server

by Kapuwa on Jul.04, 2009, under Windows 2003

  1. Open Command Prompt.
  2. At the command prompt, type netsh aaaa show config >path\file.txt.
     This stores configuration settings (including registry settings) in a text file. The path can be relative or absolute, or it can be a UNC path.
  3. Copy the file you created to the destination computer.
  4. At a command prompt on the destination computer, type netsh exec path\file.txt.
     A message appears indicating whether the update was successful.


Error message when you create the trusted side of a trust between Windows Server 2003-based domains: "The parameter is incorrect"

by Kapuwa on Jul.04, 2009, under Windows 2003

http://support.microsoft.com/kb/930218

If the names of two domains collide, you can rename one of the domains. If the SIDs of the domains are duplicates, you have to remove one of the domains. Typically, this situation occurs when one of the following scenarios exists:

  • One domain was cloned from the other domain.
  • Before a computer became the first domain controller in either of the two domains, the computer was cloned without using the SYSPREP tool.

Alternatively, you can migrate one of the domains to a new domain. However, you cannot migrate a domain to a new SID by using the sIDHistory property. Even if you successfully create a trust after you migrate one of the domain SIDs, you still have duplicate SIDs in user access tokens. Then, users who have duplicate SIDs can access resources that they should be unable to access.
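Added example, not from the KB article: Python that decodes binary objectSid values so that the domain SIDs of two domains can be compared before a trust is attempted, and that shows why sIDHistory does not help. A migrated user's token keeps the old domain's SIDs, and when the old domain was a clone those are the very SIDs the surviving domain issues to its own accounts. The SID layout follows the published binary format; all domain names and SID values below are constructed.

```python
# Added example (not from the KB article): decode objectSid / sIDHistory values and
# check for the two conditions the article describes, a domain SID shared by two
# domains and sIDHistory entries that still collide after a migration. All SIDs
# and domain names below are constructed.
import struct


def sid_to_string(blob):
    """Decode a binary SID into S-R-A-... form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def sid_to_bytes(sid):
    """Inverse of sid_to_string; used here to build the constructed sample values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an SDDL SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def domain_part(account_sid):
    """An account or group SID is <domain SID>-<RID>; drop the RID."""
    return account_sid.rsplit("-", 1)[0]


def duplicate_domain_sids(domains):
    """domains: {DNS name: binary objectSid of the domain object}.
    Returns {domain SID: [names]} for each SID held by more than one domain; a
    non-empty result is the condition under which trust creation fails."""
    by_sid = {}
    for name, blob in domains.items():
        by_sid.setdefault(sid_to_string(blob), []).append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def sid_history_collisions(users, surviving_domain_sid):
    """sIDHistory entries issued under a SID equal to the surviving domain's.
    They go into the migrated user's token and match real accounts in the
    surviving domain that have the same RID, which is why sIDHistory cannot
    repair a duplicate-SID domain."""
    hits = []
    for user in users:
        for blob in user["sIDHistory"]:
            sid = sid_to_string(blob)
            if domain_part(sid) == surviving_domain_sid:
                hits.append((user["sAMAccountName"], sid))
    return hits


# Constructed sample data
CORP_SID = "S-1-5-21-1004336348-1177238915-682003330"   # surviving domain
CLONE_SID = CORP_SID                                    # domain cloned from corp: same SID
LAB_SID = "S-1-5-21-3623811015-3361044348-30300820"     # unrelated domain
NEW_SID = "S-1-5-21-2127521184-1604012920-1887927527"   # target of the migration
DOMAINS = {
    "corp.example": sid_to_bytes(CORP_SID),
    "clone.example": sid_to_bytes(CLONE_SID),
    "lab.example": sid_to_bytes(LAB_SID),
}
# A user migrated from clone.example to new.example with sIDHistory preserved
MIGRATED_USERS = [
    {"sAMAccountName": "jdoe",
     "objectSid": sid_to_bytes(NEW_SID + "-1105"),
     "sIDHistory": [sid_to_bytes(CLONE_SID + "-1105")]},
]


if __name__ == "__main__":
    print(duplicate_domain_sids(DOMAINS))
    print(sid_history_collisions(MIGRATED_USERS, CORP_SID))
```

Run against real data, duplicate_domain_sids() takes the objectSid of each domain's domain object and tells you before the trust wizard does; sid_history_collisions() explains the second paragraph above: jdoe's sIDHistory entry is indistinguishable from corp.example's own account with RID 1105.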

