Archive for the ‘Windows 2003’ Category

When you run Dcpromo.exe to create a replica domain controller, you receive the “Failed to modify the necessary properties for the machine account. Access is denied” error message

http://support.microsoft.com/kb/232070 SYMPTOMS When you run Dcpromo.exe to create a replica domain controller, you receive one… When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe: Error message 1 Failed to modify the necessary properties for the machine account. Access is denied. Error message 2 Error […]

Export Members List from Active Directory

Open a command prompt and enter net group YourGroupName /domain >c:\memberslist.txt (Do NOT replace /domain with your domain name.) Download This Script File to export All AD users Group info Export AD users group full list After run check the file “groupdump.txt”

Find All Locked Out Accounts

Use Saved Queries to quickly locate all locked out user accounts. You can use the Saved Queries feature of Windows Server 2003 to query Active Directory for any locked-out accounts. Just open the Active Directory Users and Computers console, right-click on Saved Queries in the console tree and select New –> Query. Type a name […]

To copy the IAS configuration to another server

To copy the IAS configuration to another server Open Command Prompt. At the command prompt, type netsh aaaa show config >path\file.txt. This stores configuration settings (including registry settings) in a text file. The path can be relative or absolute, or it can be a UNC path. Copy the file you created to the destination computer. […]

Error message when you create the trusted side of a trust between Windows Server 2003-based domains: "The parameter is incorrect"

http://support.microsoft.com/kb/930218 If the names of two domains collide, you can rename one of the domains. If the SIDs of the domains are duplicate, you have to remove one of the domains. Typically, this situation occurs when one of the following scenarios exists: One domain was cloned from the other domain. Before a computer became the […]

How to view and transfer FSMO roles in Windows Server 2003

This article describes how to transfer Flexible Single Master Operations (FSMO) roles (also known as operations master roles) by using the Active Directory snap-in tools in Microsoft Management Console (MMC) in Windows Server 2003.
Back to the top
FSMO Roles
In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in
If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.
Back to the top
Transfer the Schema Master Role
Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll
Click Start, and then click Run.
Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
Click Start, click Run, type mmc in the Open box, and then click OK.
On the File, menu click Add/Remove Snap-in.
Click Add.
Click Active Directory Schema, click Add, click Close, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Operations Master.
Click Change.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the Domain Naming Master Role
Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
Do one of the following:
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
Click Change.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
Do one of the following:
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
Click OK to confirm that you want to transfer the role, and then click Close.

How to remove data in Active Directory after an unsuccessful domain controller demotion

http://support.microsoft.com/kb/216498

DHCP server default permission settings in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip “Local service” Full, Read (add this permission) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE “NT Service\BFE” Full, Read (add this permission)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS “NT Service\Trustedinstaller” Full, Read (add this permission) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc “NT Service\NlaSvc” Full, Read (add this permission) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch “NT Service\MpsSvc” Query, Set Value (add this permission) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy “NT Service\MpsSvc” Full, Read (add this permission) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy “NT Service\MpsSvc” Full, Read (add this […]