Blog - Title

May, 2010

  • New Directory Services KB Articles/Blogs 5/2-5/8



    Microsoft Advisory Services Engagement Scenario - Internet Explorer 7 and 8 Group Policy Deployment


    TCP connections fail intermittently when both endpoints are on the same computer in Windows Server 2003 SP2


    How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0


    IPv6 transition technologies, such as ISATAP, 6to4 and Teredo do not work on a computer that is running Windows Server 2008 R2 Server Core


    Friday Mail Sack – Tweener Clipart Comics Edition

    Why do I get ACCESS DENIED when running commands on a remote PS runspace?

    DsRemoveDsDomainW error 0x2015 (The directory service can perform the requested operation only on a leaf object.)

    NTLM V1… no, excuse me… NTLM V2… oh, no, you were right… it’s V1…

    Component Service MMC hangs if a remote computer is offline

    Windows 2008 R2 Recycle Bin support for FIM

    Group Policy Setting of the Week 24 – Remove Properties from the Computer icon context menu

    Update: Extend your Corporate Active Directory Boundary to your Blackberry!

    Available now: Active Directory Federation Services 2.0

    How to use Group Policy to configure home page – Part 3

    Windows Azure Platform. Inside the Cloud. Microsoft's Cloud World Explained Part 2.

    Linux Integration Services v2.1 Release Candidate Now Available

    ADSIEdit does not show all attributes!?

    Using BitLocker to Encrypt Removable Media (Part 3)

    New Networking-related KB articles for the week of April 25 – May 1

    Active Directory Mergers, Acquisitions, and Divestitures

    Server Core: Best Practice for Applications on Windows Server

    AD FS 2.0 Step-by-Step & How-To Guides

  • Friday Mail Sack – It’s About To Get Real Edition

    Hello Terra, it’s Ned here again. Before I get rolling, a big announcement:

    On May 16th all the MSDN and TechNet blogs are being migrated to a new platform. This will get us back in line with modern blogging software, and include new features, better search, more user customization, and generally remove a lot of suck. Because AskDS is a very popular blog (thanks to you), we rated extra sandbox testing and migration support, and we believe things are going to go smoothly. The migration will be running for a week (although many sites will be done before then) and during this time commenting will be turned off; just email us through our contact form if you need to chat. You can read more about the new features and track progress on the migration here.

    On to this week’s most interesting questions.


    What happened to the GPMC scripts in Windows 7 and Win2008 R2?


    Those went buh-bye when Vista came out. They can be downloaded from here if you like and I’ll wager they’ll work fine on 7, but the future of scripting GP is in PowerShell. Recommended reading:


    KB832017 (Services Overview and Network Port Requirements...) lists port 5722/TCP as being used for DFSR -- but only on Server 2008 or Server 2008 R2 DCs.  What exactly happens over 5722/TCP?  KB832017 is practically the only time I've ever seen that port mentioned.


    There’s no special reasoning here, it’s a bug. :-) In a simple check to determine if a computer was a member client or member server, we forgot that it might also be a domain controller. So the code ends up specifying a port that was supposed to be reserved for some client code. Amazingly, no Premier contract customer has ever opened a DCR with us asking to have it fixed. I keep waiting…

    Nothing else weird happens here, and it will look just like normal DFSR RPC communication in all other respects – because it is normal. :)


    You can still change the port with DFSRDIAG STATICRPC <options> if you need to traverse a firewall or something. You are not stuck with this.


    I am missing tabs in Active Directory Users and Computers (DSA.MSC) when using the Windows 7 RSAT tools. I found some of your old Vista content about this, but you later said most of this has been fixed. Whiskey Tango Hotel?


    As is often the case with RSAT (a tool designed by committee due to all the various development groups, servicing rules, and other necessities of this suite), there are a series of steps here to make this work. I’ll go through this systematically:

    After installing RSAT on a domain-joined Windows 7 client, you add the Role Administration Tools for "AD DS Snap-ins and Command-line Tools":


    You then start DSA.MSC and examine the properties of a user. You notice that some or all of the following tabs are missing:

    Published Certificates
    Password Replication
    Attribute Editor
    Remote Control
    Remote Desktop Services Profile
    Personal Virtual Desktop
    UNIX Attributes

    1. Enable "Advanced Features" via the View menu. This will show at least the following new tabs:

    Published Certificates
    Password Replication
    Attribute Editor


    2. If still not seeing tabs:

    Remote Control
    Personal Virtual Desktop
    Remote Desktop Services Profile

    Add the following RSAT feature: "Remote Desktop Services Tools". Then restart DSA.MSC and if Advanced View is on, these tabs will appear.


    3. If still not seeing tab:

    UNIX Attributes

    Add the following RSAT feature: "Server for NIS Tools". Then restart DSA.MSC and if Advanced View is on, this tab will appear.


    4. The "Dial-In" tab will always be missing, as its libraries are not included in RSAT due to a design decision by the networking Product Group. If you need this one added, open a Premier contract support case and file a DCR. We’ve had a number of customers complain about this, but none of them bothered to actually file a design change request so my sympathy wanes. Until they do, there is no possibility of this being changed.


    What tools will synchronize passwords from AD to ADAM or ADLDS?


    MIIS/IIFP (now Forefront Identity Manager 2010) can do that. We don't have any in-box tools or options for this. [Thanks to our resident ADAM expert Jody Lockridge for this answer. He’s forgotten more about ADAM than I’ll ever know - Ned]


    I am trying to script changing user home folders to match the users’ logon ID’s. I’ve tried this:

    dsquery.exe user OU=AD_ABC,DC=domain,DC=local | dsmod.exe user -hmdir \\servername\%username%

    But this only places the currently logged on username in all users profile. How can I make this work?


    DSMOD.EXE includes a special token you can use called $username$. It automatically uses the SAM account name passed in from DSQUERY commands and works with the -hmdir, -email, -webpg, and -profile arguments.

    So if I do this to locate all my users and update their home directory:


    I get this:
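The same fix, plus a repair for the damage the first attempt already did, as an added example written for this post (it is not Ned's code). It uses the AD PowerShell module from the Windows 7 RSAT tools instead of DSMOD, and the file server name and the account name that %username% expanded to are placeholders:

```powershell
# Added example (not from the original post). Assumes the RSAT AD PowerShell module.
# The question's command expanded %username% to the *admin's* logon name, so every
# user in the OU now has the same wrong home folder. This finds those accounts and
# rewrites each one to \\server\<its own SamAccountName>, which is what the DSMOD
# token form does:  dsquery user OU=AD_ABC,DC=domain,DC=local | dsmod user -hmdir \\servername\$username$
Import-Module ActiveDirectory

$SearchBase = 'OU=AD_ABC,DC=domain,DC=local'   # OU from the question
$FileServer = 'servername'                     # placeholder file server
$WrongName  = 'adminwhoranit'                  # placeholder: the name %username% expanded to
$WrongPath  = "\\$FileServer\$WrongName"

# Backslashes are special in LDAP filters (RFC 4515), so escape them as \5c before
# searching on homeDirectory; without this the filter silently matches nothing.
$escaped = $WrongPath -replace '\\', '\5c'

$damaged = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=user)(homeDirectory=$escaped))" `
    -Properties homeDirectory

"{0} account(s) currently point at {1}" -f $damaged.Count, $WrongPath

foreach ($user in $damaged) {
    # The admin's own account legitimately has this value; leave it alone.
    if ($user.SamAccountName -eq $WrongName) { continue }

    $correct = "\\$FileServer\$($user.SamAccountName)"
    # -WhatIf shows each change without writing it; remove it once the list looks right.
    Set-ADUser -Identity $user -HomeDirectory $correct -WhatIf
}
```

Users that were never touched by the first run keep whatever home folder they had, because only accounts matching the wrong path are selected.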



    When will the Windows Server 2008 Resource Kit utilities and tools be released?


    Never. If it didn’t happen 3 years ago, it’s not going to happen now. The books do include helpful scripts and such, but the days of providing unsupported out of band reskit binaries are behind us - and it’s for the best. If you want to buy the 2008 books, here’s the place:

    2008 Resource Kit -
    2008 GP Resource Kit -


    Something something something Auditing something something something.


    While I find Windows security auditing quite interesting and periodically write about it, if you want retroactive answers to every common audit question you need to visit Eric Fitzgerald’s blog "Windows Security Logging and Other Esoterica”. Eric was once the PM of Windows Security auditing and helped design the new audit system in Vista/2008, then he moved on to helping design the Audit Collection Service, and gosh knows what he does now – he’d probably have to kill me after he told me. A million years ago, Eric was also a Support Engineer in my organization, so he knows your pain better than most Windows developers. Many questions I get asked about auditing have already been answered on his blog so give it a look before searching the rest of the Internet. Eric is also a funny, decent guy and a good writer – pick any blog post and you will learn something. I wish he wrote more often.


    Finally, we had a nice visit this week from Tim Springston – yes, that Tim Springston. Tim’s been working on a new system designed to make it easier for you to open support cases and have them route correctly, so he bored us to tears and demo’ed all that to us. Make sure you stop by his blog and check it out.

    Until next time.

    Ned “fingers crossed on the blog migration” Pyle

  • Validating your AD Schema Prior to Upgrade (a Followup)

    Hi folks, Ned here for a quickie. Back in April I posted a short mail sack piece about Schema updating best practices. Something I couldn't talk about that the time is now public:

    Testing for Active Directory Schema Extension Conflicts

    This article walks through using some simple techniques and a script to validate that an application's schema update is not going to cause issues. Nearly all AD Schema issues are caused by incorrect changes made by third parties - this article will help you prevent those issues.

    Ned "shee-maa" Pyle

  • Migrated Users Get Prompted To Change Password at First Logon Even After Migrating Their Password with the PES

    Hello all, Jason (J4) here again. I recently experienced an issue with ADMT and the Password Export Service (PES) tool that I wanted to quickly bring to everyone’s attention. The new revision of the ‘ADMT v3.2 Migration Guide’ will include an update to the documentation, but I wanted to post here as well, since it is also relevant to ADMT versions 3.0 and 3.1 - which won’t get updated.

    When one uses ADMT and the PES service to migrate passwords of user accounts, the migrated user accounts get the option “User must change password at next logon” enabled by default. Hence, when the user logs onto the new target domain they are required to change their migrated password at first logon.

    After some investigating and discussion with ADMT Program Managers and Developers, this is by-design behavior to prevent what is considered a security risk. ADMT and the PES service have no way of determining whether the user's migrated password is compatible with the target domain's password policy; specifically the more sensitive password complexity settings.

    Here are a few options for preserving the passwords that end users were using in the source domain, which is usually the whole point of using the PES service to migrate passwords in the first place:

    1.) The obvious – manually toggle the “User must change password…” check box in the user account’s properties within the ‘Active Directory Users and Computers’ snap-in, before the end user logs into the target domain for the very first time. As represented here with the screen shot, this can also be done by multi-selecting the migrated accounts, checking the far-left checkbox and removing the check for “User must change password at next logon”:


    2.) Use the free, excellent, and unsupported ADModify.NET tool:

    3.) Create a VBScript that toggles the pwdLastSet attribute of the migrated user accounts from the default of ‘0’ to ‘-1’. There are a number of samples here:

    4.) Scripting option with DSQUERY and DSMOD USER commands:

    DSQuery user "ou=foo,dc=contoso,dc=com" -scope subtree -limit 0 | DSMod User -mustchpwd no

    5.) And finally, AD PowerShell in Windows 2008 R2/Windows7 RSAT tools:

    Get-ADUser -Filter {pwdLastSet -eq 0} -SearchBase "dc=contoso,dc=com" -SearchScope Subtree | Set-ADUser -ChangePasswordAtLogon $false
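A more careful version of option 5, as an added example written for this post (it is not Jason's or the ADMT team's code). It shows the target policy the PES could not check against, limits the change to accounts that actually came through ADMT, and previews before writing. It assumes the RSAT AD module, that SID history was migrated (so sIDHistory is populated on the migrated accounts), and a placeholder target OU:

```powershell
# Added example (not from the original post). Assumes the RSAT AD PowerShell module
# and that ADMT populated sIDHistory on the migrated accounts. The OU is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Migrated,DC=contoso,DC=com'   # placeholder

# The flag is set because the PES cannot test the source password against these
# settings. Review them before deciding to keep the old passwords.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# pwdLastSet = 0 is what "User must change password at next logon" looks like in LDAP.
# Adding (sIDHistory=*) narrows the set to accounts that came through ADMT, so a
# freshly created account in the same OU that is *meant* to change its password is untouched.
$migrated = Get-ADUser -SearchBase $TargetOU -SearchScope Subtree `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(sIDHistory=*))' `
    -Properties pwdLastSet, sIDHistory, whenCreated

# Preview the list before changing anything.
$migrated |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'SourceSID'; e = { $_.sIDHistory -join ';' } } |
    Format-Table -AutoSize

# Clear the flag. Set-ADUser writes pwdLastSet = -1, the same thing the VBScript
# option does. Run with -WhatIf first; drop it to apply.
$migrated | Set-ADUser -ChangePasswordAtLogon $false -WhatIf

# If the decision is reversed later, the same list can be flagged again:
# $migrated | Set-ADUser -ChangePasswordAtLogon $true
```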


    -Jason (J4) Fournerat

  • Friday Mail Sack – Tweener Clipart Comics Edition

    Hey folks, Ned here again. For those keeping score, you’ve probably noticed the full-on original article content has been a bit thin in the past few weeks. We have some stuff in the draft pipeline so hang in there. In the meantime, here’s a week's worth of... stuff.

    I like to move it, move it.


    I am confused on what DFS features are different between Standard Edition and Enterprise Edition versions of Windows Server. This includes DFSN and DFSR.


    There are only two* differences:

    DFS Replication – Enterprise edition gives you the ability to use cross-file RDC. Cross-file RDC is a way to replicate files by using a heuristic to find similar data in existing files on a downstream server and use that to construct the file locally, without the need to request the whole new file over the network from an upstream partner.

    DFS Namespace – A Standard Edition server can host only one root standalone namespace. It can, however, host multiple domain-based namespaces if running Win2003 SP2 or later. Nice bullet points here.

    * There was a third difference prior to Windows Server 2003 SP2 and in Windows 2000 SP4 – those Standard Edition servers can only run one DFS root namespace, no matter if domain-based or standalone. Since 2000 is nearly dead and you are not supported running Win2003 non-SP2, don’t worry about it further.


    Can I use the miguser.xml and migapp.xml from USMT 3.01 to migrate data using USMT 4.0?


    Yes, but with plenty of caveats. You would not have any errors or anything; the schema and migxml library are compatible. But you are going to miss out on plenty of new features:

    • New applications that were added will not migrate
    • New types of helper functions will not work
    • Updated migration features will not work
    • If you use an old config.xml it will be missing settings.

    Plus if you are using miguser.xml, you are not using the new migdocs.xml, which is vastly improved in most scenarios for what it gathers and for performance. It’s a much better idea to use the new XML files and simply recreate any customizations that you had done in 3.01 – if you still need them, that is. A lot of 3.01 customizations may be duplication of effort in 4.0.

    You can steer a car with your feet, but that doesn’t make it a good idea.


    Are there any free tools out there for reporting on AD? Stuff like number of objects, installed OS’s, functional levels, disabled user accounts, locked out users, domains, trusts, groups, etc. The gestalt of AD, basically.


    You can pay for these sorts of tools, of course (rhymes with zest!). If you dig around the intarwebs you will also find some free options. You could of course script any of this you want with AD PowerShell – that’s why we wrote it. One fellow on my team recommends this nice free UNSUPPORTED project that lives on CodePlex called “Active Directory reporting”. It’s a way to use SQL Reporting Server to analyze AD. Feel free to pipe up in the comments with others you like.


    Does USMT migrate file information like security & attributes? The “metadata” aspects of NTFS.


    USMT preserves the security (DACL/SACL) as well as file attributes like hidden, read-only, the creation date, and so on. Whatever you set on the source files ends up on the migrated copies.

    Note that if you are using the /NOCOMPRESS option to a non-hard-link store, these permissions and attributes will not be set on that copy of the file. That extra data is stored in the migration catalog. So don’t use the data in an uncompressed store to see if this is working, it is not accurate. When restored, everything will get fixed up by USMT based on the catalog.

    Don’t confuse all this with EFS though – that requires use of the /EFS switch to handle.


    When I deploy new AD forests, should I continue to use an empty root domain?


    We stopped arbitrarily recommending empty forest roots a while back – but instead of saying that we just stopped talking about them. Documentation through omission! But if you read between the lines you’ll see that we don’t think they are a great idea anymore. Brian Puhl, the world’s oldest AD admin wishes they had never deployed an empty root in 1999. Mark Parris and Instan both provide a good comprehensive list of reasons not to use an empty root.

    For me, the biggest reason is that it’s a lot more complex without providing a lot more value. Fine-Grained Password Policy takes care of differing security needs since Win2008. The domain does not provide enough admin separation to be considered a full security barricade, but merely a boundary of functionality – meaning you are now maintaining multiple copies of group policy, multiple SYSVOLs, etc. All with more fragility. Better to have a single domain and arrange your business via OUs, if possible.

    PS: I mean that Brian runs the world’s oldest AD, not that he is old. Well, not that old.


    Is there a command-line way to create DFS links (i.e. “folders”)? I need to make a few hundred.


    In 2008/2008R2 & Vista/7 RSAT:

    dfsutil.exe link add

    In 2003/XP Support Tools:

    dfscmd.exe /map


    Finally – the clock is ticking down on Windows 2000 end of life – now just 7 weeks to go. If you have not begun planning your upgrade, migration, or removal of Windows 2000 in your environment, you are officially behind the eight ball. Soon you will be running an OS that does not get security updates. Then it will be immediately owned by some new malware that your AV vendor fails to catch.

    Then your boss will be all like


    and you will be all like


    and your users will be all like


    and your week will be all like


    and your company’s bottom line will be all like


    and you don’t want that. So get to our Windows 2000 portal and make your move to a supported operating system before it’s too late: Windows 2000 End-of-Support Solution Center. Also, Windows Server 2003 enters extended support the same day, so don’t bother asking for bug fixes after that. Get on Win2008/R2 and we’ll be all ears…

    Until next time,

    - Ned “like” Pyle

  • New Directory Services KB Articles 4/25-5/1



    You cannot generate FSRM reports in Windows Server 2008 if the policy for the United States FIPS compliant algorithms is enabled


    A Windows Server 2003-based terminal server stops responding after many users log on to it and log off from it


    A client cannot automatically join a domain that contains RODCs when a Windows Server 2008-based WDS server is used


    An update is available for Best Practices Analyzer for the File Services role in x64 editions of Windows Server 2008 R2


    Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2


    Description of an update for Remote Desktop Services BPA


    The April 2010 stability and reliability update for Windows 7 and Windows Server 2008 R2 is available


    You cannot access the shared files or folders that are hosted on a Windows Server 2008-based or Vista-based computer if the path contains a junction point


    Network connectivity for a Windows Server 2003-based Hyper-V virtual machine is lost temporarily in Windows Server 2008 R2


    Recommended hotfixes and updates for Windows Server 2008 R2-based server clusters


    An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or Windows Server 2008 R2


    Files do not go into the Recycle Bin when you delete more than 1000 files at the same time in Windows 7 or in Windows Server 2008 R2


    You cannot run a task that is associated with a business rule of Authorization Manager in Windows Server 2008


    Reliability Monitor displays no information in Windows Server 2008 and in Windows Server 2008 R2


    "SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7


    The Licensing Diagnosis tool returns a value of “0” for the number of RDS CALs that are available in Windows Server 2008 R2


    The Windows Remote Management service stops responding in Windows 7 or in Windows Server 2008 R2


    The "Invoke-WmiMethod" cmdlet dispatches incorrect results on a computer that is running Windows 7 or Windows Server 2008 R2


    RemoteApp applications are displayed as black windows when you restart the applications in a Remote desktop connection in Windows Server 2008 R2


    "A referral was returned from the server" error message when you use the IADsUser::ChangePassword method in Windows Server 2003 SP2


    Some IPsec packets are dropped unexpectedly on a computer that is running Windows Server 2008 or Windows Vista


    Win2008 R2 BPA Updates Released for April 2010 wave

    Friday Mail Sack – Cup Runneth Over Edition

    Inspecting AD replication facilities with LDAP searches

    Quick-Find, what domain-joined VMs you have?

    Volume Activation Management Tool 2.0 released

    Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

    How to mitigate the SharePoint XSS security issue with Group Policy – KB983438

    Key considerations for Hyper-V virtual machine deployments

    New Networking-related KB articles for the week of April 18 – April 24

    Network Monitor 3.4 Beta Released on Connect!

    Group Policy Hotfix Round Up – 22/4/2010 to 28/4/2010

    KB274274 Focus: The Cross-Forest program deployment problem using Group Policy

    Keep an eye on the Windows Server Information Experience Networking Team’s blog!

    Microsoft's new directory-federation services finally ready to roll

    How Microsoft Secures the Cloud Infrastructure

    Active Directory Domain Services Command Fu, Part 6

    Scripts to make your life easier

    64-bit Version of Acctinfo2.dll

    Active Directory Domain Services Command Fu, Part 5

    The Case of the Printing Failure

    Say goodbye to Windows logon scripts with Group Policy preferences

    Group Policy Setting of the Week 23 – Outlook 2003 RPC Encryption