• How to Create an MS-DOS bootable USB flash drive

    An MS-DOS bootable USB flash drive is still useful today. It can be used to access a system that has no OS installed, and it is most often used to flash a BIOS or other firmware from DOS.

    There is an existing guide on sevenforums.com that gives step-by-step instructions for creating an MS-DOS bootable flash drive with the HP USB Disk Storage Format Tool:

    http://www.sevenforums.com/tutorials/46707-ms-dos-bootable-flash-drive-create.html

    However, this method does not work for all USB flash drives.

    For example, it does not work for my Kingston 4.0 GB USB flash drive.

    Here is another workaround:

    Step 1: Download the Rufus utility (Rufus v1.1.7 without FreeDOS support, 154 KB) from:

    https://github.com/pbatard/rufus/downloads

    Step 2: Download the win98_bootdisk.iso image from allbootdisks.com:

    http://www.allbootdisks.com/download/iso.html

    Step 3: Run rufus_v1.1.7.exe.

    Step 4: Click the disk icon to the right of "Create a bootable disk using:" and select the win98_bootdisk.iso you downloaded in step 2.

    Step 5: Click Start. Once it finishes, you can copy your BIOS upgrade files to the USB flash drive and run the executables from DOS.

  • Windows 2003: Scheduled Task fails to start randomly

    Issue: A Scheduled Task fails to start randomly.

    Cause: A domain policy defines the “Log on as a batch job” user right; this setting overwrites the right granted to local accounts.

    Repro steps:

    1. Create a Scheduled Task using the local administrator account and password.

    2. Test-run the task.

    3. Define “Log on as a batch job” at the domain level.

    4. Run gpupdate /force on the Server 2003 machine.

    5. Once the domain policy has been applied, try to run the task; it fails.

           It fails with “could not start”.

    Workaround:

    ·         Include the default administrator account in the “Log on as a batch job” policy.

     

     

    Reference:

     

    http://technet.microsoft.com/en-us/library/cc755659(v=ws.10).aspx

     

    Log on as a batch job

    In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and Windows Server 2003, the Task Scheduler automatically grants this right as necessary. The Task Scheduler injects this right for the user into the computer's effective policy immediately after the task is scheduled. If there is a contradictory group policy defining the Logon as a batch job user right, the effective policy settings will be overwritten by the group policy only upon policy refresh.
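    The quoted behaviour means the right Task Scheduler injected locally can silently disappear at the next policy refresh. The script below is an added example (not part of the original post) that reads the effective SeBatchLogonRight assignment with secedit.exe and reports whether the task's run-as account is still listed. It assumes an elevated PowerShell 2.0 or later session; the account name passed in is a placeholder.

```powershell
# Added example (not from the original post): audit the effective
# "Log on as a batch job" (SeBatchLogonRight) assignment on this machine
# and report whether a given account is covered. Assumes PowerShell 2.0+
# in an elevated session; secedit.exe is built into Windows.

function Get-BatchLogonRight {
    param(
        # Account the task runs as, e.g. 'MACHINE\Administrator' (placeholder value)
        [Parameter(Mandatory = $true)][string]$Account
    )

    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # Export only the user-rights area of the effective local security policy.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -Force
    if (-not $line) { return @{ Principals = @(); Granted = $false } }

    # The value is a comma-separated list of *SID entries (occasionally names).
    $names = foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }   # unresolvable SID (e.g. deleted account): keep it raw
        } else { $entry }
    }

    # Resolve the requested account to a SID so that name variants compare correctly.
    $target = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $granted = $false
    foreach ($n in $names) {
        try {
            $s = (New-Object System.Security.Principal.NTAccount($n)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($s -eq $target) { $granted = $true }
        } catch { }
    }
    return @{ Principals = $names; Granted = $granted }
}

# Usage: compare the exported list against the task's run-as account.
$r = Get-BatchLogonRight -Account "$env:COMPUTERNAME\Administrator"
"Accounts with SeBatchLogonRight: $($r.Principals -join ', ')"
"Task account granted directly: $($r.Granted)"
```

    If the account is absent right after a gpupdate, a domain GPO is replacing the locally injected right; gpresult /r shows which GPO wins. The check matches principals directly, so a right granted through group membership (for example via BUILTIN\Administrators) shows up as a group name in the list rather than as Granted = True for the member account.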

     

  • Domain Controller Certificate Enroll/Renew Behavior on Server 2008 DCs and Server 2003 DCs

    Environment and problem description
    ============
    CA: Server 2008 SP1 Standard OS with an Enterprise Root CA installed
    DC: Server 2008 SP1 DCs and a Server 2003 SP2 DC
    The Server 2008 DCs' own certificates (issued from the Domain Controller template) expired and were not automatically renewed, but the Server 2003 DC renews its own certificate.

    Root cause
    ============
    1. Auto-Enrollment is enabled in the environment through GPO.
    2. The environment's Enterprise CA runs on Server 2008 Standard OS, which does not support Auto-Enrollment of V2 certificate templates.

    Resolution
    ============

    Option 1

    Migrate the Enterprise CA to Server 2008 Enterprise OS or to any edition of Server 2008 R2,
    so that the Auto-Enrollment mechanism takes effect (the recommended approach).

    Option 2

    Disable the Auto-Enrollment setting in the GPO (since the current environment cannot auto-enroll V2 certificate templates, this setting has no effect at present anyway).

     

    Detailed analysis
    ============

    By default, with no configuration at all, as long as an Enterprise CA is installed in the environment (on any SKU),

    a DC automatically requests a certificate from the Enterprise CA using the [Domain Controller] template through its built-in default settings (this is a V1 certificate template; see the reference material below for what V1 and V2 templates are).

    This mechanism works through Automatic Certificate Request Settings (ACRS), not the Auto-Enrollment we usually refer to today
    (ACRS is the Windows 2000-era way of deploying certificates).

    Auto-Enrollment is a technology introduced with Server 2003, and using certificate Auto-Enrollment requires the following:

    Excerpt: http://technet.microsoft.com/en-us/library/cc783873(v=ws.10)
    Windows Server 2003 schema and Group Policy updates
    Windows 2000 Server domain controllers running Service Pack 3 or later
    Windows XP Professional or Windows Server 2003 clients
    Windows Server 2003, Enterprise Edition or Datacenter Edition running as an Enterprise CA

    Once those requirements are met, we can enable Auto-Enrollment through GPO so that clients automatically request certificates based on V2 certificate templates.

    When the Auto-Enrollment setting is enabled, a DC behaves differently when obtaining its own certificate depending on its OS version.

      

    Server 2003 DC behavior
    ==============

    1. After Auto-Enrollment is enabled, at boot or when the GPO is applied, the system requests or renews certificates for the following V2 templates:

        a. Domain Controller Authentication

        b. Directory Mail Replication

        c. Kerberos Authentication (only present when the Enterprise CA is installed on Server 2008 or later)

    2. If this succeeds, the process is complete.

    3. If the request or renewal cannot be performed for some reason (for example, the Enterprise CA is installed on Server 2008 Standard OS, or permissions are insufficient), the next step is taken.

    4. The DC falls back to the built-in default mechanism and requests or renews a certificate from the Enterprise CA using the V1 Domain Controller template.

    PS: The original V1 Domain Controller template was split into the two V2 templates a and b above in Server 2003,
    and Server 2008 added the Kerberos Authentication V2 template.

     

    Server 2008 DC behavior
    ==============

    1. After Auto-Enrollment is enabled, at boot or when the GPO is applied, the system requests or renews certificates for the following V2 templates:

        a. Domain Controller Authentication

        b. Directory Mail Replication

        c. Kerberos Authentication (only present when the Enterprise CA is installed on Server 2008 or later)

    2. If this succeeds, the process is complete.

    3. If the request or renewal cannot be performed for some reason (for example, the Enterprise CA is installed on Server 2008 Standard OS, permissions are insufficient, or other causes),
    no further action is taken (unlike Server 2003, it does not fall back to requesting or renewing from the CA with the V1 Domain Controller template).

    This explains why only the remote-site Server 2003 DC was unaffected while all the Server 2008 DCs have this problem.
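    The difference between the two DC generations only becomes visible when the certificates themselves are inspected. The script below is an added example (not part of the original post) that lists the certificates in a DC's machine store together with the template they came from, distinguishing V1 templates (which carry the "Certificate Template Name" extension, OID 1.3.6.1.4.1.311.20.2) from V2 and later templates (which carry the "Certificate Template Information" extension, OID 1.3.6.1.4.1.311.21.7), and flags expired or soon-to-expire ones. It assumes PowerShell 2.0 or later on the DC being checked; the warning threshold is an assumed default.

```powershell
# Added example (not from the original post): inventory template-issued
# certificates in the local machine store and flag expiry. Assumes PowerShell 2.0+
# run on the DC itself. Template extension OIDs are the documented Microsoft values.

function Get-DcTemplateCertificate {
    param([int]$WarnDays = 30)   # assumed default for the "expiring soon" window

    $v1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (V1 templates)
    $v2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (V2/V3 templates)

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $template = $null
        $version  = $null
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq $v1Oid) {
                # V1 extension holds the template's internal name, e.g. DomainController
                $template = $ext.Format($false).Trim()
                $version  = 'V1'
            } elseif ($ext.Oid.Value -eq $v2Oid) {
                # Formatted text looks like "Template=<name or OID>(...), Major Version Number=..., ..."
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { $template = $Matches[1].Trim() } else { $template = $text }
                $version  = 'V2+'
            }
        }
        if (-not $template) { continue }   # not issued from a template; skip

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
        else { $status = 'OK' }

        New-Object PSObject -Property @{
            Subject  = $cert.Subject
            Template = $template
            Version  = $version
            NotAfter = $cert.NotAfter
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Usage: sort by remaining lifetime so expired DC certificates surface first.
Get-DcTemplateCertificate | Sort-Object DaysLeft |
    Format-Table Subject, Template, Version, NotAfter, Status -AutoSize
```

    A Server 2003 DC that fell back to ACRS shows a V1 DomainController entry with a fresh NotAfter date, whereas an affected Server 2008 DC shows only expired V2 entries. After fixing the CA, certutil -pulse triggers an autoenrollment pass immediately instead of waiting for the next boot or policy refresh, and re-running the inventory confirms that new certificates were issued.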

     

    Related reference material
    ==============

    What are V1, V2 and V3 certificate templates?
    In the Certificate Templates management console, the Minimum Supported CAs column shows one of three values:
    Windows 2000 -> V1 certificate template (built-in; contents cannot be edited)
    Windows Server 2003 Enterprise -> V2 certificate template (the most common; duplicating a V1 template produces a V2 template whose contents, such as validity period and Auto-Enrollment support, can be modified)
    Windows Server 2008 Enterprise -> V3 certificate template (covers all V2 template features and adds some new ones)

    For details, see:
    Designing and Implementing a PKI: Part III Certificate Templates
    http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx

  • RSM (Removable Storage service) reports an error message


    Problem
    =======
    On Windows Server 2003, backing up data with NTBackup produces an RSM (Removable Storage service) warning in Event Viewer.

     
    Event log
    ================
    Event Type:   Warning
    Event Source: Removable Storage Service
    Event Category:       None
    Event ID:       94
    User:            N/A
    Computer:     AAAAAAAA
    Description:

    RSM database IMPORT failed.  The import files might not exist or there may not be enough disk space.

     

    Solution
    ======
    Modify the following registry value:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NTMS
    Value name: ImportDatabase
    Data type: REG_DWORD
    Value data: 0
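    As an added example (not part of the original post), the same change scripted with a backup of the key taken first and the written value read back; it assumes an elevated PowerShell session on the Server 2003 machine and that the Removable Storage service runs under its service name NtmsSvc.

```powershell
# Added example (not from the original post): apply ImportDatabase=0 for the
# Removable Storage service (NTMS) with a key backup and a read-back check.
# Assumes an elevated PowerShell session on the affected Server 2003 machine.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\NTMS'
$backup  = Join-Path $env:TEMP 'NTMS-backup.reg'

# 1. Back up the key so the change can be reverted with 'reg import'.
Remove-Item $backup -ErrorAction SilentlyContinue
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\NTMS' $backup | Out-Null
if (-not (Test-Path $backup)) { throw 'registry backup failed; not changing anything' }

# 2. Create or overwrite the REG_DWORD value.
Set-ItemProperty -Path $keyPath -Name 'ImportDatabase' -Value 0 -Type DWord

# 3. Verify what was actually written.
$current = (Get-ItemProperty -Path $keyPath -Name 'ImportDatabase').ImportDatabase
if ($current -ne 0) { throw "ImportDatabase is $current, expected 0" }
"ImportDatabase = $current (backup saved to $backup)"

# 4. Restart the service (service name NtmsSvc) so it re-reads the setting.
Restart-Service -Name NtmsSvc -ErrorAction SilentlyContinue
```

    After the restart, check the System log for Event ID 94 from the Removable Storage Service source during the next NTBackup run to confirm the warning no longer appears.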

  • Time synchronization problem for a DC running as a Hyper-V guest machine

    Issue: Time synchronization problem for a DC running as a Hyper-V guest machine.

     

    Log analysis:

    ·         The System event log continuously records Event 24, 29 and 38 errors.

    Resolution:

    ·         Following the method in KB976924, disable the time synchronization feature from the Hyper-V interface.

     

    You receive Windows Time Service event IDs 24, 29, and 38 on a virtualized domain controller that is running on a Windows Server 2008-based host server with Hyper-V

    http://support.microsoft.com/kb/976924/en-us

     

    Disable time synchronization on the host by using Integration Services, and then configure the virtualized domain controller to accept the default Windows Time Service (W32time) domain hierarchy time synchronization. To do this, follow these steps:

    1. Open Hyper-V Manager.
    2. Click Settings.
    3. Click Integration services.
    4. Clear the Time Synchronization option.
    5. Exit Hyper-V Manager.
    6. Restart the server.

    ·         On the other DCs, run the following command to synchronize with the PDC:

    net time /domain:<domain name>

    or

    ·         net time \\<PDC host> /set /y
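    The script below is an added example (not part of the original post or of KB976924) for the guest side of this problem: it reports where W32time is actually taking time from, counts the recent Event 24/29/38 entries, and provides a function that points the service back at the domain hierarchy. It assumes PowerShell 2.0 or later on a Windows Server 2008 or later guest in an elevated session; the registry path of the Hyper-V time provider and the w32tm switches are the documented ones.

```powershell
# Added example (not from the original post): on a virtualized DC, check the
# W32time source, list recent Time-Service events 24/29/38, and switch the
# service back to the domain hierarchy. Assumes PowerShell 2.0+ on Windows
# Server 2008 or later in an elevated session; w32tm.exe is built in.

function Get-TimeSourceReport {
    # Current source as reported by w32tm; on a Hyper-V guest whose Time
    # Synchronization integration service is on, this reads
    # "VM IC Time Synchronization Provider" instead of a DC name.
    $source = (& w32tm.exe /query /source) -join ' '

    # State of the Hyper-V time provider inside the guest (Enabled = 1 means on).
    $vmic = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -ErrorAction SilentlyContinue

    # Recent Time-Service events the post describes (24, 29, 38).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 24, 29, 38
    } -MaxEvents 20 -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Source           = $source
        VmicProviderOn   = (($vmic -ne $null) -and ($vmic.Enabled -eq 1))
        RecentTimeEvents = @($events).Count
    }
}

function Set-DomainHierarchyTimeSync {
    # Use the domain hierarchy (PDC emulator chain) as the time source and resync now.
    & w32tm.exe /config /syncfromflags:DOMHIER /update | Out-Null
    & w32tm.exe /resync /nowait | Out-Null
}

# Usage: inspect first, then remediate once the host-side integration service is off.
$report = Get-TimeSourceReport
$report | Format-List Source, VmicProviderOn, RecentTimeEvents
if ($report.Source -like '*VM IC*') {
    "Guest takes time from the hypervisor: disable Time Synchronization on the host, then run Set-DomainHierarchyTimeSync."
}
```

    Running Get-TimeSourceReport again after the host-side change and Set-DomainHierarchyTimeSync should show a DC name as the source and no new events 24, 29 or 38. On Windows Server 2012 or later hosts (not the 2008 host in this post), the host-side step can also be scripted with Disable-VMIntegrationService -VMName <vm> -Name 'Time Synchronization'.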