Windows Tips & Tricks UPDATE, May 10, 2004 —brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
This Issue Sponsored By
Exchange & Outlook Administrator
Sponsor: Argent Software
Free Download: Monitor Your Entire Infrastructure with ONE Solution
- Q. How can I reset the Directory Service Restore Mode Administrator password?
- Q. How can I avoid errors when I create Active Directory (AD) containers on a server that runs Microsoft Systems Management Server (SMS) 2003 in Advanced Security mode?
- Q. How can I enable the Microsoft Systems Management Server (SMS) 2003 Client Push Installation method? I've created a Client Push Installation account, but Client Push Installation still doesn't work.
- Q. How can I install the Microsoft Exchange Server version of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in?
- Q. Why can I use only the NetBIOS domain name and not the DNS domain name to join a computer to a domain that's been upgraded from Windows NT Server 4.0 to Windows Server 2003 or Windows 2000 Server?
by John Savill, FAQ Editor, firstname.lastname@example.org
This week, I tell you how to reset the Directory Service Restore Mode Administrator password, avoid errors when you create Active Directory (AD) containers on a server that runs Microsoft Systems Management Server (SMS) 2003 in Advanced Security mode, and enable the SMS 2003 Client Push Installation method. I also explain how to install the Microsoft Exchange Server version of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and how to use the DNS domain name to join a computer to a domain that's been upgraded from Windows NT Server 4.0 to Windows Server 2003 or Windows 2000 Server.
Correction: In the FAQ, "How can I create an Active Directory Service (ADS) set?", Windows Tips & Tricks UPDATE, May 3, 2004, "Active Directory Service" should be "Automated Deployment Services."
Sponsor: Exchange & Outlook Administrator
Try a Sample Issue of Exchange & Outlook Administrator!
Q. How can I reset the Directory Service Restore Mode Administrator password?
A. In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local User and Groups snap-in or the command
net user administrator *
to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:
- Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
- Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
- Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server thanos, enter the following argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server thanosTo reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
- You'll be prompted twice to enter the new password. You'll see the following messages:
Please type password for DS Restore Mode Administrator Account: Please confirm new password: Password has been set successfully.
- Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit ntdsutil: quit
Q. How can I avoid errors when I create Active Directory (AD) containers on a server that runs Microsoft Systems Management Server (SMS) 2003 in Advanced Security mode?
A. SMS 2003's Advanced Security Mode removes the requirement for multiple accounts and instead relies on the Local System and Computer accounts for all security-related actions (such as interacting with the file system and updating AD). The Computer account therefore needs permission to parts of the AD directory when AD integration is enabled--specifically the System partition of the domain namespace. To grant this permission, perform the following steps:
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (click Start, Programs, Administrative Tools, Active Directory Users and Computers).
- On the View menu, click Advanced Features.
- Select the System branch from the snap-in window's treeview pane.
- Right-click the system container and select Properties.
- On the Security tab, click Advanced.
- Click Add.
- Click Object Types and ensure that only the Computers check box is selected. Click OK.
- In the "Enter the object name to select" text box, enter the name of the SMS site server. (Alternatively, you can click Advanced, then click Find Now and select the computer.) Click OK.
- The set of permissions is displayed. Ensure that in the "Apply onto:" list box, only "This object and all child objects" is selected.
- Under Permissions, select the "Full Control" check box under the Allow column. Click OK.
- Click OK to close the main System Properties dialog box.
You must also ensure that the computer account of the SMS site server that uses Advanced Security mode is always a member of the local Administrators group. To set the account in the local Administrators group, run the command
net localgroup Administrators <domain name> \<site server computer name>$ /add
(The command is shown on two lines because of space constraints.)
Q. How can I enable the Microsoft Systems Management Server (SMS) 2003 Client Push Installation method? I've created a Client Push Installation account, but Client Push Installation still doesn't work.
A. When you enable the SMS 2003 Client Push Installation method, in addition to setting a Client Push Installation account, you must specify an account for the SMS Software Distribution component, as follows:
- Start the SMS Administrator console (click Start, Programs, Systems Management Server, SMS Administrator Console).
- Expand Site Database, Site Hierarchy, <site name>, Site Settings, Component Configuration.
- Right-click Software Distribution and select Properties.
- On the General tab, under Advanced Client Network Access Account, click Set and select the account to use. Click OK.
- Click OK.
Q. How can I install the Microsoft Exchange Server version of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in?
A. The standard version of the Active Directory Users and Computers snap-in doesn't display all the Exchange property information and actions. To display all the Exchange property information, you need a special version of the snap-in, which Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server supply. You install the Exchange Server version of the Active Directory Users and Computers snap-in as follows:
- First install the Windows Server 2003 or Windows 2000 Server Administration Tools (adminpak.msi).
- Insert the Exchange 2003 or Exchange 2000 CD-ROM.
- Run setup.exe from the CD-ROM's setup\i386 folder.
- At the Welcome screen, click Next.
- From the Action drop-down list, select Custom, and from the Microsoft Exchange System Management Tools drop-down list (and, optionally, the Microsoft Exchange 5.5 Administrator drop-down list), select Install.
- Click Next repeatedly until you reach the final screen, then click Finish.
If you use the Exchange 2003 CD-ROM, you can install the snap-in from the main introduction screen by selecting "Exchange Deployment Tools" from the Deployment section, then selecting "Install Exchange System Management Tools Only."
Q. Why can I use only the NetBIOS domain name and not the DNS domain name to join a computer to a domain that's been upgraded from Windows NT Server 4.0 to Windows Server 2003 or Windows 2000 Server?
A. After you've upgraded an NT-based domain to Active Directory (AD), you should be able to use either the domain's NetBIOS name (e.g., savilltech) or its DNS name (e.g., savilltech.com) to join computers to the domain. If you can join a computer to the domain only by using its NetBIOS name, an incorrect DNS configuration might be the source of the problem. You can check a system's DNS configuration by entering the following lines at the command prompt. (The text that's enclosed in quotes represents messages that are displayed after you type the indicated commands.)
nslookup "Default Server: omega.savilltech.com Address: 10.0.0.1" set type=srv _ldap._tcp.savilltech.com "Server: omega.savilltech.com Address: 10.0.0.1" "_ldap._tcp.savilltech.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = omega.savilltech.com omega.savilltech.com internet address = 10.0.0.1" exit
Instead of _ldap._tcp.savilltech.com, enter _ldap._tcp, followed by your DNS domain name. If the nslookup command finds DNS records, your system's DNS configuration is probably correct. If nslookup finds no DNS records, check your DNS entries and, if they're correct, check the DNS server itself.
If your DNS configuration is in order, your domain controllers (DCs) might have the NT4Emulator registry entry enabled, which means they're emulating NT 4.0 DCs and thus won't respond to AD-style requests. You can test whether NT4Emulator is enabled on your DCs by configuring the neutralize NT4Emulator option on the client you're trying to join to the domain, as follows:
- Start the registry editor (regedit.exe).
- Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetlogonParameters subkey.
- From the Edit menu, select New and click DWORD Value.
- Enter the name NeutralizeNT4Emulator and press Enter.
- Double-click the value and set it to 1. Click OK.
- Close the registry editor.
You don't need to restart the computer or log off; just try again to join the computer to the domain by using the DNS domain name. If the computer joins the domain successfully, you must either disable NT4Emulator on the DCs or configure the NeutralizeNT4Emulator value on all machines on which you want to use the DNS name for the domain.
(from Windows & .NET Magazine and its partners)
Today a small business can be as agile as a large business by understanding which technology can be leveraged to create a centralized server environment. In this free Web seminar, you'll learn about the perils of peer-to-peer file sharing, backup and recovery, migration from desktop to servers, and Small Business Server basics. Register now!
You'll learn how to eliminate the top 5 email security threats including spam and viruses. Plus, get an inside look at how Enterprise Rent-A-Car reduced spam and viruses, improved its email security, and increased productivity. Don't miss your chance to get a free eBook, Web seminar, and white paper. Get your Email Security Toolkit now!
October 24-27, Orlando, Florida. Save these dates for the Fall 2004 Windows & .NET Magazine Connections conference, which will run concurrently with Microsoft Exchange Connections. Register early and receive admission to both conferences for one low price. Learn firsthand from Microsoft product architects and the best third-party experts. Go online or call 800-505-1201 for more information.
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )
Take control of your workday! If you're supporting 24 x 7 operations by working around the clock instead of 9 to 5, learn how you can benefit from a sound service management strategy. In this free Web seminar, you'll learn practical steps for implementing service management for your key Windows systems and applications. Register now!
Comparison Paper: The Argent Guardian Easily Beats Out MOM
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
Here's how to reach us with your comments and questions:
- About the newsletter — email@example.com
- About technical questions — http://www.winnetmag.com/forums
- About product news — firstname.lastname@example.org
- About your subscription — email@example.com
- About sponsoring UPDATE — firstname.lastname@example.org
This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.