Showing posts with label Windows Server 2003. Show all posts

Wednesday, November 10, 2010

Disabling right click - (or the context menu) via Group Policy

To disable the right click, enable the Group Policy setting called "Remove access to context menu".

This option is available for Internet Explorer, Windows Explorer, Start Menu and Taskbar.

If students are allowed to use the right mouse button, they will be able to access other parts of the system that might compromise the school network.

When changing Group Policy settings, ensure you make the changes to the relevant Group Policy Object, such as "Student Security settings".

The settings in Group Policy for "Remove access to context menu" are in:

User Configuration | Administrative Templates | Start Menu and Taskbar

User Configuration | Administrative Templates | Windows Components | Windows Explorer

User Configuration | Administrative Templates | Internet Explorer | Browser Menus

Tuesday, July 27, 2010

Microsoft Office 2010 KMS Licensing

Taken from Microsoft Site:


Brief Description
Volume licensing editions of Microsoft Office 2010 suites and applications, Microsoft Project 2010 and Microsoft Visio 2010 require activation. Key Management Service (KMS) is a local volume activation method. To activate your Office 2010 client installations with KMS, you will need to set up a KMS host. KMS Licensing is recommended if you have 50 or more workstations.


Overview
An Office 2010 KMS host is required if you want to use KMS activation for your volume license editions of Office 2010 suites or applications, Microsoft Project 2010 or Microsoft Visio 2010. When Office 2010 volume edition client products are installed, they will automatically search for a KMS host on your organization’s DNS server for activation. All volume editions of Office 2010 client products are pre-installed with a KMS client key, so you will not need to install a product key.

The download contains an executable file that will extract and install KMS host license files. Run the file on either 32-bit or 64-bit supported Windows operating systems (Windows 7, Windows Server 2003 Service Pack 2, Windows Server 2008 R2). These license files are required for the KMS host service to recognize Office 2010 KMS host keys. It will also prompt you to enter your Office 2010 KMS host key and activate that key. After this is done, you may need to use the slmgr.vbs script to further configure your KMS host.

Microsoft Office KMS clients are only activated once five or more computers with MS Office installed have requested activation from the KMS host. For operating systems (e.g. Windows Vista and Windows 7), activation starts once 25 or more Windows clients have requested activation.


Instructions
Follow these steps to set up a KMS host:


  1. If you are running Windows Server 2003, you will need to perform this extra step. You will need to download and run the files below:
    Windows Server 2003 32-bit 
    Windows Server 2003 64-bit
  2. Download and run the KeyManagementServiceHost.exe file on this page on a supported operating system.
  3. Enter your Office 2010 KMS host key when prompted. 
  4. Click OK to continue with activation. 
  5. Open port 1688 and allow the KMS host service through the firewall.
    On Windows 7 volume editions or Windows Server 2008 R2:
    Open Control Panel and click on the Windows Firewall icon.
    Click on the “Allow a program through Windows Firewall” link.
    Click on the Change Settings button.
    Check the box for Key Management Service. 
  6. Read the documentation to learn more about configuring your KMS host (including activation by telephone) with slmgr.vbs at TechNet.
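A check to run after step 6, added here and not part of the Microsoft text above: it resolves the _vlmcs._tcp SRV record that Office 2010 clients use to find the KMS host in DNS and confirms the host answers on TCP port 1688. It assumes PowerShell 3.0 or later (Resolve-DnsName and Test-NetConnection) and reads the domain from the logon domain environment variable.

```powershell
# Added example: verify KMS host discovery and reachability from a client.
function Test-KmsHostReachability {
    param(
        # DNS domain in which clients search for the KMS host (assumed: the logon domain).
        [string]$Domain = $env:USERDNSDOMAIN,
        # Port the article says to open in the firewall.
        [int]$ExpectedPort = 1688
    )

    # Volume activation clients discover their host through the _vlmcs._tcp SRV record.
    $srvName = "_vlmcs._tcp.$Domain"
    try {
        $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
        return
    }
    if (-not $records) { Write-Warning "No SRV records returned for $srvName"; return }

    foreach ($rec in $records) {
        # Each SRV record names the KMS host and the port it listens on; that port must be
        # reachable from the client network or activation requests never arrive.
        $reachable = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            KmsHost        = $rec.NameTarget
            AdvertisedPort = $rec.Port
            PortAsExpected = ($rec.Port -eq $ExpectedPort)
            TcpReachable   = $reachable
        }
    }
}

Test-KmsHostReachability | Format-Table -AutoSize
```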

Tuesday, May 19, 2009

Installing additional drivers at setup via USB floppy

Installing Windows Server 2003 can fail if the disk controller hardware is relatively new and its drivers are not contained within the Windows Server standard driver set (for example, SATA controllers).

You will need to download the driver from the manufacturer's website and then copy the matching .sys, .cat, .oem and .inf driver files to a floppy disk.

If you are installing to a machine without a floppy disk drive, you will need to use an external USB floppy disk drive.

During the installation, after you have configured the partitions, Setup will request the driver files again. If the driver fails to load at this point, it may be that the driver's .OEM file is not set up to look for the USB floppy drive.

You will need to edit the TXTSETUP.OEM file adding the following information:

[HardwareIds.scsi.MSAS2K3]
...
...
id = "USB\VID_03F0&PID_2001", "usbstor" #--HP
id = "USB\VID_054C&PID_002C", "usbstor" #--Sony
id = "USB\VID_057B&PID_0001", "usbstor" #--Y-E Data
id = "USB\VID_0409&PID_0040", "usbstor" #--NEC
id = "USB\VID_0424&PID_0FDC", "usbstor" #--SMSC
id = "USB\VID_08BD&PID_1100", "usbstor" #--Iomega
id = "USB\VID_055D&PID_2020", "usbstor" #--Samsung
id = "USB\Vid_0930&PID_6540", "usbstor" #--MY USB KEY
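As an added example (not part of the original post), a PowerShell script that inserts the USB floppy hardware IDs listed above into the [HardwareIds.scsi.MSAS2K3] section of TXTSETUP.OEM, skipping any that are already present so it can be re-run safely. The floppy path A:\TXTSETUP.OEM is an assumption, and the author's own "MY USB KEY" entry is left out because it is specific to their device.

```powershell
# Added example: patch the USB floppy hardware ids into a driver's TXTSETUP.OEM.
function Add-UsbFloppyIds {
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # e.g. A:\TXTSETUP.OEM (assumed path)
        [Parameter(Mandatory = $true)][string]$Section,  # section name without brackets
        [string[]]$UsbIds = @(
            'USB\VID_03F0&PID_2001',   # HP
            'USB\VID_054C&PID_002C',   # Sony
            'USB\VID_057B&PID_0001',   # Y-E Data
            'USB\VID_0409&PID_0040',   # NEC
            'USB\VID_0424&PID_0FDC',   # SMSC
            'USB\VID_08BD&PID_1100',   # Iomega
            'USB\VID_055D&PID_2020'    # Samsung
        )
    )

    $lines  = [System.Collections.Generic.List[string]]@(Get-Content -LiteralPath $Path)
    $header = "[$Section]"

    # Locate the section header; section names in TXTSETUP.OEM are not case sensitive.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq $header) { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section $header not found in $Path" }

    # The section runs to the next [Header] line (or end of file); ignore trailing blank lines.
    $end = $start + 1
    while ($end -lt $lines.Count -and -not $lines[$end].Trim().StartsWith('[')) { $end++ }
    while ($end -gt $start + 1 -and $lines[$end - 1].Trim() -eq '') { $end-- }

    # Collect the hardware ids already listed so re-running the script adds nothing twice.
    $existing = @()
    foreach ($line in $lines.GetRange($start + 1, $end - $start - 1)) {
        if ($line -match '^\s*id\s*=\s*"([^"]+)"') { $existing += $matches[1].ToUpperInvariant() }
    }

    $added = 0
    foreach ($id in $UsbIds) {
        if ($existing -notcontains $id.ToUpperInvariant()) {
            # usbstor is the service that handles USB mass-storage devices, USB floppies included.
            $lines.Insert($end, "id = `"$id`", `"usbstor`"")
            $end++
            $added++
        }
    }

    # Keep the file plain ASCII with CRLF line endings, as the original is.
    [System.IO.File]::WriteAllText($Path, ($lines -join "`r`n") + "`r`n", [System.Text.Encoding]::ASCII)
    return $added
}

$n = Add-UsbFloppyIds -Path 'A:\TXTSETUP.OEM' -Section 'HardwareIds.scsi.MSAS2K3'
"Added $n USB floppy hardware id(s)"
```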

Thursday, January 22, 2009

How to view and transfer FSMO roles in Windows Server 2003

This article describes how to transfer Flexible Single Master Operations (FSMO) roles (also known as operations master roles) by using the Active Directory snap-in tools in Microsoft Management Console (MMC) in Windows Server 2003.

FSMO Roles

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

  • Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
  • Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
  • Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
  • Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
  • PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in
  • Active Directory Domains and Trusts snap-in
  • Active Directory Users and Computers snap-in

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.


Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
    -or-
    In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
    -or-
    In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.
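An added example, not from the Microsoft article above, covering the "view" half of the title and the transfer from PowerShell: it lists the five role holders, transfers the chosen roles, and reports which ones actually moved. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, so not the Windows Server 2003 tools described above); DC02 is a placeholder name.

```powershell
# Added example: view and transfer FSMO roles with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles live on the forest object, per-domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory = $true)][string]$TargetDC,
        [Parameter(Mandatory = $true)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role
    )
    $before = Get-FsmoHolders
    # A transfer requires the current holder to be online. Adding -Force would seize the role
    # instead, which is the Ntdsutil "seize" case above and is only for a holder that no longer exists.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
    $after = Get-FsmoHolders
    foreach ($r in $Role) {
        [pscustomobject]@{
            Role   = $r
            Before = $before.$r
            After  = $after.$r
            # Holders are reported as FQDNs; compare the host part only.
            Moved  = (($after.$r -split '\.')[0] -ieq ($TargetDC -split '\.')[0])
        }
    }
}

Get-FsmoHolders
Move-FsmoRoles -TargetDC 'DC02' -Role PDCEmulator, RIDMaster, InfrastructureMaster
```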

Thursday, October 02, 2008

Wireless Vista machines connecting to a Domain

This specific case refers to Microsoft Vista workstations and users connecting to a Windows RADIUS server, though it will be of use to users of other authentication technologies.

The RADIUS server and workstations require a server certificate; this can be generated using SelfSSL, obtained from the IIS Resource Kit.

How To Install:
  1. Download IIS 6.0 Resource Kit Tools (requires Windows Server 2003, Windows XP)
  2. Install the resource kit (If you want hand-holding through these steps, read these instructions with screenshots by Jonathan Maltz)
  3. From the Windows Start Menu, go to the "\Programs\IIS Resources\SelfSSL" folder and select "SelfSSL".
  4. Instructions will be listed in a command prompt. Type "selfssl" to run the program.
  5. Type "y" to confirm overriding/installing the certificate on the given site.
  6. Test that it worked by visiting https://localhost/.

Additional instructions are available from the following blog.

We are going to manage the wireless connection at the workstations via Microsoft Group Policies.

"Wireless and wired clients running Microsoft® Windows Vista™ or Windows Server 2008 and wired clients running Windows XP with Service Pack 3 support enhancements that can be configured through Group Policy settings that are supported by domain controllers running Windows Server® 2008. To support these enhancements for an Active Directory® directory service environment consisting of domain controllers running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended."

Use the following guide to extend the schema:
Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy

Edit the Group Policy using Group Policy Management Console.

  1. Create a Group Policy Object for the computers you want to configure for wireless access (for example, called Wireless workstation settings).
  2. Edit the Group Policy Object.
  3. Expand Computer Configuration, Policies, Windows Settings, Security Settings.
  4. Select Wireless Network (IEEE 802.11) Policies.
  5. Right-click in the right-hand pane and select Create a new Wireless Policy.
  6. Enter an appropriate name and description, and tick Use Windows WLAN AutoConfig service for clients.
  7. Click Add, then select Infrastructure.
  8. In Profile name enter an appropriate name and the correct SSID.
    Tick Connect automatically when this network is in range.
    Tick Connect even if the network is not broadcasting.
  9. Click the Security tab
    In Authentication select WPA-Enterprise
    In Encryption select TKIP
    In Select a network authentication method: select Microsoft: Protected EAP (PEAP)
    Click on Properties:
    Tick on Validate server certificate
    In Trusted Root Certification Authorities - select your certificate. (Ensure it has been installed.)
    In Select Authentication Method: select Secured password (EAP-MSCHAP v2)
    Click Configure - In When connecting ensure Automatically use my Windows logon... is selected. - Click Ok, click OK on Protected EAP Properties.
    In Authentication Mode: select User re-authentication
    Max Authentication Failures: is set to 3.
    Tick Cache user information.
    Click Advanced.
    Ensure Enforce advanced 802.1x settings is not selected.
    Tick enable Single Sign on
    Select Perform immediately before User Logon
    Max delay for connectivity set to 30
    Tick Allow additional dialogs to be displayed. Click Ok, click Ok to close Wireless network properties.
  10. In the Network Permissions tab
  11. Ensure the correct Network Name and network type is set with the permission set to Allow.
  12. Tick the following - Allow user to view denied networks and Allow everyone to create all user profiles. - then click Ok.
  13. Add the Group Policy object to the appropriate workstations.


On the workstation you need to install the certificate into the Trusted Root Certification Authorities store.

On the workstation, load MMC, add the Certificates snap-in, and install the manually created certificate.


Links:
The Cable Guy - Wireless Group Policy Settings for Windows Vista

Thursday, January 24, 2008

Blank page or page cannot be displayed when you view SSL sites through ISA Server

SUMMARY

If Microsoft Internet Explorer is configured to reference a server that is running Microsoft Internet Security and Acceleration (ISA) Server as a Web proxy server, when you try to view a Secure Sockets Layer (SSL) Web site on the Internet by using a port other than 443, a blank page may appear with "Page cannot be displayed" in the title bar. Or, you may receive the following error message:
Page cannot be displayed

For ISA Server 2000

The following Visual Basic Scripting Edition script (VBScript) is an example of how to add ports to the tunnel port range:

set isa=CreateObject("FPC.Root")
set tprange=isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
set tmp=tprange.AddRange("SSL 8443", 8443, 8443)
tprange.Save


Restart the Microsoft ISA Server Control service after you run the script.


For ISA Server 2004

Displaying the Existing Tunnel Port Ranges

The Microsoft Visual Basic® Scripting Edition (VBScript) code in ShowTPRanges.vbs retrieves the collection of tunnel port ranges defined in the containing array, iterates through the collection, and displays the names and port ranges for the tunnel port ranges. This script must be run on an ISA Server 2004 computer with the Microsoft Firewall service installed, but it can be modified to run on a remote management computer.

Usage: CScript ShowTPRanges.vbs

Script Listing: ShowTPRanges.vbs

' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

' This script retrieves the collection of tunnel port ranges defined in the
' containing array, iterates through the collection, and displays the names
' and port ranges for the tunnel port ranges.

Sub ShowTPRanges()

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray ' An FPCArray object
    Dim tpRanges ' An FPCTunnelPortRanges collection
    Dim tpRange ' An FPCTunnelPortRange object

    ' Get references to the array object
    ' and the collection of tunnel port ranges.
    Set isaArray = root.GetContainingArray()
    Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

    ' If at least one tunnel port range is defined in the
    ' collection, display the names and port ranges for all
    ' the tunnel port ranges.
    If tpRanges.Count > 0 Then
        For Each tpRange In tpRanges
            ' The line-continuation character must end the line.
            WScript.Echo tpRange.Name & ": " & tpRange.TunnelLowPort & _
                "-" & tpRange.TunnelHighPort
        Next
    Else
        WScript.Echo "No tunnel port ranges are defined."
    End If
End Sub

ShowTPRanges



Creating a New Tunnel Port Range

The VBScript code in AddTPRange.vbs includes a subprocedure that creates a new tunnel port range containing a single user-specified port to allow clients to send requests, for example, SSL requests, to that port. This script must be run on an ISA Server 2004 computer with the Microsoft Firewall service installed, but it can be modified to run on a remote management computer.

Usage:
[CScript] AddTPRange.vbs RangeName TunnelPort

RangeName specifies the name of the new tunnel port range.
TunnelPort specifies the single port to be included in the new tunnel port range.

Example: CScript AddTPRange.vbs "SSL 8443" 8443

Note that the fResetRequiredServices parameter is set to True to restart the Firewall service.

Script Listing: AddTPRange.vbs

' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

' This script creates a new tunnel port range containing a single user-specified
' port to allow clients to send requests, for example, SSL requests, to that
' port.
' This script can be run from a command prompt by entering the
' following command:
' CScript AddTPRange.vbs RangeName PortNumber

Option Explicit

' Define the constants needed.
Const Error_TypeMismatch = &HD
Const Error_AlreadyExists = &H800700B7
Const Error_OutOfRange = &H80070057

Main(WScript.Arguments)

Sub Main(args)
    If (args.Count <> 2) Then
        Usage()
    Else
        AddTPRange args(0), args(1)
    End If
End Sub

Sub AddTPRange(newRangeName, newTunnelPort)

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray ' An ISA Server array object
    Dim tpRanges ' An FPCTunnelPortRanges collection
    Dim newRange ' An FPCTunnelPortRange object
    Dim port ' An Integer

    ' Get a reference to the array and to
    ' the collection of tunnel port ranges.
    Set isaArray = root.GetContainingArray()
    Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

    ' Create a new tunnel port range.
    On Error Resume Next
    port = CDbl(newTunnelPort)
    If Err.Number = Error_TypeMismatch Then
        WScript.Echo "A number must be entered for the port to be included."
        WScript.Quit
    End If
    Err.Clear
    Set newRange = tpRanges.AddRange(newRangeName, port, port)
    If Err.Number = Error_AlreadyExists Then
        WScript.Echo "A port range with the name specified already exists."
        WScript.Quit
    ElseIf Err.Number = Error_OutOfRange Then
        WScript.Echo "The range of permissible ports is from 1 through 65535."
        WScript.Quit
    End If
    On Error GoTo 0

    ' Save the changes to the collection of tunnel port ranges
    ' with fResetRequiredServices set to True to restart the Firewall service.
    tpRanges.Save True
    WScript.Echo "Done!"
End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & " " & WScript.ScriptName & " RangeName TunnelPort" & VbCrLf _
        & "" & VbCrLf _
        & " RangeName - Name of the tunnel port range to be added" & VbCrLf _
        & " TunnelPort - Port to be included in the new tunnel port range"

    WScript.Quit
End Sub



Deleting a Tunnel Port Range

The VBScript code in DelTPRange.vbs includes a subprocedure that deletes the tunnel port range having the name specified by the user. This script must be run on an ISA Server 2004 computer with the Microsoft Firewall service installed, but it can be modified to run on a remote management computer.

Usage:
[CScript] DelTPRange.vbs RangeName

RangeName specifies the name of the tunnel port range to be deleted.

Example:
CScript DelTPRange.vbs "SSL 8443"
This deletes the tunnel port range named "SSL 8443".

Note that the fResetRequiredServices parameter is set to True to restart the Firewall service.

Script Listing: DelTPRange.vbs

' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

' This script deletes the specified tunnel port range.
' This script can be run from a command prompt by entering the
' following command:
' CScript DelTPRange.vbs RangeName

Option Explicit

' Define the constant needed.
Const Error_FileNotFound = &H80070002

Main(WScript.Arguments)

Sub Main(args)
    If (args.Count <> 1) Then
        Usage()
    Else
        DelTPRange args(0)
    End If
End Sub

Sub DelTPRange(rangeName)

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray ' An ISA Server array object
    Dim tpRanges ' An FPCTunnelPortRanges collection

    ' Get a reference to the array and to
    ' the collection of tunnel port ranges.
    Set isaArray = root.GetContainingArray()
    Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

    ' Delete the specified tunnel port range.
    On Error Resume Next
    tpRanges.Remove(rangeName)
    If Err.Number = Error_FileNotFound Then
        WScript.Echo "The tunnel port range specified could not be found."
        WScript.Quit
    Else
        WScript.Echo "Removing the tunnel port range specified ..."
    End If
    On Error GoTo 0

    ' Save the changes to the collection of tunnel port ranges
    ' with fResetRequiredServices set to True to restart the Firewall service.
    tpRanges.Save True

    WScript.Echo "Done!"
End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & " " & WScript.ScriptName & " RangeName" & VbCrLf _
        & "" & VbCrLf _
        & " RangeName - Name of the tunnel port range to be deleted"
    WScript.Quit
End Sub


Links to detailed information:
http://support.microsoft.com/kb/283284/en-us
http://www.microsoft.com/technet/isa/2004/plan/managingtunnelports.mspx

Monday, January 21, 2008

Help and Support service not running

When I go into Manage Your Server and then click on 'More Tools', it gives me an error message.
It says that Windows cannot open Help and Support because a system service is not running.
It says to fix the problem, start the service named 'Help and Support'. When I go into Services, there is no such service name listed.

Answer:
How to add Help and Support service back into Service Manager

  1. Open a command prompt.
  2. Navigate to %windir%\PCHealth\HelpCtr\Binaries
  3. Run "start /w helpsvc /svchost netsvcs /regserver /install"
  4. Once this command completes the Help and Support service should now appear in services.msc
  5. Start the Help and Support service

Wednesday, December 19, 2007

MMC Snap-in error in SQL 2000

Problem:
I get an error from SQL 2000 Enterprise Manager's MMC Console when I right-click on database properties for any database shown in the Enterprise Manager list, and Enterprise Manager freezes requiring me to close it and re-launch it.

Possible reason:
Only one SQL DMO dll can exist on the server and it has been replaced by the new SQL2005 version.

Solution:
Re-register sqldmo.dll from the SQL Server 2000 directory.

regsvr32 "c:\program files\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"

Thursday, August 30, 2007

AMD PCnet network card drivers for VMware

Additional drivers are required when using Windows Deployment Services to deploy Windows Vista, while using VMware Workstation.

Two locations for AMD PCnet drivers:
  • VMware NIC driver. The easiest way is to start up a VMware session and choose the “Install VMware Tools” option. Don’t worry if you already have them installed—all this does is mount a VMware Tools installation CD (which may autorun to perform an installation, for which you may just press “exit”). In the CD that appears in your VMware session, go to: E:\Program Files\VMware\VMware Tools\Drivers\vmxnet\win2k\ and copy these files to your host system. Now we can use the peimg utility to mount the driver.
  • http://www.amd.com/us-en/ConnectivitySolutions/ProductInformation/0,,50_2330_6629_2452%5E2454%5E2486,00.html
    Use the Windows XP signed driver.

Update the WDS boot image to include the new third-party network driver

To do this, follow these steps:

Note: The following procedure assumes that the Windows Automated Installation Kit (AIK) is installed on the WDS server.

  1. On the WDS server, click Start, click Run, type wdsmgmt.msc, and then click OK.
  2. Under your WDS server, double-click Boot images.
  3. Right-click the boot image that you want, and then click Disable.
  4. Right-click the same boot image, click Properties, and then click General.
  5. Note the name and location of the boot image that is displayed in the File name box.
  6. From the Windows PE Tools Command Prompt, type the following:
    C:\program files\windows aik\tools\petools\copype.cmd x86 e:\windowspe-x86
    Note: Keep this command prompt window open for the next step.
    Imagex /info Drive:\remoteinstall\boot\x86\images\boot.wim
    Notes:
    Drive:\remoteinstall represents the path at which the Remoteinstall folder is installed.
    Boot.wim is the name of the boot image.
  7. Note the boot index number of the bootable image that is displayed. To identify the boot index number, locate the line that contains "boot index: X."

    Note: X is the boot index number. The number indicates that image number X is marked as bootable and that the image is to be updated. The second image is the default image that you would typically modify. However, always verify which image is marked as bootable.
  8. At a command prompt, type the following:
    Imagex /mountrw Drive:\remoteinstall\boot\x86\images\boot.wim 2 mount
    peimg /inf=driver.inf mount\Windows
    imagex /unmount /commit mount

    Notes:
    Drive:\remoteinstall represents the path at which the Remoteinstall folder is installed.
    Driver.inf is the name of the third-party driver.
    The Imagex /mountrw command mounts the specified image, with read/write permissions, to the specified directory.
  9. Enable the boot image on the WDS server. To do this, follow these steps:
  • On the WDS server, click Start, click Run, type wdsmgmt.msc, and then click OK
  • Under WDS server, double-click Boot images.
  • Right-click the boot image that you want, and then click Enable.

    Link: http://support.microsoft.com/kb/923834
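Steps 6 to 8 as one PowerShell script, added here and not taken from the KB article: it reads the bootable image index from imagex /info instead of assuming index 2, injects the driver with peimg, and commits the image only if every step succeeded. The AIK tool paths, the RemoteInstall drive and the driver .inf path are assumptions to adjust for your server.

```powershell
# Added example: inject a third-party NIC driver into the WDS boot image.
$ErrorActionPreference = 'Stop'

# Tool and file locations are assumptions; adjust them to your WDS server.
$imagex    = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe'
$peimg     = 'C:\Program Files\Windows AIK\Tools\PETools\peimg.exe'
$bootWim   = 'D:\RemoteInstall\Boot\x86\Images\boot.wim'   # Drive:\remoteinstall\... in the article
$driverInf = 'C:\Drivers\AMD-PCnet\driver.inf'             # placeholder path to the extracted NIC driver
$mountDir  = 'C:\mount'

function Get-BootImageIndex {
    param([string]$Wim)
    # "imagex /info" prints a "Boot Index: X" line; X is the image marked bootable, which is
    # the one to update rather than assuming index 2.
    $info = & $imagex /info $Wim
    foreach ($line in $info) {
        if ($line -match 'boot index:\s*(\d+)') { return [int]$matches[1] }
    }
    throw "No bootable image found in $Wim"
}

function Add-DriverToBootImage {
    param([string]$Wim, [string]$Inf, [string]$Mount)
    New-Item -ItemType Directory -Path $Mount -Force | Out-Null
    $index = Get-BootImageIndex -Wim $Wim

    # Mount read/write, inject the driver, commit. Any failure after the mount unmounts
    # without /commit so a half-edited boot image is never written back to the WDS share.
    & $imagex /mountrw $Wim $index $Mount
    if ($LASTEXITCODE -ne 0) { throw "imagex /mountrw failed with exit code $LASTEXITCODE" }
    try {
        & $peimg "/inf=$Inf" (Join-Path $Mount 'Windows')
        if ($LASTEXITCODE -ne 0) { throw "peimg failed with exit code $LASTEXITCODE" }
        & $imagex /unmount /commit $Mount
        if ($LASTEXITCODE -ne 0) { throw "imagex /unmount /commit failed with exit code $LASTEXITCODE" }
    } catch {
        & $imagex /unmount $Mount
        throw
    }
    return $index
}

# Disable the boot image in WDS (step 3) before running this, and enable it again (step 9) afterwards.
$index = Add-DriverToBootImage -Wim $bootWim -Inf $driverInf -Mount $mountDir
"Injected $driverInf into image index $index of $bootWim"
```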

Tuesday, August 21, 2007

Dcdiag - checking DNS

Dcdiag.exe is a command-line tool that most administrators know about. It's great for troubleshooting various domain and domain controller (DC) issues, and in Service Pack 1 for Win2003, it has picked up some new capabilities.

Run Dcdiag /TEST:DNS to test the health of AD's DNS infrastructure. By default, this tests basic DNS functionality, forwarders or root hints, delegation, dynamic updates, record registration, external name resolution, and Internet host resolution (it checks for http://www.microsoft.com/ by default). This is a great one-command test to see how your entire DNS infrastructure is working.

A second is Dcdiag /TEST:CheckSecurityError, which looks for basic security problems.
As always, you can run Dcdiag right on a domain controller or from your client workstation (although you'll need to specify a server or naming context so that Dcdiag knows what to test; use the /s: argument to specify a DC server name).

Tool Location
The Dcdiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD. For more information about how to install Windows Support Tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).

To install Windows Support Tools

  1. Insert the Windows CD into your CD-ROM drive.
  2. Click No if you are prompted to reinstall Windows.
  3. When the Welcome screen appears, click Perform additional tasks, and then click Browse this CD.
  4. Go to the \Support\Tools folder.
    For complete setup information, refer to the Readme.htm file available in this folder.
  5. Double-click suptools.msi.
  6. Follow the instructions that appear on your screen.

Wednesday, May 30, 2007

Multiple computer names using one IP Address in DNS

If you have multiple computer names using the same IP address in Windows Server 2003 DNS:

  1. Configure DHCP to do all the DNS registrations for DHCP clients and to remove DNS registrations when the lease expires.
    - Always dynamically update DNS A and PTR records
    - Discard A and PTR records when lease is deleted
  2. Configure DHCP with a dedicated user account with a non-expiring password (Advanced tab of the server property sheet). It can also help to enable Windows 2000 option 002 (Release IP lease on shutdown).
  3. You may have to manually clear the DNS registrations before the DHCP server can update records because the record is owned by the client instead of the DHCP server.

The problem occurs when a dynamic client, such as a laptop, that registers its own record is disconnected from the network without releasing its IP address and therefore does not deregister its record. Since it owns the record, no other computer can update it.

Link: http://support.microsoft.com/default.aspx/kb/816592

Monday, January 22, 2007

Editing Group Policy settings fails

If, when editing Group Policy Object settings, you notice the settings reverting to their previous values, this could be because the policy is set as Read Only.

This can occur when importing Group Policies from a CD-ROM using Group Policy Management Console, because the Group Policy Object held on the CD-ROM is in Read Only format.

How to remove Read Only access to a Group Policy object

  • In Group Policy Management Console, select the Group Policy Object, then on the right-hand pane select the Details tab and make a note of the Unique ID.
  • In Windows Explorer browse to the domain Policies folder (for example, c:\windows\sysvol\sysvol\<FQDN>\Policies)
  • Right Click the Unique ID Folder then select Properties
  • In the Attributes section of the General tab, remove the tick from Read Only, then click Ok
  • Ensure Apply changes to this folder, subfolder and files is selected, then click Ok.

Note: The correct Read Only settings are reapplied.

Tuesday, May 02, 2006

How to reinstall a dynamic DNS Active Directory-integrated zone

SUMMARY
This article describes how to reinstall a dynamic DNS Active Directory-integrated zone.

MORE INFORMATION
Under the following situations you may want to reinstall the dynamic DNS in a Windows 2000 Active Directory:

  • Multiple DNS errors have occurred and troubleshooting methods have been unsuccessful.
  • Services that depend upon DNS, such as the File Replication service (FRS) and/or Active Directory, are failing, and the standard troubleshooting procedures have been unable to locate the exact cause of the problem.
  • DNS had been built as a secondary DNS server, or files copied from a DNS server do not support dynamic updates.
  • To create a better name space design, such as splitting the internal and external name spaces.

You have to remove DNS and the DNS cache. Then, you must rebuild one Active Directory DNS server to set up long term stability.

The following steps can remove the defective information in Active Directory-integrated DNS:

  1. Go to the properties of the DNS zone files and change them to be a "Standard Primary".
  2. In the %Systemroot%\Winnt\System32\DNS folder, delete the text DNS zone files.
  3. Delete the object in Active Directory Users and Computers.
  4. On the View menu, click Advanced Features, expand the System folder, click MicrosoftDNS, and then delete the zone file objects.
  5. For each Active Directory-integrated DNS server, repeat steps 1-3.
  6. In the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of the first Active Directory-integrated DNS server, point it to itself. For any other DNS servers, point all of them to the first DNS server that you bring up.

    NOTE:
    Do not change the properties of any additional Active Directory-integrated DNS servers to point to themselves until you have confirmed that a full and complete zone transfer has occurred from the first Active Directory-integrated DNS server after the rebuild process.
  7. To obtain proper resolution, you must clear the Caching Resolver, which is the DNS client on the DNS server. At the command prompt, type: ipconfig /flushdns.
  8. Stop and restart DNS and the NetLogon service. Then, remove and re-add the DNS service.
    NOTE: You can use the net stop netlogon command and the net start netlogon command for the NetLogon service that registers information in DNS. Also, you can use the net stop dns and net start dns commands (to stop and start the DNS service) if DNS has not been totally removed. Or, you can stop and start the NetLogon service and the DNS service in Control Panel, in Services, or you can restart the computer.

You have completed the process to clear out a DNS server. You must complete the process for any additional DNS servers that you plan to integrate with Active Directory.

The following steps can assist you to build a strong foundation for DNS, Active Directory, and FRS:

  1. Configure all DNS servers to point to the same DNS server in the domain or forest under TCP/IP properties in DNS: Right-click My Network Places, click Local Area Connection, right-click Local Area Connection, click Properties, select the properties of TCP/IP, and then point all DNS servers to the same DNS server. Also, click the Advanced DNS tab, and then confirm that secondary DNS servers are not configured.
  2. Re-add the DNS service, or re-add the zones and configure them to be Active Directory integrated. For troubleshooting purposes, you may want to set "Allow Dynamic Updates?" to Yes. Later, you can change this setting to "Allow Only Secure Updates".
  3. Stop the DNS service and the NetLogon service by using either a command or the Computer Management snap-in.
  4. Run the ipconfig /flushdns command, and then run the ipconfig /registerdns command. This command can help you to register your A resource record for DNS as well as your start of authority (SOA). You may want to run this command on any other servers that are critical to you.

    NOTE: The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. This applies whether or not the computer is a DHCP client. You must have this service set to "start" and the "Start up" type set to "automatic." The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.)
  5. Active Directory-integrated DNS is now working on your first Dynamic DNS server. You must point additional Dynamic DNS servers to the first DNS server under TCP/IP properties. You must confirm that a full and complete replication process has occurred before you change the TCP/IP properties to point to itself for any additional DNS servers.

http://support.microsoft.com/?kbid=294328

Wednesday, March 08, 2006

User Profile Hive Cleanup Service

Brief Description
A service to help with slow log off and unreconciled profile problems.

Overview
The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off. System processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending. This can result in problems when using Roaming User Profiles in a server environment or when using locked profiles as implemented through the Shared Computer Toolkit for Windows XP.

On Windows 2000 you can benefit from this service if the application event log shows event ID 1000 where the message text indicates that the profile is not unloading and that the error is "Access is denied". On Windows XP and Windows Server 2003, event IDs 1517 and 1524 indicate the same profile unload problem.

To accomplish this, the service monitors for logged-off users that still have registry hives loaded. When that happens, the service determines which applications have handles open to the hives and releases them. It logs the application name and which registry keys were left open. After this the system finishes unloading the profile.


http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Monday, February 27, 2006

How to replace single domain controller in domain with a single domain controller?

Question
How to replace single domain controller in domain with a single domain controller?

Answer
The following article describes guidelines for replacing an existing Windows 2003 Domain Controller with a new server.

The article assumes the following prerequisites.

  1. There is no Exchange/SQL server etc. on the current Domain Controller.
  2. There is only one domain, and only one domain controller, functioning as DHCP/WINS/DNS/File Server/Print Server.
  3. The source server is running regular (non-SBS) Windows 2003 Standard or higher.

The following steps need to be taken to replace the existing Domain Controller.

  1. Install Windows 2003 Standard or higher on a new server.
    Tip: You will need to set up the current Domain Controller as the DNS server.
  2. Promote the new server to become a Domain Controller (in the same domain).
    Step-by-Step Guide to Setting Up Additional Domain Controllers
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx
  3. Promote the new Domain Controller to be a "Global Catalog" and reboot the server.
    Enable or disable a global catalog
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7b1c3e1c-ef32-4b8e-b4c4-e73910575f61.mspx
  4. Install DNS server on the new Domain Controller.
    How To Integrate Windows Server 2003 DNS with an Existing DNS Infrastructure in Windows Server 2003
    http://support.microsoft.com/kb/323417
    How To Install and Configure DNS Server in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;814591
  5. Set the local IP of the new Domain Controller as DNS server.
  6. Optional: Install the WINS service on the new Domain Controller and change the Domain Controller's IP settings to use the local IP as the WINS server.
    Tip: You can migrate the current WINS database to the new server.
    How to migrate a WINS Database from Windows 2000-based WINS server to a Windows 2003-based WINS server
    http://support.microsoft.com/default.aspx?scid=kb;en-us;875419
  7. Move the FSMO roles to the new Domain Controller.
    How to view and transfer FSMO roles in the graphical user interface
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255690
  8. Remove the "Global Catalog" role from the original Domain Controller and reboot the server.
    Enable or disable a global catalog
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7b1c3e1c-ef32-4b8e-b4c4-e73910575f61.mspx
  9. Demote the original Domain Controller so that it is no longer a "Domain Controller".
  10. Migrate printer settings from the old server to the new one by using the "Windows Print Migrator 3.1" tool.
    Microsoft Windows Server 2003 Print Migrator 3.1
    http://www.microsoft.com/WindowsServer2003/techinfo/overview/printmigrator3.1.mspx
  11. Migrate File Server settings from the old server to the new one by using the "Microsoft File Server Migration Toolkit".
    Microsoft File Server Migration Toolkit
    http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
  12. Install DHCP server on the Domain Controller and migrate the DHCP settings from the old server.
    How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;325473
    Tip: Don't forget to set the new Domain Controller as the DNS (and optionally WINS) server for the DHCP scope(s).
  13. Edit user profiles and/or user logon scripts to point to the new Domain Controller as File Server and Print Server.
  14. Uninstall unnecessary services from the old Domain Controller.
  15. Install third-party tools on the new Domain Controller (backup software, antivirus etc.).
  16. Re-register users' computers with the new DHCP server by using ipconfig /release and ipconfig /renew.

Replacing Root Hints with the Cache.dns File. Q249868

http://support.microsoft.com/default.aspx?scid=kb;EN-US;249868

Taken from http://mss.net/TechNotes/TechNotes.htm

dcpromo /forceremoval

If you have removed a DC from the domain, dcpromo without the /forceremoval switch will fail since it cannot contact the domain to notify it of the demotion.
Don't forget that after you do a /forceremoval you have to clean up your Active Directory.
Also, if that DC held any roles you will have to seize them to another DC.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active
http://support.microsoft.com/?id=332199

251307 HOW TO: Remove Orphaned Domains from Active Directory Without Demoting
http://support.microsoft.com/?id=251307

216498 How To Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

Also see http://www.petri.co.il/delete_failed_dcs_from_ad.htm

255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
http://support.microsoft.com/?id=255504

Sunday, February 26, 2006

Dcpromo.exe - "Failed to modify the necessary properties for the machine account. Access is denied."

When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied." error message.

SYMPTOMS
When you run Dcpromo.exe to create a replica domain controller, you may receive the following error message in Dcpromo.exe: Failed to modify the necessary properties for the machine account. Access is denied.

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.

CAUSE
This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the "Delegation Privilege" right.

RESOLUTION

To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:

  1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
  2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
  3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
  4. Apply the policy using one of the following methods:
    • At a command prompt, type gpupdate /force (Windows 2000 Server: secedit /refreshpolicy machine_policy /enforce).
    • In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.
To apply the updated policy, restart the domain controller.
http://support.microsoft.com/?kbid=232070
or
http://support.microsoft.com/?kbid=250874