Category Archives: Windows Server 2003

VMWare | “Unable to locate the required Sysprep files”

Yes the year is 2016! and Yes we are still converting Server 2003 onto VMware! (I know Server 2003 is dead and 13 years behind the times, but there are still some instances in our organisation that still require it for old bespoke software that can’t be easily moved to Server 2013/2016)

When converting a physical “Server 2003” machine to a virtual machine using VMware Converter this error displays:

“Warning: Unable to locate the required Sysprep files. Upload them under ‘C:\ProgramData\VMware vCentre Converter Standalone\sysprep\svr2003’ on the Converter server machine. See ‘Help’ for more details”

Continue reading

Windows Time Commands | Cheatsheet

Check time service is running (Local & Remote):

sc query w32time
sc \\HOSTNAME query w32time

Displays all local time information (Local & Remote):

w32tm /query /configuration
w32tm /query /configuration /computer:HOSTNAME

Display Windows Time service status (Local & Remote):

w32tm /query /status
w32tm /query /status /computer:HOSTNAME

Display Windows Time service source (Will return one line: local CMOS vs Server) (Local & Remote):

w32tm /query /source
w32tm /query /source /computer:HOSTNAME

Display a list of peers and their status:

w32tm /query /peers

Displays current time (local source)

Time /T

Resync local computer time against time server: (run on all servers, except time server)

w32tm /resync /rediscover 

Force local computer time to update against domain server (Local & Remote):

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover w32tm /resync
w32tm /config /syncfromflags:domhier /update /computer:HOSTNAME
w32tm /resync /rediscover w32tm /resync

Start time server via CLI (Local & Remote)

net start w32time
SC \\HOSTNAME net start w32time

Restore Windows Time Service (if it has been broken)

net stop W32Time
w32tm /unregister
w32tm /register
net start W32Time
sc query W32Time

Set Time Update NTP source

@echo off
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:
w32tm /config /reliable:yes
net start w32time
w32tm /query /peers

Event Viewer Error Message:

Event Type: Error 

Event Source: W32Time 

Event Category: None 
Event ID: 12

Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

To resolve the eventID 12:

  • w32tm /register


Enable ICMP (Ping) & WMI | CMD Line

Without enabling ICMP ping requests will not get a reply from the server.

Enable ICMP using “netsh firewall” (Old Method):

netsh firewall set icmpsetting 8

Enable ICMP using “netsh advfirewall” (New Method):

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Enable WMI using “netsh advfirewall” (New Method):

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

There are numerous blog/forum posts regarding the cause of this error, however most are related to workstations on the local domain not being able to authenticate to the local DC. (The quick fix being to remove the network cable, login with the cached credentials and remove/readd the PC to the domain.

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly” which allows MMC to run as an alternative user (in the destination domain) seamlessly “/netonly” allows you to run applications as a local user but authenticating over the network as another user.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008 holding the “shift” key and right clicking on MMC will not display the “runas” function as in Windows Server 2008 R2 or Windows 7. A quick workaround is to use the “ShellRunAs” Sysinternals tools. Simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.


AD LDAP Attributes | Common Entries

List of common LDAP AD fields which can be used with the “DSQuery” or other tools which lookup AD objects.

csvde -m -f c:\DSQueryUsers.csv -d "OU=Users,OU=UK,DC=domain,DC=localm" -r "(&(objectClass=*)(mail=*))" -l displayName,userPrincipalName

In order to simplify the process of creating LDAP queries you can use the SysInternals “Active Directory Explorer” tool to help with this process.

See Below for table:

Continue reading

Saving Windows Disk Space | Removing “Installer\$PatchCache$”

Running out of the diskspace on C:\ I found the C:\WINDOWS\Installer\$PatchCache$ to be massive! I used JamSoftware “treesize” to view what was taking up the space.

From research this folder can be safely deleted, however you MUST NOT delete the top level “Installer” folder “C:\WINDOWS\Installer” (only the sub-folders inside it)

A quick method for deleting this directory is:

Stop “Windows Installer Service”

net stop msiserver

Run the “Remove Directory” command (/q Quiet: /q | Removes all directories and files: /s)

rmdir /q /s %WINDIR%\Installer\$PatchCache$

Start “Windows Installer Service”

net start msiserver


“Migrating GPOs Across Domains with GPMC”

I’ve recently updated my Windows Server 2008R2 system to Windows Server 2012. Windows Server 2012 was a fresh install using a different domain name on a new system. My intention was to manually migrated all data from the existing 2008R2 server into the new domain, this included Hyper-V VMs, DHCP and GPOs. There is the option of using ADMT however I required a clean install.

These are the steps I took in order to migrate GPOs from the source server to the destination server with a different domain name.

(Although this was completed from a 2008R2 to 2012 server, the first set of screen shots where created on the new 2012 server for this guide)

Source WS2008R2: Backup the existing GPOs from the GPMC, you need to ensure that the “Group Policy Objects” container is selected for the “Backup Up All” option to be available.

Continue reading

Event ID1202 | Security policies were propagated with warning. 0x534

I don’t want to get into the habit of logging every single error and snag I find in the event viewer, but part of my work is closely tided to Group Policy and deployment, therefore thought this would be useful in the further.

I was getting this error listed in the event viewer:

Error: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Category: None
Type: Warning
Event ID: 1202

Continue reading

Show Host Name via VBS (ShowHost.vbs)

Simple script to show host name of the local machine in a popup window add code to “ShowHost.vbs”

Dim Shell
Dim CompName
Set Shell = WScript.CreateObject("WScript.Shell")
CompName = Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
Msgbox "Your Computer name is " & CompName

“You have been logged on with a temporary profile”

I see this error quite a few times when users logon to the Windows Server 2008 R2 RDS/TS server. The fix is pretty simple.

Use “regedit” and navigate to this entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Find the entry with .bak listed and delete it. When the user logs back in the profile will be recreated.

Source: KB947242

Rename Windows Workstation/PC remotely

In order to rename a Windows system remotely you need to use the NETDOM command:

The command has been knocking about for a while now and is standard in Windows 2008. In Windows 2003 you can find it in the Windows Resource Tool Kit


netdom renamecomputer old_name /newname:new_name /userd:domain_admin_login /passwordd:domain_admin_pwd
netdom renamecompuer domold-W7 /newname:domnew-W7 /userd:administrator /passwordd:Passw0rd

WinRM for Event Forwarding

Windows Remote Management (WinRM) required by Windows Remote Shell command-line tool, Winrs, event forwarding, and Windows PowerShell 2.0.

WinRM service starts automatically on Windows Server 2008, but must be started manually on Windows Vista.

  • Show WinRM Status: “winrm get winrm/config”
  • Show WinRM Help: “winrm help config”
  • Setup WinRM: “winrm qc” (Quick Config)

Performs the following operations:

  • Starts the WinRM service, and sets the service startup type to auto-start.
  • Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
  • Defines ICF exceptions for the WinRM service, and opens the ports for HTTP and HTTPS. (Only for the current user profile)



Delegate Distribution List Modification to Users in Outlook.

I always wondered what the “Managed By” tab was when displaying the properties of a Distribution or Security Group in Active Directory. By adding a user to the “Managed By” tab they can then be delgated to modify distribution lists using Outlook, obviously this helps with admin tasks and people complaning at you when someone is not in the list!!

  1. My Computer -> Administrative Tools -> Users and Computers
  2. Select OU – I create a seperate “Distribution_Groups_OU”
  3. Select “Distribution Group” right click “Properties”

Checking what users are part of the Distribution group in Outlook

  1. Add Distribution in email using “to…”
  2. Simple click “+” to expand it:
  3. Note: This “+” does not apply on all distributions groups such as Dynamic groups so you may not see if. You will need to check AD to confirm what type of list it is.

Modifying Distribution group in Outlook (For the delegated user selected in the previous step “Managed By” tab)

  1. Open Outlook -> Tools -> Address Book
  2. Locate Distribution Group -> Right Click -> Properties
  3. Click “Modify Members”
  4. Click “Add”
  5. Select Member Click “OK”


HP Proliant Server (Safemode / DSRM)

After a bad day with a Windows Server 2003 AD failure I had to do a system state restore using Directory Services Restore Mode (DSRM)

How hard could it be?? F8 in the BIOS before the Windows start right? Wrong!

This was on a HP Proliant ML310 G5 with multiple RAID & ILO devices using F8 as their configuration options, therefore every-time I pressed F8 (trying not to miss my window) I’d simply keep going into these config screens.

The Fix:

Wait until the initial RAID & ILO has loaded and processed to the next item then keep pressing “F5”

Yes F5 not F8!

Groups in AD | Domain Local, Global, Universal

Domain Local: groups can contain users, global groups and universal groups from anywhere in the AD forest, but can only be used to secure resources within the same domain.

Global: groups can contain only users and groups from within the same domain, but can be used to secure resources anywhere in the forest.

Universal: groups can contain objects from anywhere in the forest, and can be used to secure resources anywhere in the forest.

Group Scope Can Contain Usage
Domain Local
  • User account from any domain in the forest
  • Global or universal from any domain in the forest
  • User accounts, global or universal groups from a trusted forest domain
  • Other domain local groups from the same domain
  • Resources in local domain
  • User accounts in the same domain
  • Other global groups from the same domain
  • Any domain in the forest or trusted forests
  • Users. Global groups or universal groups from any domain in the forest
  • Any domain in the forest or trusted forests

You can only convert from the following and this will only take place if the correct “member of” groups are related:

  • Domain Local to Universal
  • Global to Universal
  • Universal to Domain Local & Global



This is something we all overlook and it makes life so much easier if you have a copy just dumped to a network share!

GPO Backup:

GPO Restore:

DHCP Backup:


Bridgehead Servers, Intersite Links and RepAdmin

Bridgehead Servers

A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For inter-site replication, KCC designates one of the domain controllers as a bridgehead server. In case the server is down, KCC designates another one from the domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

Repadmin Sync: (Synchronizes DC with replication partners)

repadmin /syncall

Bridgehead Servers: (Displays bridgehead servers)

repadmin /bridgeheads


Seeing a number of KCC replication errors in the event log, no doubt there is something not configured correctly in “Site-&-Services”  This Microsoft document should give you a few tips. Troubleshoot with Repadmin

Continue reading