The following is a collection of expert responses to reader questions by Laura Hunter.
|Laura E. Hunter|
How can I reset our Active Directory Restore Mode password?
We have to set this while installing the AD through the DCPromo command. I was not working here when the previous administrator installed this Active Directory, so I don't know the Restore Mode password. Can you help me to reset it?
Laura Hunter: In Windows 2000, use the setpwd command as described here . For Windows 2003, you can use ntdsutil as described here. To automate setting the DSRM password across multiple domain controllers, go here for a script written by Directory Services MVP Dean Wells that will automate the process.
I have a problem regarding my Windows 2003 domain controller. I have configured this server as a DNS and DHCP server, too. All is running well, but the DHCP declined to be authorized. Every time I try to authorize it, it gives me this error saying "Access Denied". I'm the domain administrator. In event viewer I get event 1059 and 1046.
Looking forward to your response.
LH: You need to have Enterprise Admin credentials to authorize a DHCP server in Active Directory. Check this out to find more information.
I am running Windows 2000 Server as my primary domain controller and running Active Directory. I installed Windows 2003 Server tools on a Windows XP Pro computer to manage my users, etc. The XP machine is in the domain. However, when I try to start Active Directory Users and Computers from the XP computer, I receive a message saying "Naming information cannot be located because: The specified domain either does not exist or could not be contacted."
Can you help me fix this?
LH:In most cases, this error occurs because of improperly-configured DNS. Be certain that your XP workstation is pointing to a DNS server that can resolve the A and SRV records associated with your Active Directory domain, (and not, for example, pointing to your ISP's DNS server.)
What would be a good tool (free) to test DNS environments against any corruptions?
LH: My favorite is DNSLint, which is a free download from Microsoft and is really useful in diagnosing common name resolution issues. Other useful (free) tools include netdiag and dcdiag from the Windows Support tools.
Is there a tool I can use on my Exchange 5.5 server that will give me a report detailing permissions, delegations, etc., such as showacls.exe does in 2000?
LH:You can use a simple VBScript to return this, similar to the following:
On Error Resume Next
Set objGroup = GetObject _
arrMemberOf = objGroup.GetEx("member")
i = 0
For Each strMember in arrMemberOf
i = i + 1
My IP address is 169.254.***.*** ...and I guess that's causing some network problem for my desktop. I have found through research that I can reset it using a netshell utility. What exactly is a netshell utility and how does it work?
LH: An IP address of 165.254.*.* means that your PC is attempting to receive an IP address from a DHCP server, but it is unable to do so. Be sure that you can ping your DHCP server and that the DHCP server is active and handing out IP addresses on your subnet. You can find even more helpful information here.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at email@example.com.