Archive for the ‘Windows Server 2008 R2’ Category

Failed to gracefully demote domain controller

December 5, 2013

I was getting ready to upgrade the hardware and server version on an old Windows Server 2008 R2 domain controller when I ran into an interesting problem. After launching DCPROMO and going through the steps, I received an error that said “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles”.

After doing some research, it turns out that the domain controller has incorrect information about the FSMO operations master owner: it is set to a domain controller that has been deleted or does not exist. In my case, the person before me must have improperly decommissioned a domain controller, leaving cruft behind in AD. I launched ADSIEdit on the domain controller I was trying to remove, went to the Infrastructure container, and sure enough, “fSMORoleOwner” had garbage in it.

When I tried to edit the value, I received an error stating “Operation Failed. Error code: 0x20ae The role owner attribute could not be read 000020AE: SvcErr: DSID-03152BF7, Problem 5003 (WILL_NOT_PERFORM) Data 0”. If you receive this error message when trying to change the value of “fSMORoleOwner”, you must change the value from the domain controller that holds the FSMO role. Once you change it there, the change should replicate (depending on your replication scheme) to the domain controller you are trying to demote, and the demotion should then complete.
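The check below is an added example and not part of the original post: it reads fSMORoleOwner on the Infrastructure container and tests whether the NTDS Settings object it names still exists, so a stale owner can be spotted before DCPROMO fails. It assumes the Active Directory PowerShell module (Server 2008 R2 or RSAT) and read rights to the domain, and makes no changes.

```powershell
# Added example, not part of the original post: check whether the
# fSMORoleOwner attribute on a domain's Infrastructure container still points
# at the NTDS Settings object of a live domain controller. Assumes the Active
# Directory PowerShell module and read rights to the domain; read-only.
Import-Module ActiveDirectory

function Test-InfrastructureRoleOwner {
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $dom   = Get-ADDomain -Identity $Domain
    $infra = Get-ADObject -Identity "CN=Infrastructure,$($dom.DistinguishedName)" `
                          -Properties fSMORoleOwner -Server $Domain
    $owner = $infra.fSMORoleOwner

    # A healthy value looks like
    #   CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=...
    # A value containing "\0ADEL:" (a tombstoned object) or one that cannot be
    # resolved at all names a DC that no longer exists, which is what produces
    # the demotion error quoted in the post.
    $ownerExists = $false
    if ($owner -and $owner -notmatch '0ADEL') {
        try {
            $null = Get-ADObject -Identity $owner -Server $Domain -ErrorAction Stop
            $ownerExists = $true
        } catch {
            $ownerExists = $false
        }
    }

    [pscustomobject]@{
        Domain              = $dom.DNSRoot
        fSMORoleOwner       = $owner
        OwnerObjectExists   = $ownerExists
        ReportedInfraMaster = $dom.InfrastructureMaster   # the DC name AD derives from the same attribute
        LiveDCs             = (Get-ADDomainController -Filter * -Server $Domain |
                               Select-Object -ExpandProperty HostName) -join ', '
    }
}

Test-InfrastructureRoleOwner | Format-List
```

If OwnerObjectExists comes back false, fix the attribute from the domain controller that actually holds the role, as described above, and then clean up the abandoned domain controller's metadata with ntdsutil so the stale reference does not come back through replication.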

Command Line Activation Tools for Windows and Office

November 21, 2013

If you're a Windows administrator, you should be familiar with the following tools. slmgr.vbs is a command-line software licensing management tool for Windows. It works with Windows activation (retail and MAK keys) as well as Key Management Service (KMS). You can call it from any command prompt. slmgr.vbs has many options, including installing a product key, uninstalling a product key, displaying license information, and activating. For a complete list of options, visit the following TechNet article.

ospp.vbs is the equivalent command-line software licensing management tool for Microsoft Office. It also supports retail and MAK activation as well as Key Management Service (KMS). Its location depends on the Office version and bitness:

  • Office 2010 (32-bit) on a 32-bit version of Windows: cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS"
  • Office 2010 (32-bit) on a 64-bit version of Windows: cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS"
  • Office 2010 (64-bit) on a 64-bit version of Windows: cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS"
  • Office 2013 (32-bit) on a 32-bit version of Windows: cscript "C:\Program Files\Microsoft Office\Office15\OSPP.VBS"
  • Office 2013 (32-bit) on a 64-bit version of Windows: cscript "C:\Program Files (x86)\Microsoft Office\Office15\OSPP.VBS"
  • Office 2013 (64-bit) on a 64-bit version of Windows: cscript "C:\Program Files\Microsoft Office\Office15\OSPP.VBS"

For more information on ospp.vbs, visit the following TechNet article.

You can easily use these tools to install and activate a product key from a batch script and deploy it to a large number of machines.
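As an added example (not a script from the original post), the PowerShell below installs and activates a Windows key with slmgr.vbs and an Office key with OSPP.VBS, picking the OSPP.VBS path from the list above, and writes a per-machine log that a deployment tool can collect. The ospp.vbs switches /inpkey, /act and /dstatus are not listed on this page and are assumed here; the keys are placeholders. It must run elevated.

```powershell
# Added example, not from the original post: unattended Windows + Office key
# install and activation. Assumes the ospp.vbs switches /inpkey, /act and
# /dstatus (not shown on the page). Keys below are placeholders. Run elevated.
$WindowsKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key
$OfficeKey  = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key

function Invoke-Cscript {
    param([string]$Script, [string[]]$Arguments)
    # //nologo suppresses the cscript banner so only the tool's own messages are logged.
    $out = & cscript //nologo $Script @Arguments 2>&1
    [pscustomobject]@{
        Command  = "$Script $Arguments"
        ExitCode = $LASTEXITCODE
        Output   = ($out -join "`n")
    }
}

function Get-OsppPath {
    # Candidate locations in the order the post lists them; newest Office first.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\Office15\OSPP.VBS",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office15\OSPP.VBS",
        "$env:ProgramFiles\Microsoft Office\Office14\OSPP.VBS",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office14\OSPP.VBS"
    )
    $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
}

$slmgr = "$env:windir\system32\slmgr.vbs"
$log = @()
$log += Invoke-Cscript $slmgr @('/ipk', $WindowsKey)
$log += Invoke-Cscript $slmgr @('/ato')
# /cpky removes the installed key from the registry once activated, so the
# full key cannot be read back from the machine later.
$log += Invoke-Cscript $slmgr @('/cpky')
$log += Invoke-Cscript $slmgr @('/dli')

$ospp = Get-OsppPath
if ($ospp) {
    $log += Invoke-Cscript $ospp @("/inpkey:$OfficeKey")
    $log += Invoke-Cscript $ospp @('/act')
    $log += Invoke-Cscript $ospp @('/dstatus')
} else {
    $log += [pscustomobject]@{ Command = 'ospp'; ExitCode = -1; Output = 'OSPP.VBS not found; Office not installed?' }
}

# One log per machine; a deployment tool can collect these centrally.
$log | Format-List | Out-String | Set-Content "$env:windir\Temp\activation-$env:COMPUTERNAME.log"
$log | Where-Object { $_.ExitCode -ne 0 } | ForEach-Object { Write-Warning "$($_.Command) exited $($_.ExitCode)" }
```

Because the script carries the product keys in clear text, store it where only the deployment account can read it, and keep the /cpky step so the key is not left in the registry of every machine it touches.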

How to Use a Command Prompt During GUI-Mode Setup

June 29, 2013

In some cases, it may be helpful to have access to a command prompt during GUI-mode Setup for troubleshooting, partitioning the disk, copying drivers, starting and stopping services, starting tools such as Task Manager, or other needs.

To gain access to a command prompt during GUI-mode Setup, press SHIFT+F10.

Using Network Time Protocol with Windows Server

April 2, 2013

We all know that time synchronization is crucial for all the computers on the network, especially servers. In Windows, client computers obtain the time from domain controllers, and the domain controllers obtain their time from the domain's primary domain controller (PDC) emulator operations master. The PDC emulator obtains its time from an external source, usually Microsoft. If you would like to have your primary domain controller synchronize with an NTP server, the process is fairly simple. My department maintains our own SNTP servers, but you could use one from the NTP Pool Project.

For my fellow administrators on the North American continent, you would use:


I recommend you use the DNS name instead of an IP address, because the IP addresses may change in the future for whatever reason. Now let's configure our primary domain controller to synchronize with our NTP server.

      1. Sign in to your primary domain controller with Administrator credentials. If you do not know which of your domain controllers is the primary domain controller, you can query a domain controller using netdom. Use the command ‘netdom query fsmo’.
      2. Open a command prompt window.
      3. Stop the W32Time service by using the command ‘net stop w32time’.
      4. Now it is time to configure the external NTP source. Use the command: w32tm /config /syncfromflags:manual /manualpeerlist:<NTP Servers here> /reliable:yes
      5. Start the W32Time service again by using the command ‘net start w32time’.

NOTE: If you are going to use more than one NTP server, you must enclose them in quotes and delimit each entry with a space. Ex: “”.

The Windows Time Service should begin to synchronize the time with the external NTP server you chose. You can view your current configuration by using the command ‘w32tm /query /configuration’, and check your Event Viewer for any error messages.
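The five steps above, with the multi-server quoting from the note and the verification, as one added PowerShell script (not from the original post). It assumes it runs elevated on the PDC emulator; the two pool hostnames are the NTP Pool Project's North America zone names used here as sample values, and /update (telling the service to pick up the new configuration) and /resync are w32tm switches not listed in the post.

```powershell
# Added example, not part of the original post: point the PDC emulator at
# external NTP servers and verify. Assumes an elevated session on the PDC
# emulator. Sample peers are NTP Pool Project zone names; replace as needed.
$Peers = @('0.north-america.pool.ntp.org', '1.north-america.pool.ntp.org')

# Step 1: confirm this host really is the PDC emulator before changing time settings.
$fsmo    = & netdom query fsmo
$pdcLine = $fsmo | Where-Object { $_ -match '^PDC\s' }
if ($pdcLine -notmatch [regex]::Escape($env:COMPUTERNAME)) {
    Write-Warning "This host does not hold the PDC role: $pdcLine"
}

# Step 4's peer list: several servers go in one quoted, space-delimited argument.
$peerList = $Peers -join ' '

# Steps 3-5: stop, configure, start. /update makes the service reread the config.
& net stop w32time
& w32tm /config /syncfromflags:manual "/manualpeerlist:$peerList" /reliable:yes /update
& net start w32time
& w32tm /resync /nowait

# Verification: what the service accepted, and which source it is actually using.
& w32tm /query /configuration
& w32tm /query /source

# The post's "check Event Viewer" step: the most recent Time-Service events.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If ‘w32tm /query /source’ still reports Local CMOS Clock or a domain controller after the restart, the peers were not reachable on UDP 123 from the PDC emulator, which is the first thing to check at the firewall.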

Google Chrome User Settings with Roaming Profiles

September 4, 2012

Google Chrome is becoming increasingly popular among users. Google Chrome recently surpassed Internet Explorer in market share. According to numbers from StatCounter, Google's browser finally averaged higher traffic than Internet Explorer for the first time over a full seven-day stretch. From May 14th through May 20th, Google's Web browser garnered a 32.76% share, ahead of Microsoft's 31.94% and Mozilla Firefox's 25.47% share. It has grown quite popular among students and professors at my university and in enterprise environments.

A problem was recently reported to me that Google Chrome was not storing users' information once they logged out of a computer. Looking into the issue, I realized what was going on. Google Chrome stores its data in the local application data folder of the user's profile, and this folder is not uploaded when the user logs off a computer.

Windows XP/2003:

C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default

Windows Vista/7:

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default

I needed to tell Chrome to save its user data in the Roaming folder, which is uploaded when the user logs off, and not in the local application data folder. This can be achieved by passing the user data directory as an argument when running Chrome's executable, but that would require making the change manually on hundreds of computers.

Luckily, Google has provided administrators with tools to make deployment and management easier.

I had recently installed the ADM template that Google provides administrators, to set the home page as well as some other common settings for our public laboratory computers. In that ADM template is the option to set the user data directory to one of your choosing. Google Chrome uses its own set of variables rather than the standard Windows environment variables.

The current list of Chrome variables on Windows includes:

  • %APPDATA% = ${roaming_app_data}
  • %LOCALAPPDATA% = ${local_app_data}
  • %USERNAME% =  ${user_name}
  • %COMPUTERNAME% = ${machine_name}
  • %USERPROFILE% = ${profile}
  • %PROGRAMFILES% =  ${program_files}
  • %WINDIR% =  ${windows}
  • ${documents} – The “Documents” folder for the current user. (“C:\Users\Administrator\Documents”)
  • ${global_app_data} – The system-wide Application Data folder. (“C:\AppData”)

So what I did was set the user data directory to the roaming data directory like so:

${roaming_app_data}\Google\Chrome\User Data

After performing a group policy update, the machines were correctly storing users' data in their roaming profiles.
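For machines outside the GPO scope, or to verify what the policy value resolves to before rolling it out, here is an added PowerShell example (not from the original post). It writes the same UserDataDir value the ADM template sets, under Chrome's policy registry key, and expands the ${...} variables from the table above into the Windows path they map to. The policy key path HKLM:\SOFTWARE\Policies\Google\Chrome and the value name UserDataDir are assumptions taken from Chrome's policy documentation, not from this page.

```powershell
# Added example, not part of the original post: set Chrome's UserDataDir
# policy in the registry and show the Windows path it resolves to for the
# current user. Policy key path and value name are assumed from Chrome's
# policy documentation. Writing to HKLM requires an elevated session.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$UserDataDir = '${roaming_app_data}\Google\Chrome\User Data'

# Chrome variable -> Windows environment variable, from the post's table.
$ChromeVars = @{
    'roaming_app_data' = $env:APPDATA
    'local_app_data'   = $env:LOCALAPPDATA
    'user_name'        = $env:USERNAME
    'machine_name'     = $env:COMPUTERNAME
    'profile'          = $env:USERPROFILE
    'program_files'    = $env:ProgramFiles
    'windows'          = $env:windir
}

function Expand-ChromePath {
    param([string]$Path)
    # Replace every known ${name} token; unknown tokens stay as-is so they stand out.
    $out = $Path
    foreach ($name in $ChromeVars.Keys) {
        $out = $out.Replace('${' + $name + '}', $ChromeVars[$name])
    }
    $out
}

function Set-ChromeUserDataDirPolicy {
    param([string]$Value)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'UserDataDir' -Value $Value -Type String
    # Read it back so the caller sees exactly what Chrome will receive.
    (Get-ItemProperty -Path $PolicyKey -Name 'UserDataDir').UserDataDir
}

"Policy value : $UserDataDir"
"Resolves to  : $(Expand-ChromePath $UserDataDir)"
"Written      : $(Set-ChromeUserDataDirPolicy -Value $UserDataDir)"
```

One consequence worth checking on a profile that roams: Chrome keeps its disk cache under User Data as well, so the whole cache now travels with the roaming profile at every logoff and logon. Chrome has a separate DiskCacheDir policy that can keep the cache under ${local_app_data} while the rest of the profile roams.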

Activate Windows Vista, Windows Server 2008R2, and Windows 7 From the Command Line

August 28, 2012

Beginning with Windows Vista, Microsoft introduced a powerful command-line tool to handle Windows activation. This tool is called ‘slmgr’. Slmgr works under Windows Vista, Windows 7, and Windows Server 2008 R2. The most common options you may need are ‘/ipk’, which installs a product key, and ‘/ato’, which tells Windows to contact Microsoft's servers and activate. This tool can also be used to manage remote clients. I have included below some more advanced parameters and examples.

NOTE: All actions (other than displaying status) require elevated administrator privileges. The slmgr.vbs script is not intended to work across platforms, i.e. between Vista and Windows 7.

slmgr [MachineName [Username Password]] [Option]

machinename   The machine to administer, by default the current local machine.

username      An administrator equivalent user account for the remote computer.

password      The password for the user account on the remote computer.

/ato   Activate Windows license and product key against Microsoft’s server.

/atp Confirmation_ID   Activate Windows with user-provided Confirmation ID

/ckms  Clear the KMS server name and port, reverting both to their defaults.

/cpky  Clear product key from the registry (prevents disclosure attacks)

/dli   Display the current license information with activation status and partial product key.

/dlv   Verbose, similar to -dli but with more information.

/dti   Display Installation ID for offline activation

/ipk Key  Enter a new product key supplied as xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

/ilc License_file   Install license

/rilc               Re-install system license files

/rearm Reset the evaluation period/licensing status and activation state of the machine

/skms activationservername:port
Set the Volume Licensing KMS server and/or the port used for KMS activation
(where supported by your Windows edition)

/skhc  Enable KMS host caching (default), this blocks the use of DNS priority and
weight after the initial discovery of a working KMS host.
If the system can no longer contact the working KMS host, discovery will be attempted again.

/ckhc  Disable KMS host caching. This setting instructs the client to use DNS auto-discovery
each time it attempts KMS activation (recommended when using priority and weight)

/sai interval
Sets the interval in minutes for unactivated clients to attempt KMS connection.
The activation interval must be between 15 minutes and 30 days, although the default (2 hours)
is recommended.
The KMS client initially picks up this interval from the registry but switches to the KMS
setting after the first KMS response has been received.

/sri interval
Sets the renewal interval in minutes for activated clients to attempt KMS connection.
The renewal interval must be between 15 minutes and 30 days.
This option is set initially on both the KMS server and client sides.
The default is 10080 minutes (7 days).

/spri  Set the KMS priority to normal (default).
/cpri  Set the KMS priority to low.
Use this option to minimize contention from KMS in a co-hosted environment.
Note that this could lead to KMS starvation, depending on what other applications
or server roles are active. Use with care.

/sprt port
Sets the port on which the KMS host listens for client activation requests. The default TCP port is 1688.

/sdns  Enable DNS publishing by the KMS host (default).
/cdns  Disable DNS publishing by the KMS host.

/upk   Uninstall the currently installed product key and return the license status to the trial state.

/xpr   Show the expiry date of current license (if not permanently activated)

Token-based activation:
/lil   List the installed token-based activation issuance licenses.

Remove an installed token-based activation issuance license.

/stao  Set the Token-based Activation Only flag, disabling automatic KMS activation.
/ctao  Clear the Token-based Activation Only flag (default), enabling automatic KMS activation.
/ltc   List valid token-based activation certificates that can activate installed software.
/fta Certificate Thumbprint [PIN]
Force token-based activation using the identified certificate.
The optional personal identification number (PIN) is provided to unlock the private
key without a PIN prompt when using certificates that are protected by hardware
(for example, smart cards).

C:\> cscript C:\windows\system32\slmgr.vbs wkstn64 administrator pa55w0rd1 -dli
C:\> cscript slmgr.vbs -skms
C:\> cscript slmgr.vbs -skms KMSServer:8090
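The first example above passes an administrator password on the command line, where it is visible to anyone who can list processes on the machine running it. When the MachineName argument is given without Username and Password, slmgr.vbs uses the credentials of the account running it, so a script run under an account that already has rights on the targets needs no password at all. The PowerShell below is an added example (not from the original post) that does exactly that for a list of machines, parses the /dli and /xpr output into a table, and flags anything that is not licensed. Hostnames are constructed placeholders.

```powershell
# Added example, not part of the original post: activation status inventory
# with slmgr.vbs /dli and /xpr, using the running account's credentials
# instead of a password on the command line. Hostnames are placeholders.
$Machines = @('wkstn01', 'wkstn02', 'srv-file01')
$Slmgr    = "$env:windir\system32\slmgr.vbs"

function Get-SlmgrStatus {
    param([string]$Machine)
    $dli = & cscript //nologo $Slmgr $Machine /dli 2>&1 | Out-String
    $xpr = & cscript //nologo $Slmgr $Machine /xpr 2>&1 | Out-String

    # /dli prints "License Status: <state>" and "Partial Product Key: <5 chars>".
    $status  = if ($dli -match 'License Status:\s*(.+)')       { $Matches[1].Trim() } else { 'unknown' }
    $partial = if ($dli -match 'Partial Product Key:\s*(\S+)')  { $Matches[1] }        else { '' }
    # /xpr prints one sentence with the expiry or "permanently activated".
    $expiry  = ($xpr -split "`r?`n" | Where-Object { $_.Trim() } | Select-Object -Last 1)

    [pscustomobject]@{
        Machine       = $Machine
        LicenseStatus = $status
        PartialKey    = $partial
        Expiry        = if ($expiry) { $expiry.Trim() } else { '' }
        # Heuristic: WMI/RPC failures and denied access show up in the script output.
        Reachable     = ($dli -notmatch 'RPC server is unavailable|Access is denied')
    }
}

$report = $Machines | ForEach-Object { Get-SlmgrStatus $_ }
$report | Format-Table -AutoSize

# Anything not "Licensed" needs a look. A partial key that does not match the
# key you issued to that machine is also worth investigating.
$report | Where-Object { $_.LicenseStatus -ne 'Licensed' -or -not $_.Reachable }
```

Remote queries go over WMI, so the account running the report needs administrative rights on each target and the Windows Firewall must allow the WMI traffic; a machine that shows Reachable = False has failed one of those two checks rather than having a licensing problem.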

Transfer or Seize Flexible Single Master Operations (FSMO) Roles

May 10, 2012

There are five Flexible Single Master Operations (FSMO) roles for domain controllers. They are:

  1. infrastructure master
  2. naming master
  3. pdc (primary domain controller)
  4. rid master
  5. schema master

To transfer the five Flexible Single Master Operations (FSMO) roles we will use a tool called ntdsutil. NtdsUtil is a Directory Services management tool. NtdsUtil performs database maintenance of the Active Directory store, management and control of the Floating Single Master Operations (FSMO) roles, and cleanup of metadata left behind by abandoned domain controllers. Abandoned domain controllers are those that were removed from the network without being uninstalled properly. For more on NtdsUtil, visit: NtdsUtil

To transfer these roles to a different domain controller:
Logged in as Domain Administrator on the domain controller from which you want to transfer the roles:

  1. Open a Windows CMD shell.
  2. Type ‘ntdsutil’. You should be greeted with a “ntdsutil: ” prompt.
  3. Type ‘roles’. You should be greeted with a “fsmo maintenance: ” prompt.
  4. Type ‘connections’. You should be greeted with a “server connections: ” prompt.
  5. Type ‘connect to server <server_name_here>’, where the server name is the name of the domain controller you wish to transfer the roles to. You should receive a confirmation stating that it is binding to the domain controller using the credentials of the locally logged-on user.
  6. Type ‘q’ to exit server connections. You should be back at the fsmo maintenance prompt.
  7. Type ‘transfer infrastructure master’
  8. Type ‘transfer naming master’
  9. Type ‘transfer pdc’
  10. Type ‘transfer rid master’
  11. Type ‘transfer schema master’
  12. Type ‘q’ to exit fsmo maintenance.
  13. Type ‘q’ to exit ntdsutil.
  14. Type ‘exit’ to close the CMD shell.

If the domain controller holding a role is dead, you will need to use the command ‘seize’ instead of ‘transfer’ to take the role. Example: ‘seize infrastructure master’, and so on for the other four.
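The same fourteen steps, driven non-interactively, as an added PowerShell example that is not part of the original post. ntdsutil accepts its interactive commands as quoted command-line arguments, so the function below feeds it the exact sequence from the list (roles, connections, connect, q, one transfer per role, q, q) and switches the verb to ‘seize’ when -Seize is given. The target DC name is a constructed placeholder. Note that ntdsutil still raises its confirmation dialog for each seize, so the -Seize path must run from an interactive session.

```powershell
# Added example, not part of the original post: transfer (or, with -Seize,
# seize) all five FSMO roles through ntdsutil without typing at its prompts,
# then verify with netdom. Target DC name is a placeholder. Run as a domain
# administrator; seize still shows ntdsutil's confirmation dialog per role.
function Move-FsmoRolesWithNtdsutil {
    param(
        [Parameter(Mandatory = $true)][string]$TargetDC,
        [switch]$Seize
    )
    $verb  = if ($Seize) { 'seize' } else { 'transfer' }
    $roles = @('infrastructure master', 'naming master', 'pdc', 'rid master', 'schema master')

    # Same order as the interactive session in the post:
    # roles -> connections -> connect to server -> q -> one command per role -> q -> q
    $commands  = @('roles', 'connections', "connect to server $TargetDC", 'q')
    $commands += $roles | ForEach-Object { "$verb $_" }
    $commands += @('q', 'q')

    # Each array element is passed as one quoted argument, which ntdsutil
    # executes as one command. Output is returned so it can be logged.
    & ntdsutil @commands 2>&1
}

function Get-FsmoHolders {
    # netdom prints one line per role: "<role name>   <dc fqdn>".
    & netdom query fsmo | Where-Object { $_ -match '\S' } | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}(\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches[1].Trim(); Holder = $Matches[2] }
        }
    }
}

"Before:"
Get-FsmoHolders | Format-Table -AutoSize

Move-FsmoRolesWithNtdsutil -TargetDC 'DC02'          # add -Seize if the current holder is dead

"After:"
$after = Get-FsmoHolders
$after | Format-Table -AutoSize
$notMoved = $after | Where-Object { $_.Holder -notmatch '^DC02(\.|$)' }
if ($notMoved) { Write-Warning "Roles still held elsewhere: $($notMoved.Role -join ', ')" }
```

A seized role must never be given back to the old holder: once a role has been seized, the dead domain controller must stay off the network and its metadata cleaned up with ntdsutil, otherwise two machines will each believe they own the same single-master role.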

Useful Links: (Microsoft Support Article on Transferring or Seizing FSMO Roles)

