Category: Windows Server 2008

Install Windows client and server without product key

I just want to share a quick tip about something really smooth that many IT staff seems to be unaware of. Windows Vista and Windows Server 2008 introduced the fact that you can install it without entering a product key. This was later introduced in Windows XP (with service pack 3 slipstreamed) and also later Windows Server 2003 R2 media. Nothing about this changes for Windows 7 or Windows Server 2008 R2. So to sum it up you can install all current as well as coming operating systems without entering a product key and you will then have up to 30 days to enter it.

Restore permissions on objects in Active Directory

Some time ago I had the unfortunate job to do some manual cleaning of an old and since long disconnected (and not decommissioned) Exchange Server in Active Directory using adsiedit.msc and this is not something one want to do I can promise you. Anyway during the testing phase I had to make sure that certain keys and values in adsiedit.msc were safe to be deleted and to accomplish this I removed all permissions on the keys to make sure that no one could read the information. You might think that restoring the permissions on objects in adsiedit.msc is the same as the management with file and folders but that is not the fact.

Instead use the command DSACLS to control the access control lists of Active Directory objects and run for example the following command to let the group Everyone get full permission on the object “First administrative group”.

DSACLS "CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL"
/G Everyone:GA

Beware when working in adsiedit.msc and be very certain about what you are doing before deleting stuff. Sometimes just removing all permissions on objects is the best way because then you can always use the above command to restore permission to the object(s).

Add users to local groups on the Windows clients easily

If you want to add domain users or groups to a local group on a Windows client machine automatically, this can be done using group policies. One reason could be to easily put groups or users to the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add create a new GPO in the domain and go to Computer configuration > (Policies) > Windows settings > Security settings > Restricted groups.

Once there choose to add a group and in my example find the “Remote Desktop Users” group and after that add the user or group you want to add to the local machines which that particular group policy object applies to. More information about restricted groups can be found at

Use EBS migration tool to do a quick health check in your Active Directory

When preparing an existing Active Directory environment for migration to Windows Essential Business Server  one must run a tool which scan the environment and make sure that no errors exist before the migration can even start. This tool is called Windows Essential Business Server Preparation and Planning Wizards and can be downloaded from Microsoft Download Center without cost.

The thing is that this tool is a great utility to use in existing environments, even though they are not being migrated and never will be migrated to Windows EBs. The tool is a great health check and will most likely show errors or potential problems you had no idea existed in your server environment. It find problems with DNS, in Active Directory and replication and will guide you to recommended system changes and much more. I strongly recommend everyone to run it on your own environments to see what it finds.

Just a quick note related to scanning for errors and best practices is that the upcoming Windows Server 2008 R2 will include a number of best practices analyzers for roles such as DNS, Active Directory and many more. This is really slick!

Download Windows Essential Business Server Preparation and Planning Wizards

HOW TO: Clean out Windows\Installer folder correctly

When disk space is running out on a system disk, may it be on a server or a client, there are certain things to clean out. One of them being the %SYSTEMDRIVE%\Windows\Installer folder. You cannot under any circumstances delete files from this folder manually as this not only may but most likely will break software that is installed using MSI files, or Windows Installer files.

The %SYSTEMDRIVE%\Windows\Installer folder is a cache for installation files and patches (MSP files) and removing those will cause you to not being able to repair or uninstall applications, and in some cases not removing patches or applying new patches to software. In the event when you actually did delete this cache you can rebuild the files you need manually by extracting the files from original installation media, from patch packages etc but this is a time consuming and not that easy task to accomplish.

But let me get to the point. If you do want to free disk space you can clean out the %SYSTEMDRIVE%\Windows\Installer folder by downloading Windows Installer Cleanup Utility (NOTE: This tool has been retired and is no longer available from Microsoft) and then running the command

msizap.exe G!

When running this, the installer and patch packages are enumerated and unreferenced packages are considered to be safe to delete and are thereby also deleted. Depending on the age of the system and the number of applications installed, this action can free a significant amount of disk space.

Solution to have multiple SSL sites on port 443 in IIS

Today I faced a problem where I had to put different sites in IIS on the same SSL port which by default is 443. As you might know you cannot set more than one web site to use port 443 in the GUI of IIS Manager, and you can neither specify different host headers there. However you can put more than one web site on the SSL port by using the command line script as stated below. Run it from C:\inetpub\adminscripts but before you do, find out what the identifier for the site you want to enable SSL for is by clicking on “Web sites” in IIS Manager.

cscript.exe adsutil.vbs set /w3svc/1/SecureBindings

Make sure that the above command is put and run on one line and you are done. Please note that if you do not have a wildcard certificate installed (* you will receive certificate warnings for one of the sites, as the certificate name will not match the host name.

A bug in the DNS service in Windows Server 2008

I’ve seen quite an interesting behaviour of the DNS service in Windows Server 2008 for a long time without even thinking about the DNS service having a bug. Apparently there has been a fix for this issue out since summer time but it was not until Microsoft blogged about the bug a few days ago that it got my attention.

The problem is with secondary DNS zones that suddenly loses all (or many) records of the zone, which is not a very good thing I can tell you.

After reading through the description of the bug a couple of times I just sat there with my mouth open. This is exactly what I have been experiencing for some time now. So what is the moral of the story? Always check if it is bug!

Download and more info: KB953317 A primary DNS zone file may not transfer to the secondary DNS servers in Windows Server 2008

Troubleshoot and analyze Blue Screens of Death

TechRepublic has written a post on how to Extract troubleshooting info from Windows XP BSOD error messages. This is good, but I must say that extracting even more information from the memory crash dump file is even better. If you’ve missed my guide on how to do this you have it right here:

Troubleshoot and analyze Blue Screens of Death

Fix for automatic workflows in SharePoint WSS 3.0

So finally Microsoft have released the infrastructure update which once and for all fixes the problem with automatic workflows not working in Windows SharePoint Services 3.0.

More information: Description of the Infrastructure Update for Windows SharePoint Services 3.0: July 15, 2008
More information: Issues that are fixed in Windows SharePoint Services 3.0 by the Windows SharePoint Services 3.0 Infrastructure Update
More information: A declarative workflow that is configured to start automatically when e-mail enabled items are created does not start automatically after you install Windows SharePoint Services 3.0 Service Pack 1 

Source: SharePoint blog

Collection of best practices guides

Microsoft is providing best practice analyzers for most of their server products and I have gathered them on a list, for your convenience. These best practices analyzers are extremely good for troubleshooting and for making sure that the servers are performing at their best. Here is the link for the article: