DCPROMO fails with error “Access is denied”

Hi guys,

If you ever encounter the problem that you can’t demote a domain controller in your organization, and the error says you don’t have the correct credentials to demote your DC, check whether the option “Protect object from accidental deletion” is enabled on the DC object in Active Directory.

If so, disable it and run DCPROMO again.

In this case DCPROMO fails because the option prevents it from modifying and deleting the DC object in Active Directory.

Good luck.
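As an added example (not part of the original post), this PowerShell check uses the ActiveDirectory module to list the “Protect object from accidental deletion” flag on each domain controller’s computer object, server object and NTDS Settings object, so you can see which object blocks the demotion and confirm the flag is still set on the DCs you keep. The function name Get-DcDeletionProtection is my own.

```powershell
# Added example: report the accidental-deletion protection flag on DC objects.
# Requires the RSAT ActiveDirectory module and rights to read the objects.
Import-Module ActiveDirectory

function Get-DcDeletionProtection {
    # Get-ADDomainController exposes the DN of the computer object, the
    # server object under Sites and the NTDS Settings object beneath it.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dns = @($dc.ComputerObjectDN, $dc.ServerObjectDN, $dc.NTDSSettingsObjectDN)
        foreach ($dn in $dns) {
            if (-not $dn) { continue }   # e.g. RODC without a settings object yet
            $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
            [pscustomobject]@{
                DomainController = $dc.HostName
                ObjectDN         = $dn
                Protected        = [bool]$obj.ProtectedFromAccidentalDeletion
            }
        }
    }
}

# Run once before the demotion to find the protected object, and again
# afterwards to verify the remaining DCs are still protected.
Get-DcDeletionProtection | Format-Table -AutoSize

# To clear the flag on the one DC being demoted (the step the post describes),
# replace the placeholder DN with the ObjectDN shown in the report:
# Set-ADObject -Identity 'CN=<DC-NAME>,OU=Domain Controllers,DC=<domain>,DC=<tld>' `
#     -ProtectedFromAccidentalDeletion $false
```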

PKI at Microsoft

Microsoft IT installed a public key infrastructure to implement a security-enhanced communications and remote authentication infrastructure. This enabled the use of S/MIME signatures and encryption, helped secure Web connections by using Secure Sockets Layer or Transport Layer Security, helped ensure the confidentiality of stored data by using Encrypting File System, helped ensure the confidentiality and integrity of transmitted data by using IPsec, and enabled strong network user authentication by using smart cards.

Download the document here.

unattended mode to install and remove ADDS on Windows Server 2008-based DC

The Active Directory Domain Services Installation Wizard (Dcpromo.exe) performs the following tasks:

  • Installs Active Directory Domain Services (AD DS) on Windows Server 2008-based workgroup servers and member servers
  • Removes AD DS from Windows Server 2008-based domain controllers

You can use this wizard together with an answer file to perform these tasks in unattended mode. Continue reading “unattended mode to install and remove ADDS on Windows Server 2008-based DC”

Centralizing Group Policy with Central Store

Hi guys,

This post from Jeremy Moskowitz is a great guide to centralizing GPOs.

Here’s a piece of the article.

“You’ve probably heard of the Group Policy Central Store, but didn’t know what it does, or where to start.

Kind of like Dorothy’s ruby slippers, it was right under your nose, the whole time, waiting for you to use it. So, before we get into that, let’s explore first what the Central Store tries to solve and where it was born from.

Microsoft had a format to describe “what’s possible” in Group Policy using a formatted, simple language called ADM files. ADM files were great because they were simple, quite readable plain text files. They described the policy setting, what its general parameters were when edited, and which registry setting to control.

Microsoft shipped a handful of these in the box with Windows XP, and added more with utilities like Office and some others.

Group Policy Template and ADM Files

Let’s explore the “physics” of what would happen with Windows XP and ADM files. Let’s assume you created a new GPO from scratch:

You’d fire up the GPMC on Windows XP.”

Read more here.

Recommended Updates for Group Policy in Windows Client and Server Products

Hi guys,

This article summarizes the recommended hotfixes and updates for issues that occur in an Active Directory environment using Windows Group Policies or Windows Group Policy Preferences.

NOTE: The list below is not intended to act as a comprehensive list of all available hotfixes for Group Policy or Group Policy Preferences.
This list is an aggregate of common issues seen with Group Policy or Group Policy Preferences. Do not proactively install the following hotfixes unless needed. If you feel you are experiencing an issue listed below, install the hotfix for that specific issue.

Continue reading “Recommended Updates for Group Policy in Windows Client and Server Products”

One way file replication possible?

Hi guys,

Been busy at work with getting a one-way file replication to work. At last I found an MS article which states it is a best practice. How to set it up? Check these steps:

Is it a best practice to configure one-way File Replication Service (FRS) replication between DFS link targets? Continue reading “One way file replication possible?”

Enable Backup and Restore for Group Policy

Hi guys,

While surfing the net I found this cool blog post about enabling backup and restore for your group policies.

Jeremy Moskowitz wrote it, and here’s a little preview of the article. At the end is the link to the complete article.

Continue reading “Enable Backup and Restore for Group Policy”

Why is synced time essential for Active Directory?

Windows AD needs timestamps for resolving AD replication conflicts and for Kerberos authentication. Kerberos uses them to protect against replay attacks—where an authentication packet is intercepted on the network and then resent later to authenticate on the original sender’s behalf. Continue reading “Why is synced time essential for Active Directory?”

Microsoft stand alone system sweeper beta

Hello again,

Microsoft released the public beta of the stand alone system sweeper tool.

Microsoft Standalone System Sweeper Beta is a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or Continue reading “Microsoft stand alone system sweeper beta”

Well known SID’s overview

A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.

This information is useful for troubleshooting issues involving security. It is also useful for potential display problems that may be seen in the ACL editor. A SID may be displayed in the ACL editor instead of the user or group name. Continue reading “Well known SID’s overview”