Archive for the 'Windows 2003 Server' Category

Bug introduced in Windows NT3.1 (1993) still affecting all subsequent releases of Windows!

Since NT was introduced, pure command line DOS was replaced with the Virtual DOS machine (VDM) that allows legacy DOS and 16-bit windows application to run on top of NT (all variants), XP, Vista and Windows 7.

It would seem the VDM engine has a major flaw!

Read more at and packet storm security

A summary of the issue is that it is possible for a limited user (i.e. a non administrator user) to gain administrative privileges via the VDM.

A workaround is to disable 16-bit applications as part of the Active Directory policy for your domain.


An alternative to WSUS and Windows Update

We manage a few standalone machines, and also a few machines that are on a network without access to the internet.

What is the alternative to WSUS and Windows Update?

Well, as I have to keep using a search engine to get this link, here it is:

This page links to a list of ISO images that contain the security patches for a given month.


Tips and Tricks - robocopy.exe and subinacl.exe

Ever wanted to copy a large file across the network and cope with resuming where you left off when the remote desktop session kills your copy?

Well now you can!

Robocopy is an excellent piece of kit, distributed as part of the windows resource kits for Windows 2k, XP Pro and 2003 Server.

Subinacl allows you to take ownership of your files in bulk!

Here is a neat trick from Solo Enterprises… I’ve stolen it (it copies the contents of a hard drive) and made some amendments below:


  • Windows 2000,XP Pro, 2003 Server
  • robocopy.exe- in the windows resource kits or download here (save as)
  • subinalc.exe- in the windows resource kits or download here (save as)


  • For this example we will assume that
  • robocopy.exe and subinacl.exe are in your local PATH
  • The C: drive is your main hard drive
  • I generally pull the harddrive out of the client computer and transfer the data from a workstion to our backup server using a removable drive tray.
  • the SOURCE is the F: Drive and is an NTFS file system. (if not NTFS, just remove the first line in the batch file below)
  • The SOURCE is NOT the partition that is running Windows currently.
  • the destination is a mapped network folder T:\test

Install both of these and then create a new text file called robocopy.cmd on your desktop.

Line 1 will use subinacl to take ownership of all the file on the SOURCE and give Everyone Full Control of the files and folders. I had to do this because some security settings will cause a failure copying files. Especially ones in application data and local settings.

start /wait subinacl.exe /errorlog="C:\errorlog.txt" /nostatistic
/subdirectories F: /Owner=user@machine.local /grant=Everyone=F

  • start /wait subinacl .exe //this starts the script and waits for it to complete before moving to the next line in the batch file
  • /errorlog="C:\errorlog.txt" //this saves an error log to the path specified
  • /nostatistic //this suppresses displaying the progress
  • /subdirectories //Makes it do all files and subdirectories in the path specified
  • F: //Path to hard drive
  • /Owner=user@machine.local //Who takes ownership of the files
  • /grant=Everyone=F //Grant Everyone Full Permissions
  • /objectexclude=*.tmp // no need wasting time on a file we aren’t going to copy.

Line 2 Will robocopy the entire contents of the harddrive expect: *.swp *.dmp *.tmp pagefile.sys hiberfil.sys "_RESTORE" "MSOCache" "Recycled" "RECYCLER" "Temporary Internet Files" "System Volume Information" "WUTemp"

I don’t copy those files because I have never run into a time when I needed anything in any the folders and it just wastes time to copy them.

start /wait robocopy.exe F:\ T:\test /E /ZB /COPY:DAT /IA:RASHNTCEO /X /V /FP /XF *.swp *.dmp *.tmp pagefile.sys hiberfil.sys /XD  "_RESTORE" "MSOCache" "Recycled" "RECYCLER" "Temporary Internet Files" "System Volume Information" "WUTemp" /R:1 /W:0 /LOG:"C:\robolog.txt" /TEE
  • start /wait robocopy .exe //this starts the script and waits for it to complete before moving to the next line in the batch file
  • F:\ //Source
  • T:\test //Destination

So now just double click robocopy.cmd on your desktop and away it goes…



Microsoft Support Lifecycle - .Net Framework 1.1, 2, 3 and SharePoint 2007 etc.

Just thought I’d post one last time before the new year as I want to be as far away from a computer as possible until the new year after today!

Microsoft Support Lifecycle policy provides consistent and predictable guidelines for product support availability at the time of product release. Microsoft will offer a minimum of 10 years support (5 years of Mainstream support and 5 years of Extended) for Business and Developer products.

For more detailed information on the policy or on lifecycle of a specific product, please go to the following web site:

Figure 1: the typical Microsoft application/product lifecycle

Microsoft publishes a document every quarter along with an excel spreadsheet.

The objective is to highlight the next main support deadlines (end of support and change of support phase) affecting the major products along with the updated MSL.xls file.

Key points:

Action you should have already taken:

.Net Framework 1.1 RTM and SP1 were officially mainstream retired on October 14th, 2008, however it has extended support until October 8th, 2013

Immediate action required:

Office 2007 RTM, SharePoint Portal Server 2007 RTM, Project Server 2007 RTM, Visio 2007 RTM will NO longer be supported from January 13, 2009. It is recommended to upgrade to Service Pack 1 as soon as possible before this date. I am not sure on the situation with WSS 3.0, if you know the score can you post it as a comment on this post :-)

.Net Framework 2.0 RTM will NO longer be supported from January 13, 2009. It is recommended to upgrade to Service Pack 1 as soon as possible before this date.

.Net Framework 3.0 RTM will NO longer be supported from January 13, 2009. It is recommended to upgrade to Service Pack 1 as soon as possible before this date.

Short term action required:

Windows Server 2003 SP1 and Windows Server 2003 R2 RTM (based on SP1) will NO longer be supported from April 14, 2009. It is recommended to upgrade to Service Pack 2 as soon as possible before this date.

All this information is delivered via a subscription that you can sign up for! As you can see, some of this information is really good to know to plan your future architectures and development strategies.

You can subscribe: here

There is also an excellent blog: here

Once again, Merry Christmas and a Happy New Year to you all.


The "The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly" saga… Part 2

We’ve looked into this in much detail… this is a continuation of a previous blog entry

If you are having similar issues, it worth looking at:

We’ve done all of the above…. hopefully today we’ll do a test and check to see if it has been resolved


When the Delegation tab is missing in Windows 2003 Active Directory Users and Computers

So you’ve been investigating Kerberos, and you’ve done the command ’setspn.exe’ setup (part of the Windows 2003 support tools install) of your Security Principle Names for your domain controller… but when you try to assign a user account some delegation rights… the damn delegation tab is missing!

The first thing to do is to check that your domain controller is operating in Windows 2003 mode. By default you’ll find your system will operate in the Windows 2000 compatible mode.

To do this, look at the screenshot below, you’ll need to go to active directory users and computers, right click on your domain, and click ‘Raise Domain Functional Level’


This will give you something like this:


This dialog box tells me that my domain controller is operating in the correct mode for the Delegation tab to be displayed in the active directory settings. If your server is running in Windows 2000 compatible mode, you’ll be given the option to raise it’s functional level - you should do this if you want the delegation tab to appear! I’m guessing, as I’ve never tried it out, that if you want the server to be a domain controller with Windows 2000 and lower machines it wont work when you change this setting, so beware, as once you’ve done it… there’s no going back!

And there you have it… my server now has a delegation tab:


I hope this helps you out, as when I googled for this issue, I found nothing… please add any links to more descriptive discussion of this issue you you know of any.



Problems Experienced with Windows 2003 Server SP2

Having had a visit from the nice fella from K2 [blackpearl] we discovered that our present network set up had a few issues.

K2 requires that we have Kerberos enabled on our Active Directory, we spoke to the guys who head up our network infrastucture and they assured us that Kerberos was enabled, and a KDC was available. Brilliant… K2 should just work then… well…. no actually.

We think,….. and it’s a big *think* that because our Domain Controllers are running Windows 2003 Server SP1… whilst our servers run SP2 (… because MOSS 2007 requires this as a prerequisite)… there are some incompatability issues.

Itwould seem that services that run as “LOCAL SYSTEM” pre SP2, but now run as “LOCAL SERVICE” under SP2. This is screwing with our Windows Time Service…. the Kerberos tokens are then expiring and not being renewed. This results in K2 not functioning correctly as it needs Kerberos to work!

Please comment on any of this, as I may have got the wrong end of the stick!

It’s not an option right now to upgrade our entire server infrastucture to SP2…. there are of course… many implications, and we have many applications to support, not only MOSS and K2.

We’ll keep digging and hopefully get to the bottom of this


Enabling Kerberos Authentication

Following the training course, its been put to me that we should really be using Kerberos for our authentication model, especially as its going to solve lots of the multi-hop authentication issues.

I need to look into how Service Principle Names (SPNs) are used.

The command:

setspn.exe -A HTTP/servername ADDomain\usernameidentityforapppool

Will enable kerberos authentication, once we’ve configured a web application that will utilise kerberos.

According to sources, NTLM and Kerberos will work together, with NTLM taking precidence when the Key Distribution Center (KDC) is unavailable or if a client machine has an unsyncronised clock.

There is a KB article on this subject:
Microsoft KB Article


You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.