technical solutions and commentary

November 12, 2005

Office 2000 Server Extensions don’t work on Windows 2003 for users

Filed under: Office — Jason Hartley @ 3:21 pm

This is an issue I ran into a couple of years ago. I suspect using Office 2000 Server Extensions (the predecessor to SharePoint Team Services) is rare, but may still happen. This took MS Support about 4 days, and about 6 hours on the phone to come up with a fix. So hopefully this will still help someone that runs into this or something like it.

Users get an error message when they try and access a page with dynamic content provided by the Office 2000 Server extensions on a Windows 2003 Server. This is because of the changes made in Windows 2003 to how IIS handles security by default.

“70:Permission denied This Virtual Directory cannot be accessed. This error can be caused if
Directory browsing has not been enabled for the directory, or if read Permissions have not been set. Please contact the Web server’s Administrator if the problem persists.”

The administrator can access the dynamic content without any problem.

To resolve this:

  • Follow the steps in Microsoft KB 307240.
  • Add the needed users to the IIS_WPG group.
  • Allow directory browsing permission on the directory which was giving the permission error.
  • Restart the IIS services.

    Server Upgrade Server Name Doesn’t Update Properly

    Filed under: Uncategorized — Jason Hartley @ 3:16 pm

    Sometimes when you are upgrading an NT 4 DC to Windows 2000/2003, the computer name will not change properly. The server name may update to not include the full domain, such as:

    Full Computer Name: srvnt1.myco.
    Domain: myco.local

    In order to enable DNS to function properly on this upgraded machine, the computer name must be a FQDN. The only supported option to fix this issue is to (1) demote this machine as a Domain Controller, (2) change the computer name, and (3) promote the server again. This is fine if you have more than one Windows 2000/2003 Domain Controller. If you only have a single Domain Controller, or even a single server, this is not really an option.

    There is a VB script that will assist with fixing the server name, in this scenario. As far as I know, using this script to modify the server name is not supported by Microsoft. Make sure your backups are good before using this script, just in case you have any problems. After running the script you will have to reboot your server.

    After you run the script, your computer name should look like this:

    Full Computer Name: srvnt1.myco.local
    Domain: myco.local

    The script can be found here.

    Move from per device to per user TS CALS

    Filed under: Uncategorized — Jason Hartley @ 3:12 pm

    With the changes made to the new TS license options this last year (user or device based CALs), you may need to modify the Terminal Services License Configuration if you moved to the per user based model. Microsoft allows a one time change if you already bought per device CALs and want to switch to per user CALs. In order to make that change on the TS license server, modifications need to be made to the registry.

    To change licensing back to per user or to set it to per user via the registry, see MS KB 834651.

    This doesn’t apply directly to the modification of the TS CAL type. However, a TS server occasionally will lose the ability to auto locate TS license servers on the domain. To overcome this issue if it arises, you can see

    To force connection to a specific license server:

  • Windows Server 2003 Terminal Services MS KB 279561
  • Windows Server 2000 Terminal Services MS KB 239107

    Start Menu Redirection Problems with Windows 2003

    Filed under: Uncategorized — Jason Hartley @ 3:06 pm

    In Windows 2000 Terminal Services, one of the recommendations to control user program access was to redirect the ‘Start Menu’ to a file share on the network. The menu folders and icons were then placed in this folder and users given access to read the folder. The GPO for the Terminal Server was then modified to use Start Menu redirection to use this share.

    If this redirection is implemented on Windows 2003 Terminal Services, the user will be prompted to ‘Open’ or ‘Cancel’ when they click a program icon from the Start Menu. There is a workaround to fix this behavior on Windows 2003 Terminal Services, found in Microsoft KB 303650 - “Intranet site is identified as an Internet site when you use an FQDN or an IP address”.

    Can’t join domain if DC has 2 NICs

    Filed under: Uncategorized — Jason Hartley @ 3:04 pm

    When attempting to join a server (client applies here too) to the domain there may be problems if the DC that the machine is trying to authenticate against has 2 network cards. You may receive an error such as, “Error Validating the domain name or no domain controllers available to logon” or even something like this: “the following error occurred validating the domain name mycompany.com the following server either does not exist or could not be contacted.”

    The cause of this is invalid NetBIOS entries for the Domain Controller, either registered with WINS or resolving improperly using computer browsing. The client machine ends up querying the wrong IP address for DNS or NetBIOS resolution to process the logon request.

    Working through these error messages, we discovered that network traces revealed that the queries were being made to two IP addresses. In order to resolve this issue you need to (1) disable the second network card (this may be able to be skipped), (2) change the Binding settings to move the primary network card to the top of the binding order, (3) restart the DC, and (4) on the client side flush the DNS and NetBIOS cache, and join the domain.

    Exchange Backup Problems

    Filed under: Uncategorized — Jason Hartley @ 3:02 pm

    Backup software will not run on Exchange 2000. This issue occurred by following an outdated Microsoft whitepaper on hardening your Exchange and Windows environment, specifically related to hosting multiple companies, or divisions, on a single Exchange organization. To fix this and a few other issues with running Exchange processes, a group had to be added back into the environment. This was entered on the command line to update the security groups:

    NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /add

    This resolved the issue of the backup software (NetBackup) not running against the Exchange Information Store. I believe the software had issues because it couldn’t read all of the Lists in the GAL, but I could be wrong on that.

    Disable auto hidden shares in Windows

    Filed under: Uncategorized — Jason Hartley @ 2:59 pm

    By default Windows NT/2000/2003 automatically creates shares such as C$, ipc$, admin$. If you disable these using the GUI and reboot the server, they are automatically shared again. There is a way to change this behavior. To disable AutoShares in Windows 2000/2003 Server, add a ‘DWORD’ entry with a value of 0 to the key:

    (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters)
    'AutoShareServer=0'

    Reboot the server.

    Directory Access Tab in Exchange doesn’t list all DC’s

    Filed under: Uncategorized — Jason Hartley @ 2:58 pm

    In looking at an Exchange implementation, I noticed that all the Domain Controllers in the environment were not listed in the Directory Access tab in Exchange System Manager. This may not seem like a big deal at first glance. But if there are only two DCs on the network, users may not be able to use the Exchange server if the DC that is listed in the Directory Access tab is being rebooted or down for maintenance.

    This issue may also point to the bigger issue of replication between domain controllers not functioning correctly. I ran into this when a system state restore was performed on a DC to recover an object and the other DC wasn’t replicating the changes.

    I found that there was a registry value enabled that prevented DNS from being dynamically updated.

    (HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID of virtual NIC}\DisableDynamicUpdate)

    This is an issue even if you use a statically assigned IP address and static A record for the server. This is likely because the Net Logon service on a DC needs to update its SRV and location records at startup and at scheduled intervals. By enabling dynamic updates through the registry (it may not display the correct property in the GUI) and rebooting the server, the issues described were resolved.
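
The registry check described above, as an added example that is not part of the original post: a read-only audit that lists every interface key with its DisableDynamicUpdate value and addresses, so the affected GUID can be identified without relying on the GUI. It assumes PowerShell 3.0 or later in an elevated session on the DC; the function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes PowerShell 3.0+ and an elevated session on the domain controller.
$InterfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsDynamicUpdateState {
    # One row per interface GUID, with its addresses so the GUID can be
    # matched to the physical or virtual NIC it belongs to.
    Get-ChildItem -Path $InterfacesKey | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        $names = $props.PSObject.Properties.Name

        # The value is normally absent; only an explicit 1 blocks registration.
        $flag = $null
        if ($names -contains 'DisableDynamicUpdate') {
            $flag = [int]$props.DisableDynamicUpdate
        }

        # Static addresses are stored in IPAddress (multi-string),
        # DHCP-leased ones in DhcpIPAddress.
        $addrs = @($props.IPAddress) + @($props.DhcpIPAddress) |
            Where-Object { $_ -and $_ -ne '0.0.0.0' }

        [pscustomobject]@{
            InterfaceGuid        = $key.PSChildName
            Addresses            = ($addrs -join ', ')
            DisableDynamicUpdate = $flag
            RegistersInDns       = ($flag -ne 1)
        }
    }
}

function Enable-DnsDynamicUpdate {
    param([Parameter(Mandatory)][string]$InterfaceGuid)
    # Write an explicit 0 instead of deleting the value, so the change
    # stays visible to later audits.
    Set-ItemProperty -Path (Join-Path $InterfacesKey $InterfaceGuid) `
        -Name DisableDynamicUpdate -Value 0 -Type DWord
}

# Show only the interfaces where dynamic update is switched off.
Get-DnsDynamicUpdateState |
    Where-Object { -not $_.RegistersInDns } |
    Format-Table -AutoSize

# After confirming the GUID belongs to the DC's production NIC:
# Enable-DnsDynamicUpdate -InterfaceGuid '<interface GUID from the table>'
# Then reboot, as the post describes.
```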

    November 11, 2005

    AD Replication problems after applying Windows 2003 SP1

    Filed under: Uncategorized — Jason Hartley @ 1:02 pm

    Active Directory (AD) replication was not working after applying Windows Server 2003 SP1 to a Domain Controller connected using VPN.

    Microsoft KB 899148 “Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers” assisted in resolving this issue.

    The article explains that the issue occurs because Windows Server 2003 SP1 adds support for some new transfer syntaxes to the RPC implementation. Firewalls and VPN products that do not permit more than one presentation context to be present in a bound RPC protocol data unit (PDU) may show either of the following symptoms:

  • Drop RPC frames on the network
  • Prematurely close connections from Windows Server 2003 SP1-based computers

    There are a couple of different options to resolve this issue:

  • Update the firewall.
  • Obtain a hotfix from MS Support to apply to the SP1 servers experiencing this issue then modify the registry as described in the KB article.

    DC Promo Errors / AD Replication Issues

    Filed under: Uncategorized — Jason Hartley @ 12:57 pm

    During Active Directory promotion of a DC you get an error that the operation failed because access is denied. Or you may have an issue where AD replication isn’t working, which could be related to the same thing.

    To resolve this we (1) removed the external DNS reference from the TCP/IP properties of the active network adapter and (2) corrected the user rights in the Default Domain Controllers Policy in the domain. We did this by changing the settings:

  • “Access this computer from the network” - Added Authenticated Users and Enterprise Domain Controllers
  • “Enable user and computer accounts to be trusted” - Added Administrators

    Related KB Articles:

  • “Access Denied” Error Message During Active Directory Promotion of Replica Domain Controller
  • When you run Dcpromo.exe to create a replica domain controller, you receive the “Failed to modify the necessary properties for the machine account. Access is denied.” error message
  • Replication Does Not Work After Upgrading to Windows 2000
  • Troubleshooting Active Directory Replication Problems

    Additional Resources for the most common Event ID errors:

  • Event ID 1925: Attempt to establish a replication link failed due to connectivity problem
  • Event ID 1925
  • Event ID 1865
  • Event ID 1311
  • Event ID 1566 AD
  • Event ID 1566 NTDS