SBS migration fails with error “This server has a trust relationship with Domain_name.local”

Method one in the article below resolved this issue for me. Seems to happen on Dells a fair bit.

This is related to Microsoft Knowledge Base article 909639.

Consider the following scenario. You perform a recovery or migration of Microsoft Windows Small Business Server 2003 (Windows SBS). Then, you try to join an existing domain, as described in Microsoft Knowledge Base article 884453, How to install Small Business Server 2003 in an existing Active Directory domain.
When you run an integrated setup in this scenario, you receive an error message that is similar to the following, where Domain_name.local is the name of the local domain:
This server has a trust relationship with Domain_name.local.
This problem occurs when the following conditions are true:
• The original Windows SBS installation was preinstalled by an OEM.
• The domain on which Windows SBS is installed has a second domain controller.
Note: Windows SBS does not support trusts. This article applies only if the error references your own domain and if that domain was originally preinstalled by the OEM.

This problem occurs because one of the domain GUIDs in the registry for Windows SBS is incorrectly referenced as part of the Windows SBS preinstallation process.

To resolve this problem, contact Microsoft Product Support Services.

As you can guess I called Microsoft. After being on hold for a while I went to my plan B and was able to resolve the original server issues.

But the resolution for the issue came today after I called MS again and they gave me the answer.

Method 1: Bypass the trust check
1. Start the Windows SBS integrated setup process from the Windows SBS CD-ROM.
2. Cancel the setup process.
3. Locate the Sitxxxx.tmp folder in the system temp folder (%temp%).
Note: The xxxx represents a random number that is generated by Setup.
4. In the Sitxxxx.tmp folder, use Notepad to open the Setup.sdb file.
5. In the Setup.sdb file, comment out the trust check line by typing a semicolon at the start of the line.
6. Save the file, and then quit Notepad.
7. Restart the Windows SBS integrated setup process from the Sitxxxx.tmp folder.

Method 2: Change the GUID on the replica domain controllers
1. Change the permissions for the SECURITY hive. To do this, follow these steps:
a. Start Registry Editor, and then expand HKEY_LOCAL_MACHINE.
b. Under HKEY_LOCAL_MACHINE, right-click SECURITY, and then click Permissions.
c. Under Group or User Names, click Administrators. Under Permissions for Administrators, click to select the Allow check box in the Full Control row, and then click OK.
d. Quit Registry Editor.

2. Find the Active Directory domain GUID. To do this, follow these steps:
a. On a domain controller on which the Windows Support Tools component is installed, open a command prompt.
b. Change to the following directory: Drive_letter\Program Files\Support Tools
c. At the command prompt, type nltest /domain_trusts /all_trusts /v, and then press ENTER.
d. From the output, record the domain GUID string. You can locate the domain GUID string in the line of output that starts with “Dom Guid:”. For example, the domain GUID string may appear as follows:
e. In this example, record the registry entry as follows:
f. Close the Command Prompt window.

3. On each domain controller, change the value of the following registry entry to the value that you recorded in step 2e:

Important: You must change this registry entry on all domain controllers. Make a system state backup of all computers on which you will make this registry change, and verify that the backups are usable before you proceed. You must also restart all domain controllers, member servers, and workstations after you make this registry change; the member servers and workstations have to restart to pick up the LSA GUID.

4. In Registry Editor, change the permissions on the SECURITY hive back to their original settings. Do not leave Administrators with Full Control on SECURITY: that hive holds the LSA policy and secrets, and its default ACL keeps even local administrators out of it for a reason.
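
Step 2 has you read the domain GUID off the nltest output by eye. The following is an added example, not part of the original post or the KB article, that parses “nltest /domain_trusts /all_trusts /v” into objects and, when run on a domain controller, compares the GUID it reports with the objectGUID of the domain naming context in Active Directory. The two are expected to agree on a healthy domain, so a disagreement is worth showing to Microsoft support before anyone touches the SECURITY hive. The sample output block is constructed (the names, GUID and SID are invented) so the parser can be tried offline; the Support Tools path is the 2003 default.

```powershell
# Added example: parse nltest /domain_trusts /all_trusts /v and cross-check the
# primary domain GUID against AD. Not the KB's procedure, a check alongside it.

function ConvertFrom-NltestTrusts([string[]]$Lines) {
    # nltest prints one numbered line per trusted domain; with /v it follows each
    # with indented "Dom Guid:" and "Dom Sid:" lines. Fold them into one object each.
    $domains = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+):\s+(\S+)\s+(\S+)\s*(.*)$') {
            $current = New-Object PSObject -Property @{
                Index = [int]$Matches[1]; NetBios = $Matches[2]; Dns = $Matches[3]
                Flags = $Matches[4]; Guid = $null; Sid = $null
                IsPrimary = ($Matches[4] -like '*(Primary Domain)*')
            }
            $domains += $current
        }
        elseif ($current -and $line -match 'Dom Guid:\s*([0-9a-fA-F-]{36})') { $current.Guid = $Matches[1] }
        elseif ($current -and $line -match 'Dom Sid:\s*(S-1-5-[0-9-]+)')      { $current.Sid  = $Matches[1] }
    }
    $domains
}

# Constructed sample of the /v output shape (names, GUID and SID are made up).
$sample = @'
List of domain trusts:
    0: CONTOSO contoso.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
       Dom Guid: 4f6e3c2a-1b0d-4e8f-9a7c-5d2e1f0a9b8c
       Dom Sid: S-1-5-21-1111111111-2222222222-3333333333
The command completed successfully
'@ -split "`r?`n"

$primary = ConvertFrom-NltestTrusts $sample | Where-Object { $_.IsPrimary }
'Sample: primary domain {0} has Dom Guid {1}' -f $primary.Dns, $primary.Guid

# Live run on a DC. nltest.exe lives in the Support Tools folder on 2003.
$nltest = Join-Path $env:ProgramFiles 'Support Tools\nltest.exe'
if (Test-Path $nltest) {
    $live        = ConvertFrom-NltestTrusts (& $nltest /domain_trusts /all_trusts /v)
    $livePrimary = $live | Where-Object { $_.IsPrimary }

    # objectGUID of the domain NC, as reported by AD itself.
    $domainNc = [ADSI]('LDAP://' + ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $adGuid   = $domainNc.psbase.Guid.ToString()

    'nltest Dom Guid : {0}' -f $livePrimary.Guid
    'AD objectGUID   : {0}' -f $adGuid
    if ($livePrimary.Guid -ne $adGuid) {
        Write-Warning 'LSA (nltest) and AD disagree on the domain GUID; record both before changing anything.'
    }
}
```

Run it on each DC in turn: the KB’s point is that the value must end up identical on every domain controller, so a per-DC printout of both GUIDs is the evidence you want to keep alongside the system state backups.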

Reset HP iLO Administrator Password

So I forgot the iLO password… and rather than opening up the machine and flipping the switch thingy, I gave the advice in this article a whirl… and what do you know, it worked fine!

And for those running 2003 64-bit, you can grab the Lights-Out Online Configuration Utility from here.

VB Script to check disk space and email results

Here is a script I hacked together that checks the disk space on your servers and emails the result to an address. It can be scheduled with Windows Task Scheduler.

- Needs to be run under administrative rights: by default the remote WMI queries only work for an account that is a local administrator on each server listed, and the scheduled task will store that account’s password. Use a dedicated account with admin rights on just those servers rather than a domain admin, and bear in mind the report goes out as plain text over SMTP port 25.

' Sample code for monitoring Windows disk space
'
' This script reports the free space on all fixed drives of the servers
' listed in the Servers array. The report is sent as a plain-text e-mail
' to the address in MailTo.
'
' This sample can be used in a production environment to set up an
' unattended disk utilisation report system.
'
' Modified from the original by Adiscon
' Modified by Burnsie

Option Explicit

' ---- Settings: fill these in before scheduling the script ----
Const MailServer     = ""      ' SMTP relay to use (name or IP)
Const MailServerPort = 25      ' SMTP port used at the mail server (25 is default)
Const MailFrom       = ""      ' sender address
Const MailTo         = ""      ' recipient address
Const ClientName     = "Client Name"

' Servers to report on. The account running the script needs WMI/DCOM
' rights on each of them (local Administrators by default on 2003).
Dim Servers
Servers = Array("Server1", "server2", "server3", "server4")

' Win32_LogicalDisk.DriveType = 3 is a local fixed disk; network drives (4)
' and removable media (2) are skipped. (The FileSystemObject drive-type
' constants in the original script used a different numbering and were unused.)
Const HARD_DISK = 3

' Send a mail message through the configured SMTP relay using CDO
Sub SendMail(Sender, Recipient, Subject, Message)
    Dim objMessage, cfg
    Set objMessage = CreateObject("CDO.Message")
    objMessage.Subject  = Subject
    objMessage.From     = Sender
    objMessage.To       = Recipient
    objMessage.TextBody = Message

    Set cfg = objMessage.Configuration.Fields
    ' cdoSendUsingPort (2): deliver over the network to a remote SMTP server
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    ' Name or IP of the remote SMTP server
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = MailServer
    ' Server port (typically 25)
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = MailServerPort
    cfg.Update

    objMessage.Send
End Sub

' Get the current computer name (from the process environment variables)
Function GetCurrentComputerName
    Dim oWsh, oWshSysEnv
    Set oWsh = WScript.CreateObject("WScript.Shell")
    Set oWshSysEnv = oWsh.Environment("PROCESS")
    GetCurrentComputerName = oWshSysEnv("COMPUTERNAME")
End Function

' Build one report section listing the free space on each fixed disk of strComputer.
' An unreachable server produces an ERROR line instead of killing the whole report.
Function DiskReport(strComputer)
    Dim objWMIService, colDisks, objDisk, str
    str = "Server: " & strComputer & vbCrLf

    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        DiskReport = str & "  ERROR: could not connect to WMI (" & Err.Description & ")" & vbCrLf
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    Set colDisks = objWMIService.ExecQuery _
        ("Select * from Win32_LogicalDisk Where DriveType = " & HARD_DISK)

    For Each objDisk In colDisks
        str = str & "Disk: " & objDisk.DeviceID & vbTab
        str = str & " Free Disk Space: " _
            & FormatNumber(CLng(objDisk.FreeSpace / 1024 / 1024), 0, , , -1) & " MB" & vbCrLf
    Next

    DiskReport = str
End Function

' ---- Begin main code ----
Dim strReport, strServer
strReport = ""

For Each strServer In Servers
    strReport = strReport & DiskReport(strServer) & vbCrLf
Next

strReport = strReport & vbCrLf & "Disk Space script hacked together by Burnsie and his good friend Google"

' Send the email
SendMail MailFrom, MailTo, ClientName & " " & GetCurrentComputerName() & ": Drive Space Report", strReport

This code sends an email to the specified address that looks like this:

SUBJECT: Client Name: Drive Space Report
Server: server11
Disk: C: Free Disk Space: 10,219 MB
Disk: D: Free Disk Space: 39,387 MB

Server: server2
Disk: C: Free Disk Space: 1,920 MB
Disk: D: Free Disk Space: 9,875 MB
Disk: F: Free Disk Space: 17,207 MB
Disk: M: Free Disk Space: 9,875 MB

Server: server3
Disk: C: Free Disk Space: 8,857 MB
Disk: D: Free Disk Space: 6,320 MB
Disk: E: Free Disk Space: 28,497 MB
Disk: F: Free Disk Space: 16,437 MB

Server: server4
Disk: C: Free Disk Space: 35,073 MB
Disk: E: Free Disk Space: 731 MB

Disk Space script hacked together by Burnsie and his good friend Google

JRNL_WRAP_ERROR on Single Domain Controller environment

When faced with the following issue in a single domain controller environment:

The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR.

Replica root path is : “c:\windows\sysvol\domain”
Replica root volume is : “\\.\C:”
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume “\\.\C:” has been formatted.
[2] The NTFS USN journal on volume “\\.\C:” has been deleted.
[3] The NTFS USN journal on volume “\\.\C:” has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on “\\.\C:”.
Setting the “Enable Journal Wrap Automatic Restore” registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run “net stop ntfrs” followed by “net start ntfrs” to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

Perform the following steps:

To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.

When the FRS service restarts, the following actions occur:
• The value for BurFlags registry key returns to 0.
• Files in the reinitialized FRS folders are moved to a Pre-existing folder.
• The FRS database is rebuilt.
• The member performs an initial join of the replica set from an upstream partner or from the computer that is specified in the Replica Set Parent registry key if a parent has been specified for SYSVOL replica sets.
• The reinitialized computer performs a full replication of the affected replica sets when the relevant replication schedule begins.
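
The same reset, driven from PowerShell and checked afterwards rather than watched in regedit. This is an added example, not part of the original post: the service name, registry key and D2 value are the ones from the steps above, the NTBackup path is an assumption, and the FRS event IDs in the last step are quoted from memory and should be checked against your own File Replication Service log.

```powershell
# Added example: nonauthoritative FRS reinitialisation (BurFlags = D2) with verification.

$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# The key name contains a forward slash, which the HKLM: provider treats as a path
# separator, so go through the .NET registry API instead of Get/Set-ItemProperty.
function Get-BurFlags {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $false)
    try { [int]$k.GetValue('BurFlags', 0) } finally { $k.Close() }
}
function Set-BurFlags([int]$Value) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    try { $k.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $k.Close() }
}

# 1. System state backup first (NTBackup is what 2003 ships with). Path is an assumption.
$bkf = "$env:SystemDrive\Backup\systemstate-$(Get-Date -Format yyyyMMdd-HHmmss).bkf"
New-Item -ItemType Directory -Path (Split-Path $bkf) -Force | Out-Null
& ntbackup.exe backup systemstate /J 'Pre-BurFlags' /F $bkf

# 2. Stop FRS, set D2 (nonauthoritative; D4 would be authoritative), start FRS.
Stop-Service NtFrs
Set-BurFlags 0xD2
Start-Service NtFrs

# 3. FRS clears BurFlags back to 0 once it has acted on it; wait for that.
$deadline = (Get-Date).AddMinutes(10)
while ((Get-BurFlags) -ne 0 -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }
'BurFlags now: 0x{0:X}' -f (Get-BurFlags)

# 4. SYSVOL and NETLOGON are withdrawn until the replica set rejoins; confirm they are back.
& net.exe share | Select-String 'SYSVOL|NETLOGON'

# 5. Recent FRS events (IDs from memory, verify against your log):
#    13565 = nonauthoritative restore under way, 13516 = SYSVOL initialised and shared,
#    13568 = the journal wrap has recurred.
Get-EventLog -LogName 'File Replication Service' -Newest 30 |
    Where-Object { 13565, 13516, 13568 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, @{n='Message'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize
```

One caveat for the single-DC case this post is about: the initial join described above wants an upstream partner, and a lone DC has none. Keep the Pre-existing folder until SYSVOL and NETLOGON are shared again and populated; if they never come back, the authoritative flag (D4) is the alternative, with the Pre-existing copy as your source data.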

Promoting a Domain Controller over an IPSEC VPN

Over the weekend I was involved in joining a Windows 2003 server in the US to our domain here in Sydney over an IPsec VPN. Due to the MTU limitations imposed by the T1 connection and the additional overhead of the IPsec encryption, machines could join the domain, but every attempt to promote one to a Domain Controller failed.

It seemed to be a packet size issue due to the low MTU (1410). This article from Microsoft describes the problem:

I’ll quote the section which describes the issue and the fix;

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order. If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
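
The following is an added example, not from the original post or the Microsoft article: it first measures the path MTU across the tunnel (so you know fragmentation really is in play before changing Kerberos transport) and then applies the MaxPacketSize = 1 change on the machine being promoted, which is the “client” whose Kerberos traffic is large. The DC name is a placeholder; ping.exe’s -f and -l switches and the registry path are standard.

```powershell
# Added example: confirm the small path MTU, then force Kerberos over TCP.

function Find-PathMtu {
    param([string]$Target, [int]$Low = 548, [int]$High = 1472)
    # Binary-search the largest ICMP payload that crosses with DF (don't fragment) set.
    # ping -l gives the payload size; add 28 bytes (20 IP + 8 ICMP) for the on-wire MTU.
    while ($Low -lt $High) {
        $mid = [int][Math]::Ceiling(($Low + $High) / 2)
        $out = (& ping.exe -n 1 -f -l $mid $Target 2>&1) -join "`n"
        # A genuine echo reply carries "bytes=<n> time"; "needs to be fragmented" or a
        # timeout means this size is too large (or the path is lossy, so re-run to confirm).
        if ($out -match 'bytes=\d+ time') { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28
}

$dc  = 'sydney-dc1.corp.example'   # assumed name of a DC on the far side of the tunnel
$mtu = Find-PathMtu -Target $dc
'Path MTU to {0}: {1} bytes' -f $dc, $mtu
if ($mtu -lt 1500) { Write-Host 'Kerberos UDP replies carrying a large PAC will fragment on this path.' }

# Force Kerberos over TCP (the KB's fix). The Kerberos\Parameters key may not exist
# yet; New-Item -Force creates the whole path.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
New-ItemProperty -Path $kerbKey -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back. A reboot is still required before the Kerberos client honours it.
Get-ItemProperty -Path $kerbKey -Name MaxPacketSize
```

If the MTU probe reports 1500 the fragmentation story does not hold for that path and the promotion failure needs a different explanation; the registry change is harmless but will not fix it.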

This was a much better solution than building the DC in Sydney, and then shipping it over!


System Restore under Windows Server 2003

Thanks to gosh, who posted a guide on how to install System Restore on a Windows 2003 server. We have quoted the post for further reference in case the original thread gets removed.

This thread describes how to install System Restore on Server 2003. It is not a thread for talking about WHY you might want to do this, that belongs to another thread :)

Below I will show how to do this after Server 2003 is installed. I haven’t tried slipstreaming this, but I imagine it could be done easily. If there’s enough interest I might show how to slipstream System Restore into Server 2003.

Before we begin, you’ll need an XP CD. Doesn’t matter if it’s Home or Pro. It shouldn’t matter if it has a service pack on it, since all the files will be the same source. In testing I used a slipstreamed CD that already had SP1 on it.

In XP, System Restore is installed in syssetup.inf under the inf.always section. If you have XP installed, you can open up %windir%\inf\syssetup.inf and search for [Infs.Always]; you’ll see the section XP looks at for installing system components. You’ll notice it has sr.inf, this is the inf for System Restore. For Server 2003, if you look at syssetup.inf you won’t find sr.inf. This doesn’t mean System Restore won’t work in Server 2003, it just means they didn’t install it.

So first what we’re going to need to do is right-click on sr.inf and select ‘Install’, to install it on Server 2003. If you have XP installed on another computer/partition you can just right-click on it. If you don’t, then extract \i386\sr.in_ from the XP CD to your desktop, then right-click on it and select ‘Install’. It’ll prompt you where the files are; point it to the XP CD. Once done, it’ll prompt to restart, say yes.

That was easy, the next part is the tricky part. After restarting you’ll get an error saying the service couldn’t start. Specifically the error is error 1068. I searched Google and found this link. The error basically means it cannot run under the service it’s on. In System Restore’s case, it runs under the network service. I know this because in services.msc, for path to executable, it says this: C:\WINDOWS\system32\svchost.exe -k netsvcs. This got me thinking so I opened up sr.inf, and found this line:

HKLM,”Software\Microsoft\Windows NT\CurrentVersion\SvcHost”,”SRGroup”

I opened up regedit, and this registry key didn’t exist. So it seems the sr.inf doesn’t register System Restore to run under the network services group. Using the above registry key as an example, I opened regedit and went to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

On the right-hand side I saw netsvcs. I double-clicked on it, but saw SRService nowhere (SRService is the name for System Restore). On a hunch, at the bottom I added SRService, rebooted, and this time got no error on startup. I opened up rstrui.exe, and System Restore opened fine. I also had a System Restore tab in System Properties now too. I was able to make a restore point fine, then restore the computer to it without any problems. So in the above key, you want to double-click on netsvcs, and at the bottom of the list, you want to type in SRService (probably case sensitive).

If you’re not good with the registry you can save the following as a whatever.reg file and import it, but because it’s binary I can’t say if it’ll work. I recommend manually adding SRService to the netsvcs key.

—copy below to whatever.reg then double click on it —–

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

— copy above ——————————————————–

That’s it! Remember to restart both times.
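
The netsvcs value is a REG_MULTI_SZ, which is why the .reg export in the quoted post came out as binary. The following is an added example, not part of gosh’s post, that appends SRService to that list from PowerShell: it exports the key first so the change can be reversed, skips the edit if the entry is already there, and checks that the service really is configured with “-k netsvcs” before touching the group list. Key path and service name are the ones from the post; the backup location is an assumption.

```powershell
# Added example: add a service to a svchost group list (REG_MULTI_SZ) idempotently.

$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

function Add-SvcHostGroupMember {
    param([string]$Group = 'netsvcs', [string]$ServiceName = 'SRService')

    # Read the multi-string as an array even if it currently has a single entry.
    $members = @((Get-ItemProperty -Path $svcHostKey -Name $Group).$Group)
    if ($members -contains $ServiceName) {
        Write-Host "$ServiceName is already listed in $Group"
        return $false
    }

    # Keep a copy of the key before changing it. reg.exe will not overwrite an
    # existing file, so the name carries a timestamp.
    $backup = Join-Path $env:TEMP ('svchost-{0}.reg' -f (Get-Date -Format yyyyMMdd-HHmmss))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' $backup | Out-Null
    Write-Host "Exported SvcHost key to $backup"

    Set-ItemProperty -Path $svcHostKey -Name $Group -Value ($members + $ServiceName) -Type MultiString
    return $true
}

# Cross-check: the service's own ImagePath must name the same group, otherwise adding
# it to netsvcs does nothing (and a mismatch is worth noticing on any box).
$srKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SRService'
$imagePath = (Get-ItemProperty -Path $srKey).ImagePath
if ($imagePath -notmatch '-k\s+netsvcs') {
    throw "SRService ImagePath is '$imagePath', not a netsvcs host; not changing the group"
}

if (Add-SvcHostGroupMember -Group 'netsvcs' -ServiceName 'SRService') {
    Write-Host 'Added SRService to netsvcs; reboot so svchost re-reads the group list'
}
```

Review the exported .reg before and after on any server where this list is edited: the svchost group values decide which service DLLs get loaded into a shared process, so unexpected entries there deserve a look regardless of System Restore.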

Outlook 0x9004010f error

When trying to add an Exchange account to Outlook 2003, the error code “0x9004010f” may appear.

Try the following. (Windows XP only)

Solution 1
1) Click the Start menu, then Control Panel
2) Select “Mail”
3) Select “Show Profiles”
4) Remove any profiles that are currently listed. (Ensure you have backed up your mail first.)
5) Select “Add” and give your profile a new name.
6) The Outlook E-mail Accounts dialog will now appear; follow the prompts to set up your Exchange mailbox as usual.

Printer Migration Tool

FYI, extremely useful tool for migrating network printers. You run this tool on the source server and run a “backup”. It dumps all printer settings into a single .cab file. On the target machine you do a “restore” from the .cab and it recreates the printers exactly the same on the target server. It copies drivers, ports, share names, permissions… everything.
Read more at the Microsoft Website

New “features” of RPC over HTTPS for Exchange 2003 introduced in SP2

On the client end, when entering the “Exchange server” address you need to put in the internal FQDN, e.g. the server’s name in mydomain.local, even if you are outside the network and it cannot be resolved. THEN you put the external FQDN in the “Connection” tab (Exchange Proxy Settings). Once the connection has been made to the RPC proxy on IIS, Outlook uses the information in the “Exchange server” field to reach the Exchange server.

Information in this article works fine


Microsoft implemented a new security feature (I am assuming) whereby, in order to connect to an RPC-proxy-enabled Exchange server from the Internet via an HTTPS tunnel, you first need to create the Outlook profile in-house on the client’s LAN (or via VPN if possible), where it can talk to the Exchange box on standard RPC (TCP 135); only then will it let you connect via RPC over HTTPS externally…

Just so you don’t waste 5 ½ hours of your life like I just did. :)


“You may not be able to create a new profile or edit an existing profile if the client is not on the LAN with access to the Exchange Server using RPC via TCP 135. The profile has to be configured to use RPC over HTTP while the client is connected to the internal network and can access the Exchange Server via TCP port 135. If you are using ISA 2004, the publishing rule that was created to allow RPC over HTTPS takes care of this concern, however if you are using a different firewall you need to be aware of this.”

You do not have permission to send to this recipient

When granting another user access to an Exchange mailbox you must also grant them “Send on Behalf” permission, otherwise they will get the following error when they try to reply to mail in the other user’s mailbox:

“You do not have permission to send to this recipient.”

The fix is to grant the user “Send on Behalf” rights on the mailbox owner’s account:

1) Open Active Directory Users and Computers
2) Right-click the mailbox owner’s user name and select Properties
3) Select the “Exchange General” tab
4) Click the “Delivery Options” button
5) Under “Send on behalf”, click the “Add” button
6) Enter the user you wish to grant sending/replying permission to
7) Click OK

The user should now have permission to send email on behalf of the mailbox owner.

Note: If you want it to look like you are the person you are sending on behalf of (the separate “Send As” right, which makes the message indistinguishable from one the owner sent), use this link.

Modifying Regional Settings

Did you install Windows with the incorrect regional settings, only to find that if you modify them after the install, they don’t change?!

Under Control Panel, Regional Settings, Advanced tab, make sure you tick the checkbox that says

“Apply all settings to the current user and to the default user profile”

Active Directory LDAP Query Fields

LDAP Query Fields

cn: Common Name (for a user, usually givenName followed by sn)
displayName: Display Name
givenName: Given/First Name
sn: Surname
homeDrive: Home drive letter
c: Country or Region (two-letter code, e.g. AU)
company: Company or organisation name
homePhone: Home phone number
l (lower-case L): Locality, i.e. City (maybe the office location)
manager: Boss/manager (stored as the DN of the manager’s user object)
mobile: Mobile phone number
objectClass: Usually user or computer
o: Organisation name. The organisational unit is ou; see also distinguishedName (DN)
postalCode: Zip or post code
st: State, Province or County
streetAddress: First line of address
telephoneNumber: Office phone
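
Two of the items on this page touch the same user objects: the “Send on Behalf” fix above, and this list of LDAP fields. The following is an added example, not part of the original posts, that serves both: one DirectorySearcher helper that escapes the filter value (so a crafted account name cannot rewrite the query), a function that returns the attributes listed above for a user, and a function that grants send-on-behalf by appending the delegate’s DN to the mailbox owner’s publicDelegates attribute, which is the attribute the Delivery Options dialog writes. Account names are placeholders; run it on a domain member with an account that can read, and for the grant write to, the user objects involved.

```powershell
# Added example: safe LDAP lookups for the fields listed above, and a scripted
# "Send on Behalf" grant via the publicDelegates attribute.

# RFC 4515 escaping. Without it a value such as "*)(objectClass=*" changes the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-UserResult([string]$SamAccountName, [string[]]$Properties) {
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    if ($Properties) { $searcher.PropertiesToLoad.AddRange($Properties) }
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User '$SamAccountName' not found" }
    $hit
}

# The fields from the list above, read back as one object (multi-valued ones joined).
$ldapFields = 'cn','displayName','givenName','sn','homeDrive','c','company','homePhone','l',
              'manager','mobile','objectClass','o','postalCode','st','streetAddress','telephoneNumber'

function Get-UserLdapFields([string]$SamAccountName) {
    $hit = Find-UserResult $SamAccountName $ldapFields
    $row = New-Object PSObject
    foreach ($f in $ldapFields) {
        $v = $hit.Properties[$f.ToLower()]      # SearchResult property keys are lower-cased
        $row | Add-Member NoteProperty $f ($(if ($v) { @($v) -join '; ' } else { '' }))
    }
    $row
}

# Grant send-on-behalf: append the delegate's DN to the owner's publicDelegates.
function Grant-SendOnBehalf([string]$MailboxOwner, [string]$Delegate) {
    $owner      = (Find-UserResult $MailboxOwner).GetDirectoryEntry()
    $delegateDn = [string](Find-UserResult $Delegate 'distinguishedName').Properties['distinguishedname'][0]

    $list = $owner.psbase.Properties['publicDelegates']
    if (@($list.Value) -contains $delegateDn) { return $false }   # already granted
    [void]$list.Add($delegateDn)
    $owner.psbase.CommitChanges()
    return $true
}

function Get-SendOnBehalf([string]$MailboxOwner) {
    @((Find-UserResult $MailboxOwner 'publicDelegates').Properties['publicdelegates'])
}

Get-UserLdapFields 'jsmith' | Format-List
if (Grant-SendOnBehalf -MailboxOwner 'jsmith' -Delegate 'asst') { 'granted' } else { 'already present' }
Get-SendOnBehalf 'jsmith'
```

Get-SendOnBehalf is the audit half: listing publicDelegates across the mailboxes that matter tells you who can send mail in whose name, which is the kind of grant that tends to outlive the assistant it was made for.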