My Virtual Business Card

Tuesday, October 22, 2013

Now promoted on The Master Blog

Today my blog got linked on “The Master Blog” – a website providing news and information from the Microsoft Certified Master (MCM) and the Microsoft Certified Solution Master (MCSM) team.

You can see it under the “Blogs – Directory Masters” section.

Saturday, October 19, 2013

How to use PowerShell (2.0/3.0) to retrieve AD FSMO roles

Recently I was asked whether one could easily retrieve the FSMO roles in an AD Forest/Domain.

The old school way of retrieving the FSMO roles using the command line is well documented here and summarized below:

Forest-wide roles:
dsquery server -forest -hasfsmo name
dsquery server -forest -hasfsmo schema

Domain-specific roles:
dsquery server -hasfsmo infr
dsquery server -hasfsmo pdc
dsquery server -hasfsmo rid

Single Command:
netdom query fsmo

With the introduction of the ActiveDirectory module in PowerShell 2.0, you can use the results from Get-ADDomain or Get-ADForest to easily extract the information. (Note: In PowerShell 3.0, it is not necessary to import the Active Directory module prior to running the command, as you need to in PowerShell 2.0.)

Forest-wide roles:

Domain-specific roles:

One thing to note is that the forest or domain targeted by the above cmdlets defaults to that of the security principal the PowerShell process is running under, which is usually the LoggedOnUser. To override the defaults and specify a different domain or forest, just supply the FQDN of a DC in the target domain/forest. I usually just use the target domain/forest FQDN instead, as it has DNS A records for read-write DCs by default. (Note: Use $Cred = Get-Credential to create an alternate PSCredential object and pass it via the -Credential flag to the cmdlets below if needed.)

So the modified cmdlets to use in such cases would be:
Forest-wide roles:
(Get-ADForest -Server ForestFQDN).DomainNamingMaster
(Get-ADForest -Server ForestFQDN).SchemaMaster

Domain-specific roles:
(Get-ADDomain -Server DomainFQDN).InfrastructureMaster
(Get-ADDomain -Server DomainFQDN).PDCEmulator
(Get-ADDomain -Server DomainFQDN).RIDMaster

If you want to retrieve the roles in one command, you could use:
Forest-wide roles:
Get-ADForest -Server ForestFQDN | format-list -Property DomainNamingMaster,SchemaMaster

Domain-specific roles:
Get-ADDomain -Server DomainFQDN | fl -Property InfrastructureMaster,PDCEmulator,RIDMaster
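
The cmdlets above can be combined into one inventory of all five role holders. This is an added example, not code from the original post; the function name `Get-FsmoRoleHolder` and its `-ForestFqdn`/`-DomainFqdn` parameters are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example, not from the original post. Written to run on PowerShell 2.0 and later.
Import-Module ActiveDirectory   # required on 2.0; 3.0 would auto-load it

function Get-FsmoRoleHolder {
    param(
        [string]$ForestFqdn,   # hypothetical parameter: target forest FQDN (or a DC in it)
        [string]$DomainFqdn,   # hypothetical parameter: target domain FQDN (or a DC in it)
        [System.Management.Automation.PSCredential]$Credential
    )

    # Pass -Server / -Credential only when supplied; with neither, the cmdlets
    # fall back to the forest/domain of the account running PowerShell.
    $forestArgs = @{}
    $domainArgs = @{}
    if ($ForestFqdn) { $forestArgs['Server'] = $ForestFqdn }
    if ($DomainFqdn) { $domainArgs['Server'] = $DomainFqdn }
    if ($Credential) {
        $forestArgs['Credential'] = $Credential
        $domainArgs['Credential'] = $Credential
    }

    $forest = Get-ADForest @forestArgs
    $domain = Get-ADDomain @domainArgs

    # Scope, directory name, role, current holder
    $rows = @(
        @('Forest', $forest.Name,    'DomainNamingMaster',   $forest.DomainNamingMaster),
        @('Forest', $forest.Name,    'SchemaMaster',         $forest.SchemaMaster),
        @('Domain', $domain.DNSRoot, 'InfrastructureMaster', $domain.InfrastructureMaster),
        @('Domain', $domain.DNSRoot, 'PDCEmulator',          $domain.PDCEmulator),
        @('Domain', $domain.DNSRoot, 'RIDMaster',            $domain.RIDMaster)
    )
    foreach ($r in $rows) {
        New-Object PSObject -Property @{ Scope = $r[0]; Name = $r[1]; Role = $r[2]; Holder = $r[3] } |
            Select-Object Scope, Name, Role, Holder
    }
}

# All five roles for the current forest/domain
Get-FsmoRoleHolder | Format-Table -AutoSize

# Roles grouped per DC, to see how concentrated the role holders are
Get-FsmoRoleHolder | Group-Object Holder |
    Select-Object Name, Count, @{ n = 'Roles'; e = { ($_.Group | ForEach-Object { $_.Role }) -join ', ' } }
```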

Friday, October 18, 2013

Microsoft has released hotfix KB2885698 to support Win 2012/Win 8.1 activation on legacy KMS hosts

You can download the hotfix at

Please note that the "Software Licensing Service" was renamed to the "Software Protection" service in Windows 2008R2. So the commands listed in the KB article need to be changed to reflect the new service name. Use "net stop sppsvc && net start sppsvc" instead.

Next, since everything is about PowerShell these days, I decided to document the set of commands to install the Windows 2012 R2 product key, activate the key, restart the Software Protection service, and verify KMS activation, all in PowerShell.

1. Install Product Key
    cscript $env:windir\system32\slmgr.vbs /ipk <KMS Key>

2. Activate New KMS Key
    cscript $env:windir\system32\slmgr.vbs /ato

3. Restart Software Protection Service
    Restart-Service -Name sppsvc -Verbose

4. Verify Software Protection Service Started
    Get-Service -Name sppsvc | fl

5. Verify KMS Host servicing clients and Windows 2012 R2 KMS key 
    cscript $env:windir\system32\slmgr.vbs /dlv

Sunday, August 12, 2007

Windows Update Agent Error Codes

The error codes below, which can be returned by the Windows Update Agent (WUA), are documented online. They help explain the cause of Windows Update failures.


Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - The proxy server or target server name cannot be resolved.


Same as HTTP status 400 – the server could not process the request due to invalid syntax.


Same as HTTP status 401 – the requested resource requires user authentication.


Same as HTTP status 403 – server understood the request, but declines to fulfill it.


Same as HTTP status 404 – the server cannot find the requested URI (Uniform Resource Identifier).


Same as HTTP status 405 – the HTTP method is not allowed.


Same as HTTP status 407 – proxy authentication is required.


Same as HTTP status 408 – the server timed out waiting for the request.


Same as HTTP status 409 – the request was not completed due to a conflict with the current state of the resource.


Same as HTTP status 410 – requested resource is no longer available at the server.


Same as HTTP status 500 – an error internal to the server prevented fulfilling the request.


Same as HTTP status 501 – server does not support the functionality required to fulfill the request.


Same as HTTP status 502 – the server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.


Same as HTTP status 503 – the service is temporarily overloaded.


Same as HTTP status 504 – the request was timed out waiting for a gateway.


Same as HTTP status 505 – the server does not support the HTTP protocol version used for the request.

Thursday, July 19, 2007

How to increase number of simultaneous downloads in Internet Explorer

I have always been frustrated by the limitation in the HTTP/1.1 specification (RFC 2616), which states:
"A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy."

Internet Explorer (IE) adheres to this specification of not maintaining more than two active connections. So when downloading content IE limits the user to two (2) simultaneous downloads and one (1) queued download.

Fortunately, you can get around this limitation with some registry tweaks. Please read KB282402 for more details.

To increase the number of active connections to say 12, do the following:
1. Start Registry Editor (Regedt32.exe).
2. Locate the following key in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
3. On the Edit menu, point to New, click DWORD Value, and then add the following registry values:

Value name: MaxConnectionsPer1_0Server
Value data: 12
Base: Decimal

Value Name: MaxConnectionsPerServer
Value data: 12
Base: Decimal

4. Quit Registry Editor.

Sunday, October 15, 2006

Restoring Quick Launch Toolbar in Windows XP

When you try to enable the Quick Launch toolbar from the task bar properties (shown on the right) and you get the error "Cannot create Toolbar", it most likely means that the Quick Launch folder is missing from its default location in the profile directory (which is at -> %Appdata%\Microsoft\Internet Explorer\Quick Launch).

Rather than try to recreate the folder and associated files manually, type the following command from Start, Run dialog:


ie4uinit.exe is the Internet Explorer Repair Tool (you can read about it here) and running the tool recreates the Quick Launch folder automatically if it is missing in the above location. After the repair, try to enable the Quick Launch bar.

Saturday, September 02, 2006

DCOM Error | 2A6D72F1-6E7E-4702-B99C-E40D3DED33C3

You may see the following error on a system that has a McAfee AV product installed after installing a Windows 2003 Service Pack. In this particular case, the system is EPO managed and the error can be resolved by either upgrading the Common Management Agent to the latest version (see here) OR by reinstalling the EPO agent.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: 9/3/2006
Time: 3:56:35 AM
User: N/A
Computer: GEAPENPC
Description: The launch and activation security descriptor for the COM Server application with CLSID {2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Sunday, August 27, 2006

Windows 2003 | SP1 | Highly recommended MTU patch that should be mandatory

I highly recommend that all Windows 2003 SP1 systems have the post-SP1 MTU patch (KB898060) mandatorily installed soon after Service Pack 1 is installed.

Unfortunately, Microsoft does not include this as a critical required hotfix for systems with just SP1 installed.

But it's been my experience that if you have systems distributed across the WAN or private VPN links (with custom MTU settings), then you will encounter the issues listed in the KB article. In addition, you may have issues browsing to certain websites without the hotfix.

You may download this hotfix here.

Friday, August 25, 2006

DNS | AD | Very useful pre-DCPROMO steps

Very often it is said that if you have an Active Directory (AD) issue, the first place to look to troubleshoot is DNS. This underlines AD's critical dependency on DNS.

Although DCPROMO has a lot of DNS checks built-in, I prefer to run preparatory tests to ensure the DNS infrastructure is ready to support a server's promotion to domain controller (DC) before running DCPROMO. To do so, you need dcdiag.exe, which is installed as part of the Windows 2003 Support Tools (click here to download).

The two tests I like to run are:

1] dcpromo
2] registerindns

See syntax below:

To test creating the first DC for a new forest, run
dcdiag /test:dcpromo /dnsdomain:[DOMAIN's FQDN] /NewForest

To test creating the first DC for a new child domain, run
dcdiag /test:dcpromo /dnsdomain:[DOMAIN's FQDN] /ChildDomain

To test creating the first DC for a new domain in an existing forest but in a new tree (domain DNS name does not contain forest root domain name), run
dcdiag /test:dcpromo /dnsdomain:[DOMAIN's FQDN] /NewTree /ForestRoot:[FOREST ROOT DOMAIN's FQDN]

To test adding a new DC to an existing domain, run
dcdiag /test:dcpromo /dnsdomain:[DOMAIN's FQDN] /replicadc

To test the ability to dynamically register the DC's name in DNS (in other words ensuring dynamic DNS is available), run
dcdiag /test:registerindns /dnsdomain:[DOMAIN's FQDN]

C:\Program Files\Support Tools>dcdiag /test:dcpromo /dnsdomain:corp.eapeninfo.local /replicadc
Starting test: DcPromo
The DNS configuration is sufficient to allow this computer to be promoted
as a replica domain controller in the corp.eapeninfo.local domain.

Messages logged below this line indicate whether this domain controller
will be able to dynamically register DNS records required for the
location of this DC by other devices on the network. If any
misconfiguration is detected, it might prevent dynamic DNS registration
of some records, but does not prevent successful completion of the Active
Directory Installation Wizard. However, we recommend fixing the reported
problems now, unless you plan to manually update the DNS database.

DNS configuration is sufficient to allow this domain controller to
dynamically register the domain controller Locator records in DNS.

The DNS configuration is sufficient to allow this computer to dynamically
register the A record corresponding to its DNS name.

......................... us-aus-dc01 passed test DcPromo

C:\Program Files\Support Tools>dcdiag /test:registerindns /dnsdomain:corp.eapeninfo.local
Starting test: RegisterInDNS
DNS configuration is sufficient to allow this domain controller to
dynamically register the domain controller Locator records in DNS.

The DNS configuration is sufficient to allow this computer to dynamically
register the A record corresponding to its DNS name.

......................... us-aus-dc01 passed test RegisterInDNS
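
To use these two checks as a gate before promotion, the summary lines can be parsed into pass/fail results. This is an added example, not part of the original post; the function names are hypothetical, it assumes dcdiag.exe is on the PATH, and it omits the /NewTree variant, which also needs /ForestRoot.

```powershell
# Added example: run the pre-DCPROMO dcdiag tests and turn the summary lines into objects.
function ConvertFrom-DcDiagOutput {
    param([string[]]$Lines)
    # Summary lines look like: "......................... us-aus-dc01 passed test DcPromo"
    $pattern = '^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Computer = $Matches[1]
                Test     = $Matches[3]
                Passed   = ($Matches[2] -eq 'passed')
            }
        }
    }
}

function Test-DcPromoReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$DnsDomain,
        [ValidateSet('NewForest', 'ChildDomain', 'ReplicaDC')][string]$Mode = 'ReplicaDC',
        [string]$DcDiagPath = 'dcdiag.exe'   # assumption: Support Tools folder is on PATH
    )
    $runs = @(
        @('/test:dcpromo', "/dnsdomain:$DnsDomain", "/$Mode"),
        @('/test:registerindns', "/dnsdomain:$DnsDomain")
    )
    foreach ($dcArgs in $runs) {
        $output  = & $DcDiagPath $dcArgs 2>&1 | ForEach-Object { "$_" }
        $results = @(ConvertFrom-DcDiagOutput -Lines $output)
        if ($results.Count -eq 0) {
            # No summary line at all (dcdiag did not run or aborted): report as a failure
            New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Test = $dcArgs[0]; Passed = $false }
        } else {
            $results
        }
    }
}

# Constructed sample: the first line uses the summary format shown in this post,
# the second is a made-up failure to show what the parser flags.
$sample = @(
    '......................... us-aus-dc01 passed test DcPromo',
    '......................... us-aus-dc01 failed test RegisterInDNS'
)
ConvertFrom-DcDiagOutput -Lines $sample | Where-Object { -not $_.Passed }
```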

Thursday, August 24, 2006

Microsoft support policy for machines running in Virtualization hardware

On non-MS hardware virtualization software (VMWare) if you have Premier-level support.

On MS Virtual Server 2005 R2

Just keep these in mind (from a support standpoint) as you plan on what types of VM to put into production.