Category Archives: Active Directory

Working with ADMT tool

Dear All

When we need to tranfer multiple PC’s from one Child Domain say A to another child domain say B in same forest. Instead of creating teh User account and computer account again we can use ADMT tool to migrate user acount and computer account from A to B.

Benefit of using ADMT tool is all users settings will also get migrated so when user will log into new Child domain he will not face any issue only he will be sitting in new place but working with old settings.
Even when we use ADMT tool exchange server mailboxes also get transfered. which is also a good feature.

Downlaod ADMT tool from Microsoft site and install it on Source or target Domian controller and foillow the next steps

Here it will show us the no of user / computer accounts migrated.


Prashant Deshpande


Leave a comment

Filed under Active Directory, Server Application

Remove Mailboxes from exchange server 2007 for corrupted Domain

Dear All

As the Branch Domain controller had some issues, so the users of that domain had to be freshly created on other child domain FS which has resolved the login issue for the users in domain and Pop3 account was configured for them, they were able to send the emails. As the mailboxes are present on exchange server, all the emails for those users are collected by exchange server and those users were unable to receive emails which was a major issue.

As exchange server mailboxes were already created for old child domain so when we were trying to delete these mailboxes in exchange server, it was trying to contact the old child domain controller. Due to some issues in the old child domain controller it was unable to contact it and we were not able to delete those mailboxes from exchange server.

So I tried by restoring System State Backup on another server but as the hardware configuration mismatched the windows 2003 OS crashed after restoring system state backup . Tried the same for multiple times with multiple systems.

Then I thought that, as users are logging from new child domain and exchange server is also not able to contact the old child domain why don’t we remove the child domain entry from forest.

SO I then copied ADSIedit from Support Tools folder of windows 2003 CD and pasted it in c:\windows of root domain controller of forest with enterprise admin and schema admin rights . To use adsiedit tool we need to register the adsiedit.dll as

(I am not including the screen shots for security reasons)

Start -> run -> regsrv32 adsiedit.dll


Start -> run -> adsiedit.msc

Step 1

Explore the tab CN=configuration from left panel

Explore CN=Sites and from the specific site Select CN=servers tab

Here delete domain controller name of the old child domain

Step 2

Explore the tab CN=configuration from left panel

Explore CN=partitions you will see two records ( one is DNS , other is active directory partion ) for each of the Domain present in forest, delete both the records for the old child domain.

 After few minutes it will get replicated to the complete forest and automatically all the mailboxes associated to that domain will be removed from exchange server and even when we press ALT + CTRL + DEL, to login, you will not see the old child domain name in the Domain List  :).

Please use ADSIedit carefully as it explores all Schema data of Forest


Prashant Deshpande


Filed under Active Directory, Server Application

Create a new Domain Controller with the same domain

Dear All

Please downlaod and read the attached document whcih shows how to create a new Domain Controller with the same domain in existing forest.

I have used this technique when my Domain controller is crashed with all FSMO roles.

Download the document

Prashant Deshpande

Leave a comment

Filed under Active Directory, Operating System, Uncategorized

Folder Redirection in Windows

Dear All

Windows provides the ability to redirect specific user folders to server locations, using a group policy extension called Folder Redirection.

A way that a user’s folders are automatically redirected to a newly created folder for each user. This video Document shows how to redirect to the new folder location

Click to view Demo


Prashant Deshpande

Leave a comment

Filed under Active Directory, Server Application

Working with FSMO Roles

Seizing of  FSMO roles

The five FSMO roles are:

  • Schema master – Forest-wide and one per forest.
  • Domain naming master – Forest-wide and one per forest.
  • RID master – Domain-specific and one for each domain.
  • PDC – PDC Emulator is domain-specific and one for each domain.
  • Infrastructure master – Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:




Original must be reinstalled

Domain Naming


PDC Emulator

Can transfer back to original


Another consideration before performing the seize operation is the administrators group membership, as this table lists:


Administrator must be a member of


Schema Admins

Domain Naming

Enterprise Admins


Domain Admins

PDC Emulator


To seize the FSMO roles by using Ntdsutil, follow these steps: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.



  1. Type roles, and then press ENTER.

ntdsutil: roles

fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  1. Type connections, and then press ENTER.

fsmo maintenance: connections

server connections:

  1. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100

Binding to server100 …

Connected to server100 using credentials of locally logged on user.

server connections:

  1. At the server connections: prompt, type q, and then press ENTER again.

server connections: q

fsmo maintenance:

  1. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master

Seize infrastructure master

Seize PDC

Seize RID master

Seize schema master

  1. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.

ldap_modify_sW error 0x34(52 (Unavailable).

Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE)

, data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde

r could not be contacted.)


Depending on the error code this may indicate a connection,

ldap, or role transfer error.

Transfer of infrastructure FSMO failed, proceeding with seizure …

Server “server100” knows about 5 roles

Schema – CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain – CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC – CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID – CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure – CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

  1. Repeat steps 6 and 7 until youve seized all the required FSMO roles.
  2. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

With Regards

Prashant Deshpande

Leave a comment

Filed under Active Directory