In this post we will discuss some issues we had when using Microsoft Management Consoles to manage DNS (dnsmgmt.msc), Group Policy Objects (rsop.msc, gpmc.msc) and AD accounts (dsa.msc). No, we don’t use just powershell or command line tools to manage a Microsoft infrastructure: We click a lot Image may be NSFW.
Clik here to view.
DNS
- You cannot manage a Windows 2008R2 DNS server with dnsmgmt.msc running on a Windows XP/2003 computer. This is because on a Windows 2008R2 DNS server the RPC security has been raised by requiring an integrity test, read this KB for more details. The command line tool dnscmd.exe running on a Windows 2003/XP will also fail to run properly, don’t forget to update any scheduled task or script when migrating your DCs to 2008R2.
- Under Windows 2008R2 the DNS management console will freeze when deleting glue records, use (the right version) of dnscmd.exe to accomplish this task.
GPOs
- Group Policy Preferences settings are not displayed when using rsop.msc on a target computer. However, if you use gpmc.msc to find out what Group Policy settings are applied you will get this information. Just use the Group Policy Results Wizard:
Image may be NSFW.
Clik here to view.
- You cannot install gpmc.msc on a Windows 2003 x64 server, unless you edit the MSI package with a tool like Orca. VBS sample scripts located under %Programfiles%\Microsoft Group Policy\GPMC Sample Scripts\ will not work correctly, when calling CreateObject(“GPMGMT.GPM”) you will get the following error:
Microsoft VBScript runtime error: ActiveX component can’t create object: ‘GPMGMT.GPM’
Registering gpmgmt.dll did not solve this problem, if you know any workaround, do not hesitate to post it.
ADAC or DSA.MSC
When you use the RSAT dsa.msc you have a new tab called attribute editor which allows you almost to get rid of the good old adsiedit.msc console:
- If you manage an AD 2000/2003 forest with the RSAT you will not see this tab when editing an object, unless you modify the Configuration directory partition.
- In an AD 2008R2 forest this tab shows up in ADUC only when browsing, if you do a search and then open the object, the tab will not be available. However if you use ADAC, you will see the attribute editor tab in the “Extensions” section after performing a search.
Nevertheless I still like to manage my servers with a friendly GUI, otherwise I will be deploying Windows Server Core only, even for servers dedicated to administration… Hopefully I do not need to save that much storage (see Less disk space required chapter) Image may be NSFW.
Clik here to view.
