Monday, March 18, 2013

Promoting a Windows 2012 Server Into a Server 2003 Domain Function Level Environment

Last week I was tasked with the wonderful job of transitioning a Windows Server 2000 domain to Windows 2012. Obviously this upgrade path is not supported unless you move to 2003 first. Once this was completed, which was an adventure unto its own, I thought I'd be in the clear. Just fire up AD-DS in 2012 and allow it to reach into the 2003 server to automatically perform the ADPREP. Boy, was I wrong. During the AD-DS wizard's prerequisite check, it failed with the following error:

Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain corp.local.
Exception: Access is denied.
Adprep could not retrieve data from the server server2003.corp.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\RandomNumbers directory for possible cause of failure.

The log files provided no additional guidance whatsoever.  So after hunting for a few days, here is what I concocted to resolve the issue:

On the Server 2003 machine, check the permissions of the WMI Management Interface: open Computer Management (Start, Run, compmgmt.msc), expand Services and Applications, then right-click WMI Control and select Properties. See if you're able to open the WMI Control Properties successfully. If not, perform the following:

Execute a system-wide security settings reset from an elevated command prompt:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again. If the connection fails, perform the following:

Create a batch script from the script below and save it in the following directory: C:\Windows\System32\Wbem. Open an elevated command prompt and cd into the aforementioned directory to run the script.

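@echo off
rem Stop WMI and keep it from restarting while components are re-registered
sc config winmgmt start= disabled
net stop winmgmt /y
cd /d "%windir%\system32\wbem"
rem Re-register every WMI DLL in the wbem directory
for /f "delims=" %%s in ('dir /b *.dll') do regsvr32 /s "%%s"
wmiprvse /regserver
winmgmt /regserver
rem Re-enable and restart the service
sc config winmgmt start= auto
net start winmgmt
rem Recompile all MOF/MFL files to rebuild the repository classes
for /f "delims=" %%s in ('dir /s /b *.mof *.mfl') do mofcomp "%%s"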

Reboot the machine and test WMI again. If the connection fails again, execute the security settings reset once more from an elevated command prompt:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again. You should now have access to WMI Control. If so, continue with the DC promotion. If not, you may have to jump to a Server 2008 domain controller first.
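
The prerequisite check failed on a remote WMI call from the 2012 server, so it is worth testing that same path before re-running the wizard. The following is an added example, not part of the original post: the function name Test-RemoteWmi is hypothetical, and the namespaces it probes are assumptions, since the error message does not say which namespace adprep queries.

```powershell
# Added example. Run on the Windows Server 2012 machine, in an elevated
# PowerShell session, as the account that will run the AD DS wizard.
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        # Assumed namespaces; the page does not name the one adprep uses.
        [string[]]$Namespace = @('root\cimv2', 'root\default')
    )
    foreach ($ns in $Namespace) {
        $result = [pscustomobject]@{
            ComputerName = $ComputerName
            Namespace    = $ns
            Status       = 'OK'
            Detail       = ''
        }
        try {
            # __NAMESPACE is a system class present in every WMI namespace,
            # so this exercises only the remote connection and read access.
            Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
                -Class __NAMESPACE -ErrorAction Stop | Out-Null
        }
        catch {
            $ex = $_.Exception
            $result.Detail = $ex.Message
            if ($ex -is [System.UnauthorizedAccessException]) {
                # Same "Access is denied" condition the wizard reported
                $result.Status = 'AccessDenied'
            }
            elseif ($ex -is [System.Management.ManagementException]) {
                # WMI itself answered but refused or failed the request
                $result.Status = "WmiError: $($ex.ErrorCode)"
            }
            elseif ($ex -is [System.Runtime.InteropServices.COMException]) {
                # RPC/DCOM level failure, e.g. firewall or stopped service
                $result.Status = 'ComError 0x{0:X8}' -f $ex.ErrorCode
            }
            else {
                $result.Status = 'Failed'
            }
        }
        $result
    }
}

# Server name taken from the error message above
Test-RemoteWmi -ComputerName 'server2003.corp.local' | Format-Table -AutoSize
```

A Status of AccessDenied means the permissions problem is still present on the 2003 server; a ComError result points at connectivity or the WMI service rather than permissions.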

Saturday, August 14, 2010

Disinfecting your PC.

Required tools:
USB memory drive
Access to a spare computer

Start by downloading the files listed above onto a spare computer and copy them to a USB flash memory drive. Then boot the infected PC into 'Safe Mode with Networking' by powering on the PC and repeatedly tapping the F8 key until you are presented with boot options. You may have to reboot the computer several times and reattempt, as it is sometimes difficult to get this prompt.
Once booted into 'Safe Mode with Networking', insert the flash drive and browse to the downloaded files located on the flash drive. Note: If you are running Windows 7 or newer, you will need to right-click and select "Run as Administrator" instead of just double-clicking the files. Run Combofix and agree to its prompts. Combofix will step through a 50 stage checkpoint. After stage 50, Combofix will begin deleting infected files. After the infected files are deleted, the PC will automatically reboot. Upon logging back into Windows, Combofix will generate a log file. Once this completes, browse to the flash memory drive and run the Malwarebytes installer. Update Malwarebytes and perform a full system scan. This may take 20-30 minutes, so take a break and come back once the scan completes.
If you have difficulties updating Malwarebytes and/or accessing the Internet, go to Start, Control Panel, Internet Options. Then select the connections tab and choose LAN settings. Ensure all check boxes are unchecked.