Microsoft KB Archive/925639

From BetaArchive Wiki
Knowledge Base


The shortcut to the Domain Security Policy tool or the shortcut to the Domain Controller Security Policy tool is missing or is broken after you upgrade a Windows 2000-based domain controller to a Windows Server 2003-based domain controller

Article ID: 925639

Article Last Modified on 10/11/2007



APPLIES TO

  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems



SYMPTOMS

After you upgrade a Microsoft Windows 2000-based domain controller to a Microsoft Windows Server 2003-based domain controller, you experience one of the following symptoms:

  • The shortcut to the Domain Security Policy tool (Dompol.msc) is missing from the following Administrative Tools folder:

    %allusersprofile%\Start Menu\Programs\Administrative Tools

  • The shortcut to the Domain Controller Security Policy tool (Dcpol.msc) is missing from the Administrative Tools folder.
  • When you click the shortcut to the Domain Security Policy tool or the shortcut to the Domain Controller Security Policy tool in the Administrative Tools folder, you receive the following shortcut error message:

    This action is only valid for products that are currently installed.


CAUSE

When you use the Active Directory Installation Wizard (Dcpromo.exe) to install the Active Directory directory service on a Windows 2000-based computer, the Active Directory Installation Wizard also installs the Windows 2000 Administration Tools. The Windows 2000 Administration Tools are contained in the Windows 2000 Adminpak.msi package. Additionally, the Windows 2000 Administration Tools include the shortcut to the Domain Security Policy tool and the shortcut to the Domain Controller Security Policy tool.

When you upgrade a Windows 2000-based domain controller to a Windows Server 2003-based domain controller, the Windows Server 2003 Setup program detects that the Windows 2000 Adminpak.msi package is installed. The Restore System Compatibility dialog box is displayed. The Restore System Compatibility dialog box lists a compatibility warning for the Windows 2000 Administration Tools.

If you view the details of the compatibility warning for the Windows 2000 Administration Tools, you see the following information:

Setup has detected Windows 2000 Administration Tools on your computer. Windows 2000 Administration Tools are incompatible with Windows Server 2003 family of operating systems. Do one of the following:

  • Cancel this upgrade, uninstall Windows 2000 Administration Tools, and then restart the upgrade.
  • Complete this upgrade, and then install Windows Server 2003 Administration Tools Pack by running the adminpak.msi Windows Installer package file. Adminpak.msi is located in the \i386 directory of your Windows Server 2003 compact disc.


Two methods are listed to deal with the compatibility issue. If you use the first method, the Windows 2000 Administration Tools uninstaller deletes the shortcut to the Domain Security Policy tool and the shortcut to the Domain Controller Security Policy tool from the Administrative Tools folder. Therefore, these shortcuts are missing after the upgrade.

If you use the second method, the shortcut to the Domain Security Policy tool and the shortcut to the Domain Controller Security Policy tool are not deleted from the Administrative Tools folder. Additionally, these shortcuts are not broken. However, if you subsequently install Windows Server 2003 Administration Tools Pack, these shortcuts are broken. Therefore, you obtain the shortcut error message when you click one of these shortcuts.

If you do not use either of these two methods and then continue the Windows Server 2003 installation, the Windows Server 2003 Setup program randomly performs one of these two methods.

RESOLUTION

To resolve this problem, delete the broken shortcuts if the broken shortcuts are present. Then, re-create the shortcuts manually. To do this, follow these steps:

  1. Delete the broken shortcuts. To do this, follow these steps:
    1. Click Start, click Run, type %allusersprofile%\Start Menu\Programs\Administrative Tools, and then click OK.
    2. Delete the shortcut to the Domain Security Policy tool and the shortcut to the Domain Controller Security Policy tool.
  2. In the Administrative Tools folder, re-create the shortcut to the Domain Security Policy tool. To do this, follow these steps:
    1. To create a new shortcut in the Administrative Tools folder, click File, point to New, and then click Shortcut.
    2. On the Create Shortcut page, type %windir%\system32\dompol.msc in the Type the location of the item box, and then click Next.
    3. On the Select a Title for the Program page, type Domain Security Policy in the Type a name for this shortcut box, and then click Finish.
    4. Right-click the newly created Domain Security Policy shortcut, and then click Properties.
    5. In the Domain Security Policy Properties dialog box, click the Shortcut tab, and then type the following in the Target box:

      %windir%\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-01 6D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DomainName1 ,DC=DomainName2,DC=DomainName3"

      Note DomainName1, DomainName2, and DomainName3 are placeholders for the names of the domains. If you have more than one domain, you must specify all the domains in the DC=DomainName format. Additionally, you must separate every domain by a comma. You must specify the domains in the same order that you specify the domains in your fully-qualified domain name (FQDN).

      For example, if your FQDN is headquarters.example.microsoft.com, type the following in the Target box:

      %windir%\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-01 6D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=headquarters ,DC=example,DC=microsoft,DC=com”

      To verify your FQDN, follow these steps:

      1. In Control Panel, open System.
      2. In the System Properties dialog box, click the Computer Name tab.
      3. Notice the domain information.
    6. In the Domain Security Policy Properties dialog box, click Change Icon.
    7. In the Change Icon dialog box, type the following in the Look for icons in this file box, and then click OK:

      %systemroot%\system32\wsecedit.dll

    8. In the Domain Security Policy Properties dialog box, click OK.
  3. In the Administrative Tools folder, re-create the shortcut to the Domain Controller Security Policy tool. To do this, follow these steps:
    1. To create a new shortcut in the Administrative Tools folder, click File, point to New, and then click Shortcut.
    2. On the Create Shortcut page, type %windir%\system32\dcpol.msc in the Type the location of the item box, and then click Next.
    3. On the Select a Title for the Program page, type Domain Controller Security Policy in the Type a name for this shortcut box, and then click Finish.
    4. Right-click the newly created Domain Controller Security Policy shortcut, and then click Properties.
    5. In the Domain Controller Security Policy Properties dialog box, click the Shortcut tab, and then type the following in the Target box:

      %windir%\system32\dcpol.msc /gpobject:"LDAP://CN={6AC1786C-01 6F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DomainName1 ,DC=DomainName2,DC=DomainName3"

    6. In the Domain Controller Security Policy Properties dialog box, click Change Icon.
    7. In the Change Icon dialog box, type the following in the Look for icons in this file box, and then click OK:

      %systemroot%\system32\wsecedit.dll

    8. In the Domain Controller Security Policy Properties dialog box, click OK.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbactivedirectory kbprb kbexpertiseadvanced KB925639