Microsoft KB Archive/946139



You cannot resolve the built-in IIS accounts after you set a Windows Server 2008-based server that is running IIS 7.0 as a domain controller

Article ID: 946139

Article Last Modified on 12/31/2007



APPLIES TO

  • Microsoft Internet Information Services 7.0



SYMPTOMS

Consider the following scenario. You have a Windows Server 2008-based server that is running Internet Information Services (IIS) 7.0. You set the Windows Server 2008-based server as a domain controller of a Windows 2000-based domain or of a Windows Server 2003-based domain. In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group or the IUSR guest user account. You can only see the raw security identifier (SID) of the built-in IIS accounts.

Note This problem does not occur if you set the Windows Server 2008-based server as a domain controller of a Windows Server 2008-based domain.

CAUSE

This problem occurs because the definitions of the IIS 7.0 built-in accounts that Windows Server 2008 uses do not exist in earlier domains, such as Windows 2000-based domains and Windows Server 2003-based domains. When the IIS 7.0 server is set as a domain controller of a Windows 2000-based domain or of a Windows Server 2003-based domain, the Windows Server 2008 accounts cannot be resolved.

RESOLUTION

To resolve this problem, save the following sample script as SamUpgradeTask.js and run it on the Windows Server 2008-based domain controller.

Note You must restart the server after you run this script.

/*
   SamUpgradeTask.js
   (c) 2007, Microsoft Corp.
*/
 
// Check the version of the operating system. Stop the script if the version is earlier than 6
// (Windows Server 2008 / "Longhorn Server").
if ( ! CheckOSVersion() )
{
    WScript.Echo("ERROR: This script will only work on Longhorn Server or above.");
    WScript.Quit(1);
}

// Retrieve the local computer's rootDSE LDAP object.
// This only succeeds on a domain controller, which is why the failure path
// below suggests that the machine may not be a DC.
var localRootDse = null;

try
{
    localRootDse = GetObject("LDAP://localhost/rootDSE");
}
catch(e)
{
    WScript.Echo("There was an error attempting to retrieve the localhost RootDSE object.");
    WScript.Echo("Perhaps this machine is not a Domain Controller on the network?");
    WScript.Echo("ErrorCode: " + e.number);
    WScript.Quit(1);
}

// Retrieve several rootDSE properties.
// dsServiceName (the DN of this DC's NTDS Settings object) is later embedded
// in the marker written to the PDC, so the marker identifies which DC is
// running the upgrade task.
var dnsHostName = localRootDse.Get("dnsHostName");
var dsServiceName = localRootDse.Get("dsServiceName");
var defaultNamingContext = localRootDse.Get("defaultNamingContext");

// Open the default naming context (the domain partition).
var ncObj = GetObject("LDAP://" + defaultNamingContext);

// Get the "FSMO Role Owner" of the domain partition. For the domain naming
// context this is the NTDS Settings object of the PDC emulator.
var strfsmoNtdsa = ncObj.FsmoRoleOwner;
var fsmoNtdsaObj = GetObject("LDAP://" + strfsmoNtdsa);

// Get the parent object of "FSMO Role Owner" (the server object in the Sites container).
var fsmoServerObj = GetObject(fsmoNtdsaObj.Parent);

// By using the Server Reference, retrieve the name of the PDC computer.
// All the remaining directory writes are made against the PDC, not localhost.
var strFsmoComputer = fsmoServerObj.ServerReference;
var fsmoComputerObj = GetObject("LDAP://" + strFsmoComputer);
var pdcName = fsmoComputerObj.Get("name");

// Get the RootDSE object for the PDC
var pdcRootDse = GetObject("LDAP://" + pdcName + "/rootDSE");

// Check whether the PDC is a legacy domain or not.
// domainControllerFunctionality values above 2 indicate a DC running at a
// functional level higher than Windows Server 2003, where the upgrade task is
// not needed (see the note in the SYMPTOMS section above).
var domainControllerFunctionality = pdcRootDse.Get("domainControllerFunctionality");

if ( domainControllerFunctionality > 2 )
{
    WScript.Echo("Domain is already operating in a mode higher than Windows Server 2003 mode. Stopping script execution.");
    WScript.Quit(0);
}

// Get the default naming context for the PDC
var pdcDefaultNamingContext = pdcRootDse.Get("defaultNamingContext");

// Retrieve the well known object from the PDC (the domain's System container,
// addressed by its well-known GUID so the lookup does not depend on its DN).
var pdcSystem = GetObject("LDAP://" + pdcName + "/<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD," + pdcDefaultNamingContext + ">");

// Get the distinguished name for the well known object
var pdcDistinguishedName = pdcSystem.Get("distinguishedName");

// Check whether the task has already been run.
// The marker is a well-known-object entry (GUID 6ACDD74F...) that this script
// itself adds to CN=Server under the System container before running the
// upgrade; if it already resolves, another run is in progress.
var taskMarker = null;

try
{
    taskMarker = GetObject("LDAP://" + pdcName + "/<WKGUID=6ACDD74F3F314ae396F62BBE6B2DB961,CN=Server," + pdcDistinguishedName + ">");
}
catch(e)
{
    if ( e.number == -2147016656 ) // Check and see if error code is ERROR_DS_NO_SUCH_OBJECT (0x80072030): no marker, safe to proceed
    {
        taskMarker = null;
    }
    else
    {
        // Any other failure is treated as fatal; we cannot tell whether a run is in progress.
        WScript.Echo("Error attempting to retrieve well known object from PDC.");
        WScript.Echo("Name: " + e.name + "\nDescription: " + e.description + "\nCode: " + e.number + "\nMessage: " + e.message);
        WScript.Quit(1);
    }
}

// If the well known object exists, the SAM upgrade is already running. Therefore, stop the script.
if ( taskMarker != null )
{
    WScript.Echo("SAM upgrade task already being run. No work done.");
    WScript.Quit(1);
}

// Get the Server container with that distinguished name
var serverObj = GetObject("LDAP://" + pdcName + "/CN=Server," + pdcDistinguishedName);

// Prepare a safe array (for example, VBArray) with one entry.
// The value uses the DN-Binary syntax "B:<hex char count>:<hex>:<DN>" that
// otherWellKnownObjects requires; the hex part is the marker GUID and the DN
// is this DC's NTDS Settings object.
var jsArray = new Array(1);
jsArray[0] = "B:32:6ACDD74F3F314ae396F62BBE6B2DB961:"+ dsServiceName;
var vbArray = JS2VBArray(jsArray);

try
{
    // Append an entry to the "Other-Well-Known-Objects" attribute for the 
    // previous server object. PutEx control code 3 is ADS_PROPERTY_APPEND.
    serverObj.PutEx(3, "otherWellKnownObjects", vbArray);
    serverObj.SetInfo();
}
catch(e)
{
    // NOTE(review): this failure is only reported, not fatal - the upgrade task
    // below still runs even though the "in progress" marker could not be written,
    // so a concurrent run on another DC would not be detected. Confirm whether
    // this is intended before relying on the marker as a lock.
    WScript.Echo("Unexpected error attempting to put the well known GUID.");
    WScript.Echo("ErrorCode: " + e.number);
}

WScript.Echo("Running upgrade task.");
// Set the "runSamUpgradeTasks" attribute in the local rootDSE.
// Writing this operational attribute triggers the SAM upgrade on the local DC;
// the article notes the server must be restarted afterwards.
localRootDse.Put("runSamUpgradeTasks", 1);
localRootDse.SetInfo();

// Remove the binary data from the previous well known object entry
// (PutEx control code 4 is ADS_PROPERTY_DELETE), clearing the "in progress" marker.
serverObj.PutEx(4, "otherWellKnownObjects", vbArray);
serverObj.SetInfo();

// The upgrade is complete.
WScript.Echo("Done!");
 
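// Returns true when the local operating system reports a major version of 6
// or higher (Windows Server 2008 / "Longhorn Server" and later), false otherwise.
//
// The version is read from the Win32_OperatingSystem WMI class. Only the first
// instance returned is examined. If no instance is returned, or its Version
// property has no dotted form or a non-numeric major part, the result is false.
//
// Fix: the original compared the major version as a string ("majorVersion >= "6""),
// which is a lexicographic comparison and wrongly rejects major versions of 10
// and above ("10" < "6" as strings). The comparison is now numeric.
function CheckOSVersion()
{
    // Semi-synchronous WMI query: return immediately with a forward-only enumerator.
    var wbemFlagReturnImmediately = 0x10;
    var wbemFlagForwardOnly = 0x20;

    var objWMIService = GetObject("winmgmts:\\\\.\\root\\CIMV2");
    var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL",
                                      wbemFlagReturnImmediately | wbemFlagForwardOnly);

    var enumItems = new Enumerator(colItems);
    for (; !enumItems.atEnd(); enumItems.moveNext()) {
        var objItem = enumItems.item();
        var fullVersion = objItem.Version;

        // Guard against a missing Version property.
        if ( fullVersion == null )
        {
            return false;
        }

        // Coerce to a JScript string before using string methods on it.
        fullVersion = "" + fullVersion;
        var indexPoint = fullVersion.indexOf(".");

        if ( indexPoint == -1 )
        {
            return false;
        }

        // Numeric comparison of the major version (see header comment).
        var majorVersion = parseInt(fullVersion.substring(0, indexPoint), 10);

        return ( !isNaN(majorVersion) && majorVersion >= 6 );
    }

    // No Win32_OperatingSystem instance was returned.
    return false;
}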
 
// Converts a JScript array into a COM safe array (VBArray) by round-tripping it
// through a Scripting.Dictionary: the dictionary's Items() method returns its
// values as a safe array, which is the form ADSI's PutEx expects.
// objJSArray: the JScript array to convert; its elements are stored in index order.
// Returns the safe array produced by Scripting.Dictionary.Items().
function JS2VBArray( objJSArray )
{
    var dict = new ActiveXObject( "Scripting.Dictionary" );
    var count = objJSArray.length;
    var idx = 0;

    while ( idx < count )
    {
        // The dictionary key is the element's position, so Items() preserves order.
        dict.add( idx, objJSArray[ idx ] );
        idx++;
    }

    return dict.Items();
}

STATUS

This behavior is by design.

Keywords: kbtshoot kbexpertiseinter kbprb KB946139