Re: IIS7 on Server 2008 Domain Controller

i transferred the fsmo roles to a 2K3 DC and ran the script and got dialog
boxes "running upgrade task" and "done!"

alas, no IUSR_ user accounts.


"Steven Cools" wrote:

since the script resulted in an error (and i thought it would've been well
tested by MS) i tried the following:

i transferred all the fsmo roles from the old 2K DC to the new 2K8 DC,
uninstalled SQL 2005, removed the IIS role and added it again after rebooting.
i now have the group IIS_IUSRS but it's empty (no IUSR_ account)
and when running the script i now get a different eror:
"domain is already operating in a mode higher than Windows Server 2003 mode.
Stopping script execution"

i checked my domain functional level and it is still "Windows 2000 native".

any ideas?

S.

PS: David, since the script is already from december 2007 i assume the
technet forums are a right place for questions/problems like these, no?

"David Wang" wrote:

On Oct 30, 3:38 am, Steven Cools
<StevenCo...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
hello,

i added a new 2008 server to my 2000 domain (with 2000 and 2003 DC's) and
made it a DC.
then i wanted to install WSUS 3 on this new 2008 DC.
therefore i installed SQL 2005 and IIS 7.
i now have the -known- problem that the IUSR_ accounts are not registering
in AD.
the solution would be to run a .js script
(http://support.microsoft.com/kb/946139)

BUT, when running this script (SamUpgradeTask.js) on my 2008 DC i get the
following error:
"the directory property cannot be found in the cache" on line 52.

anyone any ideas?

cheers,
Steven.


You should contact Microsoft PSS regarding support for the KB article.
That way, if there is a problem in the script, Microsoft knows to fix
it, and it helps everyone out, instead of just you if we resolve it
here.

For the most part, the problems are because you have older DCs and
thus constrain IIS7 to have the same problems installing on DCs as
prior versions. If/When you migrate forward, these issues go away.
IIS7 uses a built-in IUSR account to Windows Server 2008, which means
that all those issues with password expiration, accidentally denial of
anonymous auth user of IIS, user/ACL synchronization across multiple
machines, etc are no longer possible -- but with an old DC, all those
issues remain in addition to new issues mentioned in the KB.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

.

Relevant Pages

  • Re: Last Logon Time Stamp
    ... > I am new to script. ... > I need to list out inactive accounts more than 90 days in both AD accounts ... Use ADO to retrieve lastLogonTimeStamp for all users. ... And here is a sample program that retrieves the distinguishedName for all ...
    (microsoft.public.windows.server.scripting)
  • Re: Script to delete computer accounts not working
    ... thanks for the initial script as well. ... computer accounts that are disabled and haven't been modified for 30 days. ... Set objCommand = CreateObject ...
    (microsoft.public.scripting.vbscript)
  • Re: Running a script against an OU
    ... Do I need to place a forward slash between Computer and Accounts? ... run the script against an OU called lab1? ... the WinNT provider is blind to OU's, so you must use the LDAP provider to ... bind to the OU. ...
    (microsoft.public.scripting.vbscript)
  • Re: AD Attribute query!
    ... The scripting approach for modifying the CN attribute (using the MoveHere ... GAL will be surname, firstname as well.. ... However the script underneath it, only adjusts the display name, it does ... other accounts were created, it is rather difficult to speculate why ...
    (microsoft.public.windows.server.active_directory)
  • Re: Display All Locked Accounts in an OU
    ... > I have this script below I used from its source ... > particular OU and its sub-ou's for locked out accounts. ... you need only look at one domain controller. ... > Dim objRootDSE, strConfig, objConnection, objCommand, strQuery ...
    (microsoft.public.windows.server.scripting)