Server Solver

Dead Security Policy Icons

Following an upgrade to Windows Server 2003, this admin's default security policy icons have gone kaput.

• By Zubair Alexander
• 01/09/2006

Zubair: I recently upgrade my Windows 2000 Domain Controller to Windows Server 2003. Everything else seems to be working fine but I have encountered a weird problem. I want to modify the domain security policy, but when I try to use either the Default Domain Controller Security Policy icon or the Domain Security Policy icon, it no longer works. I have been using these icons before the upgrade without any problem. I'm concerned because these icons are related to the domain security. Any ideas why these icons stopped working?
— Lori

Tech Help—Just An E-Mail Away Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap. When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Lori, one likely reason you're unable to use the Default Domain Controller Security Policy and the Domain Security Policy icons has to do with the version of Administration Tools that you might be using. When you originally ran dcpromo to upgrade your Windows 2000 Server to a Domain Controller, the set-up program added the two icons that you’ve mentioned, the Default Domain Controller Security Policy and the Domain Security Policy icon. After you upgraded your Windows 2000 Server to Windows Server 2003, the icons no longer work due to an incompatibility between the Windows 2000 Administration Tools and the Windows Server 2003 version.

The purpose of Administration Tools is to allow you to administer your Windows servers, either from a Windows Server 2003, Windows 2000, or Windows XP computers. You have to be careful and avoid using the incorrect version of the Administration Tools package. There is one version of Administration Tools that comes with Windows 2000 Server and another version that comes with Windows Server 2003. As a general rule, remember that the Windows 2000 Administration Tools package should only be installed on Windows 2000 Professional and Windows 2000 Server computers. Windows Server 2003 Administration Tools can be installed either on Windows Server 2003 or Windows XP computers.

You may use either the Windows Server 2003 or Windows 2000 version of Administration Tools to manage any Windows 2000/2003 Servers remotely. This Administration Tools business can get pretty confusing sometimes so I want to make sure that I am making the distinction very clear. In the previous paragraph I was discussing the installation of the tools on specific operating systems; in this paragraph I'm talking about remotely managing computers with those tools. In other words, you must not install a Windows 2000 version of the tools on Windows Server 2003 or Windows XP clients but you may use it to remotely manage either Windows 2000 Server or Windows Server 2003. According to Microsoft, in some cases the Windows 2000 Administration Tools are incompatible with Windows Server 2003 and vice versa, as explained in this Knowledge Base article.

Depending on the situation, try one of the following methods to address the problem:

Since you’ve completed the upgrade already, you should install the Windows Server 2003 version of the Administration Tools package (adminpak.msi), which is located in the I386 folder on your Windows Server 2003 source CD. You can also download adminpak.msi from Microsoft’s Web site at no additional charge by clicking here. (NOTE: The 64-bit versions of Windows Server 2003 use wadminpak.msi file, instead of adminpak.msi.)

If you were in a situation where you have not finished the upgrade, you can remove the Windows 2000 Administration Tools and then continue on with the upgrade to Windows Server 2003. What you have to watch out for is to make sure that you do not remove Windows 2000 Administration Tools from Add or Remove Programs in Control Panel if that feature is installed at the time when you upgrade your server to Windows Server 2003. If you remove the Windows 2000 Administration Tools from Add or Remove Programs, you will most likely get an error. Simply install the Windows Server 2003 Administration Tools package. It will overwrite the existing Windows 2000 Administration Tools and you should be able to use the Default Domain Controller Security Policy icon as well as the Domain Security Policy icon.