Windows Server 2003 – More Examples of ADSI Edit

You can never get too much of a good thing!  ADSI Edit is that ‘good thing’.  Never waste a chance to configure Active Directory with ADSI Edit.  If TechNet offers a solution that involves editing Active Directory properties, then call on ADSI Edit to make the suggested changes.

On this page I am preparing you for that day when the only way to solve a desperate problem is to change an attribute with ADSI Edit.  You need this tool because no other GUI displays these low-level objects.

Getting Started with ADSI Edit

Complete instructions on installing, launching and getting to know ADSI Edit are covered on this Introduction To ADSI Edit page.

Example 1: ADSI Edit and TechNet – msDS-Behavior-Version

There is only a chance in a million that you actually need this particular ADSI Edit fix.  It is most unlikely that you will have a problem raising the Forest Functional Level; despite this, msDS-Behavior-Version is a most instructive example of ADSI Edit in action.

The real-life scenario is that you cannot raise the Forest Level to Windows Server 2003.  We assume that a bug has struck, Mr Nobody fouled up, or that the Raise Forest Functional Level GUI has jammed.  The scene is set for ADSI Edit to ride to the rescue.  Researching TechNet reveals that we need to edit an attribute called msDS-Behavior-Version.

Here are your instructions:

  1. Launch ADSI Edit.  Install from the Windows 2003 Server CD \support folder.

  2. Navigate to the Configuration partition.  (The beginner’s mistake is to select Domain instead of Configuration).

  3. Expand: CN=Configuration,DC=<forestname>

  4. Right-click on the CN=Partitions node, select Properties

  5. On the properties sheet, scroll down to the msDS-Behavior-Version attribute, and then click Edit.

  6. Set the Value to numeric 1, and then click OK.

Learning Points

1) Get a good reference source, for example TechNet.

2) Pay close attention to the correct top level container.  Is it Domain, or Schema?  No, in this instance you need to start at the Configuration Container.  If you fail to start at the right place you are doomed to frustration.

3) Once you get off to a good start, it’s just a matter of following the TechNet instructions.

4) The point is that you cannot configure msDS-Behavior-Version through Active Directory Users and Computers.

5) Remember that all changes are live and instant; unlike other GUIs, the operating system does not perform any safety checks.


Example 2: ADSI Edit and DCDiag

Symptoms of a bizarre connection problem.

When you try to connect to network resources from an affected domain controller with a command such as \\server\share, you get the following error message:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")

When you run DCDiag on the affected domain controller, it reports:
[DC1] LDAP bind failed with error 31

When you run the REPADMIN /SHOWREPS utility locally on a domain controller, you may receive an error message such as:
[C:\Windows\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).

Confirmation from NetDiag

The Netdiag tool may display the following error messages:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>

ADSI Edit Solution

  1. Launch ADSI Edit

  2. Navigate to the Domain partition, expand DC=domain, and then expand OU=Domain Controllers.

  3. Right-click the affected domain controller, and then click Properties.

  4. Click userAccountControl in the Attributes box.  If the value is not 532480, type 532480 in the Edit Attribute box, click Set, click Apply, and then click OK.

Learning Points

1) This is a job for the Domain partition of Active Directory.

2) While normal values for userAccountControl are 512 or 514, Domain Controllers need a value of decimal 532480.

3) Note how you need to be a minor expert in three areas: ADSI Edit, DCDiag and TechNet.

Scenarios for ADSI Edit

  1. VBScript – Researching the LDAP properties of user objects.

  2. Exchange 2003 – Configuring the GAL search order.

  3. Security – Editing security permissions for objects that have no other interface.  For example, Exchange 2003 anonymous access to the Address Lists.

  4. Learning – Discovering about attributes such as tombstoneLifetime.

  5. TechNet – Following through on TechNet’s suggested solutions.  For example, Raise Forest Level with msDS-Behavior-Version.


Example 3 – Installing Exchange 2003. An invalid ADSI pathname was passed (Error code 80005000)

When you run Microsoft Exchange 2003 (2000) Server Setup with the /forestprep switch, the installation fails and you may receive the error message:  ‘An invalid ADSI pathname was passed’.  You may also get an error code of: 80005000.

The Cause of error 80005000 in Exchange

You run setup /forestprep, but it does not complete properly.  Active Directory ‘flags’ that it has been run, but in reality it did not finish.

Check the server progress log for entries like:

Error code 0X80005000 (20480): An invalid ADSI pathname was passed.

The Solution for An invalid ADSI pathname was passed (Error code 80005000)

  1. Open ADSI Edit.

  2. Navigate to this location under the Configuration container: CN=Configuration, CN=Services, and select CN=Microsoft Exchange.

  3. Right-click CN=Microsoft Exchange, and then click Properties.  On the Attributes tab, under Select which properties to view, click Both.

  4. From the Select what property to view pull-down menu, select Heuristics.  If the value is set to 2, then Active Directory believes you have already run ForestPrep.

  5. To reset the Heuristics property, click Clear, and then click Apply.  The Value(s) field changes to ‘not set’.

Example 4 – Changing Forest and Domain Function Level

Set Functional Levels Manually

It is possible, as a last resort, to modify the current domain and forest functional level settings with ADSI Edit.  When you modify the attributes manually, it is best to target the FSMO role holder that is authoritative for the increase, because the change is actually written to that authoritative FSMO holder and then replicated.

Forest Level Setting

The attribute that you want is msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level forest
Value of 1=Windows Server 2003 interim forest level
Value of 2=Windows Server 2003 forest level

Note When you increase the msDS-Behavior-Version attribute from 0 to 1, you receive the following error message, just ignore it!
Illegal modify operation. Some aspect of the modification is not permitted. Click OK to continue.

To check that your change has worked, refresh the attribute list and check the current setting.

Domain Functional Level Setting
The attribute is msDS-Behavior-Version on the NC head root of each domain DC=Mydomain, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level domain
Value of 1=Windows Server 2003 domain level
Value of 2=Windows Server 2003 domain level
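Because ADSI Edit performs no error checking (learning point 5 above), it helps to have something that reads the attributes from Examples 1, 2 and 4 back and sanity-checks them before and after an edit. The script below is an added example written for this page; it is not the page's own tool nor a Microsoft utility. It parses a constructed ldifde-style export (no live directory is contacted), decodes userAccountControl into its flag bits, reports every object under OU=Domain Controllers whose value is not the 532480 that Example 2 sets, lists the msDS-Behavior-Version of each partition, and refuses a "raise" that would actually lower the level. The level names for 0, 1 and 2 follow the forest list in Example 4; applying the same numbering to domains (1 = interim) is an assumption of the example, as are the sample DNs.

```python
"""Offline audit of the attributes this page edits with ADSI Edit:
msDS-Behavior-Version (Examples 1 and 4) and userAccountControl (Example 2).
Example code written for this page; it reads a constructed ldifde-style
export instead of querying a domain controller."""

# userAccountControl bit flags (documented Microsoft values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
# SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION = 8192 + 524288 = 532480,
# the decimal value Example 2 tells you to set on a domain controller.
DC_EXPECTED_UAC = 0x2000 | 0x80000

# msDS-Behavior-Version values as listed for the forest in Example 4.
# Assumption: the same numbering is used for domains (1 = interim).
LEVEL_NAMES = {0: "mixed level", 1: "Windows Server 2003 interim",
               2: "Windows Server 2003"}

# Constructed sample export. DC2 carries a plain computer-account value
# (4096) instead of 532480, i.e. the broken state Example 2 repairs.
SAMPLE_LDIF = """\
dn: CN=Partitions,CN=Configuration,DC=example,DC=local
objectClass: crossRefContainer
msDS-Behavior-Version: 0

dn: DC=example,DC=local
objectClass: domainDNS
msDS-Behavior-Version: 2

dn: CN=DC1,OU=Domain Controllers,DC=example,DC=local
objectClass: computer
userAccountControl: 532480

dn: CN=DC2,OU=Domain Controllers,DC=example,DC=local
objectClass: computer
userAccountControl: 4096

dn: CN=Alice,CN=Users,DC=example,DC=local
objectClass: user
userAccountControl: 514
"""


def parse_ldif(text):
    """Parse the LDIF subset ldifde writes: blank-line separated records of
    'attribute: value' lines. Returns a list of dicts, attribute -> [values]."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def decode_uac(value):
    """Names of the flags set in a userAccountControl value; any bit not in
    UAC_FLAGS is reported as hex so nothing is silently dropped."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def audit_domain_controllers(records):
    """Report each object under OU=Domain Controllers with its decoded UAC
    and whether it holds the 532480 a DC must carry (Example 2)."""
    findings = []
    for rec in records:
        dn = rec["dn"][0]
        if "OU=Domain Controllers" not in dn:
            continue
        uac = int(rec.get("userAccountControl", ["0"])[0])
        findings.append({"dn": dn, "uac": uac, "flags": decode_uac(uac),
                         "ok": uac == DC_EXPECTED_UAC})
    return findings


def functional_levels(records):
    """Map every object carrying msDS-Behavior-Version to (value, name)."""
    levels = {}
    for rec in records:
        if "msDS-Behavior-Version" in rec:
            v = int(rec["msDS-Behavior-Version"][0])
            levels[rec["dn"][0]] = (v, LEVEL_NAMES.get(v, f"unknown ({v})"))
    return levels


def check_raise(current, target):
    """The safety check ADSI Edit does not perform: a functional level may
    only go up, and only to a value this page lists. Returns None when the
    change is acceptable, otherwise the reason it was refused."""
    if target not in LEVEL_NAMES:
        return f"unknown level {target}"
    if target < current:
        return f"cannot lower level {current} to {target}"
    if target == current:
        return "already at that level"
    return None


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for dn, (v, name) in functional_levels(recs).items():
        print(f"{dn}: msDS-Behavior-Version={v} ({name})")
    for f in audit_domain_controllers(recs):
        print(f"{f['dn']}: userAccountControl={f['uac']} {f['flags']} "
              f"{'ok' if f['ok'] else 'WRONG'}")
```

To use it against a real forest, export the Partitions container, the domain NC head and OU=Domain Controllers with ldifde and feed that file to parse_ldif instead of SAMPLE_LDIF; run it once before the ADSI Edit change and once after the attribute list refreshes, and the two reports show exactly what changed.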

Summary of ADSI Edit

Nobody wins their Active Directory spurs without knowing where to find ADSI Edit.  No-one gets to be a top Windows Server 2003 techie without configuring the Domain and Configuration partitions with ADSI Edit.  Without ADSI Edit experience, many TechNet articles will be beyond your skill level.  While this is not a difficult tool, you have to be careful as there is no error checking.
