WSUS Deep Dive - Too much information!

I'm just using this as a "notepad" of sorts.
Just took over a site with many downstream WSUS and trying fix the existing issues.
Don't expect a complete solution here!
This will be updated as I go along but then again, maybe not!

WSUS Tips & Tricks:
https://community.spiceworks.com/topic/1677852-how-to-administer-wsus

No update files downloaded in WSUS Content folder:
http://clintboessen.blogspot.sg/2013/09/windows-server-2012-wsus-server-not.html
https://thwack.solarwinds.com/thread/54281
https://social.technet.microsoft.com/Forums/windowsserver/en-US/97e1170e-0506-4cf1-918c-6d472b352ff6/wsus-not-downloading-the-updates?forum=winserverwsus
https://serverfault.com/questions/754267/wsus-upstream-server-is-not-showing-current-downstream-server-status

SQL Script to clean WSUS:
https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

WSUS Error Codes:
8024401F - Equivalent to a HTTP 500 error; IIS had an internal server error while processing download request; check your default ports on WSUS if they match GPO settings. If that's not the issue see this:- http://kaustubhghanekar.blogspot.sg/2011/05/advanced-wsus-troubleshooting-for-error.html

WSUS Error Codes Database:
http://inetexplorer.mvps.org/archive/windows_update_codes.htm

Script for WSUS cleanup:
https://docs.microsoft.com/en-us/powershell/module/wsus/invoke-wsusservercleanup?view=win10-ps

Troubleshooting:
IIS Logs C:\inetpub\logs\LogFiles

Alternative method of deploying drivers from WSUS:
https://decentsecurity.com/drivers-through-wsus/

Downloading Drivers using WSUS:
http://www.runonazure.com/downloading-drivers-into-wsus-bad-idea/
https://blogs.technet.microsoft.com/sus/2008/08/20/a-large-number-of-driver-updates-showing-up-in-wsus/
http://www.runonazure.com/downloading-drivers-into-wsus-bad-idea/

Deleting WID:
https://systemspecialist.net/2013/05/15/move-or-delete-a-wsus-4-windows-internal-database-wid-on-windows-server-2012/

Disabling many AD user accounts on Windows Server 2003 without powershell

This may or may not help you but it's for my future reference.

My source was from dumping using MAP (Microsoft Assessment and Planning) toolkit using report "ActiveDevicesUsageTracker"

My AD wasn't using the default OU structure
Usable output = "Username" column = samID

Retrieve User-DN on Windows Server 2003
With the samID above, for each name

dsquery user -samid

Disable AD user accounts on Windows Server 2003
dsmod user user-DN -disabled yes

References (just got the important bits):
http://technet.microsoft.com/en-sg/library/cc781527(v=ws.10).aspx
https://kb.bluecoat.com/index?page=content&id=KB4548

Not related but I needed to get the AD group membership of those disabled AD accounts for clean up purposes.

Retrieve by AD user object AD group membership:
dsget user "" -memberof -expand 

Reference:
http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx

VMware vSphere Snapshots (draft-WIP)

This post aims to condense and place into a single page important information with regards to snapshots, svmotion (snapshots are used), cloning (snapshots used there too!) and some general issues  and questions which I've encountered in my working environment. (quiescing errors, during Avamar backup, during cloning of "hardened" windows GOS)

I started out looking for supporting articles but ended up going in and out of KBs and losing track of what belongs to what, where belongs to where. Hence this post. It's mostly my notes of what I think will be useful and important while troughing through the maze of KB articles.

Start here (Understanding how Snapshots work on different versions of ESX/ESXi)
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1015180

• Quiesce: If the  flag is 1 or true, and the virtual machine is powered on when the snapshot is taken, VMware Tools is used to quiesce the file system in the virtual machine. Quiescing a file system is a process of bringing the on-disk data of a physical or virtual computer into a state suitable for backups. This process might include such operations as flushing dirty buffers from the operating system's in-memory cache to disk, or other higher-level application-specific tasks.
  
  Note: Quiescing indicates pausing or altering the state of running processes on a computer, particularly those that might modify information stored on disk during a backup, to guarantee a consistent and usable backup. Quiescing is not necessary for memory snapshots; it is used primarily for backups.
• If the virtual disk is larger than 2TB in size, the redo log file is of  --sesparse.vmdk format.
• .vmsd
  The .vmsd file is a database of the virtual machine's snapshot information and the primary source of information for the snapshot manager. The file contains line entries which define the relationships between snapshots as well as the child disks for each snapshot.
• Snapshot.vmsnThe .vmsn file includes the current configuration and optionally the active state of the virtual machine.
• The above files will be placed in the working directory by default in ESX/ESX 3.x and 4.x.
• In ESXi 5.x and later snapshots descriptor and delta VMDK files will be stored in the same location as the virtual disks (which can be in a different directory to the working directory). 
• When removing a snapshot, the snapshot entity in the snapshot manager is removed before the changes are made to the child disks. The snapshot manager does not contain any snapshot entries while the virtual machine continues to run from the child disk. 
•  During a snapshot removal, if the child disks are large in size, the operation may take a long time. This can result in a timeout error message from either VirtualCenter or the VMware Infrastructure Client.

The child disk

The child disk, which is created with a snapshot, is a sparse disk. Sparse disks employ the copy-on-write (COW) mechanism, in which the virtual disk contains no data in places, until copied there by a write. This optimization saves storage space. The grain is the unit of measure in which the sparse disk uses the copy-on-write mechanism. Each grain is a block of sectors containing virtual disk data. The default size is 128 sectors or 64KB

The disk chain

Generally, when you create a snapshot for the first time, the first child disk is created from the parent disk. Successive snapshots generate new child disks from the last child disk on the chain. The relationship can change if you have multiple branches in the snapshot chain.

This diagram is an example of a snapshot chain. Each square represents a block of data or a grain as described above:

• Reverting virtual machines to a snapshot causes all settings configured in the guest operating system since that snapshot to be reverted. The configuration which is reverted includes, but is not limited to, previous IP addresses, DNS names, UUIDs, guest OS patch versions, etc.

When performing Storage vMotion
http://blogs.vmware.com/vsphere/2011/09/storage-vmotion-storage-drs-virtual-machine-snapshots.html
"It should also be noted that if you do a Storage vMotion of a VM with snapshots and the VM has the workingDir parameter set, theworkingDir setting will be removed from the .vmx & the .vmsn snapshot data file will be moved to the home folder of the VM on the destination datastore. You do get a warning in the migration wizard about this"

"Therefore, if you use the snapshot.redoNotWithParent = "TRUE" parameter, you should refrain from doing Storage vMotion operations."

This happens regardless even if you set the parameters above - in other words, try as best as possible to avoid putting the snapshot files on a datastore away from the parent -flat file disks if all the datastores involved are backing an SDRS cluster...

Troubleshooting http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1031200
Disable selective VSS writers for troubleshooting

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=5962168
Using custom "pre-freeze" and "post-thaw" scripts.

Covers SYNC and LGTO_SYNC drivers, not VSS.

This article details why the VM may become unresponsive and seem "hung" during a snapshot process.

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1007696
Details VSS  troubleshooting. This article also includes the services that need to be running on the GOS., Issues with quiescing.

When performing cloning on vSphere v5.x on a VM with snapshots
This is what's been observed: Base disk + snapshot will be copied over to the destination VM merging the snapshot(s) into a single VMDK at destination.

When you've run out of space on the datastore and snapshots cannot be deleted
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004545
This post details the steps to take with a command line tool provided you already have another datastore with sufficient space or have been able to increase the space on the same datastore that had run out of space.

There is a limit on how many open vmdk files an ESXi host can address depending on the VMFS version. 
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004424
This article is very interesting technically. Covers all versions of ESXi till date. There are changes to the HEAP size between version updates. Useful. Here's the table of limits reproduced:

Version/build	Default heap amount	Default allowed open VMDK storage per host	Minimum heap amount	Maximum heap amount	Maximum heap value	Maximum open VMDK storage per host
ESXi/ESX 3.5/4.0	16 MB	4 TB	N/A	N/A	N/A	N/A
ESXi/ESX 4.1	80 MB	8 TB	N/A	128 MB	128	32 TB
ESXi 5.0 Update 2 (914586) and earlier	80 MB	8 TB	N/A	256 MB	255	25 TB
ESXi 5.0 Patch 5 (1024429) and later	256 MB	60 TB	256 MB	640 MB	255	60 TB
ESXi 5.1 Patch 1 (914609) and earlier	80 MB	8 TB	N/A	256 MB	255	25 TB
ESXi 5.1 Update 1 (1065491) and later	256 MB	60 TB	256 MB	640 MB	255	60 TB

Disks (VMDK) larger than 2TB (for ESXi 5.5 with VMFS5 only. If using NFS, backend must be on file system that has large file support like EXT4. Extending disks beyond 2TB also requires the use of the Web Client or vCLI)

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2058287

Changes in virtual machine snapshots for VMDKs larger than 2 TB:

• Snapshots taken on VMDKs larger than 2 TB are now in Space Efficient Virtual Disk (SESPARSE) format. No user interaction is required. The redo logs will be automatically created as SESPARSE instead of VMFSSPARSE (delta) when the base flat VMDK is larger than 2 TB.
• Extending a base flat disk on VMFSSPARSE or SESPARSE is not supported.
• The VMFSSPARSE format does not have the ability to support 2 TB or more.
• VMFSSPARSE and SESPARSE formats cannot co-exist in the same VMDK. In a virtual machine, both types of snapshot can co-exist, but not in the same disk chain. For example, when a snapshot is taken for a virtual machine with two virtual disks attached, one smaller than 2 TB and one larger than 2 TB, the smaller disk snapshot will be VMFSSPARSE the larger disk snapshot will be SESPARSE.
• Linked clones will be SESPARSE if the parent disk is larger than 2 TB.

What else can cause snapshots consolidation to fail?
Main reference article in spanish:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2046576
1. Locks (files are locked)
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=10051
2. Temporary loss of communication between vCenter and ESXi hosts during confirmation - this does not mean that the ESXi hosts are shown to be disconnected from vCenter. To "restore" connectivity restart management agents from the host. (My note from field experience - there is a chance that during the restart of the management agents, your host may really get disconnected from vCenter AND if your cluster is EVC enabled, you will have to shutdown all the running VMs on that host in order for that host to rejoin the EVC cluster - so beware!)
3. A snapshot configuration file with extension .vmsd in the VM home directory may interfere. Rename, move or delete that file.
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1003490

How-To fix RDP connection issue with error "The Local Security Authority cannot be contacted"

Can be caused by:

1. User must change password on next logon and RDC is set to use only Network Level Authentication. Affects "workgroup" computers or computers on another domain (compared to the one you're logging in from). 
2. Missing language pack 

References:

http://blog.mnewton.com/articles/Solution-RDP-The-Local-Security-Authority-cannot-be-contacted/

On how to disable NLA (assuming you can get access to your remote server using the suggested methods:

http://blog.mnewton.com/articles/Solution-RDP-The-Local-Security-Authority-cannot-be-contacted/

Shadowing a RDP session

In short:
1. RDP to the server (it must be on the same server afaik) with the RDP session you want to shadow
2. Open command prompt
3. Type "shadow

Reference:
http://support.microsoft.com/kb/320191

Tracing source of IP conflict

Look for event id 4199, source Tcpip

HOWTO: Locating Global Catalog (GC) Servers in Windows Domain

nltest /dsgetdc: /GC

or

repadmin.exe /options * and use IS_GC for current domain options

Location of windows automatic backup (system restore) of user profiles

First you need to boot into safe mode and then have to enable the built-in Administrator account. Incase if you are not able to boot into the built-in Administrator account in safe mode then enable the Built-in Administrator account. So after successfully enabling it, follow the below method:

1. First click on Start menu
2. In the search dialog box, type regedit and press enter
3. In regedit, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
4. In the left pane, look for the S-1-5 folder (SID key) with the long number that has .bak at the end of the numbers.

The user profile service failed the logon error in Windows 7

This is a quick fix, delete profile and recreate. Not recommended for sites that have large number of clients as helpdesk will need to personally "touch" each instance of profile corruption.


You can quite easily fix this problem yourself, follow these steps give below: 

• Delete the profile by using the Computer Properties dialog box. To do this, follow these steps:
  • Click Start, right-click Computer, and then click Properties.
  • Click Change settings.
  • In the System Properties dialog box, click the Advanced tab.
  • Under User Profiles, click Settings.
  • In the User Profiles dialog box, select the profile that you want to delete, click Delete, and then click OK.
• Click StartCollapse this imageExpand this image, type regedit in the Start search box, and then press ENTER.
• Locate and then expand the following registry subkey:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
• Right-click the SID that you want to remove, and then click Delete.
• Log on to the computer and create a new profile.

Location of user profile registry hive

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

How to force certain windows services to start first (or otherwise)

Basically, this article will enable us to hard-code the sequence of service start-up. It will be useful in some situations.

Summary:

1. Locate relevant "Service" registry key
2. Right click -> New -> Multi-string Value
3. Type "DependOnService", press ENTER
4. In value data box, type , click OK
5. Restart the computer

Full gory details follow:
http://support.microsoft.com/kb/193888
The Registry subkeys for services are located in the following path and can control how services are loaded.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

To create a new dependency, select the subkey representing the service you want to delay, click Edit, and then click Add Value. Create a new value name "DependOnService" (without the quotation marks) with a data type of REG_MULTI_SZ, and then click OK. When the Data dialog box appears, type the name or names of the services that you prefer to start before this service with one entry for each line, and then click OK. 

The name of the service you would enter in the Data dialog box is the exact name of the service as it appears in the registry under the Services key. 

When the computer starts, it uses this entry to verify that the service or services listed in this value are started before attempting to start the dependent service. 


In addition, Windows 2000 and Windows 2003 Active Directory needs to find and use the DNS Server service. The Netlogon service can be delayed to ensure that the DNS Server service is up and running for Dynamic DNS registration and query for existing Active Directory domain controllers that are in the DNS server database. Use the DependOnService in the Netlogon and add DNS to the list of LanmanWorkstation and LanmanServer. This delays Netlogon from starting until the DNS Server service on that same computer is started and ready. 

Note Only delay the Netlogon service for DNS on a Windows 2000 or Windows 2003 Server when the DNS service is on the same Windows 2000 or Windows 2003-based server. 

Note Entries in this field are NOT case-sensitive. 

Warning Adding this entry manually may prevent the system from starting properly if you establish a "circular dependency." In its simplest form, such a problem would occur when you make two differing services dependent on one another. Neither service would be able to start as they would both require the other to be started first.

Note If you have a service that needs to start late in the boot cycle but you do not have a specific service dependency, as explained above, then choose one of the services which startup last as the data value for the value "Depends on Service". Services commonly selected are Spooler and Messenger.

HOWTO: Shortcuts to managing DHCP in enterprise environments

How to extract MAC address from DHCP reservations


netsh dhcp server dump >> reservationdump.txt
find “Add reservedip” reservationdump.txt >> reservations.csv


Updated June 26, 2012


Had another issue at work where I had to merge two DHCP scopes that divided a single segment between the scopes. Each scope controlled a range of IP addresses (Scope #1, .1 - .127, Scope #2, .128 - 254). 


Both of the scopes had custom scope attributes defined. 


One of the scopes had reservations defined.


To make matters more interesting, the subnet mask had to be changed from /25 (255.255.255.128) to /24 (255.255.255.0) - DHCP scope allows you to edit the defined range but the subnet mask is greyed out.


Lastly, a new scope had to be created under a new segment based on one of the old scopes above.




How to merge scopes without losing custom settings and re-doing reservations:


A variation of the commands  at the start of this post will get you a text dump.
(Note there are two kinds of export data; binary and text and they are not interchangable)


If you need to quickly modify a scope on DHCP, eg, delete a scope and recreate all the reservations in a new scope, the above technique with the following steps will make it easier.


1. Export the scopes: netsh dhcp server dump >> dump.txt
2. Edit the exported file (you can safely delete the other non applicable scopes)
3. Import the exported file using this command: netsh exec c:\dump.txt


You may encounter these errors when you try to export DHCP server configuration (binary):
"An attempt was made to load a program with an incorrect format" - Hotfix solution from Microsoft
"Access denied" error message when you use the "netsh dhcp server import" - Binary Export/Import DHCP database steps




References:
Netsh commands for DHCP


Starting point for solution:
HOWTO: Import and Export DHCP reservations in server 2003

How to reset Windows XP/2000 default system security

I bet some of you guys have had these "power users" that absolutely screw up their own workstations so much so that you as an administrator can't control the file system nor control the machine remotely.

Well...

To restore Windows 2000/XP’s default system security you can execute following command:

secedit /configure /cfg "%systemroot%\security\templates\setup security.inf" /db waisaw.sdb /verbose

If file “%systemroot%\security\templates\setup security.inf” does not exist, retrieve it from another XP machine.

http://live.sysinternals.com/

Upgrading from Lower version of Windows 7 to Enterprise

This steps are for Home Premium to Enterprise. Have not had the opportunity to try from Windows Starter Edition. Will update post once that is successfully tested:-


Upgrading from Home Premium is possible, just make the following registry changes:

Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion modify the following keys:

• EditionID from “HomePremium” to “Enterprise”.
• ProductName from “Windows 7 HomePremium” to “Enterprise”.

Default Gateway disappearing after reboot

This is an interesting problem. It's a possible bug after applying Vista SP2.

Symptoms:
Manually added Default Gateway disappears upon reboot.

Cause:
Null or empty line in registry key "DefaultGateway | REG_MULTI_SZ"

Solution:

1. Start Regedit
2. Navigate to  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
3. Select CLSID of network adapter (you can identify your adapter by looking at the IPAddress registry Data field). 
4. Doubleclick "DefaultGateway" (You will see a list of all gateways that disappeared, especially if you've tried multiple gateways and rebooted a few times). Very likely the first line will be blank or empty. Remove this first empty line, click OK, exit regedit and reboot.

Reconnect child domain to AD forest after tombstone period without demoting child domain DCs

Frankly information on how to fix this problem IS available. It's just that Microsoft's support site contains KB articles that haven't been fully updated.

See this article: Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers

To resolve this issue, you must create a replication link, and you must enable one-way authentication instead of two-way authentication. To do this, follow these steps:

1. On a domain controller in the root domain, add the Replicator Allow SPN Fallback registry value. To do this, follow these steps.
   
   Note Perform steps 1 through 6 on this same domain controller.
   
   1. Click Start, click Run, type regedit, and then click OK.
   2. Locate and then click the following registry subkey:
      
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type Replicator Allow SPN Fallback, and then press ENTER.
   5. Double-click Replicator Allow SPN Fallback in the right-pane, type 1 in the Value data box, and then click OK.
   6. Restart the domain controller.
2. At a command prompt, type the following:
   
   repadmin /optionsfully_qualified_domain_name_(FQDN)_of_the_root_domain_controller+DISABLE_NTDSCONN_XLATE
   
   
   Note The Repadmin.exe tool is located in the Windows 2000 Support Tools. 
   
   For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
   
   301423  How to install the Windows 2000 support tools to a Windows 2000 Server-based computer
3. At a command prompt, type the following:
   
   repadmin /add CN=Configuration,DC=Domain_Name,DC=Domain_NameFQDN_of_the_root_domain_controller FQDN_of_the_child_domain_controller
4. At a command prompt, type repadmin /showreps. A successful incoming connection should be displayed for the configuration naming context from the child domain controller.
5. At a command prompt, type the following:
   
   repadmin /options FQDN_of_the_root_domain_controller -DISABLE_NTDSCONN_XLATE
6. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
   
   1. Click Start, click Run, type regedit, and then click OK.
   2. Locate and then click the following registry subkey:
      
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   3. Right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
7. Force replication between all domain controllers in the root domain. To do this, follow these steps:
   
   1. On a domain controller in the root domain, click Start, point to Programs, point toAdministrative Tools, and then click Active Directory Sites and Services.
   2. Expand Sites, expand Servers, expand your Server_Name folder, and then click NTDS Settings.
   3. If there are other domain controllers in your environment to replicate, they will be listed in the right pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC). 
      
      An incoming connection object from one or more of the child domain controllers is displayed. You may have to update the display by pressing F5.
      
      Note You must perform this step for each domain controller in the root domain.
8. Allow replication to occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the child domain controllers. This step makes sure that Active Directory directory service replication is successful. 
   
   Note The "Replication Allow SPN Fallback" registry entry enables the Active Directory to use one-way authentication if two-way authentication cannot be performed because of a failure to resolve a Service Principle Name (SPN) to a computer account.

@ARK-DS

Problem is almost resolved.  Been talking to Microsoft these last two weeks - we are at the last stage of monitoring replication and cleaning up.

And yes, you are right about KB http://support.microsoft.com/kb/887430. It's the first step required to rejoin the orphaned domain to parent. Unfortunately, I didn't get confirmation that this would work with Windows 2008 servers and in Windows 2003 Forest/Domain level installations - if I had, it would have saved a call to Microsoft. :-)  AND Microsoft's KB article was updated (APPLIES TO doesn't mention anything other than Windows 2000 Servers!!) See attached image kb887430.jpg

However, the whole process isn't as simple and involves many steps.

OK people, this is for the benefit of the masses.

From watching Microsoft troubleshoot the problem, besides the SOPs they ask you to do, (MPSReport, Network analyser captures, etc), these are the steps and things to take note of if you have a situation such as this.

1. You need to run the commands on the PDC.
2. You need to double-check using regedit even after using the "repadmin /regkey " - If you don't do that, although the command returns successful execution, the key might still be there.

www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_25306989.html#a30815303

WSUS 3.0 SP2 on Windows Web Server 2008 R2

To install IIS 7.0 on Windows Server 2008

1. Start the Server Manager (click Start, click Run, and then type CompMgmtLauncher).
2. In the tree view, select Roles, then in the Roles pane click Add Roles.
3. In the Add Roles Wizard, click Select Server Roles, select the Web Service (IIS) check box, click Next, and then click Next again.
   At this time you may see a message box Add features required for Web Server (IIS)? Click Add Required Features.
4. In the Select Role Services window, make sure that the following services are selected:
   • Common HTTP Features (including Static Content)
   • ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
   • Windows Authentication (under Security)
   • IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)
5. Click Next, and then review your selections.
6. Click Install.

Get all your AD troubleshooting tools from one place

MPS Reporting Tool:
This MPS Reporting Tool is utilized to gather detailed information regarding a systems current configuration. The data collected will assist the Microsoft Support Professional with fault isolation.


http://support.microsoft.com/kb/818742

Once downloaded, run the .exe file and it will extract (and run)

The interesting stuff is in %windir%\MPSReports\DirSvc\Bin

No more need to go hunting around for your support folder in your windows server CD/DVD/ISO!

Additional use link for Microsoft Network Monitor (v3.3):
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f