U-Tools: Unique Tools for Windows System Administrators
UPromote
FAQ

BDCs and NT Services

Q: I promoted a standalone server to a BDC. After I rebooted, some of my services no longer start. What happened?

A: A BDC is a read-only replica of the PDC's password database. When you created the BDC, you overwrote the old local accounts in the registry with accounts from the PDC. Most services run under the SYSTEM account and are not affected. However, a few services may run under special accounts. (For example, Microsoft SQL Server runs under its own special account.) You need to recreate these accounts on the PDC. You also need to set the stored password for each service to match the password on the PDC. To set the stored password of each service,

  1. Open the Control Panel and click on Services.
  2. For each service that uses a special account (e.g., MSSQLServer), click on Startup.
  3. Set the password to match the password of the corresponding account which you created on the PDC.
  4. Click on Start to start the service.
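The four steps above are a per-service GUI procedure. The script below is an added example (not U-Tools or UPromote code) that does the same job from the command line and adds the check a practitioner wants before promoting: an inventory of every service whose logon account lives in the local SAM that the promotion will overwrite. It assumes a host running Windows PowerShell 5.1 with sc.exe available; the service name MSSQLServer comes from the page, while the domain and account name are placeholders.

```powershell
# Added example (not from U-Tools/UPromote): list the services that run under a
# named account, then reset one service's stored password with sc.exe.
# Assumptions: Windows PowerShell 5.1, sc.exe on the PATH, run elevated.

# Built-in accounts whose logon does not depend on the SAM that promotion overwrites.
$BuiltInAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-NamedAccountServices {
    # Returns every service whose logon account is not a built-in system account.
    # These are the services the BDC promotion breaks: their account and stored
    # password referred to the local SAM that the PDC's copy replaced.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($BuiltInAccounts -notcontains $_.StartName) } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Set-ServiceStoredPassword {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [pscredential] $Credential   # DOMAIN\account recreated on the PDC
    )
    # sc.exe config rewrites the account and stored password held by the service
    # control manager. sc.exe requires the "obj=" and "password=" tokens to be
    # followed by a space, which passing them as separate arguments provides.
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    & sc.exe config $ServiceName 'obj=' $user 'password=' $pass | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed for $ServiceName (exit code $LASTEXITCODE)"
    }
    Start-Service -Name $ServiceName
}

# 1. Before promotion: record which services will need their passwords reset.
Get-NamedAccountServices | Format-Table -AutoSize

# 2. After promotion, for each service in that list. MSSQLServer is the page's
#    example; 'MYDOMAIN\SqlServiceAccount' is a placeholder account name.
# Set-ServiceStoredPassword -ServiceName 'MSSQLServer' `
#     -Credential (Get-Credential -UserName 'MYDOMAIN\SqlServiceAccount' -Message 'Service account password')
```

Run the inventory step before promoting and keep its output; after promotion, recreate each listed account on the PDC and call Set-ServiceStoredPassword once per service. Get-Credential prompts for the password so it never sits in the shell history.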

Q: I promoted a standalone server to a BDC. After I rebooted, Internet Information Server (IIS) can no longer access the IUSR_<machine> account. And it can no longer use the IWAM_<machine> account to run a web site in a separate process. What happened?

A: (Note: It is generally a bad idea to run IIS on a DC for security reasons.) A BDC is a read-only replica of the PDC's password database. When you created the BDC, you overwrote the old local accounts in the registry with accounts from the PDC. This includes the IUSR_<machine> account and the IWAM_<machine> account. If you run IIS on the BDC, you will need to recreate these accounts manually. Run USRMGR.EXE and create the accounts. Make IUSR_<machine> a member of the Guests group only. Make IWAM_<machine> a member of the Guests group and the MTS Impersonators group. Give IWAM_<machine> the right to Log On as a Batch Job.

After you recreate the accounts, you need to tell IIS the passwords. To tell IIS the password for the IUSR_<machine> account, run the Internet Service Manager on the BDC. (Note: If you cannot locate the Internet Service Manager icon, create a console window and type MMC.EXE %windir%\system32\inetsrv\iis.msc.) Click on IIS -> Default Web Site -> Properties -> Directory Security. Press the Edit button twice. Verify that the username is IUSR_<machine>. Check the box for "Enable Automatic Password Synchronization" or enter a manual password that matches the password you assigned when you created the IUSR_<machine> account.

To tell IIS the password for the IWAM_<machine> account, do the following.

  1. Create a DOS shell.
  2. Type cd %windir%\system32\inetsrv\adminsamples
  3. Type cscript adsutil.vbs set w3svc/WAMUserPass "password"

Use the password you assigned when you created the IWAM_<machine> account.
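The account recreation and the two password steps above can be scripted so that the IUSR_ and IWAM_ passwords are generated, stored where IIS expects them, and never typed by hand. The following is an added example, not U-Tools or UPromote code, and not part of the original FAQ. It assumes a host with Windows PowerShell 5.1 (the individual net, ntrights and cscript commands are the same ones you would type at the DOS shell), that ntrights.exe from the Windows NT Resource Kit is on the PATH (it grants user rights from the command line; User Manager's Policies -> User Rights dialog is the GUI equivalent), and that adsutil.vbs is in the adminsamples directory named on the page. The metabase property AnonymousUserPass is the IUSR_ counterpart of the WAMUserPass property the page shows.

```powershell
# Added example (not from U-Tools/UPromote): recreate the IIS anonymous and
# out-of-process accounts on a new BDC and store their passwords in IIS.
# Assumptions: Windows PowerShell 5.1, elevated shell, ntrights.exe (Resource
# Kit) on the PATH, adsutil.vbs in %windir%\system32\inetsrv\adminsamples.

$iusr = "IUSR_$env:COMPUTERNAME"
$iwam = "IWAM_$env:COMPUTERNAME"

# Generate the passwords instead of typing them: only the domain SAM and the
# IIS metabase ever need to know them.
Add-Type -AssemblyName System.Web
$iusrPass = [System.Web.Security.Membership]::GeneratePassword(14, 3)
$iwamPass = [System.Web.Security.Membership]::GeneratePassword(14, 3)

function Invoke-Checked {
    # Runs a native command and stops the script if it reports failure, so a
    # failed account creation does not leave IIS pointing at a missing account.
    param([string] $Exe, [string[]] $ArgumentList)
    & $Exe @ArgumentList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# On a BDC, account writes go to the PDC; /domain makes that explicit.
# /passwordchg:no matches the "User Cannot Change Password" setting IIS setup
# uses for these accounts.
Invoke-Checked net.exe @('user', $iusr, $iusrPass, '/add', '/domain', '/passwordchg:no')
Invoke-Checked net.exe @('user', $iwam, $iwamPass, '/add', '/domain', '/passwordchg:no')

# Group membership exactly as the FAQ prescribes: IUSR_ in Guests only,
# IWAM_ in Guests and MTS Impersonators.
Invoke-Checked net.exe @('localgroup', 'Guests', $iusr, '/add')
Invoke-Checked net.exe @('localgroup', 'Guests', $iwam, '/add')
Invoke-Checked net.exe @('localgroup', 'MTS Impersonators', $iwam, '/add')

# "Log On as a Batch Job" is the SeBatchLogonRight privilege.
Invoke-Checked ntrights.exe @('+r', 'SeBatchLogonRight', '-u', $iwam)

# Store the passwords in the IIS metabase: AnonymousUserPass for IUSR_ (the
# value the Directory Security dialog sets) and WAMUserPass for IWAM_ (the
# command shown on the page).
Push-Location "$env:windir\system32\inetsrv\adminsamples"
try {
    Invoke-Checked cscript.exe @('//nologo', 'adsutil.vbs', 'set', 'w3svc/AnonymousUserPass', $iusrPass)
    Invoke-Checked cscript.exe @('//nologo', 'adsutil.vbs', 'set', 'w3svc/WAMUserPass', $iwamPass)
}
finally {
    Pop-Location
}
```

After it runs, verify in Internet Service Manager that the Directory Security dialog still names IUSR_<machine> as the anonymous user; if "Enable Automatic Password Synchronization" is checked there, IIS will keep the IUSR_ password in step by itself and the AnonymousUserPass line is redundant.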
