
Archive for the ‘Active Directory & DNS’ Category

Problem

I’m currently working on a project and I was asked to create a secure configuration GPO according to the CIS standard.

I’ve noticed that the “MSS:” prefixed settings are not visible in the Group Policy Management Editor. To reveal these settings, please perform the following:

(Location: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options)


Solution

  • My recommendation is to use a test virtual machine or a test server before proceeding
  • Prerequisites:

Please make sure that the following software is installed on the server:

  • Microsoft .Net Framework 4
  • SQL Server installed
  • Download Security Compliance Manager (SCM) and install it on the server

http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

  • After installing SCM, copy the “LocalGPO.msi” file from the path “C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi” to your AD server.
  • Run and install the file “LocalGPO.msi” on the AD server.


  • Execute the following command: cscript LocalGPO.wsf /ConfigureSCE


  • Close and reopen the Group Policy Management Editor and you’ll notice that the MSS: prefixed settings have been added!
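Once the MSS: settings are visible and the GPO has been applied, it is worth verifying on a test machine that the values actually landed. The following PowerShell audit is an added example, not part of the original post or of the SCM/LocalGPO tooling: it reads the registry locations that a handful of the MSS: settings map to and compares them with the CIS-recommended values as I know them (treat the expected values as assumptions to align with your own baseline).

```powershell
# Added example (not from the original post): audit a selection of MSS: settings
# by reading the registry values the Group Policy template writes, and compare
# them with the CIS-recommended values (assumed here; adjust to your baseline).

$mssChecks = @(
    @{ Name     = 'MSS: (AutoAdminLogon) Enable Automatic Logon'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'AutoAdminLogon'
       Expected = '0' },
    @{ Name     = 'MSS: (DisableIPSourceRouting) IP source routing protection level'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value    = 'DisableIPSourceRouting'
       Expected = 2 },
    @{ Name     = 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value    = 'EnableICMPRedirect'
       Expected = 0 },
    @{ Name     = 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Value    = 'SafeDllSearchMode'
       Expected = 1 },
    @{ Name     = 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Value    = 'NoNameReleaseOnDemand'
       Expected = 1 },
    @{ Name     = 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'ScreenSaverGracePeriod'
       Max      = 5 }          # "5 or fewer" rather than an exact value
)

function Test-MssSetting {
    param([Parameter(Mandatory)][hashtable]$Check)

    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value)
    } catch {
        # Value absent: the policy has never been applied to this host
    }

    if ($null -eq $actual) {
        $status = 'NotConfigured'
    } elseif ($Check.ContainsKey('Max')) {
        $status = if ([int]$actual -le $Check.Max) { 'Pass' } else { 'Fail' }
    } else {
        # String compare so REG_SZ ('0') and REG_DWORD (0) settings are handled alike
        $status = if ("$actual" -eq "$($Check.Expected)") { 'Pass' } else { 'Fail' }
    }

    [pscustomobject]@{
        Setting  = $Check.Name
        Actual   = $actual
        Expected = if ($Check.ContainsKey('Max')) { "<= $($Check.Max)" } else { $Check.Expected }
        Status   = $status
    }
}

$mssChecks | ForEach-Object { Test-MssSetting -Check $_ } | Format-Table -AutoSize
```

Run it after gpupdate /force on the test machine; a NotConfigured row means the GPO never wrote that value, a Fail row means it wrote a value that differs from the baseline.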


Idit 🙂


Problem:

I tried to create a secondary DNS zone, but I received the following error: The zone cannot be created. A conditional forwarding zone already exists for that name.

Solution

  • Connect to the domain controller.
  • Go to Start > Run > Dnsmgmt.msc
  • Select the server’s name > Properties > Forwarders, and remove the conditional forwarder entry for the domain name you are trying to create the secondary DNS zone for.
  • Try to create the zone again from the start.

Idit.


Problem:

I have a domain DomA.com and a client ServerA.DomA.com, and I have an additional domain DomB.com. I created a two-way trust between DomA.com and DomB.com.

I am trying to resolve the FQDN of ServerA.DomA.com from DomB.com (from Start > Run > nslookup > server’s IP) but I received an error message:

*** DomB.com can’t find server’s IP : Non-existent domain

Solution

Configure DNS replication between DomA.com and DomB.com by doing the following:

  • Connect to DomA.com
  • Go to Start > Run > Dnsmgmt.msc
  • Go to Forward Lookup Zones > DomA.com > Right Click > Properties > Zone Transfers > check Allow zone transfers > to any server, or (preferably) choose Only to the following servers and enter the IP of the DomB.com DNS server.


  • Connect to DomB.com
  • Go to Start > Run > Dnsmgmt.msc
  • Select the server’s name > Properties > Forwarders, and remove DomA.com from it.


  • From the DNS Management console go to Reverse Lookup Zones > Right Click > New Zone > Secondary Zone > add “DomA.com”
  • Go to Reverse Lookup Zones > select the zone > Right Click > Properties > Name Servers > add DomA.com


  • Go to the relevant reverse lookup zone and manually add a PTR record for ServerA.DomA.com
  • Now if you go to DomB.com > Start > Run > nslookup and enter the IP of ServerA.DomA.com, you won’t receive any error messages.

That’s it!  And you are ready to work.
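The same procedure, and the conditional-forwarder conflict from the previous post, can be driven from PowerShell. The script below is an added example, not from either original post: it assumes the DnsServer module (Windows Server 2012 or later, so not the Windows 2003 consoles the posts describe), placeholder hostnames and addresses, and DNS administration rights on both servers. Two things differ deliberately from the click-through steps: zone transfers are restricted to the DomB.com server instead of “any server”, since an open zone transfer gives the whole zone to anyone who asks, and the PTR record is added on the primary zone in DomA.com, because a secondary zone is a read-only copy.

```powershell
# Added example (not from the original posts). Assumes the DnsServer module
# (Windows Server 2012+). All names and addresses below are placeholders.

$domAServer  = 'dc1.DomA.com'          # holds the primary zones for DomA.com
$domBServer  = 'dc1.DomB.com'          # will hold the secondary copies
$domAIp      = '192.0.2.10'            # placeholder address of DomA's DNS server
$domBIp      = '198.51.100.10'         # placeholder address of DomB's DNS server
$reverseZone = '2.0.192.in-addr.arpa'  # reverse zone for ServerA's subnet (placeholder)

# The "A conditional forwarding zone already exists for that name" error: a
# conditional forwarder and a secondary zone cannot share a name, so look for
# a forwarder first and remove it before creating the secondary zone.
function Remove-ConflictingForwarder {
    param([Parameter(Mandatory)][string]$ZoneName,
          [Parameter(Mandatory)][string]$ComputerName)

    $existing = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -eq 'Forwarder') {
        Remove-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -Force
        return $true
    }
    return $false
}

# On DomA.com: allow zone transfers only to DomB's DNS server, for both the
# forward zone and the reverse zone (the post's "only to the following servers").
foreach ($zone in 'DomA.com', $reverseZone) {
    Set-DnsServerPrimaryZone -Name $zone -ComputerName $domAServer `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $domBIp
}

# On DomB.com: clear any conflicting forwarder, then create secondary copies
# of both zones that pull from DomA's server.
foreach ($zone in 'DomA.com', $reverseZone) {
    if (Remove-ConflictingForwarder -ZoneName $zone -ComputerName $domBServer) {
        Write-Host "Removed conditional forwarder for $zone on $domBServer"
    }
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" `
        -MasterServers $domAIp -ComputerName $domBServer
}

# On DomA.com (the writable copy): make sure ServerA has a PTR record, so the
# reverse lookup that failed in the post succeeds once the zone replicates.
$serverAHostPart = '20'                  # ServerA.DomA.com = 192.0.2.20 (placeholder)
$ptr = Get-DnsServerResourceRecord -ZoneName $reverseZone -Name $serverAHostPart `
           -RRType Ptr -ComputerName $domAServer -ErrorAction SilentlyContinue
if (-not $ptr) {
    Add-DnsServerResourceRecordPtr -ZoneName $reverseZone -Name $serverAHostPart `
        -PtrDomainName 'ServerA.DomA.com' -ComputerName $domAServer
}

# Verify from DomB's side, the PowerShell equivalent of the post's nslookup check.
Resolve-DnsName -Name '192.0.2.20' -Server $domBIp -Type PTR
```

If the last line still reports a non-existent domain, check that the secondary zone on DomB.com has actually loaded (Get-DnsServerZone on $domBServer shows IsDsIntegrated false and a current serial) before suspecting the trust.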

Idit.


Problem

I created a user with permissions to join servers to the domain (our domain is Windows 2003 based). At first it worked, but afterwards I received the following error:

Solution

In order to solve this problem, I used AdsiEdit.msc (from the domain controller). Unfortunately, I didn’t have AdsiEdit installed on my domain controller. In order to install it, go to the Windows installation media > Support > Tools > supptools.msi

Afterwards, I opened AdsiEdit.msc, selected the domain folder > Properties, and changed the attribute “ms-DS-MachineAccountQuota” from 10 (the default) to 999999.

That action had solved the problem.
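The attribute can be read and changed without AdsiEdit. The following PowerShell is an added example, not from the original post: it uses plain ADSI (no AD module needed, so it also works against a Windows 2003 domain) and assumes it runs on a domain-joined machine with rights to modify the domain object. One caveat a defender will want: ms-DS-MachineAccountQuota is the number of computer accounts any authenticated user may create, so raising it to 999999 lets every domain user add effectively unlimited machines. The hardened choice is to set it to 0 and give the dedicated join account the “Create Computer objects” permission on the target OU through the Delegation of Control wizard; the function below supports either value.

```powershell
# Added example (not from the original post). Reads and sets the
# ms-DS-MachineAccountQuota attribute on the domain naming context via ADSI.

function Get-DomainNamingContext {
    # RootDSE returns the domain's distinguished name, so nothing is hard-coded
    $rootDse = [ADSI]'LDAP://RootDSE'
    return [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
}

function Get-MachineAccountQuota {
    $domain = Get-DomainNamingContext
    return [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][ValidateRange(0, 2147483647)][int]$Quota)
    $domain = Get-DomainNamingContext
    $domain.Put('ms-DS-MachineAccountQuota', $Quota)
    $domain.SetInfo()   # commits the change on the DC the LDAP bind landed on
}

"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"   # 10 on a default domain

# The post's fix (any authenticated user may now create up to 999999 computers):
# Set-MachineAccountQuota -Quota 999999
#
# The hardened fix: no implicit quota, join rights delegated explicitly on the OU.
# Set-MachineAccountQuota -Quota 0
```

Whichever value you choose, the new quota applies domain-wide after replication; a join account that has been delegated Create Computer objects on its OU is not limited by it.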

Idit.


Problem

I tried to create a new domain controller in an existing forest but I kept receiving the following error:

Solution

Make sure that the user you are using is a member of the Enterprise Admins group. Mine wasn’t 🙂

Once I added the user I was using to the Enterprise Admins group, the problem was solved.

Idit.
