Showing posts with label Windows 2003.

Monday, August 5, 2013

Group Policy is not applying properly - event ID 1054

Description:

You have a group policy setting that you want to deploy during computer startup, but the policy does not apply properly. Running the gpresult command on the client machine shows no error. Running the gpresult wizard from GPMC against the problematic machine shows a GPO core processing error preventing some policies from applying successfully. Running gpupdate /force corrects the situation and the settings are applied successfully.
In the event viewer of the problematic computer you find event ID 1054: "Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or could not be contacted). Group Policy processing aborted."

Resolutions:

Please follow Microsoft Knowledge Base article KB840669: http://support.microsoft.com/kb/840669

As per KB 840669, create a new DWORD value in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: GpNetworkStartTimeoutPolicyValue
Value: 120

This makes Group Policy wait up to 120 seconds for the network to come up at startup instead of giving up early. Restart the client computer; the settings will then be applied successfully.

Tuesday, November 1, 2011

DNS Tombstones in Windows 2003 and 2008

When DNS records are deleted from AD-integrated zones, they are not immediately tombstoned the way normal AD object deletions are. Instead, they go through a DNS tombstone process, which sets dnsTombstoned=True on the object.
When this attribute is True, the DNS console and tools ignore the record. You will still see the objects through LDP/ADSIEDIT/LDIFDE alongside the other DNS records. Each DNS server is hard coded to perform a cleanup process every morning at 2 a.m. that deletes any dnsTombstoned=True records that are seven days old or older.
It is at this time that the objects are tombstoned like normal AD deletions (isDeleted=True) and moved to the Deleted Objects container. This is important to know when someone deletes records (for example by enabling scavenging for the first time) and wants to know why they still see the objects in Active Directory. The reason for the seven days of dnsTombstoned=True is to prevent frequent database churn, because workstation records may get de-registered or scavenged and then re-created within a short period of time.
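The following PowerShell is an added example (not part of the original post) that lists the records the DNS console hides because dnsTombstoned=TRUE and flags which ones are past the seven-day window, i.e. which ones the next 2 a.m. cleanup will remove. It assumes the ActiveDirectory RSAT module, a zone stored in the DomainDnsZones partition of the logon domain, and uses whenChanged as an approximation of when the record was tombstoned.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DnsTombstoneReport {
    param(
        # Partition that holds the zones; ForestDnsZones or the domain NC also work.
        [string]$SearchBase = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)",
        [datetime]$Now = (Get-Date)
    )
    # Only dnsNode objects carry dnsTombstoned; the DNS console filters these out.
    Get-ADObject -SearchBase $SearchBase `
                 -LDAPFilter '(&(objectClass=dnsNode)(dnsTombstoned=TRUE))' `
                 -Properties dnsTombstoned, whenChanged |
        ForEach-Object {
            # whenChanged is the last write to the object, which for a tombstoned
            # record is (approximately) the moment it was tombstoned.
            $age = $Now - $_.whenChanged
            [pscustomobject]@{
                Record        = $_.Name
                # DN looks like DC=host,DC=zone.tld,CN=MicrosoftDNS,DC=DomainDnsZones,...
                Zone          = (($_.DistinguishedName -split ',')[1]) -replace '^DC=', ''
                TombstonedOn  = $_.whenChanged
                AgeDays       = [math]::Round($age.TotalDays, 1)
                # Seven days or older: the 2 a.m. cleanup will turn it into a real
                # AD tombstone (isDeleted=TRUE) and move it to Deleted Objects.
                DueForCleanup = ($age.TotalDays -ge 7)
            }
        }
}

Get-DnsTombstoneReport | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Run it before enabling scavenging for the first time and again a day later; the difference shows what scavenging removed, and the DueForCleanup column explains why some entries still show up in ADSIEDIT for up to a week.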

Sunday, October 9, 2011

Infrastructure Master & Global Catalog placement

The Infrastructure Master (IM) is the FSMO role responsible for updating cross-domain references and phantoms from the global catalog. It compares objects of the local domain against objects in other domains of the same forest.

  • Single domain forest:

    In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

  • Multidomain forest:

    If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, the IM will never see any differences, since the global catalog holds a partial copy of every object in the forest. So there are no phantoms or work for the infrastructure master to do.

    In this case, the infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
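Here is an added PowerShell check (not part of the original post) that reports, for every domain in the forest, where the Infrastructure Master sits relative to the global catalog servers and applies the two rules above: single-domain forest and all-DCs-are-GC are both fine; the remaining case, an IM that is itself a GC while other DCs in that domain are not, is the one that leaves phantoms un-updated. It assumes the ActiveDirectory RSAT module and read access to every domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ImPlacementReport {
    $forest      = Get-ADForest
    $domainCount = @($forest.Domains).Count
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imIsGc = [bool]($im -and $im.IsGlobalCatalog)

        # Phantoms can only exist with more than one domain AND at least one
        # non-GC domain controller in this domain; only then does IM placement matter.
        $status = if ($domainCount -eq 1) {
            'OK: single-domain forest, the IM has no work to do'
        } elseif ($allGc) {
            'OK: every DC is a GC, no phantoms to update'
        } elseif ($imIsGc) {
            'WARNING: IM is a GC while other DCs are not; phantoms will not be updated'
        } else {
            'OK: IM on a non-GC DC in a mixed domain'
        }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            ImIsGlobalCatalog    = $imIsGc
            AllDcsAreGc          = $allGc
            Status               = $status
        }
    }
}

Get-ImPlacementReport | Format-Table -AutoSize
```

The WARNING row is the one to act on: either move the IM role to a non-GC domain controller or make every domain controller in that domain a global catalog, which is what the post recommends in practice.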

Wednesday, August 31, 2011

Active Directory Replication Terminology - Part I

Following is some of the day-to-day Active Directory replication terminology.

> Bridgehead servers
A bridgehead is the point at which a replication connection leaves or enters a site.

> ISTG (Intersite Topology Generator)
The single KCC in a site that manages intersite connection objects for the site.

> KCC (Knowledge Consistency Checker)
The Knowledge Consistency Checker (KCC) is the Active Directory component responsible for generating the replication topology between domain controllers.

So what is the relation between those three?

The Knowledge Consistency Checker (KCC) runs as an application on every domain controller and communicates through the distributed Active Directory database. The KCC reads configuration data and reads and writes connection objects.
One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers.

The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for those servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site.

For more information please see:
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx

Wednesday, August 17, 2011

Useful commands for managing Active Directory

Here are some of the commands commonly used in day-to-day administration and troubleshooting of Active Directory:

> To summarize the replication state and health of a forest:
Repadmin /Replsum /BySrc /ByDst

> To show the state of the last inbound replication for a specified domain controller:
Repadmin /Showreps
Repadmin /Showrepl

> To show the state of the last inbound and outbound replication (change notification) for a specified domain controller:
Repadmin /Showrepl /repsto

> To display the replication queue:
Repadmin /queue

> To display all the domain controllers in the forest:
Repadmin /Viewlist *

> To display the Intersite Topology Generator (ISTG) server for a specified site:
Repadmin /ISTG

> To display the bridgehead servers for a specified site:
Repadmin /Bridgeheads

> To synchronize a specified domain controller with all of its replication partners (all naming contexts, across sites):
Repadmin /syncall (DC_name) /A /e

> To list the names of the domain controllers in a domain:
Nltest /dclist:(domainname)

> To verify that a domain controller can be located:
Nltest /dsgetdc:(domainname)

> To display the servers that hold the FSMO roles:
Netdom query FSMO

> To check the health of the DNS settings:
DCdiag /test:DNS

> To query the tombstoneLifetime setting of a forest:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=contoso,dc=com" -scope base -attr tombstonelifetime
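For day-to-day monitoring, the replication commands above are easier to act on when their output is turned into objects. The following PowerShell is an added example (not from the original post) that parses the CSV form of repadmin /showrepl and reports only the partner/naming-context pairs with failures, marking error 8606 (insufficient attributes, the lingering-object signature that strict replication consistency surfaces). The column names are those repadmin emits with /csv; the sample rows are constructed so the function can be tried offline.

```powershell
# Added example, not from the original post. Parses 'repadmin /showrepl * /csv'.
function Get-ReplicationFailure {
    param([Parameter(ValueFromPipeline = $true)][string[]]$CsvLines)
    begin   { $all = @() }
    process { $all += $CsvLines }
    end {
        $all | ConvertFrom-Csv |
            Where-Object { [int]$_.'Number of Failures' -gt 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Destination     = $_.'Destination DSA'
                    Source          = $_.'Source DSA'
                    NamingContext   = $_.'Naming Context'
                    Failures        = [int]$_.'Number of Failures'
                    LastSuccess     = $_.'Last Success Time'
                    LastFailureCode = $_.'Last Failure Status'
                    # 8606 = "Insufficient attributes were given to create an object":
                    # the source is offering an object the destination has already
                    # deleted, i.e. a lingering object. 1722 is plain RPC unreachability.
                    LingeringObjectSuspect = ($_.'Last Failure Status' -eq '8606')
                }
            }
    }
}

# Constructed sample in the column layout repadmin uses for /csv (not real output).
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SITEA,DC01,"DC=corp,DC=com",SITEB,DC02,RPC,0,0,2011-08-17 08:00:00,0
showrepl_INFO,SITEA,DC01,"DC=corp,DC=com",SITEB,DC03,RPC,12,2011-08-17 07:55:00,2011-08-10 02:10:00,8606
showrepl_INFO,SITEB,DC02,"CN=Configuration,DC=corp,DC=com",SITEA,DC01,RPC,3,2011-08-17 07:50:00,2011-08-16 23:00:00,1722
'@ -split "`r?`n"

$sample | Get-ReplicationFailure | Format-Table -AutoSize

# Live use on a domain controller or a machine with the AD tools installed:
# repadmin /showrepl * /csv | Get-ReplicationFailure
```

A partner whose LastSuccess is older than the tombstone lifetime returned by the dsquery command above is the case the Strict Replication Consistency post on this page is about: do not simply force replication from it.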


Monday, August 8, 2011

Site Costed Referrals

Windows Server 2003 and above support finer control over how DFS referrals are returned for the SYSVOL and NETLOGON shares.

By default, in Windows Server 2003 the DFS referral list contains all domain controllers of the client's domain in the local site, randomly ordered, and then all other domain controllers in the domain, randomly ordered.
Defining the SiteCostedReferrals registry value on the domain controllers alters the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the "next best" site's domain controllers, and then all others. The "next best" logic is based on site link costs, where the lower cost is preferred.
Windows Server 2008 uses the SiteCostedReferrals behavior by default and does not require the registry value to be set. Windows 2000 Server does not support this feature.
The SiteCostedReferrals registry value should be defined on all domain controllers in a domain to ensure consistent behavior. The DFS service must be restarted or the domain controllers rebooted for the change to take effect.
This behavior is controlled via the following registry value:
HKLM\System\CurrentControlSet\Services\Dfs\Parameters
Value: SiteCostedReferrals
Type: REG_DWORD
Data:
• Windows 2003
Value not present = Disabled
0 = Disabled
1 = Enabled
• Windows 2008
Value not present = Enabled
0 = Disabled
1 = Enabled

Monday, June 8, 2009

Cannot start IPSEC service error. The system cannot find the file specified.

Description:
Suddenly you cannot log on to the domain from a server. You cannot ping it, even though the network card is connected to the network and functioning normally. You can ping the server from itself. No firewall blocks the connection. Looking through the event viewer, you notice two errors were logged: Event ID 7023 and Event ID 4292 (IPSec driver has entered Block mode). Both are related to IPSEC. You check the IPSEC service and find that you cannot start it; it fails with the error "The system cannot find the file specified".

Resolution:
The problem occurs when there is a corrupted file in the policy store. The file may become corrupted if an interruption occurs while the policy is being written to disk. To solve it, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local and delete this subkey (if it exists). After that, rebuild a new local policy store: click Start > Run and type regsvr32 polstore.dll. Try starting the IPSEC service again. Everything should work now. Note that the IPSec driver's Block mode is a fail-closed protection, which is why the server drops all traffic while the service cannot start.

Tuesday, May 12, 2009

Checklists when promoting a Windows Domain Controller

Here are some of the things that you must configure when promoting a domain controller in a forest with a multi-site, multi-domain topology.

If this is a new Domain Controller at a new site:

a. In Active Directory Sites and Services, create a new site.

b. Create a new subnet and link it to the newly created site.

c. Configure the IP site link for Active Directory replication.

· Promote the Windows Server to become a Domain Controller.

· Configure the Domain Controller as a DNS server with Active Directory-integrated zones (DomainDnsZones).

· Configure the Domain Controller to become a Global Catalog server.

· Configure DNS forwarders.

· Configure the Domain Controller as an authoritative name server for the domain.

· Enable Strict Replication Consistency. (see below)

· Disable the Windows Scalable Networking Pack components. (see below)

· Change the Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection values to 48 hours. (see below)

How to disable Windows Scalable Networking Pack Components

Description
The Scalable Networking Pack (SNP) is enabled by default as part of installing Windows Server 2003 Service Pack 2. SNP can be used, under specific circumstances, to improve network performance. Most environments, however, do not have SNP-capable network adapters and drivers. This can result in unexpected network problems, which is why it is recommended to disable SNP unless a server can benefit from it. For domain controllers, it is recommended to disable this feature.

Resolution
To disable SNP, modify the following registry values:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnableTCPChimney
Value: EnableRSS
Value: EnableTCPA
Data: 0 or 1
Each component can be individually enabled or disabled. Set the value to "0" to disable it.

Windows Time Service time correction setting

Description
By default, the Windows Time service in Windows 2000 and 2003 allows a positive or negative time correction of any amount on domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even happen when synchronizing with other authoritative sources, since hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can result from a dramatic time change are: Windows Server 2003 based domain controllers may be quarantined, deleted objects may be purged before the deletion has fully replicated end to end (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords may become out of sync.

Resolution
Modify the default value of the following registry values.
The registry keys differ depending on the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value that controls positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value that controls both positive and negative time changes.)
Change them to a positive/negative limit of 48 hours (0x2A300 or 172,800 seconds).

Monday, May 4, 2009

Could not start DHCP Client Service

Description:
One day you discover that the DHCP Client service on some of your servers cannot be started. It fails with an "access is denied" error message. The DHCP Client service already logs on with the Network Service account. You suspect that a recent Windows patch is causing the issue.

Resolution:
The Network Service account requires permission to open the 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters' registry key for the DHCP Client service to start. Some updates can remove the Network Service permissions on this registry key. Please check and re-add them if necessary.

1) Open Regedit.
2) Navigate to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp' and click on Parameters.
3) Click on the Edit menu, then go to Permissions.
4) In the 'Permissions for Parameters' window, click on Add.
5) In the 'Select Users, Computers and Groups' window, type in "Network Service" (without the quotes) and click 'Check Names'. You may need to change the Location to "System".
6) Click OK.
7) In the 'Permissions for Parameters' window, highlight the Network Service group and give it Full Control and Read permission by selecting the check boxes.
8) Click OK.
Try starting the DHCP Client service again.
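The same check and repair, done from an elevated PowerShell prompt instead of Regedit, as an added example that is not part of the original post. It inspects the key's ACL for an Allow ACE granting NT AUTHORITY\NETWORK SERVICE Full Control and adds one only if it is missing, then starts the service (service name Dhcp); this is useful for checking a batch of servers after a patch cycle.

```powershell
# Added example, not from the original post. Run elevated.
$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters'
$identity = 'NT AUTHORITY\NETWORK SERVICE'

function Test-NetworkServiceAccess {
    param([string]$Path = $keyPath)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl  = Get-Acl -Path $Path
    # True only if an Allow ACE for NETWORK SERVICE covers every FullControl bit.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    [bool]$ace
}

function Restore-NetworkServiceAccess {
    param([string]$Path = $keyPath)
    if (Test-NetworkServiceAccess -Path $Path) {
        Write-Host "$identity already has Full Control on $Path"
        return
    }
    # Full Control, inherited by subkeys, matching what the Regedit steps grant.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Added Full Control for $identity on $Path"
}

Restore-NetworkServiceAccess
Start-Service -Name Dhcp        # DHCP Client service
Get-Service -Name Dhcp | Select-Object Name, Status
```

Test-NetworkServiceAccess on its own is a harmless read-only check you can run across servers before deciding which ones need the repair.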

Cannot Upgrade from Windows 2003 Service Pack 1 to Windows 2003 Service Pack 2

Description:
You are having an issue when trying to upgrade your Windows 2003 Service Pack 1 server to Windows 2003 Service Pack 2. The upgrade process runs for a while and then stops in the middle because of a WMI error. You cannot do the upgrade from Add/Remove Programs either.

Resolution:
The issue is caused by corrupt files inside %windir%\system32\wbem\repository. The files in this folder are the WMI database; if they are corrupt, the WMI service will not work correctly. Move the files in %windir%\system32\wbem\repository aside. After the WMI service is restarted, the files in this folder are rebuilt.
Below is a script to do it automatically. Save it as a .cmd file and run it from an elevated prompt (the %%s form is for batch files; use %s if you type the lines interactively):
################
rem Rebuild the WMI repository: stop WMI, move the repository aside,
rem re-register the providers, then recompile the MOF/MFL files.
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
if exist repository.old rmdir /s /q repository.old
rename repository repository.old
rem "delims=" keeps paths that contain spaces intact
for /f "delims=" %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s "%%s"
regsvr32 /s %windir%\system32\tscfgwmi.dll
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f "delims=" %%s in ('dir /b *.mof') do mofcomp "%%s"
for /f "delims=" %%s in ('dir /b *.mfl') do mofcomp "%%s"
################
The old repository is kept as repository.old so it can be restored if the rebuild fails.

Invalid FSMO Role Owner for Application Partition

Description:
When running the ADRAP program you find the following warning/error:
The following application partition contains an invalid FSMO role owner:
Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com
The \0ADEL: markers in the owner's DN show that it points to the NTDS Settings object of a domain controller that has since been deleted.

Resolution:
Use adsiedit.msc to reset the fSMORoleOwner attribute on the infrastructure master of your root domain, using the Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account that has Enterprise Admin permissions.

Monday, April 27, 2009

Group Policy for safe sender lists in Outlook 2007 does not work

Description:
You have set the Outlook 2007 safe sender list through a GPO; however, it is not applied to users. You have checked that the GPO was applied successfully.

Resolution:
Change the safe sender list path to
\\servername\sharefolder\filename. It cannot use the %logonserver%\sharefolder syntax.

Proxy Exception at Internet Explorer does not work

Description:
You have set a proxy exception for IE through Group Policy (GPO). For some reason the setting will not apply to the user's computer. You verified that the GPO has the right setting and has no conflict with other GPOs. You also confirmed that the GPO was applied to the user's computer, but the computer's registry contains different data.

Resolution:
Please check the content of the exception list. Make sure there is no invalid character or value. If an http address in the Proxy Exception list contains more than two "/" characters, the IE Branding extension will not accept the setting. Remove the extra "/" characters from the http address in the proxy exception list.

Wednesday, March 18, 2009

Enable Strict Replication Consistency

Description
Suppose a domain controller is disconnected from the replication topology for an extended period and is later reconnected. You need to make sure that no outdated Active Directory objects can be replicated within the forest.

Resolution
Use regedit and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Create a value named Strict Replication Consistency with the REG_DWORD data type and set it to 1.

This setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS): a destination domain controller refuses to replicate in an object its partner offers that it has already deleted and purged, and logs the failure instead of accepting it.
You need to set it on every Domain Controller within the forest.
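Several posts on this page come down to setting one REG_DWORD: GpNetworkStartTimeoutPolicyValue (KB840669), SiteCostedReferrals, the three SNP switches, the W32Time phase-correction limits, and Strict Replication Consistency here. The following PowerShell is an added example (not from any of the original posts) that audits all of them on the local machine and, only when run with -Apply, writes the values listed on this page. It assumes an elevated prompt and uses New-ItemProperty, the PowerShell equivalent of the REG ADD /t REG_DWORD form shown elsewhere on this page.

```powershell
# Added example, not from the original posts. Run elevated; writes only with -Apply.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'GpNetworkStartTimeoutPolicyValue'; Data = 120 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters';      Name = 'SiteCostedReferrals';            Data = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'EnableTCPChimney';               Data = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'EnableRSS';                      Data = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'EnableTCPA';                     Data = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';      Name = 'MaxNegPhaseCorrection';          Data = 172800 }  # 48 h
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';      Name = 'MaxPosPhaseCorrection';          Data = 172800 }  # 48 h
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Strict Replication Consistency'; Data = 1 }
)

function Test-DcRegistryBaseline {
    param([switch]$Apply)
    foreach ($item in $Baseline) {
        $current = $null
        if (Test-Path -Path $item.Path) {
            $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        # Compare as int64: the W32Time default 0xFFFFFFFF reads back as -1 in a DWORD.
        $compliant = ($null -ne $current) -and ([int64]$current -eq [int64]$item.Data)

        if ($Apply -and -not $compliant) {
            if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            # REG_DWORD, same as: reg add <key> /v <name> /t REG_DWORD /d <data> /f
            New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord -Value $item.Data -Force | Out-Null
            $current   = $item.Data
            $compliant = $true
        }

        $shown = if ($null -eq $current) { '<missing>' } else { $current }
        [pscustomobject]@{
            Key       = $item.Path
            Value     = $item.Name
            Expected  = $item.Data
            Current   = $shown
            Compliant = $compliant
        }
    }
}

Test-DcRegistryBaseline | Format-Table -AutoSize
# To enforce:  Test-DcRegistryBaseline -Apply
# Then restart the services that read these values (or reboot for the SNP switches):
# Restart-Service -Name W32Time; Restart-Service -Name Dfs
```

Running the audit without -Apply is safe to schedule across all domain controllers; a Compliant=False row for Strict Replication Consistency or the phase-correction limits is worth treating as a finding, since both guard against lingering objects.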

Friday, November 7, 2008

Script to Add Windows Registry Keys

You can add or create Windows registry keys and values from the command line using the REG.exe tool.

Example:

Reg Add HKLM\Software\Classes\Excel.Sheet.8\ /v Browserflags /t REG_DWORD /d "8" /f

/v name of the value to add under the selected key
/t registry data type:
[ REG_SZ, REG_MULTI_SZ, REG_DWORD_BIG_ENDIAN, REG_DWORD, REG_BINARY, REG_DWORD_LITTLE_ENDIAN, REG_NONE, REG_EXPAND_SZ ]. If omitted, REG_SZ is assumed.
/d data to assign to the registry value being added
/f force overwriting of an existing registry entry without prompting

Sunday, August 3, 2008

How to Uninstall Microsoft Operations Manager 2005 from Your Domain

Uninstall the MOM 2005 components in the following order:
1. Active Directory Helper Object - from Add/Remove Programs on each client
2. Agents - from the MOM 2005 Console
3. Reporting Server
4. Web Console
5. Management Server(s)
6. Operator Console, Administrator Console
7. Operational Database
8. Data Warehouse
Note:
In a tiered environment, uninstall the child Management Groups first and then the parent Management Group.

Limitation on Proxy Exceptions in Windows 2003 Group Policy Object Editor

From Microsoft KB302224

Description
When you use the Group Policy Object Editor and configure the proxy settings, the text box that contains the proxy exception list may be truncated if more than 255 characters are used. Also, if you previously selected the "Do not use proxy server for local" check box, the check box may be cleared. Because of a limitation in the way INS files are read, the proxy exception list is limited to 255 characters. The "Do not use proxy server for local" check box appends the text ";<local>" to the end of the list. This text is eight characters long, and the 255-character limit must include these characters. Therefore, when you select the "Do not use proxy server for local" check box, the usable length of the exception list is actually 247 characters.

Resolution
Apply Windows Server 2003 Service Pack 2. After you install it, the proxy exception list is limited to 1024 characters.

Missing Files in Certain Folders on Windows Server

Description
On your Windows 2003 server some files in certain folders are missing. However, when you rename the folder, the missing files suddenly appear. If you rename the folder back to its original name, the files are missing again. You have already checked the security permissions and scanned for viruses and malware, but everything seems normal.

Resolution
Check whether you have programs that hide, lock or protect those files from appearing. One example is a program called Lock Folder XP. These programs run in kernel mode and cannot be seen by user-mode process monitoring. You can use RootkitRevealer and Process Explorer from Microsoft Sysinternals to try to find the process.
After you have found the program that causes the issue, you can try to uninstall it.
You may need to supply the correct password to uninstall or modify the program.
