Point Client Machine or Member Server to a Specific Domain Controller

There maybe times when you want to restrict client machine or member server authentication to a specific Domain Controller only. One possible reasons is that you're doing security hardening to Domain Controller or Active Directory and want to test the impact to a limited production system before going company wide.

To restrict the client or member server authentication to specific DC only, please do the following:

1. Open Active Directory Sites and Services Console.

• Create a new Site.
• Assign a proper subnet to that site.
• Move the Specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

• In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
• Add the following multistring value (REG_MULTI_SZ) Value Name: SiteName
• For Value Data: TheNewSitename

3. Restart the client or member server to get the new setting. If you cannot restart the machine, you can run the following command:

nltest /dsgetdc:domainname /force 

Blue Screen after modifying Windows registry - Recovery

Description
You changed certain value on your Windows machine's registry (HKLM). After a restart, the machine cannot start properly again. Windows never reached the normal logon page.
You want to revert the changes back to previous condition.


Resolution
Use a CD/DVD/ISO to boot to the Recovery Environment. Follow the wizard until you can open the command prompt. At the command prompt, type regedit.
In the registry editor, highlight HKEY_LOCAL_MACHINE, and then go to File and select Load Hive. Select the file from other drives. It could be in E:\(or F:\)Windows\System32\Config, and will be called just SOFTWARE or SYSTEM. Type any name when the wizard prompt for the hive name.
Go to the registry location where you performed the last changes. Revert the value back to previous working condition.
To unload  the Hive, Highlight that hive name under HKEY_LOCAL_MACHINE, and go to File and select Unload Hive.
Restart the machine normally.




 

Group Policy are not applying properly - event id 1054

Description:

You have a group policy setting that you want to deploy during computer startup. However it seems that the policy is not applying properly. Running gpresult command from the client machine shows no error. Running gpresult wizard from GPMC for the problematic machine shows GPO Core processing error preventing some policies from applying successfully. Running gpupdate /force will correct the situation and the settings will be applied successfully. 
At event viewer of the problematic computer, you found event id 1054, “Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or exist or could not be contacted). Group Policy processing aborted.”

Resolutions:

Please follow Microsoft's Knowledge Base Article KB840669 http://support.microsoft.com/kb/840669

As Per KB 840669, create a new DWord value on registry on:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: GpNetworkStartTimeoutPolicyValue
Value: 120

Restart the client computer. Settings can be applied successfully.

Red X or Cross on Network Connection Icon - Windows 2008 R2

Description:

You found there's a Red X or Cross on Network Connection Icon.
Found some services stopped and cannot be started with access denied error.

Resolutions:

Ø  Check and add the registry permissions on the following key: 

•Regarding the BFE service, we have given “NT Service\BFE” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control 

•Regarding the NLA service, we have given “NT Service\NLASvc” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NLASvc:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

•Regarding the DPS service, we have given “NT Service\DPS” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to give the same permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config

• Regarding the Windows Firewall service, we have given “NT Service\mpssvc” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to give the same permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess

•Regarding the DHCP Client service, we have given Local Service account full control permissions on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP

•Regarding the Distributed Transaction Coordinator, we have given “NT Service\MSDTC” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to add Network Service account with “read, write, read & execute”  permissions to the file C:\WINDOWS\system32\MSDtc\MSDTC.LOG

> All of the services can be started after adding the security permission. Restart the computer to make sure.

Note:
If the issue happens again ,you may want to check for the group policy, or local policy, or application that modified the security permission on those above registry.