Showing posts with label Windows 2008. Show all posts

Monday, August 5, 2013

Group Policy is not applying properly - Event ID 1054

Description:

You have a group policy setting that you want to deploy during computer startup, but the policy does not seem to apply. Running the gpresult command on the client machine shows no error. Running the Group Policy Results wizard from GPMC for the problematic machine reports a GPO core processing error that prevents some policies from applying successfully. Running gpupdate /force corrects the situation and the settings are applied successfully.
In the event viewer of the problematic computer you find Event ID 1054: “Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or could not be contacted.) Group Policy processing aborted.”

Resolutions:

Follow Microsoft Knowledge Base article KB840669: http://support.microsoft.com/kb/840669

As per KB 840669, create a new DWORD value in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: GpNetworkStartTimeoutPolicyValue
Value: 120

Restart the client computer. The settings are then applied successfully.
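As an added example (not part of the original post), the following PowerShell confirms that Event ID 1054 is actually being logged on the client before applying the KB 840669 value, and only writes the DWORD when it differs from the desired value. It assumes an elevated prompt on a client that has Get-WinEvent (Vista/2008 or later); the 7-day lookback is an arbitrary choice.

```powershell
# Added example, not part of the original post: confirm Event ID 1054 is
# being logged on this client, then apply the KB 840669 registry value.
# Run in an elevated PowerShell prompt on the affected client.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'GpNetworkStartTimeoutPolicyValue'
$Timeout   = 120   # value used in the post

# 1. Count recent 1054 events. The provider name differs between OS versions
#    (Microsoft-Windows-GroupPolicy on Vista/2008+, Userenv on XP/2003), so
#    filter on the Id only and show the provider in the output.
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1054; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
'{0} Event ID 1054 entries in the System log since {1:yyyy-MM-dd}' -f $events.Count, $since
$events | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize

# 2. Show whether the value already exists (absent means the built-in default applies).
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { "$ValueName is not set; the built-in default applies" }
else                    { "$ValueName is currently $current" }

# 3. Create or overwrite the DWORD only when it differs from the desired value.
if ($current -ne $Timeout) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Timeout -Force | Out-Null
    "Set $ValueName to $Timeout. Restart the client so startup policy processing picks it up."
}
```

Keep the event count from step 1: if 1054 stops appearing after the reboot, the timeout was the cause; if it keeps appearing, the client is still failing to reach a DC at startup and the problem is in DNS or the network path rather than the timeout.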

Tuesday, November 1, 2011

DNS Tombstones in Windows 2003 and 2008

When DNS records are deleted from AD-integrated zones, they are not immediately tombstoned the way normal AD object deletions are. Instead, they go through a DNS tombstone process, which includes setting dnsTombstoned=True on the object.
When set to True, the DNS console and tools ignore the record. You will still see the objects through LDP, ADSIEDIT or LDIFDE alongside the other DNS records. Each DNS server is hard-coded to run a cleanup process every morning at 2 a.m. that deletes any dnsTombstoned=True records that are seven days old or older.
It is at this time that the objects are tombstoned like normal AD deletions (isDeleted=True) and moved to the Deleted Objects container. This is important to know when someone deletes records, for example by enabling scavenging for the first time, and wants to know why they still see the objects in Active Directory. The seven days of dnsTombstoned=True exist to prevent frequent database churn, because workstation records may be de-registered or scavenged and then re-created within a short period of time.
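As an added example (not from the original post), this PowerShell lists the dnsNode objects that DNS has flagged dNSTombstoned=TRUE but that the nightly cleanup has not yet turned into ordinary AD deletions, and marks which ones have passed the seven-day retention described above. It assumes the ActiveDirectory module (RSAT) and read access to the DNS partitions; whenChanged is used as an approximation of the tombstone time.

```powershell
# Added example, not part of the original post: show DNS records that are
# dNSTombstoned=TRUE but not yet deleted as AD objects.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# AD-integrated zones can be stored in any of these three locations.
$searchBases = @(
    "DC=DomainDnsZones,$domainDN",
    "DC=ForestDnsZones,$forestDN",
    "CN=MicrosoftDNS,CN=System,$domainDN"   # Windows 2000-style storage in the domain partition
)

$cutoff  = (Get-Date).AddDays(-7)          # the seven-day retention from the post
$records = foreach ($base in $searchBases) {
    try {
        Get-ADObject -SearchBase $base -SearchScope Subtree `
                     -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
                     -Properties dNSTombstoned, whenChanged |
            ForEach-Object {
                [pscustomobject]@{
                    Record       = $_.Name
                    # Zone name is the second RDN of a dnsNode DN (DC=<host>,DC=<zone>,...).
                    Zone         = ($_.DistinguishedName -split ',', 2)[1] -replace '^DC=' -replace ',.*$'
                    # whenChanged = last write to the object, i.e. roughly when DNS
                    # flagged it; an approximation, not the exact tombstone time.
                    TombstonedOn = $_.whenChanged
                    PurgeDue     = $_.whenChanged -lt $cutoff
                    Partition    = $base
                }
            }
    } catch {
        Write-Warning "Skipping $base : $_"   # partition not present in this forest
    }
}

$records | Sort-Object Partition, Zone, Record | Format-Table -AutoSize
'{0} tombstoned DNS records, {1} older than 7 days' -f @($records).Count,
                                                        @($records | Where-Object PurgeDue).Count
```

Run it after enabling scavenging for the first time: the records the DNS console no longer shows will appear here for up to seven days, which is the expected state rather than a replication problem.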

Sunday, October 9, 2011

Infrastructure Master & Global Catalog placement

The Infrastructure Master (IM) is the FSMO role responsible for updating cross-domain references and phantoms from the global catalog. It compares objects of the local domain against objects in other domains of the same forest.

  • Single-domain forest:

    In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

  • Multi-domain forest:

    If every domain controller in a domain that is part of a multi-domain forest also hosts the global catalog, the IM never sees any differences, since the global catalog holds a partial copy of every object in the forest. So there are no phantoms and no work for the infrastructure master to do.

    In this case, the infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
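As an added example (not from the original post), this PowerShell applies the placement rules above to every domain in the forest: it reads the Infrastructure Master holder, checks whether it is a global catalog, and checks whether every DC in the domain is a GC. It assumes the ActiveDirectory module and read access to each domain. The "WARNING" case it reports is the one the text does not spell out: an IM on a GC in a domain where other DCs are not GCs, which is the configuration in which phantoms stop being updated.

```powershell
# Added example, not part of the original post: check Infrastructure Master
# placement against global catalog placement in every domain of the forest.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$domainCount = @($forest.Domains).Count

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $im     = $domain.InfrastructureMaster
    $nonGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGC = [bool]($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allGC  = ($nonGC.Count -eq 0)

    # Rules from the post: phantoms only exist in a multi-domain forest and
    # only matter when some DCs in the domain are not global catalogs.
    $assessment = if ($domainCount -eq 1) { 'OK: single-domain forest, no phantoms to update' }
                  elseif ($allGC)         { 'OK: every DC is a GC, so no phantoms exist' }
                  elseif (-not $imIsGC)   { 'OK: IM is on a non-GC DC' }
                  else { 'WARNING: IM is a GC while other DCs are not; phantoms will not be updated' }

    [pscustomobject]@{
        Domain               = $domainName
        InfrastructureMaster = $im
        IMIsGlobalCatalog    = $imIsGC
        AllDCsAreGC          = $allGC
        DCsNotGC             = ($nonGC.HostName -join ', ')
        Assessment           = $assessment
    }
}

$report | Format-Table -AutoSize -Wrap
```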

Wednesday, August 31, 2011

Active Directory Replication Terminology - Part I

Following is some of the day-to-day Active Directory terminology.

> Bridgehead Servers
A bridgehead is a point at which a connection leaves or enters a site.

> ISTG (Intersite Topology Generator)
The single KCC in a site that manages intersite connection objects for the site.

> KCC (Knowledge Consistency Checker)
The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for generating the replication topology between domain controllers.

So what is the relation between those three?

The Knowledge Consistency Checker (KCC) runs as an application on every domain controller and communicates through the distributed Active Directory database. The KCC reads configuration data and reads and writes connection objects.
One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers.

The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for those servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site.

For more information please see:
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx
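As an added example (not from the original post), this PowerShell reads the three objects just described straight out of the Configuration partition: the ISTG of each site (the interSiteTopologyGenerator attribute on the site's NTDS Site Settings object) and the connection objects whose source server sits in another site, whose two endpoints are the bridgeheads. It assumes the ActiveDirectory module, and the helper that picks RDNs out of a DN assumes site and server names contain no escaped commas.

```powershell
# Added example, not part of the original post: list the ISTG per site and the
# inter-site connection objects (bridgeheads) from the Configuration partition.
Import-Module ActiveDirectory

$sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Helper: the N-th RDN value of a DN (assumes no escaped commas in the RDNs).
function Get-Rdn([string]$dn, [int]$index) { ($dn -split ',')[$index] -replace '^CN=' }

# 1. ISTG per site. interSiteTopologyGenerator holds the DN of the ISTG's
#    NTDS Settings object: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
Get-ADObject -SearchBase $sitesDN -SearchScope OneLevel -LDAPFilter '(objectClass=site)' |
    ForEach-Object {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                                 -Properties interSiteTopologyGenerator
        $istg = if ($settings.interSiteTopologyGenerator) { Get-Rdn $settings.interSiteTopologyGenerator 1 }
                else { '(none)' }
        [pscustomobject]@{ Site = $_.Name; ISTG = $istg }
    } | Format-Table -AutoSize

# 2. Connection objects live under each server's NTDS Settings object and name
#    their source in fromServer. When the source is in a different site the
#    connection is inter-site and both ends are bridgeheads. DN layouts:
#    connection: CN=<name>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
#    fromServer: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
Get-ADObject -SearchBase $sitesDN -SearchScope Subtree -LDAPFilter '(objectClass=nTDSConnection)' `
             -Properties fromServer |
    ForEach-Object {
        $toSite   = Get-Rdn $_.DistinguishedName 4
        $fromSite = Get-Rdn $_.fromServer 3
        if ($toSite -ne $fromSite) {
            [pscustomobject]@{
                DestinationSite       = $toSite
                DestinationBridgehead = Get-Rdn $_.DistinguishedName 2
                SourceSite            = $fromSite
                SourceBridgehead      = Get-Rdn $_.fromServer 1
                Connection            = $_.Name
            }
        }
    } | Sort-Object DestinationSite, SourceSite | Format-Table -AutoSize
```

A site with ISTG "(none)" or with no inter-site connections listed is the first thing to look at when replication into that site has stalled.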

Wednesday, August 17, 2011

Useful commands in managing Active Directory

Here is a list of the commands commonly used in day-to-day administration and troubleshooting of Active Directory:

> To summarize the replication state and health of a forest:
Repadmin /Replsum /BySrc /ByDst

> To show the state of the last inbound replication for a specified domain controller:
Repadmin /Showreps
Repadmin /Showrepl

> To show the state of the last inbound and outbound replication (change notification) for a specified domain controller:
Repadmin /Showrepl /repsto

> To display the replication queue:
Repadmin /queue

> To display all the domain controllers in the forest:
Repadmin /Viewlist *

> To display the Intersite Topology Generator (ISTG) server for a specified site:
Repadmin /ISTG

> To display the bridgehead servers for a specified site:
Repadmin /Bridgeheads

> To synchronize a specified domain controller with all of its replication partners:
Repadmin /syncall (DC_name) /A /e

> To list the names of the domain controllers in a domain:
Nltest /dclist:(domainname)

> To verify that a domain controller can be located:
Nltest /dsgetdc:(domainname)

> To display the servers that hold the FSMO roles:
Netdom query FSMO

> To check the health of DNS settings:
DCdiag /test:DNS

> To query the tombstoneLifetime setting in a forest:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=contoso,dc=com" -scope base -attr tombstonelifetime
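As an added example (not from the original post), the following PowerShell builds on the Repadmin commands above: it runs repadmin /showrepl against every DC with the /csv switch, turns the output into objects, and reports only the inbound links that have failures or no successful replication in the last 24 hours. The column names are the ones repadmin emits in CSV mode; the 24-hour threshold is an assumption.

```powershell
# Added example, not part of the original post: find failing or stale inbound
# replication links from "repadmin /showrepl * /csv".
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Rows marked showrepl_INFO describe links; anything else is diagnostic output
# (for example a DC that could not be contacted) and is listed separately.
$links = $rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' }
$other = $rows | Where-Object { $_.showrepl_COLUMNS -ne 'showrepl_INFO' }

$staleAfter = (Get-Date).AddHours(-24)
$problems = foreach ($l in $links) {
    $failures = [int]$l.'Number of Failures'
    $lastOk   = $null
    # "Last Success Time" is a text timestamp; leave it $null if it does not parse.
    try { $lastOk = [datetime]$l.'Last Success Time' } catch { }
    if ($failures -gt 0 -or ($lastOk -and $lastOk -lt $staleAfter)) {
        [pscustomobject]@{
            Destination   = "$($l.'Destination DSA Site')\$($l.'Destination DSA')"
            Source        = "$($l.'Source DSA Site')\$($l.'Source DSA')"
            NamingContext = $l.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastOk
            LastStatus    = $l.'Last Failure Status'
        }
    }
}

'{0} inbound links checked, {1} with failures or no success in 24h, {2} other rows' -f `
    @($links).Count, @($problems).Count, @($other).Count
$problems | Sort-Object Failures -Descending | Format-Table -AutoSize
$other    | Format-Table -AutoSize
```

The "Last Failure Status" column carries the Win32 error code (for example 8453 or 1722), which is the value to look up before running Repadmin /syncall against the affected partner.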


Monday, August 8, 2011

Site Costed Referrals

Windows Server 2003 and above support finer control over how DFS referrals are returned for the SYSVOL and NETLOGON shares.

By default, in Windows Server 2003 the DFS referral list contains all domain controllers of the client’s domain in the local site, randomly ordered, and then all other domain controllers in the domain, randomly ordered.
Defining the SiteCostedReferrals registry value on the domain controllers alters the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the “next best” site’s domain controllers, and then all others. The “next best” logic is based on site link costs, where the lower cost is preferred.
Windows Server 2008 uses the SiteCostedReferrals behavior by default and does not require the registry value to be set. Windows 2000 Server does not support this feature.
The SiteCostedReferrals registry value should be defined on all domain controllers in a domain to ensure consistent behavior. The DFS service must be restarted or the domain controllers rebooted for the change to take effect.
This behavior is controlled via the following registry value:
HKLM\System\CurrentControlSet\Services\Dfs\Parameters
Value: SiteCostedReferrals
Type: REG_DWORD
Data:
• Windows 2003: default (value not set) = Disabled; 0 = Disabled; 1 = Enabled
• Windows 2008: default (value not set) = Enabled; 0 = Disabled; 1 = Enabled

Tuesday, May 12, 2009

Checklist when promoting a Windows Domain Controller

Here are some of the things that you must configure when promoting a domain controller in a forest with a multi-site and multi-domain topology.

If this is a new domain controller at a new site:

a. In Active Directory Sites and Services, create a new site.
b. Create a new subnet and link it to the newly created site.
c. Configure the IP site link for Active Directory replication.

• Promote the Windows Server to become a domain controller.
• Configure the domain controller to become a DNS server, Active Directory integrated (DomainDnsZones).
• Configure the domain controller to become a global catalog server.
• Configure DNS forwarders.
• Configure the domain controller to be an authoritative name server for the domain.
• Enable Strict Replication Consistency. (more)
• Disable Windows Scalable Networking Pack components. (more)
• Change the Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection values to 48 hours. (more)
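As an added example (not from the original post), here is the site, subnet, site link, promotion, GC, DNS and forwarder part of the checklist as PowerShell. The ActiveDirectory, ADDSDeployment and DnsServer cmdlets it uses ship with Windows Server 2012 and later, so they postdate the post; the site name, subnet, domain and forwarder addresses are placeholders. The authoritative name server (NS record) step and the three registry items at the end of the list are not covered here.

```powershell
# Added example, not part of the original post: checklist steps as PowerShell.
# Placeholders: Branch01, 10.20.0.0/16, contoso.com and the forwarder addresses.
$SiteName   = 'Branch01'
$Subnet     = '10.20.0.0/16'
$HubSite    = 'Default-First-Site-Name'
$SiteLink   = "$HubSite-$SiteName"
$DomainName = 'contoso.com'
$Forwarders = '203.0.113.53', '203.0.113.54'   # placeholder upstream resolvers

# a/b/c. Site, subnet and IP site link. Run from an existing DC or an RSAT host.
Import-Module ActiveDirectory
New-ADReplicationSite     -Name $SiteName
New-ADReplicationSubnet   -Name $Subnet -Site $SiteName
New-ADReplicationSiteLink -Name $SiteLink -SitesIncluded $HubSite, $SiteName `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Promotion. Run on the new server itself. Install-ADDSDomainController installs
# DNS when -InstallDns is given and makes the DC a global catalog unless
# -NoGlobalCatalog is specified, which covers the DNS server and GC items.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName -InstallDns `
    -Credential (Get-Credential "$DomainName\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
# The server reboots at this point; run the rest after it is back.

# DNS forwarders on the new DNS server.
Set-DnsServerForwarder -IPAddress $Forwarders

# Verify: the DC is in the right site, is a GC, and passes the DNS and
# advertising tests the post's later command list relies on.
Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Site, IsGlobalCatalog
dcdiag /test:DNS /test:Advertising
```

Creating the site and subnet before promotion matters: a DC promoted before its subnet exists lands in the site of whatever DC handled the promotion, and the KCC builds its connection objects accordingly.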

Windows Time Service time correction setting

Description
By default, the Windows Time service in Windows 2000 and 2003 allows a positive or negative time correction of any amount on domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. It can happen even when synchronizing with an otherwise authoritative source, because hardware problems, software problems or human error can cause that source to provide the wrong time. Problems that can follow a dramatic time change include: Windows Server 2003 based domain controllers may be quarantined; deleted objects may be purged prematurely, before the deletion has replicated end to end (causing lingering objects); user and computer passwords may expire unexpectedly; and trust passwords may fall out of sync.

Resolution
Modify the default value in the following registry locations.
The registry keys differ depending on the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value that controls positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value that controls both positive and negative time changes.)
Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).

Wednesday, March 18, 2009

Enable Strict Replication Consistency

Description
Suppose a domain controller is disconnected from the replication topology for an extended period and is later reconnected. You need to make sure that no outdated Active Directory objects can be replicated within the forest.

Resolution
Using regedit, go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Create a value named Strict Replication Consistency with the REG_DWORD data type and set it to 1.

This setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS).
You need to set it on all of the domain controllers within the forest.
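The Site Costed Referrals, Windows Time Service and Strict Replication Consistency posts above all come down to the same operational requirement: a REG_DWORD that has to be identical on every domain controller. As an added example (not from any of the posts), this PowerShell audits all four values across every DC in the domain via remoting and, with -Fix, sets the ones that differ and restarts the DFS or W32Time service where the post says a restart is needed. It assumes the ActiveDirectory module, WinRM access to the DCs and Windows Server 2003/2008 registry paths; it uses the 2003/2008 W32Time path, not the Windows 2000 one.

```powershell
# Added example, not part of the original posts: audit (and optionally fix)
# the DC-wide registry values from the three posts. Run as a script:
#   .\Audit-DcRegistry.ps1          (report only)
#   .\Audit-DcRegistry.ps1 -Fix     (set non-compliant values)
param([switch]$Fix)
Import-Module ActiveDirectory

# 172800 seconds = 0x2A300 = 48 hours, as in the W32Time post.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters';  Name = 'SiteCostedReferrals';            Expected = 1;      Service = 'Dfs' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';  Name = 'MaxPosPhaseCorrection';          Expected = 172800; Service = 'W32Time' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';  Name = 'MaxNegPhaseCorrection';          Expected = 172800; Service = 'W32Time' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'Strict Replication Consistency'; Expected = 1;      Service = $null }
)

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $checks, $Fix.IsPresent -ScriptBlock {
    param($checks, $fix)
    foreach ($c in $checks) {
        # Note: a DWORD of 0xFFFFFFFF (the W32Time default) reads back as -1 here.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($actual -eq $c.Expected)
        if (-not $ok -and $fix) {
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Expected -Force | Out-Null
            if ($c.Service) { Restart-Service -Name $c.Service }   # DFS / W32Time re-read config on restart
            $actual = $c.Expected; $ok = $true
        }
        [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $actual; Compliant = $ok }
    }
}

$results | Select-Object PSComputerName, Setting, Expected, Actual, Compliant |
    Sort-Object Setting, PSComputerName | Format-Table -AutoSize
```

Run the report-only form first from a management host and keep the output: a DC that later shows "Actual" drifting away from "Expected" is a sign that someone or something is editing service parameters on that DC outside the normal build process.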

Sunday, June 8, 2008

Supported Guest OS on Windows Server 2008 Hyper-V

Supported Guest OS

The following is the list of guest operating systems that will be supported on Hyper-V.

Windows Server 2008 x64 (VM configured as 1-, 2-, or 4-way SMP)

• Windows Server 2008 Standard x64
• Windows Server 2008 Enterprise x64
• Windows Server 2008 Datacenter x64
• Windows Web Server 2008 x64

Windows Server 2008 x86 (VM configured as 1-, 2-, or 4-way SMP)

• Windows Server 2008 Standard x86
• Windows Server 2008 Enterprise x86
• Windows Server 2008 Datacenter x86
• Windows Web Server 2008 x86

Windows Server 2003 x86 (VMs configured as 1- or 2-way SMP only)

• Windows Server 2003 Standard x86 Edition with Service Pack 2
• Windows Server 2003 Enterprise x86 Edition with Service Pack 2
• Windows Server 2003 Datacenter x86 Edition with Service Pack 2

Windows Server 2003 x64 (VMs configured as 1-way only)

• Windows Server 2003 Standard x64 Edition with Service Pack 2
• Windows Server 2003 Enterprise x64 Edition with Service Pack 2
• Windows Server 2003 Datacenter x64 Edition with Service Pack 2

Linux Distributions (VMs configured as 1-way only)

• SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition
• SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition

Supported Client Operating Systems

• Windows Vista Business x86 with Service Pack 1 (VMs configured as 1-way only)
• Windows Vista Enterprise x86 with Service Pack 1 (VMs configured as 1-way only)
• Windows Vista Ultimate x86 with Service Pack 1 (VMs configured as 1-way only)
• Windows XP Professional x86 with Service Pack 3 (VMs configured as 1-way only)

Sunday, February 17, 2008

Networking Infrastructure in Windows 2008 – What’s new?

> Installation
Simplified Windows configuration.
All editions are available on a single DVD; choose the edition during installation.
After installation the server is configured through the Initial Configuration Tasks overview (set up the administrator username and password, IP, domain/workgroup, Windows Update, Windows Firewall, etc.).
Configurable Server Roles and Features.
All configuration is done through the Server Manager console.
Examples of Server Roles: AD Domain Services, DNS, DHCP, File Server, etc.
Examples of Features: Failover Clustering, Storage Manager for SANs, etc.

> Networking
True IPv6 (128-bit) support.
Network Access Protection is available.
Non-compliant computers can be directed to an isolated segment or denied access.

> Server Core Installation
No GUI.
For installing role functionality in Windows 2008.
Other applications cannot be installed here.
For better performance and security.

> Windows Backup
VSS enabled on the drive directly.
Backup to bootable CD/DVD.
Default backup schedule is full + incremental.

> Windows Deployment Services
The successor of RIS.
For installing an OS and/or applications.
Several image types: boot image, install image, capture image, discover image.

> Windows Server Virtualization
The successor of Virtual Server 2005.
Differencing support on VHD files.
Virtual networks use VLAN IDs for better performance.
Dedicated processor/RAM blocking in WSV for certain guest computers.
Supports x64 guest OS.

> Clustering & NLB
No more need for a VLAN for geo-clustering.
No 500 ms limitation for the heartbeat.

Active Directory in Windows Server 2008 – What’s new?

• Active Directory roles in Windows Server 2008:
  • Active Directory Domain Services (ADDS) – this is like the current AD
  • Active Directory Certificate Services (ADCS)
  • Active Directory Federation Services (ADFS) – for access between two different organizations
  • Active Directory Lightweight Directory Services (ADLDS) – this is like ADAM in Windows 2003
  • Active Directory Rights Management Services (ADRMS)
  • Active Directory Read Only Domain Controller (ADRODC) – a truly new feature
• ADLDS holds customized AD attributes, is mainly used for applications in a DMZ and is read-only too. No authentication, and it does not support Exchange.
• ADRMS – for intranet, websites, email and documents.
• An RODC implementation needs at least the Windows Server 2003 forest functional level and one Windows Server 2008 DC.
• By default an RODC does not keep passwords; a password replication policy must be set up. The PDC emulator of the domain must run on Windows Server 2008.
• A local administrator can be set on an RODC without giving access to Active Directory.
• Improved auditing in AD:
  • Directory Service Access (current)
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  Auditing is not set up by default. When enabled, it can track AD object creation, deletion, modification and movement.
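As an added example (not from the original post), this PowerShell turns on the Directory Service Changes subcategory mentioned above on a Windows Server 2008 DC, shows the audit entries (SACL) on the domain head that decide which objects actually generate events, and then summarises the resulting Security-log events. The event IDs 5136 (modified), 5137 (created), 5138 (undeleted), 5139 (moved) and 5141 (deleted) are the ones this subcategory writes; the English subcategory name is assumed, since auditpol uses localized names.

```powershell
# Added example, not part of the original post: enable and read back
# Directory Service Changes auditing on a 2008 DC. Run elevated on the DC.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# Events are only produced for objects whose SACL asks for them. Show the audit
# entries on the domain head, which child objects inherit (needs the AD: drive
# provided by the ActiveDirectory module).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$domainDN" -Audit).Audit |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# Summarise the last day of directory change events: who changed which object.
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Attribute = $d['AttributeLDAPDisplayName']   # present on 5136 (modify) only
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

If the subcategory is enabled but the event list stays empty after a test change, the SACL output is the place to look: the policy decides that change auditing is on, the object's SACL decides which objects and rights are covered.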
