Search This Blog

Sunday, September 16, 2012

MBSA Cabinet File Download Location

If you want to manually download the cabinet file for Microsoft Baseline Security Analyzer (MBSA) v2.2, here's the url:

http://go.microsoft.com/fwlink/?LinkId=76054

The name of the file is WSUSSCN2.CAB

Thursday, November 3, 2011

Using SMTP for Active Directory Replication

SMTP replication is used only for replication between sites.
You also cannot use SMTP replication to replicate between domain controllers in the same domain—only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication).
SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.

Tuesday, November 1, 2011

DNS Tombstones in Windows 2003 and 2008

When DNS records are deleted from AD integrated zones, they are not immediately tombstoned in the way normal AD object deletions are. Instead, they go through a DNS tombstone process. This includes setting dnsTombstoned=True for the object.
When set to True, the DNS console and tools will ignore the presence of the record. You will still see the objects through LDP/ADSIEDIT/LDIFDE alongside the other DNS records. Each DNS server is hard coded to perform a cleanup process every morning at 2 a.m. to delete any dnsTombstoned=True records that are seven days old or older.
It is at this time that the objects are tombstoned like normal AD deletions (isDeleted=True) and moved to the Deleted Objects container. This is important to know in case someone deletes records, such as enabling scavenging for the first time, and wants to know why they still see the objects in Active Directory. The reason for the seven days of dnsTombstoned=True is to prevent frequent database churn. This is because workstation records may get de-registered or scavenged and then re-created within a short period of time.

Saturday, October 29, 2011

Prevent Registration of Certain Domain Controller DNS Records

There are times when you want to restrict a Domain Controller from registering certain resource records in the DNS. One of the scenario is when you have hub - spoke topology, it is preferable that if all domain controllers/global catalogs in a satellite site become unavailable, a client that is searching for a domain controller/global catalog in that site will fail over to a domain controller/global catalog in a central hub and not in another satellite site.
To achieve this behavior, the domain controllers/global catalogs in the satellite offices should not register generic (non-site-specific) domain controller locator DNS records

To restrict the DNS resource records that are updated by NetlLogon
  1. Open Registry Editor.
  2. In Registry Editor, navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Add the following multistring value (REG_MULTI_SZ) value:
    DnsAvoidRegisterRecords
  4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The following table contains the list of data.
<>
<>
Domain Controller -Specific Records
Mnemonic
Type
DNS Record
LdapIpAddress
A
Ldap
SRV
_ldap._tcp.
DcByGuid
SRV
_ldap._tcp..domains._msdcs.
Kdc
SRV
_kerberos._tcp.dc._msdcs.
Dc
SRV
_ldap._tcp.dc._msdcs.
Rfc1510Kdc
SRV
_kerberos._tcp.
Rfc1510UdpKdcSRV_kerberos._udp.
Rfc1510KpwdSRV_kpasswd._tcp.
Rfc1510UdpKpwdSRV_kpasswd._udp.

Global Catalog-Specific Records
Mnemonic
Type
DNS Record
GcSRV_ldap._tcp.gc._msdcs.
GcIpAddressAgc._msdcs.
GenericGcSRV_gc._tcp.

Sunday, October 9, 2011

Infrastructure Master & Global Catalog placement

Infrastructure Master (IM) is FSMO role that responsible to updates cross-domain references and phantoms from the global catalog. It is comparing objects of the local domain against objects in other domains of the same forest.

  • Single domain forest:

    In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.


  • Multidomain forest:

    If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, IM won't ever see any differences, since the global catalog holds a partitial copy of every object in the forest itself. So there are no phantoms or work for the infrastructure master to do.

  • In this case, the infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.

    Search Google