RE: Security audit & Domain Controller security
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx (Crina Li (MSFT))
- Date: Thu, 04 Aug 2005 08:37:52 GMT
Hi Dan,
Thank you for posting in SBS newsgroup.
From your description, I understand you can not open the Domain Controller
Security Policy from Administrator Tools. If I have misunderstood your
concerns, please do not hesitate to let me know.
For the problem, please refer to the following KB article:
294257 "Failed to Open the Group Policy Object" Error Message Occurs When You
http://support.microsoft.com/?id=294257
Regarding DNS, there should be 2 lines. One has the prefix of _msdcs. For
DNS 4015 & 4004 errors, please try the following:
1. Open Active Directory Users and Computers, click View, Advanced.
2. Expand Internal_domain.local -> System -> MicrosoftDNS and delete item
in it.
3. Go to DNS, expand forward lookup zones, and delete the
_msdcs.internal_domain.local zone
4. Go to Start ->Run, type Services.msc and click OK, locate and restart
Net logon service.
5. Wait for a few minutes. Open the DNS MMC again. Verify that the _msdcs
zone file now has the _msdcs zone re-created.
If the _msdcs zone under internal_domain.local is missing, you should
create a new delegation by performing the following:
1. Right click on internal_domain.local, select new, then delegation.
2. Click next on the wizard, under delegated domain, type in _msdcs and
click next, click add and browse to the server's A record under forward
lookup zones, internal_domain.local.
3. Click ok and finish.
The following article may be helpful:
310568 Domain Subfolders Missing from Forward Lookup Zone
http://support.microsoft.com/?id=310568
321045 Description of the DNSLint utility
http://support.microsoft.com/?id=321045
Hope the information helps and I look forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Thread-Topic: Security audit & Domain Controller security
| From: Dan Shallbetter <DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Security audit & Domain Controller security
| Date: Wed, 3 Aug 2005 11:39:17 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| I am running SBS 2003 premium. I recently noticed 174,359 entries in my
| security folder, in the event viewer. When logged in as the administrator and
| trying to open Domain Controller Security I get the following message: Failed
| to Open Group Policy Object you may not have appropriate rights.... specified
| domain either does not exist or could not be found. I checked my DNS event
| log and found some 4015 & 4004 errors. I am not certain if they coincided with
| system start up / shutdown. What is best practice for security log? How do I
| resolve my GPO editor problem? I see 2 lines under DNS forward lookup zones,
| both reference the domain name, one has a prefix of _msdcs. Should I have
| both?
|
| Thanks
|
| Dan
|
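The check in step 5 of the reply above, as an added example that is not part of the original post: it lists the `_msdcs` records Netlogon is expected to register but that the re-created zone does not hold. It assumes the expected records come from Netlogon's record file (`%SystemRoot%\System32\Config\netlogon.dns`) and that the zone contents have been exported in the same one-record-per-line layout; the host name, IP address and GUID below are constructed placeholders.

```python
# Added example: verify step 5 by comparing the records Netlogon registers
# (netlogon.dns) with what the re-created _msdcs zone actually holds.

# Constructed sample in the style of %SystemRoot%\System32\Config\netlogon.dns;
# the host name, IP and GUID are placeholders, not values from the thread.
NETLOGON_DNS = """\
internal_domain.local. 600 IN A 192.168.16.2
_ldap._tcp.internal_domain.local. 600 IN SRV 0 100 389 server.internal_domain.local.
_ldap._tcp.dc._msdcs.internal_domain.local. 600 IN SRV 0 100 389 server.internal_domain.local.
_kerberos._tcp.dc._msdcs.internal_domain.local. 600 IN SRV 0 100 88 server.internal_domain.local.
_ldap._tcp.pdc._msdcs.internal_domain.local. 600 IN SRV 0 100 389 server.internal_domain.local.
00000000-0000-0000-0000-000000000000._msdcs.internal_domain.local. 600 IN CNAME server.internal_domain.local.
"""

# Constructed zone listing after the Netlogon restart (assumed same layout).
ZONE_AFTER_RESTART = """\
_LDAP._tcp.dc._msdcs.internal_domain.local 600 IN SRV 0 100 389 server.internal_domain.local.
_kerberos._tcp.dc._msdcs.internal_domain.local. 600 IN SRV 0 100 88 server.internal_domain.local.
"""


def parse_records(text):
    """Return {(owner, type, rdata)} from 'owner ttl IN type rdata...' lines."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # blank, comment or malformed line
        owner = fields[0].rstrip(".").lower()  # DNS names are case-insensitive
        rdata = " ".join(fields[4:]).rstrip(".").lower()
        records.add((owner, fields[3].upper(), rdata))
    return records


def missing_msdcs_records(netlogon_text, zone_text, domain):
    """Records under _msdcs.<domain> that Netlogon expects but the zone lacks."""
    suffix = "._msdcs." + domain.rstrip(".").lower()
    expected = {r for r in parse_records(netlogon_text) if r[0].endswith(suffix)}
    return sorted(expected - parse_records(zone_text))


if __name__ == "__main__":
    for owner, rtype, rdata in missing_msdcs_records(
            NETLOGON_DNS, ZONE_AFTER_RESTART, "internal_domain.local"):
        print(f"missing: {owner} {rtype} {rdata}")
```

An empty result means every `_msdcs` record Netlogon expects is present; anything listed is still waiting to be registered or was rejected by the zone.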