Tuesday, November 29, 2011

Comparing Group Policy Objects with Security Compliance Manager v2

One of the features of Security Compliance Manager (SCM) is GPO comparison. It is a convenient way for administrators to verify the differences between two GPOs.

Prerequisites

OS: Windows 7, Windows Server 2008 or Windows Server 2008 R2
Application: Microsoft .Net Framework 4

In this lab, I will install SCM in a Windows 7 computer.

Install Security Compliance Manager (SCM)
1. At a computer, log in as Domain Administrator.
2. Double-click "Security_Compliance_Manager_Setup".
3. At welcome screen, click "Next".
4. Select "I accept the terms of the license agreement", click "Next" twice.
5. Select "Download and install".


6. Click "Next".
7. Select "I accept the terms of the license agreement", click "Next".
8. Click "Install".


9. Click "Finish".
10. Microsoft Security Compliance Manager starts automatically and downloads the latest security baselines.



Comparing Group Policy Objects
Prerequisites
Using the Group Policy Management Console, back up the Group Policy Objects you want to compare to a folder.

1. In "Microsoft Security Compliance Manager", in the "Import" section, click "GPO Backup (folder)".
2. Select the folder that contains the GPO backup, click "OK".
3. Enter a name for the imported GPO, click "OK".


In my lab, the two GPOs are named "GPO 1" and "GPO 2".

4. The GPO is imported successfully.
5. Import the second GPO from its backup in the same way.


6. Select "GPO 1".
7. Go to the "Baseline" section.


8. Click "Compare / Merge".
9. Select "GPO 2", click "OK".


The comparison result for the two GPOs is generated. You can also click "Export to Excel" to save it as an Excel file.
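As an added example (not part of the original post), the following PowerShell does the backup prerequisite from the command line with the GroupPolicy module and then produces a quick line diff of the two GPOs' settings reports, which is handy for spotting drift before opening SCM. It assumes RSAT or Windows Server 2008 R2 or later for the GroupPolicy module, that the lab GPOs "GPO 1" and "GPO 2" exist, and an assumed backup path in $BackupRoot.

```powershell
# Added example, not from the original post: back up the two lab GPOs with the GroupPolicy
# module (the command-line equivalent of the GPMC backup step above) and produce a quick
# line diff of their settings reports. Assumes RSAT / Windows Server 2008 R2 or later, that
# "GPO 1" and "GPO 2" exist in the domain, and an assumed backup path $BackupRoot.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackup'
$GpoNames   = 'GPO 1', 'GPO 2'

function Backup-GpoToOwnFolder {
    param([string]$Name, [string]$Root)
    # One folder per GPO keeps each SCM "GPO Backup (folder)" import unambiguous
    $dest = Join-Path $Root ($Name -replace '[^\w\-]', '_')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Backup-GPO -Name $Name -Path $dest -Comment "Exported for SCM compare $(Get-Date -Format s)"
}

function Get-GpoSettingLines {
    param([string]$Name, [string]$ReportFile)
    Get-GPOReport -Name $Name -ReportType Xml -Path $ReportFile
    # Drop the lines that always differ between two GPOs (identity, names, timestamps)
    # so that what remains is configuration, not metadata.
    Get-Content -LiteralPath $ReportFile |
        Where-Object { $_ -notmatch '<(Identifier|Domain|Name|CreatedTime|ModifiedTime|ReadTime)[ >]' } |
        ForEach-Object { $_.Trim() }
}

foreach ($name in $GpoNames) { Backup-GpoToOwnFolder -Name $name -Root $BackupRoot | Out-Null }

$left  = Get-GpoSettingLines -Name $GpoNames[0] -ReportFile (Join-Path $BackupRoot 'gpo1-report.xml')
$right = Get-GpoSettingLines -Name $GpoNames[1] -ReportFile (Join-Path $BackupRoot 'gpo2-report.xml')

# "<=" means the line exists only in GPO 1, "=>" only in GPO 2
Compare-Object -ReferenceObject $left -DifferenceObject $right |
    Select-Object @{ Name = 'OnlyIn'; Expression = { if ($_.SideIndicator -eq '<=') { $GpoNames[0] } else { $GpoNames[1] } } },
                  @{ Name = 'Line';   Expression = { $_.InputObject } } |
    Format-Table -AutoSize -Wrap
```

The line diff deliberately ignores XML structure, so treat it as a drift alarm: any output means the two GPOs are not identical, and SCM's Compare / Merge view is the place to read the actual setting-by-setting difference.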

Download link
Microsoft Security Compliance Manager

Reference
http://technet.microsoft.com/en-us/library/cc677002.aspx

This posting is provided “AS IS” with no warranties, and confers no rights!

Sunday, November 27, 2011

Configuring the maximum message size for the internal organization

In Exchange 2007 and Exchange 2010, the default maximum message size within the organization is 10 MB, so users can send and receive messages of up to 10 MB. Some companies want to allow larger messages inside the organization. Administrators need to modify the "Transport Settings" to achieve this.

I use Exchange Server 2010 to demo this lab.

1. At an Exchange Server, log in as Domain Administrator.
2. Launch "Exchange Management Console".
3. Expand "Microsoft Exchange On-Premises > Organization Configuration > Hub Transport".
4. Select "Global Settings" tab.
5. Right-click "Transport Settings", select "Properties".


By default, all mailboxes in the organization follow the limits in "Transport Settings".

6. Next to "Maximum receive size (KB)", change the value to "20480".
7. Next to "Maximum send size (KB)", change the value to "20480".


8. Click "OK".

Remark: You can also run the following cmdlet in the Exchange Management Shell to modify the settings.

Set-TransportConfig -MaxReceiveSize 20MB -MaxSendSize 20MB


Remark: You can use ADSI Edit to update or verify the settings.

1) At a Domain Controller, log in as Domain Administrator.
2) Launch "ADSI Edit".
3) Right-click "ADSI Edit", select "Connect to".
4) Next to "Select a well known Naming Context", select "Configuration".
5) Expand "Configuration > CN=Configuration,DC=<Domain Name>,DC=com > CN=Services > CN=Microsoft Exchange > CN=<Organization Name> > CN=Global Settings > CN=Message Delivery".
6) Right-click "CN=Message Delivery", select "Properties".


"delivContLength" is "Maximum receive size".
"submissionContLength" is "Maximum send size".

Both values are in kilobytes (KB).

Administrators can also set maximum send and receive message sizes on individual mailboxes. When a mailbox has its own limits, they take precedence over the organization-wide "Transport Settings" for that user.

9. Still in "Exchange Management Console", expand "Recipient Configuration > Mailbox".
10. Right-click the user mailbox, select "Properties".
11. Select "Mail Flow Settings" tab.


12. Select "Message Size Restrictions", click "Properties".


Administrators can assign the maximum send and receive message size for this user.

Remark: You can run the "Set-Mailbox" cmdlet to configure the maximum send and receive message size for a user.

Set-Mailbox <Alias> -MaxReceiveSize 10MB -MaxSendSize 10MB


Remark: You can use ADSI Edit to update or verify the user mailbox.

1) At a Domain Controller, log in as Domain Administrator.
2) Launch "ADSI Edit".
3) Right-click "ADSI Edit", select "Connect to".
4) Next to "Select a well known Naming Context", select "Default Naming context".
5) Expand "Default naming context > DC=<Domain Name>,DC=com > CN=Users" (or the OU that holds the user).
6) Right-click a user name, select "Properties".
7) Next to "delivContLength" and "submissionContLength", configure the size for the user.


After the settings are updated, users can send and receive larger messages within the organization.
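As an added example (not part of the original post), the following Exchange Management Shell script applies the organization limit and a mailbox override from the steps above, then reads every level back in one report, including the raw Active Directory attributes that ADSI Edit shows. It assumes Exchange 2010, an assumed mailbox alias "jdoe", and the 20 MB and 10 MB values used in the post.

```powershell
# Added example, not from the original post: apply the organization-wide limit from the
# steps above, give one mailbox its own limit, then read every level back so the effective
# policy is visible in one place. Run in the Exchange Management Shell on Exchange 2010.
# $Alias is an assumed mailbox alias; 20 MB and 10 MB are the values used in the post.
$Alias = 'jdoe'

# Organization level (Hub Transport > Global Settings > Transport Settings)
Set-TransportConfig -MaxReceiveSize 20MB -MaxSendSize 20MB

# Mailbox level; a mailbox limit takes precedence over the organization limit
Set-Mailbox -Identity $Alias -MaxReceiveSize 10MB -MaxSendSize 10MB

function Get-MessageSizeLimitReport {
    # Organization level, as written by Set-TransportConfig
    $org = Get-TransportConfig
    New-Object PSObject -Property @{
        Scope          = 'Organization'
        MaxSendSize    = $org.MaxSendSize
        MaxReceiveSize = $org.MaxReceiveSize
    }

    # Mailboxes that do not inherit: anything whose limit is not "Unlimited"
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.MaxSendSize.IsUnlimited -or -not $_.MaxReceiveSize.IsUnlimited } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Scope          = "Mailbox: $($_.Alias)"
                MaxSendSize    = $_.MaxSendSize
                MaxReceiveSize = $_.MaxReceiveSize
            }
        }
}

Get-MessageSizeLimitReport | Select-Object Scope, MaxSendSize, MaxReceiveSize | Format-Table -AutoSize

# The same organization values as stored in Active Directory (what ADSI Edit shows above), in KB
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$root     = [ADSI]"LDAP://$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, '(&(cn=Message Delivery)(delivContLength=*))'
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'delivContLength', 'submissionContLength'))
$md = $searcher.FindOne()
'{0}' -f $md.Properties['distinguishedname'][0]
'  delivContLength (max receive, KB)   = {0}' -f $md.Properties['delivcontlength'][0]
'  submissionContLength (max send, KB) = {0}' -f $md.Properties['submissioncontlength'][0]
```

The report lists only mailboxes that deviate from the organization default, which is the set worth auditing. Note that these two levels are what the post covers; mail that passes through a Receive or Send connector is additionally subject to that connector's MaxMessageSize.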

This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, November 26, 2011

Failure to configure the maximum message size on an AD site link for Exchange servers

When I ran "Set-AdSiteLink" with the "MaxMessageSize" parameter in the Exchange 2010 Management Shell, it failed to update the setting.

It showed the following error:

Active Directory operation failed on <Server name>. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSIS-03150BB9, problem 4003 (INSUF_ACCESS_RIGHTS), data 0 + CategoryInfo: NotSpecified: (0:Int32) [Set-AdSiteLink], ADOperationException + FullyQualifiedErrorId: A44E1A40,Microsoft.Exchange.Management.SystemConfigurationTasks.SetAdSiteLink

To solve this problem, grant the "Exchange Trusted Subsystem" group permission on the site link objects. Exchange cmdlets write to Active Directory with the rights of this group, and by default it cannot modify the site link objects under CN=Inter-Site Transports.

1. At a domain controller, log in as Enterprise Administrator.
2. Launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".
4. Next to "Select a well known Naming Context", select "Configuration".


5. Click "OK".
6. Expand "Configuration > CN=Configuration,DC=contoso,DC=com > CN=Sites > CN=Inter-Site Transports > CN=IP".
7. Right-click "CN=IP", select "Properties".
8. Select "Security" tab, click "Advanced".


9. Click "Add".
10. Enter "Exchange Trusted Subsystem", click "OK".
11. Next to "Apply to", select "Descendant Site Link objects".
12. Check "Allow" for "Read all properties", "Write all properties" and "Read permissions". Scoping the entry to descendant Site Link objects gives Exchange exactly what Set-AdSiteLink needs, rather than write access to everything under CN=IP.


13. Click "OK" three times.
14. Close "ADSI Edit".

Now you can update "MaxMessageSize" on the AD site link.
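As an added example (not part of the original post), the following PowerShell creates the same access control entry with dsacls.exe instead of ADSI Edit and then runs the Set-AdSiteLink call that previously failed. It assumes you run it as an Enterprise Admin, that the domain is "CONTOSO" and the site link is "DEFAULTIPSITELINK" (both assumed names), that dsacls.exe from the AD DS tools is available, and that the Exchange Management Shell is loaded for Set-AdSiteLink.

```powershell
# Added example, not from the original post: the same ACE the ADSI Edit steps create,
# applied from the command line, followed by the Set-AdSiteLink call that previously failed.
# Run as an Enterprise Admin. "CONTOSO" and "DEFAULTIPSITELINK" are assumed names;
# dsacls.exe ships with the AD DS tools, Set-AdSiteLink is an Exchange Management Shell cmdlet.
$ConfigNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$IpTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC"
$Trustee     = 'CONTOSO\Exchange Trusted Subsystem'

# Show the current ACL of the IP transport container (the pre-fix state)
dsacls $IpTransport

# Grant Read all properties (RP), Write all properties (WP) and Read permissions (RC),
# inherited only by descendant objects (/I:S) of class siteLink (the third ";" field).
# Limiting the ACE to siteLink keeps Exchange from gaining write access to anything
# else under Inter-Site Transports.
dsacls $IpTransport /I:S /G "${Trustee}:RPWPRC;;siteLink"

# Confirm the new entry is present
dsacls $IpTransport | Select-String -SimpleMatch 'Exchange Trusted Subsystem'

# The call that failed with INSUF_ACCESS_RIGHTS before the ACE existed
Set-AdSiteLink -Identity 'DEFAULTIPSITELINK' -MaxMessageSize 20MB
Get-AdSiteLink | Format-Table Name, ADCost, ExchangeCost, MaxMessageSize -AutoSize
```

The ACL change lives in the Configuration partition and has to replicate; if the Exchange Management Shell is talking to a different domain controller than the one you wrote to, Set-AdSiteLink may keep failing until replication catches up.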


Reference:
Workaround: Exchange 2010 Set-ADSiteLink -MaxMessageSize insufficient access rights

Sunday, November 20, 2011

Authorizing a DHCP server as a non-enterprise administrator

By default, only a member of the "Enterprise Admins" group can authorize a DHCP server in a domain environment. If another account tries to authorize a DHCP server that is a member server in a child domain, it gets "Access is denied".


To solve this problem, I delegate the permission to the child domain administrator.

1. At the forest root domain controller, log in as Domain Administrator.
2. Launch "Active Directory Sites and Services".
3. On the menu, click "View > Show Services Node".


4. Expand "Services > NetServices".
5. Right-click "NetServices", select "Delegate Control".

6. On "Delegation of Control Wizard" screen, click "Next".
7. On the "Users or Groups" screen, add the user or group to which you want to delegate authorizing DHCP servers (a dedicated group is easier to audit than individual accounts).


8. Click "Next".
9. On "Tasks to Delegate" screen, select "Create a custom task to delegate".


10. Click "Next".
11. On "Active Directory Object Type" screen, select "This folder, existing objects in this folder, and creation of new objects in this folder".


12. Click "Next".
13. On the "Permissions" screen, check "Full Control". Note that this grants the delegate full control over the whole NetServices container, that is, over the authorization records of every DHCP server in the forest, not just the one in the child domain.

14. Click "Next".
15. Click "Finish".

Now the delegated account can authorize the DHCP server installed in the child domain.
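As an added example (not part of the original post), the following PowerShell performs the same delegation with dsacls.exe, verifies the entry, and then exercises it from the delegated account with netsh. The first part assumes an Enterprise Admin on the forest root; the second part assumes you are logged on as the delegate. "CONTOSO\DHCP Authorizers", the server name and the IP address are assumed values; dsacls and netsh dhcp are standard Windows tools.

```powershell
# Added example, not from the original post: the same delegation done with dsacls.exe and
# then exercised from the delegated account with netsh. Run the first part as a member of
# Enterprise Admins on the forest root; the second part as the delegate.
# "CONTOSO\DHCP Authorizers", dhcp01.child.contoso.com and 10.1.0.10 are assumed values.
$ConfigNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$NetServices = "CN=NetServices,CN=Services,$ConfigNC"
$Delegate    = 'CONTOSO\DHCP Authorizers'

# Full Control (GA) on this object and all sub-objects (/I:T), which is what the
# Delegation of Control Wizard grants with "Full Control" on "This folder, existing
# objects in this folder, and creation of new objects in this folder".
dsacls $NetServices /I:T /G "${Delegate}:GA"

# Confirm the ACE landed before handing the task over
dsacls $NetServices | Select-String -SimpleMatch $Delegate

# --- as the delegated user, from a machine that can reach the domain ---
# Authorize the child-domain DHCP server (DNS name, then IP address)
netsh dhcp add server dhcp01.child.contoso.com 10.1.0.10

# List every DHCP server authorized in the forest; the new one should appear
netsh dhcp show server
```

Because the delegate can also run "netsh dhcp delete server" against any entry in that list, keep the delegated group small and monitored; an unauthorized or rogue DHCP server is an easy way to redirect clients' DNS and gateway settings.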

Reference:
Delegate ability to authorize DHCP servers to a non-enterprise administrator

Updated 24-Jan-17
I just checked and chatted with my previous manager, and attach the following web site for reference.

This posting is provided “AS IS” with no warranties, and confers no rights!

Thursday, November 17, 2011

An article for DNS and Active Directory

I would like to share a good article, "Friday Mail Sack: Saturday Edition", written by NedPyle [MSFT]. It contains some recommendations for DNS in Active Directory environments. If you have time, please take a look.

This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, November 16, 2011

Sending a large attachment in OWA 2010

When users attach a file larger than about 35 MB in OWA 2010, they get the following error:

404 - File or directory not found
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.


Remark: This assumes your organization's message size limits already allow messages larger than 35 MB. The 404 comes from IIS request filtering rejecting the oversized upload (substatus 404.13, "Content Length Too Large", in the IIS log), not from a missing page.

To solve this problem, modify the "web.config" file of the OWA virtual directory.

1. At the Client Access Server, log in as Domain Administrator.
2. Launch "Windows Explorer".
3. Navigate to "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa".
4. Open "web.config" by "Notepad".
5. Search "requestLimits maxAllowedContentLength" and "httpRuntime maxRequestLength".


By default, the maximum upload is about 35 MB (35000000 bytes). Change both values to a size suitable for your environment, and keep them consistent with each other: the smaller of the two is what takes effect.

6. Next to "requestLimits maxAllowedContentLength", change the value from "35000000" to "52428800".

Remark: The value is in bytes; 52428800 bytes is 50 MB.

7. Next to "httpRuntime maxRequestLength", change the value from "35000" to "51200".

Remark: The value is in kilobytes; 51200 KB is also 50 MB, so both settings agree.


8. Save the file and close Notepad. The change takes effect when the OWA application pool recycles, which saving web.config triggers. Exchange service packs and update rollups can replace web.config, so re-check these values after applying updates.
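As an added example (not part of the original post), the following PowerShell makes the same two web.config edits as the steps above but derives both values from a single size in megabytes, takes a backup first, and reads the file back to confirm the two limits agree. It assumes the Exchange 2010 default path used above, that the stock web.config carries no XML namespace on these elements, and a chosen size in $MaxUploadMB.

```powershell
# Added example, not from the original post: raise both OWA upload limits from one size,
# with a backup and a read-back check, instead of editing web.config by hand.
# Assumes the Exchange 2010 default path used above and that web.config has no XML
# namespace on these elements (true for the stock file). $MaxUploadMB is the chosen size.
$MaxUploadMB = 50
$WebConfig   = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config'

function Get-OwaUploadLimit {
    param([string]$Path)
    [xml]$xml = Get-Content -LiteralPath $Path
    $requestLimits = $xml.SelectSingleNode('//requestFiltering/requestLimits')
    $httpRuntime   = $xml.SelectSingleNode('//system.web/httpRuntime')
    if (-not $requestLimits -or -not $httpRuntime) { throw "requestLimits or httpRuntime not found in $Path" }
    New-Object PSObject -Property @{
        MaxAllowedContentLengthBytes = [long]$requestLimits.GetAttribute('maxAllowedContentLength')
        MaxRequestLengthKB           = [long]$httpRuntime.GetAttribute('maxRequestLength')
    }
}

function Set-OwaUploadLimit {
    param([string]$Path, [int]$MegaBytes)
    # Keep a timestamped copy; Notepad gives you no undo once the file is saved
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    [xml]$xml = Get-Content -LiteralPath $Path
    # requestLimits maxAllowedContentLength is in bytes, httpRuntime maxRequestLength in KB;
    # deriving both from one number stops them drifting apart.
    $xml.SelectSingleNode('//requestFiltering/requestLimits').SetAttribute('maxAllowedContentLength', [string]($MegaBytes * 1MB))
    $xml.SelectSingleNode('//system.web/httpRuntime').SetAttribute('maxRequestLength', [string]($MegaBytes * 1024))
    $xml.Save($Path)
}

'Before:'
Get-OwaUploadLimit -Path $WebConfig | Select-Object MaxAllowedContentLengthBytes, MaxRequestLengthKB | Format-List

Set-OwaUploadLimit -Path $WebConfig -MegaBytes $MaxUploadMB

'After:'
$after = Get-OwaUploadLimit -Path $WebConfig
$after | Select-Object MaxAllowedContentLengthBytes, MaxRequestLengthKB | Format-List

# Both values must describe the same size, otherwise the smaller one silently wins
if ($after.MaxAllowedContentLengthBytes -ne ($after.MaxRequestLengthKB * 1KB)) { throw 'Upload limits are inconsistent' }
```

Raising the request size also raises how much an unauthenticated client can push at the server before IIS refuses it, so set it no higher than the transport limits of the previous post actually allow, and keep the backup so the value can be compared after the next Exchange update rewrites the file.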

Reference:
http://technet.microsoft.com/en-us/library/aa996835(EXCHG.80).aspx

This posting is provided “AS IS” with no warranties, and confers no rights!

Monday, November 7, 2011

Autodiscover failed (0x800C8203)

When you run "Test E-mail AutoConfiguration" in Outlook, you get the following result:

Autodiscover to https://<FQDN>/Autodiscover/Autodiscover.xml Failed (0x800C8203)


One cause is that the Outlook client cannot resolve the DNS name of the Autodiscover service.

To fix this, create a DNS record for the Autodiscover host name (an A or CNAME record for autodiscover.<SMTP domain> pointing to the Client Access Server) on the DNS server that the clients use.



Another cause is that, in IIS, the "SSL Settings" of the Autodiscover virtual directory do not have "Client certificates" set to "Ignore".


After correcting these settings, Autodiscover on the Outlook client works normally again.
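As an added example (not part of the original post), the following PowerShell checks both causes described above from the Client Access Server: whether the names Outlook tries resolve in DNS, and whether the Autodiscover virtual directory in IIS still negotiates or requires client certificates. It assumes the IIS 7.x WebAdministration module and the Exchange 2010 Management Shell; "contoso.com" and the virtual directory path are assumed values for the lab.

```powershell
# Added example, not from the original post: check the two causes described above from
# the Client Access Server. Assumes the IIS 7.x WebAdministration module and the
# Exchange 2010 Management Shell; "contoso.com" and the virtual directory path are
# assumed values for the lab.
Import-Module WebAdministration

$SmtpDomain       = 'contoso.com'
$AutodiscoverVDir = 'IIS:\Sites\Default Web Site\Autodiscover'

function Test-AutodiscoverDns {
    param([string]$Domain)
    # Outlook tries https://<domain>/... and then https://autodiscover.<domain>/...
    # before falling back to an SRV lookup, so both names are checked.
    foreach ($name in @($Domain, "autodiscover.$Domain")) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            New-Object PSObject -Property @{ Host = $name; Resolves = $true;  Addresses = ($addrs -join ', ') }
        } catch {
            New-Object PSObject -Property @{ Host = $name; Resolves = $false; Addresses = '' }
        }
    }
}

function Test-AutodiscoverClientCert {
    param([string]$VDirPath)
    # sslFlags combines Ssl (8), SslNegotiateCert (32), SslRequireCert (64) and Ssl128 (256).
    # "Ignore" client certificates means neither SslNegotiateCert nor SslRequireCert is set.
    # IIS may hand the value back as a name list or as a number, so both forms are handled.
    $raw  = (Get-WebConfigurationProperty -PSPath $VDirPath -Filter 'system.webServer/security/access' -Name sslFlags).Value
    $text = "$raw"
    if ($text -match '^\d+$') {
        $ignored = ([int]$text -band (32 -bor 64)) -eq 0
    } else {
        $ignored = $text -notmatch 'SslNegotiateCert|SslRequireCert'
    }
    New-Object PSObject -Property @{ VDir = $VDirPath; SslFlags = $text; ClientCertIgnored = $ignored }
}

Test-AutodiscoverDns -Domain $SmtpDomain | Select-Object Host, Resolves, Addresses | Format-Table -AutoSize

$cert = Test-AutodiscoverClientCert -VDirPath $AutodiscoverVDir
$cert | Select-Object VDir, SslFlags, ClientCertIgnored | Format-List
if (-not $cert.ClientCertIgnored) {
    # Keep "Require SSL" but stop asking the client for a certificate
    Set-WebConfigurationProperty -PSPath $AutodiscoverVDir -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Server-side check of the Autodiscover and web services endpoints
Test-OutlookWebServices | Format-Table Id, Type, Message -Wrap
```

If the DNS check fails only for autodiscover.<domain>, the fix is the record described above; if ClientCertIgnored is false, the fix is the IIS setting. Test-OutlookWebServices confirms the service side after either change, but it does not exercise the client's DNS resolution, so keep the DNS check as well.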



Reference:
0x800C8203 Autodiscover: http://clintboessen.blogspot.com/2010/04/0x800c8203-autodiscover.html

This posting is provided “AS IS” with no warranties, and confers no rights!

Sunday, November 6, 2011

Active Directory Replication over Firewalls

I would like to share a good article about "Active Directory Replication over Firewalls". It shows which ports and protocols the firewall must allow. By default, AD replication uses dynamic RPC ports, so firewall administrators would have to open a wide range of ports for it. The article shows different methods for restricting the ports that AD replication uses.

I hope all of you enjoy it.
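As an added example (not part of the original post or of the linked article), the following PowerShell applies the standard registry method for pinning the replication RPC endpoints to fixed ports, so the firewall only has to allow TCP 135 (the endpoint mapper) plus the fixed ports instead of the whole dynamic RPC range. It assumes you run it as an administrator on each domain controller and that ports 50000 and 50001 are free (assumed values in the private range); the registry value names are the documented NTDS and Netlogon settings, and a reboot is required.

```powershell
# Added example, not from the original post or the linked article: pin AD replication's
# RPC endpoints to fixed TCP ports so the firewall only needs those ports plus the
# endpoint mapper (TCP 135), instead of the whole dynamic RPC range. Run on each domain
# controller as an administrator. 50000 and 50001 are assumed free ports; the registry
# value names are the documented NTDS and Netlogon settings. Reboot for the change to apply.
$NtdsPort     = 50000   # Active Directory replication (NTDS / DRS) RPC endpoint
$NetlogonPort = 50001   # Netlogon RPC endpoint, also used between domain controllers

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-StaticRpcPorts {
    param([int]$Ntds, [int]$Netlogon)
    Set-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -Value $Ntds     -Type DWord
    Set-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -Value $Netlogon -Type DWord
}

function Get-StaticRpcPorts {
    New-Object PSObject -Property @{
        NtdsPort     = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
        NetlogonPort = (Get-ItemProperty -Path $netlogonKey).DCTcpipPort
    }
}

Set-StaticRpcPorts -Ntds $NtdsPort -Netlogon $NetlogonPort
Get-StaticRpcPorts | Select-Object NtdsPort, NetlogonPort | Format-List

# After the reboot, confirm the endpoint mapper now advertises the fixed port for the
# directory replication interface (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) rather than
# a dynamic one. PortQry (Microsoft download) can dump the endpoint mapper entries:
#   portqry -n localhost -e 135
```

The fixed ports replace only the dynamic RPC range; LDAP (389/636, 3268/3269), Kerberos (88), SMB (445), DNS (53) and time (123) are still needed between domain controllers. File Replication Service and DFS Replication have their own static-port settings (the "RPC TCP/IP Port Assignment" value under NTFRS\Parameters and "dfsrdiag StaticRPC" respectively) and are not changed by this script.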

This posting is provided “AS IS” with no warranties, and confers no rights!