<h1>Active Directory domain in DMZ. Firewall rules.</h1> <p>Alexey Gorbunov, http://gorbunov.ca ("Sharing 20 years of my IT experience"). Published 2013-08-12.</p> <p>Deploying an Active Directory domain in a perimeter network (DMZ) usually requires changes to the firewalls. The question is: which ports must be opened, and between which computers?</p> <p>The answer is not obvious. To simplify firewall rule deployment and (very important!) to simplify communication with the Network Support team, I designed an Excel spreadsheet. The spreadsheet has a single sheet that lists all the server groups and all the rules that must be configured on a firewall. You can easily customize it and then share it with the network administrators.</p> <a name='more'></a> <p>The default rules included in the spreadsheet assume:</p> <ul> <li>A one-way trust from the domain in the DMZ to the internal domain <li>The domain in the DMZ contains domain controllers as well as member servers <li>The usual management agents (configuration management, monitoring, antivirus and backup clients) are installed on all servers in the DMZ domain.
The clients must communicate with relevant server components in the internal network</li></ul> <p>The network topology diagram is below:</p> <p><a href="http://lh6.ggpht.com/-jU7bdSX71CM/Uglb1tyKXfI/AAAAAAAAAtc/OnEdBCGsWVQ/s1600-h/FW%252520Rules%252520for%252520AD%252520domain%252520in%252520DMZ%25255B5%25255D.png"><img title="FW Rules for AD domain in DMZ" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="FW Rules for AD domain in DMZ" src="http://lh3.ggpht.com/-ngnJWCO_VYs/Uglb2NbBB8I/AAAAAAAAAtg/vCSn51iI5Y0/FW%252520Rules%252520for%252520AD%252520domain%252520in%252520DMZ_thumb%25255B3%25255D.png?imgmax=800" width="598" height="461"></a></p> <p><font size="4"><a href="http://sdrv.ms/1cIypev" target="_blank"><strong>You can download the files here. The folder includes:</strong></a></font></p> <ul> <li><font size="4">Visio diagram;</font> <li><font size="4">Excel spreadsheet;</font> <li><font size="4">Zip archive with the two files above.</font></li></ul> <p> </p> <h1>How to use the spreadsheet</h1> <h3> </h3> <h3>Step 1. 
Update server groups</h3> <p>Network administrator will use these lists to create firewall groups.</p> <p>List all <strong>domain controllers</strong> of the <strong>internal</strong> domain here:</p> <p><a href="http://lh5.ggpht.com/-dzoaBpkaeEY/Uglb2Vb2foI/AAAAAAAAArU/3bKbiaHM8Gk/s1600-h/image%25255B24%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-7KUOUw9Pbaw/Uglb2wdA5YI/AAAAAAAAArg/TVqzeMNSz40/image_thumb%25255B12%25255D.png?imgmax=800" width="285" height="146"></a></p> <p> </p> <p>List all <strong>domain controllers</strong> of the <strong>DMZ </strong>domain here:</p> <p><a href="http://lh4.ggpht.com/-qPAGtUPifKI/Uglb3QXxQdI/AAAAAAAAAro/TnmkuAbr72E/s1600-h/image%25255B23%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-GpKpTsESkbQ/Uglb32JBc1I/AAAAAAAAArw/8z5_iLJuxhs/image_thumb%25255B11%25255D.png?imgmax=800" width="296" height="107"></a></p> <p> </p> <p>List <strong>all servers</strong> (including DC and member servers) of the <strong>DMZ </strong>domain here:</p> <p><a href="http://lh5.ggpht.com/-gstamBSn-6I/Uglb4D87cfI/AAAAAAAAAr4/HiOderI_orA/s1600-h/image%25255B22%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh4.ggpht.com/-OYWybFVKVi8/Uglb4gMwvtI/AAAAAAAAAsA/QuNwa9pDaCU/image_thumb%25255B10%25255D.png?imgmax=800" width="285" height="155"></a></p> <p> </p> <h3>Step 2. 
Review the rules and adjust as needed</h3> <p>Update the main table, which holds the actual rules. The table is pre-populated with a set of known rules.</p> <p><a href="http://lh3.ggpht.com/-YKZRCizEk1c/Uglb4yFmjyI/AAAAAAAAAsI/F59nvvP5owQ/s1600-h/image%25255B17%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-rAxN2N46_ME/UglcAtwVnzI/AAAAAAAAAsQ/XNyey0vXpsA/image_thumb%25255B7%25255D.png?imgmax=800" width="644" height="164"></a></p> <p>The table contains three main groups, each combining the rules required for a specific function.</p> <p>The <strong>DMZ specific domain controllers rules</strong> group covers DNS and time synchronization. Typically the DNS service runs on the domain controllers, and the domain controllers also need to synchronize time with an external time source (by default only the domain controller holding the PDC emulator role synchronizes with the external source and the other domain controllers follow it; allowing all DMZ domain controllers keeps the rule valid when that role moves).</p> <p><a href="http://lh5.ggpht.com/-L27mrEBvbhI/UglcBOkfbuI/AAAAAAAAAsY/F-UkM7sURcE/s1600-h/image%25255B28%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-cvYVTGGM19k/UglcBlGdc-I/AAAAAAAAAsg/M-klrvY53u8/image_thumb%25255B14%25255D.png?imgmax=800" width="305" height="139"></a></p> <p>The <strong>Infrastructure rules</strong> group covers communication that must be enabled from ANY server in the <strong>DMZ</strong> network to specific servers in the <strong>Internal</strong> network. Typically these are SCCM, SCOM, antivirus and backup. Two other very important rules in this group are Remote Desktop access for administrators and Windows activation. Keep this group as narrow as you can: the rules that point from the DMZ into the internal network are open to every DMZ host, so they define exactly what a compromised DMZ server could reach. Note: fill in the rules marked with ???
if you have these infrastructure components deployed.</p> <p><a href="http://lh3.ggpht.com/-L5ZfKFvZdxk/UglcCBMZoLI/AAAAAAAAAso/rV3Gc6qqsmI/s1600-h/image%25255B32%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-7CvjOAZxeqs/UglcCk7aLnI/AAAAAAAAAsw/NsMsH0-PCqg/image_thumb%25255B16%25255D.png?imgmax=800" width="330" height="173"></a></p> <p>The <strong>Active Directory one-way forest trust</strong> group includes the ports that must be opened specifically for the Active Directory trust. Note: the trust involves communication that can be initiated from ANY server in the <strong>DMZ</strong> network (domain controllers and member servers alike) to the domain controllers in the <strong>Internal</strong> network. Two caveats before you hand these rules over. The RPC-based part of this traffic (Netlogon and the LSA/SAM interfaces) first contacts the endpoint mapper on TCP 135 and is then redirected to a dynamic high port, which on Windows Server 2008 and later defaults to TCP 49152-65535; either allow that range or configure the services to use static ports before the rules are written, otherwise the trust works while the firewall is open for testing and fails once it is locked down. And because every DMZ server may open these connections, a compromised DMZ host has a network path to your internal domain controllers; limit the Internal group to the domain controllers that actually serve the trust and make sure these connections are logged.</p> <p><a href="http://lh3.ggpht.com/-g_r0MAobR2I/UglcC5Y6TQI/AAAAAAAAAs4/oKe3aV4Lvpo/s1600-h/image%25255B36%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-qI06zfYHso4/UglcDb2Pe-I/AAAAAAAAAtA/v3VLJ-Mac8o/image_thumb%25255B18%25255D.png?imgmax=800" width="336" height="289"></a></p> <p>Quick description of the table columns:</p> <table cellspacing="2" cellpadding="2" width="585" border="1"> <tbody> <tr> <td valign="top" width="110"><strong>Column</strong></td> <td valign="top" width="467"><strong>Description</strong></td></tr> <tr> <td valign="top" width="110"><strong>Service</strong></td> <td valign="top" width="467">Service/application name that requires the rule</td></tr> <tr> <td valign="top" width="110"><strong>DMZ - Group</strong></td> <td valign="top" width="467">Group of servers in
<strong>DMZ</strong> network that initiates or accepts the connection.<br>Enter either a predefined group, individual servers, or IP addresses here.</td></tr> <tr> <td valign="top" width="110"><strong>DMZ - Port</strong></td> <td valign="top" width="467">Port or ports on the DMZ side used to initiate or accept the connection</td></tr> <tr> <td valign="top" width="110"><strong>Direction</strong></td> <td valign="top" width="467">---> <strong>DMZ</strong> initiates the connection to <strong>Internal</strong><br><--- <strong>Internal</strong> initiates the connection to <strong>DMZ</strong><br><-> both directions (do not use; split such traffic into two one-way rules so that each side gets only the access it needs)</td></tr> <tr> <td valign="top" width="110"><strong>Internal - Group</strong></td> <td valign="top" width="467">Group of servers in the <strong>Internal</strong> network that initiates or accepts the connection.<br>Enter either a predefined group, individual servers, or IP addresses here.</td></tr> <tr> <td valign="top" width="110"><strong>Internal - Port</strong></td> <td valign="top" width="467">Port or ports on the internal side used to initiate or accept the connection</td></tr> <tr> <td valign="top" width="110"><strong>Explanation</strong></td> <td valign="top" width="467">Your own reminder of why you need this rule</td></tr></tbody></table> <p>You can easily filter the rules (row 5 holds the drop-down lists).</p> <hr> <p><a href="http://sdrv.ms/1cIypev" target="_blank"><strong>And one more link to the files. The folder includes:</strong></a></p> <ul> <li>Visio diagram; <li>Excel spreadsheet; <li>Zip archive with the two files above.</li></ul> <p>Feel free to customize the files the way you want.</p> <hr> <h3>Happy firewalling!
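</h3> <p>Before handing the sheet to the network team it helps to see what the groups and the direction arrows expand to. The following is an added example, not part of the original post or its spreadsheet: it reads rows laid out in the spreadsheet's columns, expands the Step 1 server groups into per-host rules, and rejects rows that still contain ??? or use the <-> direction. The group names, addresses and rule rows are constructed sample data, and the proto/port notation in the port cells is an assumption of this example rather than the spreadsheet's own format.</p>

```python
"""Expand a firewall rule table laid out like the spreadsheet's columns into
per-host rules.  Added example, not code from the original post; the groups,
addresses and rows below are constructed sample data."""
import csv
import io
from dataclasses import dataclass

# Constructed server groups (the lists the network team builds in Step 1).
GROUPS = {
    "Internal DCs": ["10.1.0.10", "10.1.0.11"],
    "DMZ DCs": ["192.0.2.10", "192.0.2.11"],
    "DMZ servers": ["192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.21"],
    "Internal jump hosts": ["10.1.5.5"],
}

# Constructed rows in the spreadsheet's column order.  Port cells use the
# "proto/port" notation assumed by this example; "any" means unrestricted.
RULES_CSV = """\
Service,DMZ Group,DMZ Port,Direction,Internal Group,Internal Port,Explanation
DNS,DMZ DCs,any,--->,Internal DCs,"tcp/53,udp/53",Conditional forwarder to the internal zone
Kerberos,DMZ servers,any,--->,Internal DCs,"tcp/88,udp/88",Trust authentication
LDAP,DMZ servers,any,--->,Internal DCs,"tcp/389,udp/389",Trust lookups
RDP,DMZ servers,tcp/3389,<---,Internal jump hosts,any,Admin access from jump hosts only
SCOM,DMZ servers,any,--->,???,tcp/5723,Fill in the SCOM management servers
WinRM,DMZ DCs,tcp/5985,<->,Internal DCs,tcp/5985,Wrong: both directions in one row
"""


@dataclass(frozen=True)
class Rule:
    service: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_ports(cell):
    """'tcp/53,udp/53' -> [('tcp', 53), ('udp', 53)]; 'any' -> []."""
    cell = cell.strip().lower()
    if cell in ("", "any"):
        return []
    ports = []
    for item in cell.split(","):
        proto, _, port = item.strip().partition("/")
        if proto not in ("tcp", "udp") or not port.isdigit():
            raise ValueError(f"bad port spec {item!r}")
        ports.append((proto, int(port)))
    return ports


def resolve(cell, groups):
    """A predefined group name, or a single IPv4 literal typed into the cell."""
    cell = cell.strip()
    if cell in groups:
        return list(groups[cell])
    if cell.count(".") == 3 and all(p.isdigit() for p in cell.split(".")):
        return [cell]
    raise KeyError(cell)   # a typo in a group name must not silently become a host


def expand_rules(csv_text, groups):
    """Return (rules, problems).  Rules are unique per (src, dst, proto, port)."""
    rules, problems, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Service"]
        if any("???" in str(v) for v in row.values()):
            problems.append(f"{name}: placeholder '???' not filled in, row skipped")
            continue
        direction = row["Direction"].strip()
        if direction == "--->":      # DMZ opens the connection to Internal
            src_cell, dst_cell, port_cell = row["DMZ Group"], row["Internal Group"], row["Internal Port"]
        elif direction == "<---":    # Internal opens the connection to DMZ
            src_cell, dst_cell, port_cell = row["Internal Group"], row["DMZ Group"], row["DMZ Port"]
        else:
            problems.append(f"{name}: direction {direction!r} not allowed, write two one-way rows")
            continue
        try:
            srcs, dsts, dports = resolve(src_cell, groups), resolve(dst_cell, groups), parse_ports(port_cell)
        except KeyError as e:
            problems.append(f"{name}: unknown group {e.args[0]!r}")
            continue
        except ValueError as e:
            problems.append(f"{name}: {e}")
            continue
        if not dports:
            problems.append(f"{name}: destination port must be explicit, not 'any'")
            continue
        for s in srcs:
            for d in dsts:
                for proto, port in dports:
                    if (s, d, proto, port) not in seen:   # overlapping groups emit a rule once
                        seen.add((s, d, proto, port))
                        rules.append(Rule(name, s, d, proto, port))
    return rules, problems


def render(rules):
    """One line per rule in a vendor-neutral form the network team can translate."""
    return [f"allow {r.proto} {r.src} -> {r.dst}:{r.dport}  # {r.service}" for r in rules]


if __name__ == "__main__":
    rules, problems = expand_rules(RULES_CSV, GROUPS)
    print("\n".join(render(rules)))
    for p in problems:
        print("PROBLEM:", p)
```

<p>Anything printed under PROBLEM has to be fixed in the sheet before the rules go out. Because the DMZ domain controllers are also members of the DMZ servers group, the expansion emits each (source, destination, protocol, port) combination only once, so overlapping rows do not produce duplicate firewall entries.</p> <h3>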
</h3> <h1>Active Directory domain security hardening with Microsoft Security Compliance Manager (SCM). Twelve easy steps.</h1> <p>Alexey Gorbunov, published 2013-08-12.</p> <p>A step-by-step guide to creating, exporting and importing Group Policy Objects that carry the recommended security baselines for your domain. </p> <p>The article is a complete guide to deploying the required GPOs. It assumes that you deploy the security baselines for Windows Server 2008 R2 SP1; you can easily adapt it to other versions of Windows.</p> <blockquote>Step 1. Prerequisites<br>Step 2. Domain Security Hardening GPO – Baseline design<br>Step 3. Domain Security Hardening GPO – Baseline export<br>Step 4. Domain Controllers Security Hardening GPO – Baseline customization<br>Step 5. Domain Controllers Security Hardening GPO – Baselines merge<br>Step 6. Domain Controllers Security Hardening GPO – Baselines export<br>Step 7. Member Servers Security Hardening GPO – Baseline design<br>Step 8. Member Servers Security Hardening GPO – Baseline export<br>Step 9. Target domain – GPO folders copying<br>Step 10. Target domain – The first GPO creation and settings import<br>Step 11. Target domain – Creation and import of two more GPO<br>Step 12. Target domain – GPO assignments</blockquote><br><br> <a name='more'></a> <h3>Step 1.
Prerequisites</h3> <p>Download the latest version of the SCM tool from the Microsoft web site: <a href="http://technet.microsoft.com/en-us/library/cc677002.aspx"><strong>http://technet.microsoft.com/en-us/library/cc677002.aspx</strong></a>. <br>Install SCM to your client computer. </p> <h3>Step 2. Domain Security Hardening GPO – Baseline design</h3> <p>Start <strong>Security Compliance Manager</strong> from the <strong>All Programs</strong> menu.</p> <p><br><br><a href="http://lh3.ggpht.com/-wYQhdAzntVs/UgkiV3p-CAI/AAAAAAAAAgE/8QOHMg6g4Jo/s1600-h/clip_image0024.jpg"><img title="clip_image002" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image002" src="http://lh5.ggpht.com/-duorW4TYjYA/UgkiW104fiI/AAAAAAAAAgM/hdDzLuBL668/clip_image002_thumb2.jpg?imgmax=800" width="399" height="294"></a></p> <p>The main SCM window opens. </p> <p> <br><a href="http://lh5.ggpht.com/-CcGEWK30J38/UgkiXHdDIVI/AAAAAAAAAgU/RG_GCt7yiOg/s1600-h/image3.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-yARkrlUxvsA/UgkiXjx2VWI/AAAAAAAAAgc/LEfh71LGBrU/image_thumb1.png?imgmax=800" width="597" height="441"></a><br>Expand <strong>Microsoft Baselines</strong> -> <strong>Windows Server 2008 R2 SP1</strong> in the navigation pane. Select <strong>WS2008R2SP1 Domain Security Compliance 1.0</strong>. 
<br><br><br><a href="http://lh6.ggpht.com/-y1r3w_CYkvo/UgkiYQ1DB6I/AAAAAAAAAgg/0gUtug4K3Ig/s1600-h/clip_image00293.jpg"><img title="clip_image002[9]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image002[9]" src="http://lh5.ggpht.com/-lOsiC336GJA/UgkiYoD1V1I/AAAAAAAAAgo/gM56U_AZf5M/clip_image0029_thumb1.jpg?imgmax=800" width="506" height="253"></a><br>Review the highlighted values suggested by SCM. Change if needed. <br> <br></p> <h3>Step 3. Domain Security Hardening GPO – Baseline export</h3> <p><br><a href="http://lh5.ggpht.com/-zaorHEZ6Sg8/UgkiZd2WgoI/AAAAAAAAAg0/ce-4qVP8Ms4/s1600-h/clip_image002113.jpg"><img title="clip_image002[11]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image002[11]" src="http://lh6.ggpht.com/-P9YgdgnkoKk/UgkiZ5SpTGI/AAAAAAAAAg8/JgbnV178bFQ/clip_image00211_thumb1.jpg?imgmax=800" width="628" height="262"></a><br>Select <b>GPO backup (folder)</b> task at the right pane. <br><br> <br><a href="http://lh4.ggpht.com/-YDuHA0RL9O8/Ugksd2x_lNI/AAAAAAAAAqU/7MLc7Ye30EI/s1600-h/image%25255B20%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-RNoyrD2RC9s/UgkseWzC6RI/AAAAAAAAAqc/8OQ4mCfL7pw/image_thumb%25255B9%25255D.png?imgmax=800" width="253" height="290"></a><br>Select a path to export the GPO and create a new folder named <b>SCM Domain Security Hardening GPO</b>. 
<br> <br><br><a href="http://lh4.ggpht.com/-6A6VHU3JZ9w/UgkibVTNQZI/AAAAAAAAAhU/u29t2Htr19A/s1600-h/clip_image0064.jpg"><img title="clip_image006" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image006" src="http://lh6.ggpht.com/-6RBea5nlXW8/UgkibzIRGWI/AAAAAAAAAhc/mnyijlUmUDk/clip_image006_thumb1.jpg?imgmax=800" width="628" height="221"></a><br>The GPO is exported to the folder.<br>Windows Explorer opens automatically to display the folder. <br>The exported GPO will later be imported into the target domain. </p> <p><br><i><span style="color: #c0504d"><strong>Important note! <br>The highlighted values take effect in the target domain only through a GPO that is linked to the root of the domain. This is how account policies (password, account lockout and Kerberos policy) work in Active Directory: domain controllers read them only from GPOs linked at the domain level. The settings are NOT applied if the GPO is linked to the Domain Controllers OU.</strong></span></i></p> <h3>Step 4. Domain Controllers Security Hardening GPO – Baseline customization</h3>Domain controllers typically run Active Directory Domain Services and the DNS Server service at the same time. Therefore we need a combined security baseline for these two services.
<br>SCM includes two separate baselines that must be <b>merged</b> into a single one: <br> <ul> <li><b>WS2008R2SP1 DNS Server Security Compliance 1.0</b> <li><b>WS2008R2SP1 Domain Controller Security Compliance 1.1</b></li></ul> <p><br><a href="http://lh4.ggpht.com/-yDHtUCwiCSQ/UgkicLCKmNI/AAAAAAAAAhk/8FmfuEFXU2U/s1600-h/clip_image002133.jpg"><img title="clip_image002[13]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image002[13]" src="http://lh4.ggpht.com/-Ne2JRPQ1RYQ/UgkicglsQwI/AAAAAAAAAhs/2xVzZRSDERY/clip_image00213_thumb1.jpg?imgmax=800" width="455" height="335"></a><br>Review both baselines first and adjust if needed.</p> <p><br><br><a href="http://lh3.ggpht.com/-cKUBQkO4xUs/UgkidAAle_I/AAAAAAAAAh0/cfu5mXTHtMM/s1600-h/clip_image00453.jpg"><img title="clip_image004[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image004[5]" src="http://lh4.ggpht.com/-MWm10GEC6Zw/Ugkidp4YLhI/AAAAAAAAAh8/pJIjT0lTD5I/clip_image0045_thumb1.jpg?imgmax=800" width="579" height="263"></a><br>Select the <b>WS2008R2SP1 DNS Server Security Compliance 1.0</b> baseline.<br>The baseline for DNS servers contains only settings within the <b>System Services</b> section.<br>No customization is needed for this baseline. 
<br> <br><br><a href="http://lh6.ggpht.com/-spliGsLFGlE/Ugkid4FRrOI/AAAAAAAAAiE/qZ7TpxmP54w/s1600-h/clip_image00653.jpg"><img title="clip_image006[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image006[5]" src="http://lh6.ggpht.com/-dBYjXfHa0L8/Ugkiefa_7hI/AAAAAAAAAiI/IbWBRQECvDI/clip_image0065_thumb1.jpg?imgmax=800" width="579" height="385"></a><br>Select the <b>WS2008R2SP1 Domain Controller Security Compliance 1.1</b> baseline.<br>The baseline for domain controllers is complicated and contains hundreds of settings. <br> <br></p> <h3>Step 5. Domain Controllers Security Hardening GPO – Baselines merge</h3> <p>To merge the baselines follow the steps below. </p> <p><br><a href="http://lh6.ggpht.com/-VpnwkFVIhvU/Ugkie__RapI/AAAAAAAAAiQ/FTL97e8AO7o/s1600-h/clip_image0084.jpg"><img title="clip_image008" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image008" src="http://lh6.ggpht.com/-4X7guKytzhA/UgkifMmYFVI/AAAAAAAAAic/2r_dFaNnTbM/clip_image008_thumb1.jpg?imgmax=800" width="596" height="317"></a><br>1. Select the <b>WS2008R2SP1 Domain Controller Security Compliance 1.1</b> baseline.<br>2. Click the <b>Compare/Merge</b> link at the right pane. 
<br><br> <br><a href="http://lh5.ggpht.com/-fzozADblsic/UgkifgddOmI/AAAAAAAAAik/MEcwzY6c0Yg/s1600-h/clip_image0104.jpg"><img title="clip_image010" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image010" src="http://lh5.ggpht.com/-DI8V-oLOS6A/UgkigG8XjYI/AAAAAAAAAis/aEWP1BLjRyg/clip_image010_thumb1.jpg?imgmax=800" width="298" height="343"></a><br>3. Select the <b>WS2008R2SP1 DNS Server Security Compliance 1.0</b> and click <b>OK</b>. <br><br> <br><a href="http://lh5.ggpht.com/-UChaw2ztv0I/UgkigphB2sI/AAAAAAAAAiw/lnZPhzQnFuw/s1600-h/clip_image0124.jpg"><img title="clip_image012" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image012" src="http://lh5.ggpht.com/-3SvYqnSMO5k/UgkihNrb9PI/AAAAAAAAAi8/tiH2AO0Ukw8/clip_image012_thumb1.jpg?imgmax=800" width="530" height="386"></a><br>The window compares two baseline settings. No changes here.<br>4. Click <b>Merge Baselines</b>. <br><br> <br><a href="http://lh3.ggpht.com/-QKnRtorYnRA/UgkiheO0dyI/AAAAAAAAAjE/PYtjkQCN3rg/s1600-h/clip_image0144.jpg"><img title="clip_image014" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image014" src="http://lh5.ggpht.com/-gNuu5QUNQ3Q/Ugkih1tU2bI/AAAAAAAAAjM/Ve-hIwGj0zs/clip_image014_thumb1.jpg?imgmax=800" width="529" height="291"></a><br>5. Resolve conflicts between the baselines by selecting the highlighted options. Click <b>OK</b>. 
<br> <br><br><a href="http://lh6.ggpht.com/-NQAft_ubGC0/UgkiiYBv-UI/AAAAAAAAAjU/Ii0fylHBvdM/s1600-h/clip_image0164.jpg"><img title="clip_image016" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image016" src="http://lh3.ggpht.com/-NANO0giQcrg/UgkiijSL9dI/AAAAAAAAAjc/qSijaD-h_7I/clip_image016_thumb1.jpg?imgmax=800" width="306" height="103"></a><br>6. Name the new custom baseline <b>Security Hardening - Domain Controllers and DNS Servers</b>. Click <b>OK</b>. <br><br> <br><a href="http://lh6.ggpht.com/-g5ocFe9VDgw/UgkijMIosdI/AAAAAAAAAjk/h07WLSHTZmg/s1600-h/clip_image0184.jpg"><img title="clip_image018" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image018" src="http://lh5.ggpht.com/-57z68fWnmgE/UgkijqEpNeI/AAAAAAAAAjs/DgzB87Tep0A/clip_image018_thumb1.jpg?imgmax=800" width="597" height="176"></a><br>7. The new custom baseline appears under the <b>Custom Baselines</b> node in the main window of SCM. <br> <br></p> <h3>Step 6. Domain Controllers Security Hardening GPO – Baselines export</h3>You must export the custom baseline in order to use it later in an Active Directory domain. <br><br><a href="http://lh4.ggpht.com/-SbsXQmTT7pg/UgkikPdyhHI/AAAAAAAAAjw/GIAfD9hSxzk/s1600-h/clip_image0204.jpg"><img title="clip_image020" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image020" src="http://lh3.ggpht.com/-GKuXPASze1Q/UgkiklUTdII/AAAAAAAAAj4/xyAxy_Uymto/clip_image020_thumb1.jpg?imgmax=800" width="597" height="189"></a><br>1. 
Select the <b>Security Hardening - Domain Controllers and DNS Servers</b> custom baseline.<br>2. Select the <b>GPO Backup (folder)</b> link in the right pane. <br><br> <br><a href="http://lh3.ggpht.com/-FMC-xjMJqqg/Ugkr9aqIfoI/AAAAAAAAApc/zaPDiZ8xpaE/s1600-h/image%25255B12%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-CnSlgVv1D80/Ugkr9yHw9tI/AAAAAAAAApk/yZEbRtGFkG4/image_thumb%25255B5%25255D.png?imgmax=800" width="253" height="290"></a><br>Select <b>Computer</b> > <b>C:</b> and then click the <b>Make New Folder</b> button.<br>Name the new folder <b>Security Hardening - Domain Controllers and DNS Servers baseline</b>.<br>Click <b>OK</b>. <br><br> <br><a href="http://lh5.ggpht.com/-61BZ7BGe35k/UgkimBjHhJI/AAAAAAAAAkU/19D-zDEoC5M/s1600-h/clip_image0244.jpg"><img title="clip_image024" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image024" src="http://lh3.ggpht.com/-I2svba9Qd7w/UgkimiWHqaI/AAAAAAAAAkc/4zJoAwBPmo4/clip_image024_thumb1.jpg?imgmax=800" width="628" height="160"></a><br>Windows Explorer opens and displays the newly created folder. <br><br> <h3>Step 7. Member Servers Security Hardening GPO – Baseline design</h3> <p>Review the <b>WS2008R2SP1 Member Server Security Compliance 1.1</b> baseline. It doesn’t require any customization or merging with another baseline. </p> <p><br><i><span style="color: #c0504d"><strong>Important note! <br>This security hardening baseline contains a couple of settings that may break your web applications, including SharePoint and MS SQL Server Reporting Services.
Please test this baseline carefully in a non-production environment first, and keep a way to roll it back (unlinking the GPO) ready in case an application breaks. </strong></span></i> </p> <h3>Step 8. Member Servers Security Hardening GPO – Baseline export</h3> <p>You must export the <b>WS2008R2SP1 Member Server Security Compliance 1.1</b> baseline in order to use it later in an Active Directory domain. <br><br><a href="http://lh6.ggpht.com/-BWYhP5Rs78c/Ugkim531mzI/AAAAAAAAAkk/r7RR1Jfm-MY/s1600-h/clip_image0264.jpg"><img title="clip_image026" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image026" src="http://lh4.ggpht.com/-xDJARU6W3BE/Ugkinb6BPuI/AAAAAAAAAks/q13CXCtAdxQ/clip_image026_thumb1.jpg?imgmax=800" width="568" height="263"></a><br>1. Select the <b>WS2008R2SP1 Member Server Security Compliance 1.1</b> baseline.<br>2. Select the <b>GPO Backup (folder)</b> link in the right pane. <br><br> <br><a href="http://lh6.ggpht.com/-jB-6b1FqHa4/UgktEb9njGI/AAAAAAAAAqk/2cLhjdo2V_8/s1600-h/image%25255B28%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-S1Uhlgf2WyI/UgktEy_9cZI/AAAAAAAAAqs/RLBBFP87Yds/image_thumb%25255B13%25255D.png?imgmax=800" width="256" height="294"></a><br>Select <b>Computer</b> > <b>C:</b> and then click the <b>Make New Folder</b> button.<br>Name the new folder <b>Security Hardening – Member Servers GPO</b>.<br>Click <b>OK</b>.
<br><br> <br><a href="http://lh3.ggpht.com/-w6h7GW1bUgY/UgkiozQ-vOI/AAAAAAAAAlE/4DEeJ6eUBu0/s1600-h/clip_image0304.jpg"><img title="clip_image030" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image030" src="http://lh5.ggpht.com/-DMfz3VHfkTM/UgkipR7ysdI/AAAAAAAAAlM/kfpFcAPLf3c/clip_image030_thumb1.jpg?imgmax=800" width="561" height="151"></a><br>Windows Explorer opens and displays the newly created folder. </p> <h3>Step 9. Target domain – GPO folders copying</h3> <p>Log on to a domain controller of the target domain. <br>Copy the exported GPO folders from your client computer to drive <b>C:</b> of the domain controller. </p> <p><br><a href="http://lh6.ggpht.com/-AVhOywV9J10/Ugkip13tCeI/AAAAAAAAAlU/snY3_-36WW4/s1600-h/clip_image002153.jpg"><img title="clip_image002[15]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image002[15]" src="http://lh5.ggpht.com/-3s4JLCDUswY/UgkiqWCq2EI/AAAAAAAAAlc/cXBcxWFPjdk/clip_image00215_thumb1.jpg?imgmax=800" width="628" height="299"></a> <br> <br></p> <h3>Step 10. Target domain – The first GPO creation and settings import</h3> <p>Open the <b>Group Policy Management</b> console.
<br><br><a href="http://lh3.ggpht.com/-IPifl_HbZUM/Ugkr_BoJOpI/AAAAAAAAAp4/dHAXjZvSyKI/s1600-h/image%25255B16%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.ggpht.com/-g5Mc1HWw-eE/Ugkr_hI3HGI/AAAAAAAAAqA/8rEYifpzZys/image_thumb%25255B7%25255D.png?imgmax=800" width="435" height="351"></a><br>1. Select the <b>Group Policy Objects</b> node.<br>2. From the Action menu select <b>New</b>. <br><br> <br><a href="http://lh5.ggpht.com/-f7ajOxtJB50/UgkirsO1tnI/AAAAAAAAAl0/sNDeIQjuJ0w/s1600-h/clip_image00673.jpg"><img title="clip_image006[7]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image006[7]" src="http://lh4.ggpht.com/-UZlbkI1ii44/UgkisAYSusI/AAAAAAAAAl8/HZ6PeVgzN2Y/clip_image0067_thumb1.jpg?imgmax=800" width="290" height="131"></a><br>Type <b>Security Hardening: Domain Security Compliance</b> in the Name field.<br>Click <b>OK</b>. <br><br> <br><a href="http://lh6.ggpht.com/-_nPkA8UisMA/UgkishOGbfI/AAAAAAAAAmE/l3MKIbT7v34/s1600-h/clip_image00853.jpg"><img title="clip_image008[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image008[5]" src="http://lh3.ggpht.com/-b1W1idsP3vk/UgkitBq1h4I/AAAAAAAAAmM/ogz2nE6X2QU/clip_image0085_thumb1.jpg?imgmax=800" width="357" height="329"></a><br>Select the newly created GPO.<br>Select <b>Action</b> > <b>Import Settings…</b> . <br><br> <br><b>Import Settings Wizard</b> window opens. 
<br><br><a href="http://lh3.ggpht.com/-iLwJDn-0J_E/UgkittyHzfI/AAAAAAAAAmU/87sfbmDnD2c/s1600-h/clip_image01053.jpg"><img title="clip_image010[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image010[5]" src="http://lh5.ggpht.com/-Y0PSm9hkuLw/UgkiuMePNrI/AAAAAAAAAmc/DgdIIs3igUk/clip_image0105_thumb1.jpg?imgmax=800" width="373" height="287"></a><br>Click <b>Next</b>. <br><br> <br><a href="http://lh3.ggpht.com/-OiQeUVctQx8/Ugkiu_nCFqI/AAAAAAAAAmk/5-yDficzM2Q/s1600-h/clip_image01253.jpg"><img title="clip_image012[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image012[5]" src="http://lh5.ggpht.com/-Aeg6DPcR8u0/UgkivUrSCuI/AAAAAAAAAms/u932Uu5xxzw/clip_image0125_thumb1.jpg?imgmax=800" width="388" height="299"></a><br>Click <b>Next</b>. <br><br> <br><a href="http://lh4.ggpht.com/-4PVRGVfEArY/UgkivixIVsI/AAAAAAAAAm0/smc-1OacDcg/s1600-h/clip_image01453.jpg"><img title="clip_image014[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image014[5]" src="http://lh6.ggpht.com/-ii4rhSJgTTc/UgkiwAzUiwI/AAAAAAAAAm8/9y5_uijQqHc/clip_image0145_thumb1.jpg?imgmax=800" width="388" height="298"></a><br>Browse to the folder that contains exported GPO.<br>Click <b>Next</b>. 
<br> <br><br><a href="http://lh4.ggpht.com/-GKwNziYekdo/Ugkiwm0sVbI/AAAAAAAAAnE/L-i_g0gVIJY/s1600-h/clip_image01653.jpg"><img title="clip_image016[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image016[5]" src="http://lh4.ggpht.com/-NA5CGCJU888/UgkixYZdm7I/AAAAAAAAAnM/czpOd2hoDjM/clip_image0165_thumb1.jpg?imgmax=800" width="389" height="299"></a><br>Click <b>Next</b>. <br><br> <br><a href="http://lh4.ggpht.com/-wCk0okO72sg/Ugkix-0_EoI/AAAAAAAAAnU/v-g6VoL4-M8/s1600-h/clip_image01853.jpg"><img title="clip_image018[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image018[5]" src="http://lh4.ggpht.com/-sR6iaFKWZ-U/UgkiyTF1wcI/AAAAAAAAAnc/btd-LHiGxpQ/clip_image0185_thumb1.jpg?imgmax=800" width="388" height="299"></a><br>Click <b>Next</b>. <br><br> <br><a href="http://lh5.ggpht.com/-MFD7Ec2sE0A/Ugkiy3bYFOI/AAAAAAAAAnk/9-Nengq6fOc/s1600-h/clip_image02053.jpg"><img title="clip_image020[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image020[5]" src="http://lh5.ggpht.com/-Wpt416HbxMI/UgkizMJ_JxI/AAAAAAAAAns/BJHoVuEAjv0/clip_image0205_thumb1.jpg?imgmax=800" width="380" height="292"></a><br>Click <b>Next</b>. 
<br><br> <br><a href="http://lh3.ggpht.com/-yTsdTJux76U/UgkizteXrrI/AAAAAAAAAn0/d9PLfcx5nxc/s1600-h/clip_image02253.jpg"><img title="clip_image022[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image022[5]" src="http://lh3.ggpht.com/-WUM7wF842x8/Ugki0Km5ffI/AAAAAAAAAn8/0ZVzuvcrZjo/clip_image0225_thumb1.jpg?imgmax=800" width="380" height="292"></a><br>Click <b>Finish</b>. <br><br> <br><a href="http://lh3.ggpht.com/-Vz7BZGhXbN4/Ugki0mE7pUI/AAAAAAAAAoA/6L93Tgi6_Qk/s1600-h/clip_image02453.jpg"><img title="clip_image024[5]" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="clip_image024[5]" src="http://lh4.ggpht.com/-dFKtuq59haE/Ugki1PlWtAI/AAAAAAAAAoM/MGB7QWQsYl8/clip_image0245_thumb1.jpg?imgmax=800" width="364" height="296"></a><br>Click <b>OK</b>. <br> <br></p> <h3>Step 11. Target domain – Creation and import of two more GPOs</h3>Repeat the Import Settings Wizard steps (see <strong>Step 10</strong>) for the other two previously exported GPOs: <br> <ul> <li><b>Security Hardening – Domain Controllers and DNS Servers GPO</b>; <li><b>Security Hardening – Member Servers GPO</b>.</li></ul><br><br> <h3>Step 12. 
Target domain – GPO assignments</h3>Assign the newly created GPOs according to the table below: <br> <table cellspacing="0" cellpadding="0" border="1"> <tbody> <tr> <td width="467"><b>GPO name</b></td> <td width="164"><b>Target </b></td></tr> <tr> <td width="467"><b>Security Hardening - Domain Security Compliance</b></td> <td width="164">The domain root</td></tr> <tr> <td width="467"><b>Security Hardening - Domain Controllers and DNS Servers </b></td> <td width="164">Domain Controllers OU</td></tr> <tr> <td width="467"><b>Security Hardening - Member Servers</b></td> <td width="164">Servers OU</td></tr></tbody></table> <p><br><br>Unlink all other default GPOs from these containers. <br>The domain Group Policy Object assignments should then look like this: <br><a href="http://lh6.ggpht.com/-rzmJJKiE22U/Ugki1mI2htI/AAAAAAAAAoU/6z9gSQxyc5k/s1600-h/image7.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-SOZfZebHKRY/Ugki2ART9FI/AAAAAAAAAoc/ax0y9dO1ULg/image_thumb3.png?imgmax=800" width="479" height="264"></a></p> <p> </p> <h3>Conclusion</h3> <p>Domain security hardening is not a complicated process when you use the right tools. The tricky part, however, is that every security hardening policy requires thorough testing in a non-production environment. 
This is especially true if you deploy it in a domain where applications have already been installed and configured.</p> Alexey Gorbunovhttp://www.blogger.com/profile/18267153771033870497noreply@blogger.com6tag:blogger.com,1999:blog-4928903420571163367.post-36344148113943495962013-08-09T14:10:00.002-07:002013-08-12T19:29:25.673-07:00User Account Control issueAfter applying the CIS security hardening baselines to Windows Server, you may notice an annoying window asking you to press Alt-Ctrl-End every time you try to perform an administrative task:<br><br> <div class="separator" style="text-align: left; clear: both"><a style="margin-left: 1em; margin-right: 1em" href="http://4.bp.blogspot.com/-fu_SQsE0DGY/UgVZ7ZWGTdI/AAAAAAAAAWw/7fhZIxjgq-8/s1600/UAC.jpg" imageanchor="1"><img border="0" src="http://4.bp.blogspot.com/-fu_SQsE0DGY/UgVZ7ZWGTdI/AAAAAAAAAWw/7fhZIxjgq-8/s1600/UAC.jpg"></a></div><br>To fix this behaviour you must change either the Group Policy that contains the security baseline settings or the Local GPO (if the baseline was applied locally).<br><br> <div class="separator" style="text-align: left; clear: both"><a style="margin-left: 1em; margin-right: 1em" href="http://2.bp.blogspot.com/-jPPywtXpxks/UgVaXx1DXRI/AAAAAAAAAW4/6rjGQX2j9Sg/s1600/UAC-2.png" imageanchor="1"><img title="Group Policy" border="0" alt="" src="http://2.bp.blogspot.com/-jPPywtXpxks/UgVaXx1DXRI/AAAAAAAAAW4/6rjGQX2j9Sg/s400/UAC-2.png" width="400" height="194"></a></div> <div class="separator" style="text-align: left; clear: both"> </div>After the change, all elevations will be performed without additional prompt windows. 
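<p>Before and after changing the policy it helps to see exactly which User Account Control values are in effect, because the secure-desktop prompt described above is the combined result of three settings. The following PowerShell is an added example, not code from the original post; it assumes the values live under the standard UAC policy key (<code>HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</code>) and labels each value with the name of the corresponding "User Account Control:" security policy.</p>

```powershell
# Added example (not from the original post). Reports the UAC elevation-prompt
# settings so you can see what the baseline changed and what the fix changes back.
# Assumption: values are read from the standard UAC policy key; the value
# meanings follow the Windows "User Account Control:" security policy names.
function Get-UacPromptSetting {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # OS defaults apply when a value is absent: EnableLUA=1, admin behaviour=5,
    # switch to secure desktop=1.
    $enableLua = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $behavior  = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $props.PromptOnSecureDesktop) { [int]$props.PromptOnSecureDesktop } else { 1 }

    [pscustomobject]@{
        UacEnabled                  = ($enableLua -eq 1)
        AdminPromptBehavior         = $adminBehavior[$behavior]
        PromptOnSecureDesktop       = ($secure -eq 1)
        # The secure-desktop prompt (the one that asks for Alt-Ctrl-End in an
        # RDP session) appears when UAC is on, admins are prompted at all, and
        # the prompt is switched to the secure desktop.
        SecureDesktopPromptExpected = ($enableLua -eq 1) -and ($behavior -ne 0) -and ($secure -eq 1)
        # Behaviour 0 means administrators elevate with no confirmation at all.
        SilentElevation             = ($enableLua -eq 1) -and ($behavior -eq 0)
    }
}

Get-UacPromptSetting | Format-List
```

<p>Run it once before editing the GPO and once after a <code>gpupdate /force</code>: if <code>SecureDesktopPromptExpected</code> flips to false the prompt is gone, and <code>SilentElevation</code> tells you whether the change removed the confirmation entirely rather than just moving it off the secure desktop, which is the difference worth recording in the change ticket.</p>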
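<p>Steps 10 to 12 of the domain hardening post above (create the GPOs, import the exported settings, link them and unlink everything else) can also be done without the GPMC wizard. The following PowerShell is an added example, not the author's own procedure; it assumes the RSAT <code>GroupPolicy</code> and <code>ActiveDirectory</code> modules are installed, that the backups exported from the source domain sit in <code>$BackupPath</code> under the same display names as in the Step 12 table, and that member servers live in an OU named <code>Servers</code> directly under the domain root.</p>

```powershell
# Added example (not from the original post): performs Steps 10 to 12 with the
# GroupPolicy and ActiveDirectory modules (RSAT) instead of the GPMC wizard.
# Assumptions: the GPO backups are in $BackupPath under the display names used
# in the Step 12 table, and the member servers are in an OU called "Servers"
# directly under the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Deploy-HardeningGpo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [string]$ServersOuName = 'Servers'
    )
    $domain    = Get-ADDomain
    $domainDn  = $domain.DistinguishedName
    $serversOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ServersOuName'" `
                     -SearchBase $domainDn -SearchScope OneLevel
    if (-not $serversOu) { throw "OU '$ServersOuName' not found directly under $domainDn" }

    # GPO display name -> link target, mirroring the Step 12 table.
    $assignments = [ordered]@{
        'Security Hardening - Domain Security Compliance'         = $domainDn
        'Security Hardening - Domain Controllers and DNS Servers' = $domain.DomainControllersContainer
        'Security Hardening - Member Servers'                     = $serversOu.DistinguishedName
    }

    foreach ($entry in $assignments.GetEnumerator()) {
        $name   = $entry.Key
        $target = $entry.Value

        # Steps 10 and 11: create the GPO if it does not exist and import the backup.
        if ($PSCmdlet.ShouldProcess($name, "Import settings from $BackupPath")) {
            Import-GPO -BackupGpoName $name -Path $BackupPath -TargetName $name -CreateIfNeeded | Out-Null
        }

        # Step 12: unlink everything else from the container, then link this GPO.
        $links = (Get-GPInheritance -Target $target).GpoLinks
        foreach ($link in $links) {
            if ($link.DisplayName -ne $name -and
                $PSCmdlet.ShouldProcess($target, "Unlink '$($link.DisplayName)'")) {
                Remove-GPLink -Name $link.DisplayName -Target $target | Out-Null
            }
        }
        if (-not ($links | Where-Object DisplayName -eq $name) -and
            $PSCmdlet.ShouldProcess($target, "Link '$name'")) {
            New-GPLink -Name $name -Target $target -LinkEnabled Yes | Out-Null
        }

        [pscustomobject]@{ Gpo = $name; Target = $target }
    }
}

# Review the plan first, then run it for real:
# Deploy-HardeningGpo -BackupPath 'C:\GPOBackups' -WhatIf
# Deploy-HardeningGpo -BackupPath 'C:\GPOBackups'
```

<p>Because the function unlinks the default GPOs from the domain root and the Domain Controllers container, run it with <code>-WhatIf</code> first and read the list of links it intends to remove. If the exported settings reference principals or UNC paths from the source domain, add a migration table with <code>-MigrationTable</code> on <code>Import-GPO</code>, which is the same question the wizard asks on its "Migrating References" page.</p>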
Alexey Gorbunovhttp://www.blogger.com/profile/18267153771033870497noreply@blogger.com15tag:blogger.com,1999:blog-4928903420571163367.post-76619319932441655622013-06-26T19:33:00.000-07:002013-08-12T19:34:21.234-07:00Troubleshooting SCCM 2012 Software Updates download<p>Sometimes SCCM returns an error message when you try to download an update:</p> <div class="separator" style="text-align: left; clear: both"><a style="margin-left: 1em; margin-right: 1em" href="http://4.bp.blogspot.com/-wAVZhnYmYvk/UcSl5D1boHI/AAAAAAAAAVo/ezMvnGLoWBs/s1600/Errors.jpg" imageanchor="1"><img border="0" src="http://4.bp.blogspot.com/-wAVZhnYmYvk/UcSl5D1boHI/AAAAAAAAAVo/ezMvnGLoWBs/s1600/Errors.jpg" wya="true"></a></div><br>The first step in the troubleshooting process is finding a log file named <strong>PatchDownloader.log</strong>. The log file location is not obvious, because it is not stored in the standard <strong>Program Files\Configuration Manager\Log</strong> folder with all the other SCCM logs.<br><br>Instead, <strong>PatchDownloader.log</strong> is created on the local computer from which you open the <strong>System Center 2012 Configuration Manager</strong> console. 
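<p>Since the log lives on the console machine rather than the site server, a small script saves the hunt through profile folders. The following PowerShell is an added example, not something from the original post: it looks for <strong>PatchDownloader.log</strong> in <strong>%temp%</strong> and in the numbered per-session Temp subfolders that Remote Desktop sessions use, then pulls out the warning and error lines and any download URLs. The line layout it parses is the standard CMTrace format (<code>&lt;![LOG[message]LOG]!&gt;&lt;time=... date=... type=N ...&gt;</code>, where type 3 is an error and type 2 a warning); the sample log lines at the end are constructed for offline testing, not taken from a real site.</p>

```powershell
# Added example (not from the original post). Finds PatchDownloader.log in
# %temp% (and the numbered per-session Temp subfolders that Remote Desktop
# sessions get) and summarises its warnings, errors and download URLs.
# The parser expects the standard CMTrace line layout:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# where type 1 = info, 2 = warning, 3 = error.

function Find-PatchDownloaderLog {
    param([string]$TempRoot = $env:TEMP)
    # In an RDP session %temp% is ...\Temp\<session id>, so search the parent
    # Temp folder plus every numeric subfolder under it.
    $parent = if ((Split-Path -Leaf $TempRoot) -match '^\d+$') { Split-Path -Parent $TempRoot } else { $TempRoot }
    $dirs = @($parent) + @(Get-ChildItem -Path $parent -Directory -ErrorAction SilentlyContinue |
                            Where-Object Name -match '^\d+$' |
                            Select-Object -ExpandProperty FullName)
    foreach ($dir in $dirs) {
        $file = Join-Path $dir 'PatchDownloader.log'
        if (Test-Path $file) { Get-Item $file }
    }
}

function Get-PatchDownloaderIssue {
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)".*?type="(?<type>\d)"'
    $severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $msg  = $Matches.msg
            $type = [int]$Matches.type
            $date = $Matches.date
            $time = $Matches.time
            # URLs are what you need for the manual download described in the post.
            $urls = @([regex]::Matches($msg, 'https?://\S+') | ForEach-Object { $_.Value.TrimEnd('.', ',', ')') })
            if ($type -ge 2 -or $urls.Count -gt 0) {
                [pscustomobject]@{
                    Date     = $date
                    Time     = $time
                    Severity = $severity[$type]
                    Message  = $msg
                    Urls     = ($urls -join ' ')
                }
            }
        }
    }
}

# Constructed sample lines (not a real log) so the parser can be tried offline;
# the KB number, content ID and HRESULT are placeholders.
$sampleLines = @(
    '<![LOG[Download destination = C:\Temp\Updates\sample.cab]LOG]!><time="14:02:11.123-420" date="06-26-2013" component="PatchDownloader" context="" type="1" thread="4212" file="cabdownloader.cpp:101">',
    '<![LOG[Downloading content for ContentID = 12345, FileName = windows6.1-kb0000000-x64.msu from http://download.windowsupdate.com/sample/windows6.1-kb0000000-x64.msu]LOG]!><time="14:02:12.456-420" date="06-26-2013" component="PatchDownloader" context="" type="1" thread="4212" file="cabdownloader.cpp:120">',
    '<![LOG[ERROR: DownloadContentFiles() failed with hr=0x80070005]LOG]!><time="14:02:13.789-420" date="06-26-2013" component="PatchDownloader" context="" type="3" thread="4212" file="cabdownloader.cpp:150">'
)

$log = @(Find-PatchDownloaderLog)
if ($log.Count -gt 0) {
    "Using $($log[0].FullName)"
    Get-PatchDownloaderIssue -Line (Get-Content -Path $log[0].FullName) | Format-Table -AutoSize -Wrap
} else {
    'No PatchDownloader.log found; showing the constructed sample instead.'
    Get-PatchDownloaderIssue -Line $sampleLines | Format-Table -AutoSize -Wrap
}
```

<p>The URL column is the list you hand to whoever manages the web proxy or security scanner, or use for the manual download and local import the post recommends; the error rows show which <code>hr</code> codes the download failed with so the same pattern can be recognised next time without opening CMTrace.</p>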
The file is located in the <strong>%temp%</strong> folder.<br><br> <div class="separator" style="text-align: left; clear: both"><a style="margin-left: 1em; margin-right: 1em" href="http://3.bp.blogspot.com/-a6kt5vyupic/UcSn3AsIfuI/AAAAAAAAAV4/_xuk4QwuN-0/s1600/temp.jpg" imageanchor="1"><img border="0" src="http://3.bp.blogspot.com/-a6kt5vyupic/UcSn3AsIfuI/AAAAAAAAAV4/_xuk4QwuN-0/s1600/temp.jpg" wya="true"></a></div> <div class="separator" style="text-align: left; clear: both">The <strong>%temp%</strong> folder itself is located within your user profile: <strong>C:\Users\<em><user_name></em>\AppData\Local\Temp</strong>.</div> <p><br><br>If you open the <strong>System Center 2012 Configuration Manager</strong> console in a Remote Desktop session on a site server, the <strong>%temp%</strong> location will be slightly different: <strong>C:\Users\<em><user_name></em>\AppData\Local\Temp\2</strong>.<br><br>Once you find the <strong>PatchDownloader.log</strong> file, open it with the <strong>CMTrace </strong>tool and review it.</p> <p>The most likely reason is that one or more updates are blocked by your security scanner, for example Websense.</p> <p>The solution is to download the required updates manually (see the <strong>PatchDownloader.log</strong> file for the URL links to the updates) and then import them into SCCM from a local disk instead of from the Microsoft Update site.</p> Alexey Gorbunovhttp://www.blogger.com/profile/18267153771033870497noreply@blogger.com17tag:blogger.com,1999:blog-4928903420571163367.post-57673398339630434112013-06-26T13:26:00.002-07:002013-08-12T16:02:58.954-07:00Domain controller post-promotion tasks: time synchronizationAfter you finish installing the first domain controller in a new forest, a couple of important settings must be configured:<br />
<ul>
<li>Time synchronization</li>
<li>Windows Activation service location</li>
</ul>
This part explains how to configure the first of them.<br />
<h3>
Time synchronization</h3>
The PDC Emulator must be synchronized with a reliable time source. In large companies this is usually one of the internal routers, which is configured to sync its time with an external NTP server.<br />
<br />
Once you finish installing the domain controller, log on to it, open an elevated Command Prompt and enter the following command:<br />
<br />
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: 'Courier New';">w32tm /config /manualpeerlist<em>:"<FQDN_of_internal_NTP_server></em> <em><IP_address_of_internal_NTP_server></em>" /syncfromflags:manual /reliable:yes /update</span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
Ensure that the command has completed successfully.</div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
Open the <strong>Event Viewer</strong> console from <strong>Administrative Tools</strong>.</div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
Select the <strong>Windows Logs</strong> > <strong>System</strong> node.</div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br />
Ensure that events <strong>35</strong> and <strong>37</strong> from the <strong>Time-Service</strong> source are logged.</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/--eGKwSQz7RQ/UctMnwhYUrI/AAAAAAAAAWI/_AxdJm8Z4cI/s1600/ts1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/--eGKwSQz7RQ/UctMnwhYUrI/AAAAAAAAAWI/_AxdJm8Z4cI/s1600/ts1.jpg" xya="true" /></a></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
Open event <strong>37</strong> and read the message details: "The time provider NtpClient is currently receiving valid time data from <Your_NTP_server>" (on UDP port 123). </div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
The message indicates that the time source was contacted successfully, so NTP traffic has crossed all the firewalls between the domain controller and the time server.</div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<a href="http://3.bp.blogspot.com/-2gL04Fraikk/UctMxLFfcSI/AAAAAAAAAWQ/SqD2kOxdwEM/s1600/ts2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-2gL04Fraikk/UctMxLFfcSI/AAAAAAAAAWQ/SqD2kOxdwEM/s1600/ts2.jpg" xya="true" /></a></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
Open event <strong>35</strong> and read the message details: "The time service is now synchronizing the system time with the time source <Your_NTP_server>" (on UDP port 123). <br />
This event indicates that the domain controller (PDC Emulator) is able to receive regular time updates from the time server.</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-GMqR52Td-5k/UctN_oyRsYI/AAAAAAAAAWg/RsNpJmY4m7g/s1600/ts3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-GMqR52Td-5k/UctN_oyRsYI/AAAAAAAAAWg/RsNpJmY4m7g/s1600/ts3.jpg" xya="true" /></a></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 3pt;">
<br /></div>
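<p>The same configure-then-verify sequence can be scripted so the two events and the current time source are checked in one go. The following PowerShell is an added example and not part of the original post: it wraps the <code>w32tm /config</code> command above with the same placeholders as parameters, then reports the FSMO role, the time source reported by <code>w32tm /query /source</code>, the Time-Service events found in the System log, and an optional NTP probe of the peer. It assumes the RSAT <code>ActiveDirectory</code> module is installed; event IDs 29, 36 and 47 are failure events from my own W32Time notes, not from the post.</p>

```powershell
# Added example (not from the original post). Applies the w32tm configuration
# from the post on the PDC Emulator and then verifies it the way the post
# describes: the current time source plus Time-Service events 35 and 37.
# Assumptions: the RSAT ActiveDirectory module is installed, and the peer
# values are placeholders you replace with your internal NTP server.
Import-Module ActiveDirectory

function Set-PdcTimeSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PeerFqdn,
        [Parameter(Mandatory)][string]$PeerIp
    )
    # Same syntax as the post: FQDN and IP in one space-separated peer list,
    # so the DC still has a peer if internal DNS is not resolving yet.
    $peers = "$PeerFqdn $PeerIp"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "w32tm /config /manualpeerlist:`"$peers`"")) {
        & w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
        if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
        & w32tm.exe /resync /nowait | Out-Null
    }
}

function Test-PdcTimeSync {
    param(
        [string]$Peer,              # optional: send real NTP packets to this peer
        [int]$LookbackHours = 24
    )
    # Only the PDC Emulator should take time from the external source;
    # every other DC should follow the domain hierarchy.
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = $pdc -like "$env:COMPUTERNAME.*"

    # "Local CMOS Clock" or "Free-running System Clock" as the source means
    # the configured peer is not actually being used.
    $source     = ((& w32tm.exe /query /source) -join '').Trim()
    $badSources = @('Local CMOS Clock', 'Free-running System Clock')

    # 35 and 37 are the success events the post points at. 29, 36 and 47 are
    # the W32Time "no source reachable / not synchronized / no valid response
    # from peer" events (from my own notes, not from the post).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $good   = @($events | Where-Object Id -in 35, 37)
    $bad    = @($events | Where-Object Id -in 29, 36, 47)

    # w32tm /stripchart sends real NTP requests, so a reply here proves the
    # UDP 123 path through the firewalls that event 37 also implies.
    $probe = if ($Peer) {
        (& w32tm.exe /stripchart /computer:$Peer /samples:3 /dataonly) -join "`n"
    } else { 'not probed' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IsPdcEmulator = $isPdc
        TimeSource    = $source
        SourceIsValid = ($badSources -notcontains $source)
        SuccessEvents = (($good.Id | Sort-Object -Unique) -join ',')
        FailureEvents = (($bad.Id  | Sort-Object -Unique) -join ',')
        PeerProbe     = $probe
        Healthy       = $isPdc -and ($badSources -notcontains $source) -and
                        ($good.Count -gt 0) -and ($bad.Count -eq 0)
    }
}

# Review first, then apply and verify (placeholder peer values):
# Set-PdcTimeSource -PeerFqdn 'ntp.corp.example' -PeerIp '10.0.0.1' -WhatIf
# Set-PdcTimeSource -PeerFqdn 'ntp.corp.example' -PeerIp '10.0.0.1'
# Test-PdcTimeSync -Peer 'ntp.corp.example' | Format-List
```

<p><code>Healthy</code> is only true on the PDC Emulator with a real source, at least one of events 35 or 37 in the lookback window and none of the failure events, so the same function can run on every DC and will flag a member DC that was accidentally pointed at the external peer as well as a PDC Emulator that silently fell back to its local clock.</p>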
Alexey Gorbunovhttp://www.blogger.com/profile/18267153771033870497noreply@blogger.com0