Windows Server 2016 Update settings


Hi guys, I noticed that Server 2016 doesn’t have options to schedule updates and restarts, but I found that it can be done with 3 scenarios, which I will share with you all.

First, I found the following useful policy and website 


Configure Group Policy Settings for Automatic Updates
This link is very useful: it describes what every policy can do.

Second

Go to CMD and run:

Sconfig


Choose option 5 

Third method 

Registry keys

In Windows Server 2016 there are no GUI options available to change the update behavior.
In this blog I will outline the different ways to change the Windows Server 2016 Update settings.

Windows always looks at registry keys located in the following hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Typically there is a registry value named ‘AUOptions’ in the range 2-5, with the following meanings:

– 2 = Notify before download.
– 3 = Automatically download and notify of installation.
– 4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.
– 5 = Automatic Updates is required and users can configure it.

But if there is a ‘NoAutoUpdate’ registry value set to ‘1’, no updates will be processed by Windows.


PowerShell

You can change the registry value directly with PowerShell:

Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 3
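
The check below is an added example, not part of the original post. It reads the AU policy values described above and reports the effective setting, including the case the list calls out (option 4 without ScheduledInstallDay and ScheduledInstallTime). The function name Get-AuPolicySummary is hypothetical.

```powershell
# Added example: summarize the Windows Update AU policy values on this server.
function Get-AuPolicySummary {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; State = 'AU policy key not present'; Issues = @() }
    }

    $au = Get-ItemProperty -Path $Path
    # Meanings as listed in the post above.
    $meaning = @{
        2 = 'Notify before download'
        3 = 'Automatically download and notify of installation'
        4 = 'Automatically download and schedule installation'
        5 = 'Automatic Updates is required and users can configure it'
    }
    $issues = @()

    if ($au.NoAutoUpdate -eq 1) {
        # Per the post, NoAutoUpdate = 1 means no updates are processed at all.
        $state = 'NoAutoUpdate = 1: no updates will be processed'
        if ($null -ne $au.AUOptions) {
            $issues += "AUOptions=$($au.AUOptions) is set, but NoAutoUpdate=1 takes precedence"
        }
    }
    elseif ($null -eq $au.AUOptions) {
        $state = 'AUOptions not set'
    }
    elseif (-not $meaning.ContainsKey([int]$au.AUOptions)) {
        $state   = "AUOptions=$($au.AUOptions)"
        $issues += 'AUOptions is outside the documented range 2-5'
    }
    else {
        $state = "AUOptions=$($au.AUOptions): $($meaning[[int]$au.AUOptions])"
        if ($au.AUOptions -eq 4) {
            # Option 4 is only valid when both schedule values exist.
            foreach ($name in 'ScheduledInstallDay', 'ScheduledInstallTime') {
                if ($null -eq $au.$name) { $issues += "AUOptions=4 requires $name" }
            }
        }
    }

    [pscustomobject]@{ Path = $Path; State = $state; Issues = $issues }
}

Get-AuPolicySummary | Format-List
```

Set-ItemProperty fails if the AU key does not exist yet; when Test-Path reports it missing, create the key with New-Item -Force before setting values.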

 


Service Principal Names


As Microsoft describes it:

“A service principal name (SPN) is a unique identifier of a service instance.”

So what does that mean?


Configure source of time on Domain


Configure time in my Active Directory

  • How to set the PDC ROLE server as the source of time zone on the network
  • How to move PDC role and Time service to another server

How to set the PDC ROLE server as the source of time zone on the Domain

How to set a time source in my domain


KRBTGT account cannot be enabled




The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.

Ref: https://technet.microsoft.com/en-us/library/dn745899.aspx#Sec_KRBTGT

How to know the SPN needed name


How to get the SPN of any server

And how to know the Service needed name

Setspn

First, open the Active Directory Administrative Center


Authorizing DHCP Server by a non-enterprise administrator



By default, only an administrator who is a member of the “Enterprise Admins” group can authorize a DHCP server installed in a domain environment. If another account tries to authorize a DHCP server that is a member server in a child domain, it may get “Access is denied”.

To solve this problem, I try to grant the permission to the child domain administrator.

 

1. At the forest root domain controller, log in as Domain Administrator.

2. Launch “Active Directory Sites and Services”.

3. On the menu, click “View > Show Services Node”.

4. Expand “Services > NetServices”.

5. Right-click “NetServices”, select “Delegate Control”.

6. On the “Delegation of Control Wizard” screen, click “Next”.

7. On the “Users or Groups” screen, add the user or group to which you want to grant permission to authorize DHCP servers.

8. Click “Next”.

9. On the “Tasks to Delegate” screen, select “Create a custom task to delegate”.

10. Click “Next”.

11. On the “Active Directory Object Type” screen, select “This folder, existing objects in this folder, and creation of new objects in this folder”.

12. Click “Next”.

13. On the “Permissions” screen, check “Full Control”.

14. Click “Next”.

15. Click “Finish”.

Now the non-enterprise administrator user account can authorize a DHCP server installed in the child domain.

Ref: http://terrytlslau.tls1.cc/2011/11/authroizing-dhcp-server-by-child-domain.html

https://technet.microsoft.com/en-us/library/cc786474(WS.10).aspx
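
Because the steps above grant Full Control on the NetServices container, it is worth reviewing afterwards exactly who holds explicit rights there. The following is an added example, not part of the original post: it lists non-inherited Allow ACEs on that container and marks trustees outside an expected baseline. The function name and the baseline lists are assumptions to adjust for your forest; it requires the ActiveDirectory module.

```powershell
# Added example: review explicit delegations on CN=NetServices in the Configuration partition.
Import-Module ActiveDirectory

function Get-NetServicesDelegation {
    param(
        # Assumed baseline of trustees expected to hold rights here; adjust as needed.
        [string[]]$ExpectedPrincipals    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
        [string[]]$ExpectedGroupSuffixes = @('\Enterprise Admins', '\Domain Admins')
    )

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn       = "CN=NetServices,CN=Services,$configNC"

    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    $fullCtrl = [int]$adRights::GenericAll
    # Individual write-type rights; GenericAll (Full Control) contains all of them.
    $writeBits = [int]($adRights'WriteDacl, WriteOwner, CreateChild, DeleteChild, WriteProperty')

    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
        ForEach-Object {
            $id     = $_.IdentityReference.Value
            $rights = [int]$_.ActiveDirectoryRights
            $known  = ($ExpectedPrincipals -contains $id) -or
                      ($ExpectedGroupSuffixes | Where-Object { $id.EndsWith($_) })

            [pscustomobject]@{
                Trustee     = $id
                Rights      = $_.ActiveDirectoryRights
                FullControl = ($rights -band $fullCtrl) -eq $fullCtrl
                CanModify   = ($rights -band $writeBits) -ne 0
                AppliesTo   = $_.InheritanceType
                Expected    = [bool]$known
            }
        }
}

# Show only trustees outside the baseline that can change objects in the container.
Get-NetServicesDelegation |
    Where-Object { $_.CanModify -and -not $_.Expected } |
    Format-Table -AutoSize
```

A group added through the wizard steps above shows up with FullControl set to True and AppliesTo set to All.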

Active Directory Security, Permission and ACL Analysis


 


http://www.ldapexplorer.com/en/liza.htm


 

LIZA

 
 



Fast and lucid display of container permissions and audit configurations in Active Directory environments.
Analysis: Where in the directory hierarchy are permissions granted for an account (including its group memberships)? For which objects is the permission inheritance blocked?

         
    Download Liza
    Version 1.8.11

Liza is a free tool for Active Directory environments which allows you to display and analyse object rights in the directory hierarchy. You could use the tool for example to perform security permission analysis in an AD domain or the AD Configuration Partition.



I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So with the LIZA development, I tried to display most of the permission ACE (Access Control Entry) information as simply as possible so you have an almost complete overview at first sight.

The following topics are available for the LIZA online manual: