Windows Server 2016 Update settings

Aside

Windows Server 2016 Update settings

Hi, guys, I noticed that server 2016 doesn’t have options to schedule updates and restart but I found that it can be done by 3 scenarios I will share it with you all

First, I found the following useful policy and website

Configure Group Policy Settings for Automatic Updates
this link is very useful in describing every policy what it can do

Second

Go to CMD and run the

Sconfig

Choose option 5

Third method

Registry keys

n Windows Server 2016 there are no GUI options available to change the update behavior.
In this blog I was outline the different ways to change the Windows Server 2016 Update settings.

Windows Server 2016 Update settings

Windows always looks at registry keys located in the following hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Typically there is a key named ‘AUOptions’ with a value in the range 2-5, and have the following meaning:

– 2 = Notify before download.
– 3 = Automatically download and notify of installation.
– 4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.
– 5 = Automatic Updates is required and users can configure it.

But if there is a ‘NoAutoUpdate’ key with the value of ‘1’, no updates will be processed by Windows.

PowerShell

You can change the registry key with the help of Powershell directly:

Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 3

Windows Server 2016 Update settings

Service Principal Names

Aside

Service Principal Names

As Microsoft descriptions

(A service principal name (SPN) is a unique identifier of a service instance.)

SO what is the meaning?

Continue reading →

Configure source of time on Domain

Posted on April 1, 2018 by kazaki82

Configure time in my Active Directory

How to set the PDC ROLE server as the source of time zone on the network
How to move PDC role and Time service to another server

How to set the PDC ROLE server as the source of time zone on the Domain

How to set a time source in my domain

Continue reading →

KRBTGT account cannot be enabled

Posted on May 2, 2017 by kazaki82

KRBTGT account cannot be enabled

The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.

Ref: https://technet.microsoft.com/en-us/library/dn745899.aspx#Sec_KRBTGT

How to know the SPN needed name

Posted on March 29, 2017 by kazaki82

How to get the SPN of any server

And how to know the Service needed name

Setspn

First, open the active directory administrative center

Continue reading →

Authorizing DHCP Server by a non-enterprise administrator

Posted on October 13, 2015 by kazaki82

Authorizing DHCP Server by a non-enterprise administrator

By default, only a administrator which is member of “Enterprise Admins” group can authorize the DHCP which is installed in domain environment. If the other accounts would like to authorize the DHCP server which is a member server in child domain, you may get “Access is denied“.

To solve this problem, I try to grant the permission for child domain administrator.

1. At the forest root domain controller, log in as Domain Administrator.

2. Launch “Active Directory Sites and Services“.

3. On the menu, click “View > Show Services Mode.

4. Expand “Services > NetServices“.

5. Right-click “NetServices“, select “Delegate Control“.

6. On “Delegation of Control Wizard” screen, click “Next“.

7. On “Users or Groups” screen, add an user or group which you want to grant permission for authorizing DHCP servers to.

8. Click “Next“.

9. On “Tasks to Delegate” screen, select “Create a custom task to delegate“.

10. Click “Next“.

11. On “Active Directory Object Type” screen, select “This folder, existing objects in this folder, and creation of new objects in this folder“.

12. Click “Next“.

13. On “Permissions” screen, check “Full Control“.

14. Click “Next” .

15. Click “Finish“.

Now, the non-enterprise administrator user account can authorize the DHCP Server which is installed in Child Domain.

Ref: http://terrytlslau.tls1.cc/2011/11/authroizing-dhcp-server-by-child-domain.html

https://technet.microsoft.com/en-us/library/cc786474(WS.10).aspx

Active Directory Security, Permission and ACL Analysis

Posted on July 15, 2014 by kazaki82

Active Directory Security, Permission and ACL Analysis

http://www.ldapexplorer.com/en/liza.htm

Bottom of Form

LIZA

Active Directory Security, Permission and ACL Analysis

Fast and lucid display of container permissions and audit configurations in Active Directory environments.
Analysis: Where in the directory hierarchy are permissions granted for an account (including it’s group memberships)?For which objects the permission inheritance is blocked?

    Download Liza
    Version 1.8.11

Liza is a free tool for Active Directory environments which allows you to display and analyse object rights in the directory hierarchy. You could use the tool for example to perform security permission analysis in an AD domain or the AD Configuration Partition.

Top of Form

Bottom of Form

I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So with the LIZA development, i tried to display most of the permission ACE (Access Control Entry) information as simple as possible so you have an almost complete overview at the first sight.

The following topics are available for the LIZA online manual:

	Security Descriptor Display
	Trustee Analysis
	Blocked Inheritance Analysis
	Objekte in LEX – The LDAP Explorer anzeigen
	Command Buttons

	Change Log and Installation Notes

Microsoft System Admins

Microsoft System Admins Products Support and configuration

Category Archives: Active Directory

Windows Server 2016 Update settings

Aside

Service Principal Names

Aside

Configure source of time on Domain

How to set the PDC ROLE server as the source of time zone on the network

How to move PDC role and Time service to another server

How to set the PDC ROLE server as the source of time zone on the Domain

How to set a time source in my domain

KRBTGT account cannot be enabled

How to know the SPN needed name

Authorizing DHCP Server by a non-enterprise administrator

Authorizing DHCP Server by a non-enterprise administrator

Active Directory Security, Permission and ACL Analysis

LIZA

Active Directory Security, Permission and ACL Analysis

Share this:

Like this:

Share this:

Like this:

How to set the PDC ROLE server as the source of time zone on the network

How to move PDC role and Time service to another server

How to set the PDC ROLE server as the source of time zone on the Domain

How to set a time source in my domain

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Authorizing DHCP Server by a non-enterprise administrator

Share this:

Like this:

LIZA

Active Directory Security, Permission and ACL Analysis

Share this:

Like this: