Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2

Article ID: 980360

INTRODUCTION

An update is available for Active Directory Domain Services (AD DS) Best Practices Analyzer in Windows Server 2008 R2. This update adds eight new rules to the Best Practices Analyzer for AD DS. Additionally, this update fixes an issue in an existing rule.

AD DS Best Practices Analyzer

AD DS Best Practices Analyzer can help you implement best practices in the configuration of your domain.

After you install AD DS Best Practices Analyzer on the domain controllers that are running Windows Server 2008 R2, Best Practices Analyzer scans the AD DS server role and reports best practice violations. You can filter or exclude results that you do not need from AD DS Best Practices Analyzer reports. You can perform the AD DS Best Practices Analyzer tasks by using either the Server Manager graphical user interface (GUI) or cmdlets for the Windows PowerShell command-line interface.
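
The scan, filter, and exclude tasks described above can be run from PowerShell as follows. This is an added example, not part of the original article; the cmdlet names, the BestPractices module, and the AD DS model ID are not given on this page, and the rule title is a placeholder.

```powershell
# Added example: run in an elevated session on a Windows Server 2008 R2
# domain controller that has the AD DS role installed.
Import-Module BestPractices

$model = 'Microsoft/Windows/DirectoryServices'   # AD DS BPA model ID

# Run the scan. Results are stored and read back with Get-BpaResult.
Invoke-BpaModel -BestPracticesModelId $model | Out-Null

# Filter: keep only violations that have not already been excluded.
$findings = Get-BpaResult -BestPracticesModelId $model |
    Where-Object {
        ($_.Severity -eq 'Error' -or $_.Severity -eq 'Warning') -and
        -not $_.Excluded
    }

$findings | Sort-Object Severity, Category |
    Format-Table Severity, Category, Title -AutoSize -Wrap

# Exclude: hide a finding that has been reviewed and accepted.
$acceptedTitle = '<title of the accepted rule>'   # placeholder, not a real rule title
Get-BpaResult -BestPracticesModelId $model |
    Where-Object { $_.Title -eq $acceptedTitle } |
    Set-BpaResult -BestPracticesModelId $model -Exclude $true
```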

Rules that are changed by this update

This update adds or updates the following rules in AD DS Best Practices Analyzer:
  1. User accounts and trusts should not be configured for "DES-only" encryption.
  2. The "Access this computer from the network" user right assignment should be granted to the following security groups on all domain controllers:
    • Authenticated Users
    • Built-in Administrators
    • Enterprise Domain Controller
    The "Deny access to this computer from the network" user right assignment should NOT be granted to the following security groups on all domain controllers:
    • Everyone
    • Authenticated Users
    • Built-in Administrators
    • Enterprise Domain Controller
  3. Validate that the Default Domain Controllers Policy Group Policy objects (GPOs) are linked to all domain controller computer objects even if some computer objects are not in the built-in Domain Controllers organizational unit.
  4. The infrastructure master role and the global catalog (GC) role should not be enabled on the same server. However, these roles can be enabled on the same server when one of the following conditions is true:
    • Only one domain controller exists in the forest.
    • All domain controllers in the forest are global catalog servers.
  5. All external trust objects in a domain must have the SID filtering feature enabled.

    For more information about SID filtering, visit the following Microsoft Web site:
    General information about SID filtering
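
Rules 1 and 5 can also be checked directly against directory attributes, independently of the analyzer. The following is an added example, not the analyzer's own logic or code from this article; the function names and sample objects are hypothetical, and the flag values are the standard userAccountControl and trustAttributes bits, which this page does not list.

```powershell
# Added example (not from the KB article). Flag values come from the
# userAccountControl and trustAttributes attribute definitions.
$UF_USE_DES_KEY_ONLY  = 0x200000  # account restricted to DES Kerberos keys
$TA_QUARANTINED       = 0x4       # SID filtering enabled on the trust
$TA_FOREST_TRANSITIVE = 0x8       # forest trust, not an external trust
$TA_WITHIN_FOREST     = 0x20      # trust inside the same forest

# Rule 1: emit the name of every account that has the DES-only flag set.
function Get-DesOnlyAccount {
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        if ([int]$Account.userAccountControl -band $UF_USE_DES_KEY_ONLY) { $Account.Name }
    }
}

# Rule 5: emit the name of every external trust without SID filtering.
function Get-UnfilteredExternalTrust {
    param([Parameter(ValueFromPipeline = $true)] $Trust)
    process {
        $attrs = [int]$Trust.trustAttributes
        $isExternal = -not ($attrs -band ($TA_FOREST_TRANSITIVE -bor $TA_WITHIN_FOREST))
        if ($isExternal -and -not ($attrs -band $TA_QUARANTINED)) { $Trust.Name }
    }
}

# Constructed sample objects so the logic can be checked offline.
$accounts = @(
    New-Object PSObject -Property @{ Name = 'svc-legacy'; userAccountControl = 0x200200 }
    New-Object PSObject -Property @{ Name = 'alice';      userAccountControl = 0x200 }
)
$trusts = @(
    New-Object PSObject -Property @{ Name = 'partner.example';  trustAttributes = 0x0 }
    New-Object PSObject -Property @{ Name = 'filtered.example'; trustAttributes = 0x4 }
    New-Object PSObject -Property @{ Name = 'forest.example';   trustAttributes = 0x8 }
)
$accounts | Get-DesOnlyAccount
$trusts   | Get-UnfilteredExternalTrust

# Live data on a domain controller (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(objectClass=user)' -Properties userAccountControl | Get-DesOnlyAccount
# Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes | Get-UnfilteredExternalTrust
```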

An issue fixed in an existing rule

The following rule is applied incorrectly to the MaxPosPhaseCorrection entry:
  • The value of the MaxNegPhaseCorrection entry on the domain controller should be equal to 48 hours.
Before you apply this update, the registry path that the rule checks is incorrectly set to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
After you apply this update, the registry path is corrected to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

MORE INFORMATION

Update information

How to obtain this update

This update is available from the Microsoft Update Web site:
http://update.microsoft.com
The following file is available for download from the Microsoft Download Center:

Download the update package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running Windows Server 2008 R2. Additionally, you must have the Active Directory Domain Services (AD DS) server role installed on the computer.

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

REFERENCES

For more information about AD DS Best Practices Analyzer, visit the following Microsoft Web site:
General information about AD DS Best Practices Analyzer
For more information about how to scan in Best Practices Analyzer, visit the following Microsoft Web site:
How to run or filter scans in Best Practices Analyzer

Properties

Article ID: 980360 - Last Review: August 3, 2010 - Revision: 4.0
APPLIES TO
  • Windows HPC Server 2008 R2
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard