Applying Domain controller policy to only one DC on a domain

We want to apply the Microsoft supplied group policy "MSFT Windows Server 2012 R2 Domain controller Baseline" to only 1 out of our 6 Server 2012 R2 Domain controllers. This server is also set up as an RODC and is in a DMZ, hence hardening.
Some of the settings within this policy would seem to be applicable to a domain rather than an individual server (DC), even though they are listed under "Local Policies".
The following are only some examples, there may be others.......
Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Other
Domain member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communications (always)
Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Domain Controller
Domain Controller: LDAP server signing requirements - Require signing
Computer Configurati......, Local Policies/Security Options, Network Security
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and Servers) - Require NTLMv2 session security and Require 128-bit encryption
My question is - If we apply this group policy to one DC only, will it affect any other Domain wide communication e.g. PCs to other DCs, Member servers to other DCs, DCs to DCs etc? I understand that after policy application, the DC may not function properly and we will need to test it and potentially relax some of the settings but we cannot afford to risk the rest of the domain from being affected. We are particularly concerned with the forcing of Digitally signing or encrypting communications.
Can anyone help?


If configured incorrectly, the policy might disable communication from or to the DC.
That being said, I think you are pretty safe applying the listed policy items.
MCP/MCSA/MCTS/MCITP
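
One way to scope the baseline to a single DC and to check that the other DCs are unchanged, as an added example that is not part of the original thread. Each setting listed in the question is stored as a registry value on the computer that applies the GPO, so the script reads those values from every DC. The computer name `DMZ-RODC01` is an assumed placeholder, and the script assumes the GroupPolicy and ActiveDirectory modules and PowerShell remoting (WinRM) to each DC.

```powershell
# Added example. $TargetDc is an assumed placeholder; the GPO name is the one given in the question.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'MSFT Windows Server 2012 R2 Domain controller Baseline'
$TargetDc = 'DMZ-RODC01'   # assumed computer name of the RODC in the DMZ

# 1. Security filtering: Authenticated Users may read the GPO but not apply it;
#    only the target DC's computer account gets "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetDc -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 2. Link the filtered GPO to the Domain Controllers OU (the call errors if the link exists).
$DcOu = (Get-ADDomain).DomainControllersContainer
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Registry values behind the settings listed in the question, with the value
#    each one holds when the setting is enforced.
$Checks = @(
    @{ Setting = 'Domain member: encrypt or sign secure channel data (always)'
       Key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'; Enforced = 1 }
    @{ Setting = 'Microsoft network server: digitally sign communications (always)'
       Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Enforced = 1 }
    @{ Setting = 'Domain controller: LDAP server signing requirements'
       Key = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Enforced = 2 }            # 2 = require signing
    @{ Setting = 'NTLM SSP minimum session security (clients)'
       Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NtlmMinClientSec'; Enforced = 0x20080000 }      # NTLMv2 + 128-bit
    @{ Setting = 'NTLM SSP minimum session security (servers)'
       Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NtlmMinServerSec'; Enforced = 0x20080000 }
)

# 4. Read the values from every DC in the domain and report them side by side.
$Report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Invoke-Command -ComputerName $dc -ArgumentList (, $Checks) -ScriptBlock {
        param($Checks)
        foreach ($c in $Checks) {
            $v = (Get-ItemProperty "HKLM:\$($c.Key)" -Name $c.Name `
                    -ErrorAction SilentlyContinue).($c.Name)
            [pscustomobject]@{ Setting = $c.Setting; Value = $v
                               Enforced = ($v -eq $c.Enforced) }
        }
    }
}
$Report | Sort-Object Setting, PSComputerName |
    Format-Table PSComputerName, Setting, Value, Enforced -AutoSize
```

Run step 4 once before steps 1 and 2 and again after a policy refresh on the target DC; the rows for the other five DCs should be identical in both runs.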

Similar Messages

  • How to apply Swap Image Restore for only one behaviour?

    Hi, I have two behaviors for one hotspot..
    the first, swaps another image on mouse over..
    the second, swaps another image on click..
    So, I want the "swap image restore" behaviour to apply only for the first. Is there a way to do that? cuz when I try it applies to both.

    @ NancyO
    I am trying to do the same thing as Magdi_alafifi - I have two swapImages on click that I want to stay and then another swapImage on mouseover with a "swap image restore" on mouse out.
    Here is my code:
    <img src="360.png" width="26" height="26" id="Image5" onclick="MM_swapImage('InnerSS','','innersolarsystemON.png',1);
    MM_swapImage('outerSS','','outersolarsystemON.png',1)" onmouseover="MM_swapImage('Image5','','360ON.png',1)" onmouseout="MM_swapImgRestore('Image5','','360.png',1)"  />
    The first swapImage on click works fine, but the second one swaps on click, and restores on mouseout.  The swapImage and swapImgRestore on mouseover and mouseout works fine.
    I hope this makes sense.

  • Only One domain controller, Remote Registry service keeps DISABLING itself. Where in the registry could this be set?

    This is killing my remote management. I have 4 server 2012R2 domain controllers. Only one of them is being affected with this problem. Almost every time I check, the remote registry service is disabled again. It seems like there is a corrupt group policy preference that keeps on attacking during a policy refresh, but I can't imagine setting a group policy to disable this service. It is needed for our remote management. Also the IP Tunnel service is also disabling. Another strange artifact is that when I set a Windows Firewall policy to add an exception for remote administration in a group policy to my Admin workstation, it seemed to set a firewall rule in other computers to block remote administration. I can not figure out where else this strange Windows Firewall rule Blocking remote administration could have come from. These may be related or they may not, but they are occurring on the same domain controller. I am able to set the RemoteRegistry service to enabled and to start it (which I have done too many times now), but it constantly is being changed back to disabled. I am searching the registry to find any invalid entries or artifacts that may be affecting these two annoying effects, but I cannot find anything yet.
    Any ideas? I need to know what policies will disable the remoteregistry service OR the IPTunelling service, or where in the registry this could be set to enact this during a policy refresh. Of course, any other ideas are welcome, I have spent several days troubleshooting this, and need to conquer this by tomorrow if possible, thank you. James

    Hi,
    Please type services.msc in RUN to open the Services panel and navigate to the Remote Registry service. Then open its Properties and set Startup type: Automatic. Then please check if this issue still exists.
    In addition, please refer to mlippold's suggestion (the last reply) in the following thread and configure the relevant value in the RemoteRegistry registry key, then check if it can help you to solve this issue.
    For registry items, please back up all registry items before all operations. That will help us to avoid some unexpected issues.
    Remote Registry Service stops automatically if we do not use it above 10 minutes
    By the way, did you open Event Viewer and check if you find any relevant errors?
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • PrepareDomain should it modify the Domain Controller Policy?

    I have Exchange 2010 installed with two servers in a DAG. I recently ran into a problem where two of the domain controllers were down and had to reboot both Exchange servers. Exchange would not come back online because of the missing SACL right on the other domain controllers.
    http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx
    I went ahead and ran exchange "setup /preparedomain" and I was able to get my DAG running again but when I check the "Default Domain Controllers Policy" it is not modified to allow the "Exchange Servers" group manage auditing
    and security log like I would expect it to.  There are no errors but it only modified the local domain controller policy.  So I would have to run this on every domain controller.

    Hi,
    According to your description, it seems like a DC replication issue.
    I recommend you refer to the following article to force sync manually:
    Force Replication Between Domain Controllers
    You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the
    site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Default Domain Controller Policy

    Hello All,
    We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
    We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
    But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Thanks.
    Thanks HA

    Hi,
    >>But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Regarding this point, the following articles can be referred to as reference.
    Chapter 4: Strengthening Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
    Applying Selected Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Default domain controller policy audit

    If I enable auditing in the default domain controller policy, will I see events only from all domain controllers or from all workstations in the domain, or should I create a new audit GPO and then link it to the workstation OU?

    If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain
    ---NO, you won't see workstations, only if editing the default domain policy. As described prior, best practice would be to create a new GPO with a great name that you won't mix up, such as "workstation audit GPO", and link it to the site, domain or OU you require.
    It's not great practice IMO adding loads of stuff to the default domain policy; when you want to troubleshoot, it is best to segregate GPOs with great, easy to interpret names for brevity.

  • EA2: Code is generated for only one column with Domain check constraint.

    I created a Domain with a Value List (Y or N - Yes or No) and used that domain for two columns in the same table. But for only one column (the last one) the check appears in the generated DDL.
    After I enabled the "Use Domain Constraints" both checks appear in the DDL, but one as an inline check constraint and one as an "Alter table add constraint.."
    Once I changed the naming Template for the check constraint, both constraints are generated as an Alter table clause. The inline check constraint is only generated when the name of the constraint (according to the template) is too long. It would be nice if I could choose if I want an inline or a separate check constraint definition.
    Edited by: Roel on Nov 23, 2010 11:55 AM
    Edited by: Roel on Nov 23, 2010 12:02 PM

    I logged ER for that
    Philip

  • Can I use Prime to create a WLAN report for only one controller?

    I have multiple controllers all configured with the same WLAN/SSID, like most people probably do. 
    I am trying to get a report on one WLAN/SSID from only one controller.  I don't want a report for the WLAN/SSID that contains information from all controllers - just one controller.
    Has anyone ever figured out how to do that?  Am I missing something?

    We're close to that, anyway.  I have a guest WLAN configured on each controller, and I want to see how metrics on the guest SSID, but would like it broken out per controller.
    The guest network client count almost equals our production client count, and all that traffic is getting tunneled across the backbone.  I want to explore local connectivity options - possibly dumping the guest WLAN traffic out at the controller instead of it traversing the corporate backbone.
    Can't seem to figure out how to get a report to show that - seems like it's "all or nothing"...

  • Applying only *one* rule on the emails in a mailbox

    Morning.
    Is there a way or a plug-in or something else, to apply only one certain rule to selected messages in Mail.app?
    TIA and kind regards, Friedrich

    No
    All photos frames must contain photos or you can not order the book
    LN

  • Only one Apply button for Dashboard Prompt in obiee

    Hi experts,
    We have a need where we need to place prompts at specified places, like one at right top then the next 3 one below the other. But only one Apply button.
    Please let me know how to customize OBIEE 11.1.1.5 to achieve this.
    Thanks in advance.

    Hi,
    You are using OBIEE 11g, so constrain the second report should be on the first prompt. I mean, in the second prompt properties we have an option like "based on the other prompt", where you need to give the first prompt column name. Likewise the third prompt also.
    Then you will get only one apply button for 3 prompts.
    Mark if helpful/correct..
    thanks,
    prassu

  • Missing rows / output only one row in a Report after applying patchset 2

    Hi.
    We use Reports Builder for 10g R2. We had the problem with our AS 10g R2 on windows 2003, that some reports creates duplicate rows when it is a ASCII report (desformat = delimited), see Bug 3340546.
    Now we apply Patchset 2 on a local machine, to test the functionality. It fix the problem (look in metalink doc ID 398955.1 under "2.12 Oracle Reports Developer Bugs")-
    But now most csv reports creates only one row instead of multiple rows.
    We run reports on our local machine with OC4N and local started Form (via Forms Builder) to generate the reports (local started report server) from DevSuite).
    When we start the reports with desformat=delimited the txt-file has only the header row and one data row (instead of multiple ones).
    And when we generate the same report with desformat=delimiteddata it looks fine and generates all rows as expected.
    We found neither here in the forum or in metalink knowledge base nor on the internet.
    Have you any suggestions for us how to fix this problem?
    Using delimiteddata is now acceptable solution for us, because delimited is easier to use.
    Thanks for your help!

    Hey folks.
    We have solved the problem. :)
    We applied PatchSet2 for 10gR2. But we don't know how the csv-report outputs only 1 data-row instead of several rows.
    Then we created a similar report (with the same sql-query) as a new one with the reports builder assistant.
    This one works pretty fine. So we looked for the attributes and saw the "max. number datasets for each site", and it was set to 0 in the new one and set to 1 in our old one.
    So we changed this and ... the old one works pretty fine! :)
    So the problem is that this attribute did not have any consequences in the old version. But since we updated with PatchSet 2 it respects this attribute, but we don't "see" it.
    Hope this helps others.

  • I created a watermark in LR4 and it applied to all photos I only wanted one photo marked.

    I created a watermark in LR4 and it applied to all photos I only wanted one photo marked. How can I keep it from adding the watermark to all of my photos?
    I want to be able to add them manually to each photo in a location that I choose so the photo is still visibly appealing.
    Thanks!

    I think it's a feature of the Web Module, since it is assumed that you would want the watermark on all images of a web-gallery.
    But, in this context (as always is the case in Lr) you have to take into consideration of how Lr works. Lr never ever changes your originals.
    "Watermark applied" means only that there is a set of data in the Lr catalog that says something like "when uploading the web-gallery the watermark has to be applied to the uploaded JPGs".
    Nothing has been done to your originals - even though they are displayed in the Web Module with the watermark. The originals are ever unchanged.
    If you go back to the Library Module (within the same Collection) you won't see a watermark.

  • Applying feathering to only one layer

    Hi,
    I'm creating a two-part ad.  One of the two parts (on two different layers) has a background image that I would like only the center to show up and the rest I'd like to whiten (about 90% opacity, leaving 10% of the background image visible) using feathering, as described in Feather Selections In Photoshop With Quick Mask
    So, does anyone know how to apply such feathering on only one layer?
    Thanks!
    -Ron

    Create a Layer Mask and apply Feather in the Properties Panel.
    Could you please post a screenshot with the Layers Panel visible?

  • Apply effect to only one video line

    Does anyone know how to apply a transition to only one video line? Check out my video for further explanation.
    http://www.youtube.com/watch?v=NPCs8lsJR3Y

    Can't do that with that transition. It will always affect the adjacent clip coming in or going out.

  • Issue with only one distribution point not able to access only one folder while PXE boot

    I am facing a problem where only one distribution point is not able to reach a particular folder through the network access account; all other DPs and other folders are working fine. I already verified that share and security permissions are in place. Through \\041TBVELCMS001.xyz.ORG\SMSPKGE$\VEL000EA\ I am able to reach it from the network, but while booting from a system that belongs to the particular DP, it gets stuck on the below folder where fdisk.cmd files are uploaded from the primary server. Please check the below logs and suggest what could be the actual issue.

    Severity: Error
    Type: Milestone
    Site code: CES
    Date / Time: 1/31/2014 12:32:11 PM
    System: MININT-L670NBC
    Component: Task Sequence Engine
    Message ID: 11135
    Description: The task sequence execution engine failed executing the action (DiskPart DataDisk) in the group (Install Operating System) with the error code 2147942402  Action output: T=80070047 (e:\nts_sms_fre\sms\framework\tscore\tsconnection.cpp,148) Failed to access the share \\041TBVELCMS-001.xyz.ORG\SMSPKGE$\VEL000EA\ with network access account !sAccessibleSource.empty(), HRESULT=80070002 (e:\nts_sms_fre\sms\framework\tscore\resolvesource.cpp,2392) GetAccessibleLocation(pszSource, saResolvedPath, sSourceDirectory, dwFlags, hUserToken), HRESULT=80070002 (e:...

    The error 80070047 states a msg as "No more connections can be made to this remote computer at this time because there are already as many connection as the computer can accept." Check the share quota if at all any limitations has been provided, if not,
    try giving one.. Also, check if any enterprise policy has been applied for the share connections limitations..
    bluerail
