Windows 2008 domain important security update

Dear All,
We have Windows Server 2008 x64 Enterprise Edition SP2. We implemented a domain controller and it's working fine. For the last 3 years we never updated any important patches and security updates. We would like to update important patches and security updates. Please let us know which are the important security updates and important patches.
We are waiting for your valuable tips.
Regards
Subash

Every Critical and Security patch is important. There is nothing like "important ones". If the server role is critical, then you can install Windows Server 2008 in your test environment, deploy the patches and check the stability. You can also check each update and read its description and then install it.
Prajwal Desai, http://prajwaldesai.com

Similar Messages

  • CERT_TRUST_IS_NOT_SIGNATURE_VALID when installing a 3rd-party cert in Windows 2008 Domain Controller

    Hello,
    I'm facing a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
    Basically, I'm following this TechNet
    http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
    1) I did create the file Reqdccert.vbs on the Domain Controller
    2) then I did generate the inf file
    cscript reqdccert.vbs DomainController E
    3) and then I generated a certificate request
    certreq -new AD.inf AD.req
    4) also I've imported RootCA and SubCA into the Certificate Store of the DC
    5) I got a signed certificate from our 3rd-party CA running on Windows 2000
    6) when importing the certificate I get the below error
    C:\>certreq -ACCEPT ad.p7c
    Certificate Request Processor: The signature of the certificate cannot be verifi
    ed. 0x80096004 (-2146869244)
    Here is the verbose log from CAPI2:
    + System 
      - Provider 
       [ Name]  Microsoft-Windows-CAPI2 
       [ Guid]  {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} 
       EventID 11 
       Version 0 
       Level 2 
       Task 11 
       Opcode 2 
       Keywords 0x4000000000000003 
      - TimeCreated 
       [ SystemTime]  2014-06-13T09:33:02.604870500Z 
       EventRecordID 304 
       Correlation 
      - Execution 
       [ ProcessID]  1700 
       [ ThreadID]  3032 
       Channel Microsoft-Windows-CAPI2/Operational 
       Computer ad.eac.igs 
      - Security 
       [ UserID]  S-1-5-21-4171312682-976198474-2692596432-500 
    - UserData 
      - CertGetCertificateChain 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com 
      - AdditionalStore 
      - Certificate 
       [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
       [ subjectName]  SubCA 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com
      - Certificate 
       [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
       [ subjectName]  RootCA 
       ExtendedKeyUsage 
      - Flags 
       [ value]  0 
      - ChainEngineInfo 
       [ context]  user 
      - AdditionalInfo 
      - NetworkConnectivityStatus 
       [ value]  1 
       [ _SENSAPI_NETWORK_ALIVE_LAN]  true 
      - CertificateChain 
       [ chainRef]  {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A} 
      - TrustStatus 
      - ErrorStatus 
       [ value]  8 
       [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
      - InfoStatus 
       [ value]  0 
      - ChainElement 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.11 
       [ hashName]  SHA256 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  8 
       [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
      - InfoStatus 
       [ value]  4 
       [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
      - ApplicationUsage 
      - Usage 
       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 
      - Usage 
       [ oid]  1.3.6.1.5.5.7.3.2 
       [ name]  Client Authentication 
      - Usage 
       [ oid]  1.3.6.1.4.1.311.20.2.2 
       [ name]  Smart Card Logon 
       IssuanceUsage 
      - ChainElement 
      - Certificate 
       [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
       [ subjectName]  SubCA 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.5 
       [ hashName]  SHA1 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  0 
      - InfoStatus 
       [ value]  101 
       [ CERT_TRUST_HAS_EXACT_MATCH_ISSUER]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
      - ApplicationUsage 
       [ any]  true 
       IssuanceUsage 
      - ChainElement 
      - Certificate 
       [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
       [ subjectName]  RootCA 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.5 
       [ hashName]  SHA1 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  0 
      - InfoStatus 
       [ value]  10C 
       [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
       [ CERT_TRUST_IS_SELF_SIGNED]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
      - ApplicationUsage 
       [ any]  true 
      - IssuanceUsage 
       [ any]  true 
      - EventAuxInfo 
       [ ProcessName]  certreq.exe 
       [ startTime]  2014-06-13T09:32:53.369Z 
       [ endTime]  2014-06-13T09:33:02.604Z 
       [ duration]  PT9.232850S 
      - CorrelationAuxInfo 
       [ TaskId]  {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B} 
       [ SeqNumber]  27 
      - Result The signature of the certificate cannot be verified. 
       [ value]  80096004 
    Any idea what the problem is?
    Thanks in advance,
    Davide.

    One common reason for that error is that the wrong SubCA certificate had been imported accidentally - e.g. an earlier 'version' of that SubCA with the same Subject CA name but a different key. In this case the validating client will try to build a chain based on name only, but finally the signature check fails.
    Could you cross-check if the extension Authority Key Identifier in your DC certificate is the same as the field Subject Key Identifier of the SubCA certificate? (These are typically hashes of the keys, though it is not standardized - it should be a unique string characteristic for the CA.)
    For the client cert, CERT_TRUST_HAS_NAME_MATCH_ISSUER is indicated in your log - thus the Issuer name in the client cert matches the Subject Name in the CA cert, but we don't know about SKI/AKI.
    Elke
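
The AKI/SKI cross-check suggested in the answer above can be scripted. The following is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the `.cer` path is a placeholder, and it assumes the issued certificate has been exported to a file on the DC. It lists every certificate in the intermediate and root stores whose subject matches the issuer name and shows whether its Subject Key Identifier equals the Authority Key Identifier of the issued certificate.

```powershell
# Added example. Function names are hypothetical; the file path is a placeholder.

function Get-SubjectKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ext) { return $null }
    # Re-wrap the raw extension so the typed SubjectKeyIdentifier property is available.
    $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension `
        -ArgumentList $ext, $ext.Critical
    return $ski.SubjectKeyIdentifier          # upper-case hex string
}

function Get-AuthorityKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if (-not $ext) { return $null }
    $der = $ext.RawData
    # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }
    if ($der.Length -lt 4 -or $der[0] -ne 0x30) { throw 'Unexpected AKI encoding' }
    $i = 1
    # Skip the SEQUENCE length (short form: 1 byte, long form: 1 + n bytes).
    if ($der[$i] -band 0x80) { $i += 1 + ($der[$i] -band 0x7F) } else { $i += 1 }
    # Tag 0x80 = context-specific [0]; if absent, the AKI carries no key identifier.
    if ($i + 1 -ge $der.Length -or $der[$i] -ne 0x80) { return $null }
    $len = $der[$i + 1]
    if ($len -lt 1 -or ($len -band 0x80) -or ($i + 1 + $len) -ge $der.Length) {
        throw 'Unexpected keyIdentifier length'
    }
    $bytes = $der[($i + 2)..($i + 1 + $len)]
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-IssuerKeyMatch {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [string[]]$Stores = @('Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')
    )
    $aki = Get-AuthorityKeyId $Leaf
    Get-ChildItem -Path $Stores |
        # Name match only (string comparison of the formatted names).
        Where-Object { $_.Subject -eq $Leaf.Issuer } |
        ForEach-Object {
            $ski = Get-SubjectKeyId $_
            New-Object PSObject -Property @{
                Store      = $_.PSParentPath
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                SKI        = $ski
                LeafAKI    = $aki
                # True only when both identifiers exist and are equal.
                KeyIdMatch = [bool]($aki -and $ski -and ($aki -eq $ski))
            }
        }
}

# Usage (placeholder path to the issued DC certificate, exported as a .cer file):
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\dc-cert.cer'
Test-IssuerKeyMatch -Leaf $leaf |
    Format-Table Thumbprint, NotBefore, SKI, LeafAKI, KeyIdMatch -AutoSize
```

A row with `KeyIdMatch` False is a same-name CA certificate with a different key, which is the case the answer describes; if no row shows True, the CA certificate that actually signed the request is not in either store.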

  • Adding Administrative Templates (.admx) for Windows 8 and Windows Server 2012 to my Windows 2008 domain

    Hi,
    We have a Windows 2008 domain, and now we need to configure IE 10 options, so we have to import the Windows 8 / 2012 ADMX files. Can we just do the following:
    1. Download
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    2. Unzip it and copy the .admx files to c:\Windows\Sysvol\<domain>\policies and create a directory called policydefinitions
    3. Then just re-open Group Policy Management ?
    Correct way or not? Will this have any implication on network or any old GPO.
    Thanks for reply
    /Regards Andreas

    > But i cant seem to find "Check for publisher`s certificate revocation",
    > so how can i disable this. I did see a url to create a ADML file, but
    > this was very old.
    Doesn't exist - only "Server certificate". The old URL might still be valid.
    Martin

  • SCEP 2012 Client in Windows 8 / 2012 - in Windows 2008 Domain - Not Syncing / Not Compatible

    Dear All,
    With lots of hardship I had installed SCEP 2012 in a Windows 2012 virtual machine in a Windows 2008 domain.
    The SCCM 2012 server on Windows 2008 Server with SQL 2008 was performing well and there were no issues until our company planned to convert the Windows 2008 Server to Windows 2012 Server (AD is 2008).
    WSUS is not fully syncing with SCCM 2012 (previously it was).
    Software updates are not pushing properly and, to top it all, the SCEP client is not compatible with Win 8.1 Pro or Win 2012 Server.
    Error: Failed to download content id 16787046. Error: Access is denied.
    Package:
      Success: The software updates were placed in the existing package:
    •     Deployment Package(JUN2014)
    Software updates that will be downloaded from the internet
      Error: Update for Forefront Endpoint Protection 2010 Client - 4.1.522.0 (KB2780435)
    Errors
        Failed to download content id 16787046. Error: Access is denied.
    Language Selection:
     English
    But the service account has full access - administrative rights and the administrator of the system.
    Please advise on this.

    Hi,
    All the software updates downloaded failed?
    Are there any errors in PatchDownloader.log? If you use Automatic deployment rule, please also check ruleengine.log.
    Please add the account with Full rights to the source share (both NTFS and Share permissions) where the Deployment Package is located.
    Best Regards,
    Joyce

  • Mac os x 10.7 joining to windows 2008 domain

    I recently started a project to understand Mac functionality in a traditional Windows domain. I am seeking instructions to add my MacBook Pro to our Windows 2008 domain. Thanks in advance!
    -r1cw3b

    I have verified every required setting closely and had it cross-checked over and over again with the network administrator himself. Every setting was in place, but when I tried to bind with the domain it returned "server not found".
    I also pinged the server and it works... I verified the RJ45 cable... all is fine.
    I tried updating from 10.7.3 to 10.7.4 but the problem persists.
    In fact, originally I had to bind the Mac OS X 10.7.3 and 10.7.4 to a Windows Server 2008 Standard SP2; it didn't work. Then afterwards I tried to bind them to a Windows Server 2008 R2... it worked on 2 but on the third it didn't.
    So does anybody have an idea, or can anyone confirm whether Windows Server 2008 Standard SP2 is compatible with Mac OS X 10.7.4?

  • Arch Samba - Windows 2008 Domain

    I made the thread below thinking I had solved my problem by giving access on FTMG... but unfortunately nope...
    https://bbs.archlinux.org/viewtopic.php?id=107350
    My Situation:
    3 Servers on Windows 2008 Domain (Example: 192.168.1.1 / 2 / 3)
    1.1 - DC
    1.2 - Exchange
    1.3 - ISA FTMG (Gateway to all servers)
    1 Arch Server for Backup (Samba Share PUBLIC) - 192.168.1.4
    And my problem is annoying at least: I go to one of my Windows 2008 servers and open \\192.168.1.4\Backup in Explorer, and sometimes it fully works without any problem... and other times (let's say 5 minutes later, when I try again) I get:
    Network path could not be found
    or
    xx.xx.xx.xx is not setup to establish a connection on port "File and Print Sharing (SMB)"
    BUT FROM THIS WINDOWS 2008 SERVER IT PINGS 192.168.1.4
    AND
    TRACERT GO DIRECTLY TO 192.168.1.4
    And if I try and try, eventually it will work again..... can't damn understand what's going on with this.....
    On ISA I gave FULL ACCESS to my servers to go where the hell they want and even so......
    Thanks in advance for all the help.... yep, I need it.
    Sniff

    KimTjik wrote:
    I'm sorry I didn't know that this wasn't covered in the Wiki. When I get some time I'll probably add something about. No neither of those links are correct. You already have one DC, a native Windows server, and the second one isn't necessary (you don't need to join the whole Linux workstation to the domain, just the Samba service; the Samba service will with hostname be recognized as a stand-alone server).
    In lack of an appropriate Wiki entry Samba's own How-to is better: http://www.samba.org/samba/docs/man/Sam … ember.html
    Look for this section: "Joining an NT4-type Domain with Samba-3"
    Even that How-to might be confusing since it covers all kinds of configurations at the same time. What you need, as far as I can understand your description, is only what's written in that section.
    Start with the strings in smb.conf for domain, password server (in your case probably the DC itself) and security set to domain. Restart samba and then you need to know an administrator account (user and password) and fill it in to the command example shown, e.g. "net rpc join -S DOMPDC -UAdministrator%password". If everything works you should get confirmation about it. You could also double-check the AD on the DC and see if the Samba server is added.
    See if you get this to work.
    OK, sorry for the delay in my answer but I was traveling and couldn't test the above in the production environment.
    I have added the backup server to the domain successfully but that was not the problem.
    Now I have full details and maybe you could give your opinion:
                                             FTMG (Forefront Threat Management Gateway)
                                                                   SWITCH LAYER 3
                      SERVER BACKUP----------------------SERVERDC---------------------------SERVEREXCHANGE
    THE PROBLEM is that if the DC or Exchange have a share, everything works OK (\\dc or \\exchange), but if you try to connect to the share on archserver, the connection drops quite often (\\archserver).
    WHY? Because after some tracing in FTMG, the Microsoft firewall considers that the archserver is doing spoofing; yes, it is on the same network as all servers, same domain as in the help above, trusted... etc.
    SOLUTION? First I gave permissions on the firewall to the archserver (ALLOW ALL / PROTOCOLS ETC), but even so the FTMG was intercepting all the requests to the archserver and still considered it to be spoofing... odd enough, no??!! By the way, the FTMG server controls the whole network; it is the gateway for all servers and switching.
    Are you thinking of changing the gateway on archserver, or just not setting any?... yep, same result, FTMG still catches archserver.
    I gave up and came up with my current solution (VLAN or BACKUP NETWORK): all servers with an extra Ethernet card dedicated to the backup network or VLAN, just for backup, without the firewall going there to trace anything.
    And that's it....
    But my question to you all is: every time we have a Linux server (share) together with FTMG in the same network, do you have the same result? It seems to me like FTMG has something like: IT'S LINUX / GET BLOCKED.
    Thanks for your help and patience regarding my answer.
    TD (Sniffer)

  • Please explain something strange that happened when I elected to receive an important security update to firefox. Thank You!

    I got a notice (pop up) saying I needed an important security update to Firefox, so I did it, but it ran for a really long time, and then I saw on the lower action bar that it was transferring information from or to l.collective-media.net. Why?! I "x'd" off the screen quickly. Please explain this to me, thank you.

    Sorry I gave this a 'this helped me' but after a long struggle I found some ticked box somewhere from some unauthorised Chrome extension blaaa....... the link you gave was great; not only did it confirm all the bad things Google is supposed to be up to, it provided a better browser. Cheers man.
    Anyone who finds this: I disabled all extensions in Chrome. I then searched the word proxy in the settings section. A button came up, "change proxy settings"; I clicked on it. Earlier it was greyed out as an extension was interfering. It brought up a box with my own settings from my computer. Then I clicked LAN settings, then unchecked the 'Use a proxy server' button.
    P.S. If you're using Chrome, bail, and download Komodo Dragon. It's virtually identical, but you're not tracked, and you can use Chrome extensions, and you can quickly transfer your Chrome preferences into it.

  • Why won't my HP Touch Smart 310 X64 Windows 7 Desk Top- Security Update Problem

    I am trying to run the update from 6/14/2011 for my 64-bit Windows 7. The update says "Security Update For NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2518869)" and I also keep getting the following error after I try to download this update I just listed. The error is listed as Code 800B0100 but I never can find help for it??? Such a pain in the you know what. Anyone ever have this problem?

    Hello scottmdy40:
    Go to this web site: http://windows.microsoft.com/en-US/windows7/Windows-Update-error-800B0100 Just do what it says. Good luck. If you still need more help with it, then contact Microsoft Support. Links are on this page as well.

  • Windows Vista 32 bit security updates

    After the latest security updates from Microsoft for Vista, 32 bit, the PC checks for system errors and restores to a point before the updates. Tried doing one update at a time and again get a system reset to before the updates.
    Sometimes get no signal to TV and the PC hangs and I have to do a forced shutdown. Today I get a blue screen and a message that Windows did not shut down normally, press Enter to start Windows normally. Enter password and repeat. Also booted with the emergency CD today and then get the same results after diagnostics run: blue screen, start up Windows normally, repeat. Starting in safe mode did nothing either. Several days ago ran disk cleanup. Defrag did not run because the drive was only 1% fragmented.
    Started using an HDMI cable instead of VGA to the TV about the same time this problem started and wonder if I should switch back to VGA. Do not believe that could be a problem unless there is something wrong with the HDMI port on the video card.
    This question was solved.

    Hi Flustered,
    You are having some issues!
    Could you provide your PC's product number?
    Well, you have to start troubleshooting somewhere, so I would restore the PC  to a point prior to the potentially troublesome Microsoft updates and temporarily stop automatic updates.
    I would also go back to VGA graphics and then run the PC and see if it stabilizes.
    You are blue screening when running diagnostics? What diagnostics are you using? Have you ever been able to complete the diagnostic tests and obtain results without blue screening?
    Jaco

  • Issue with Installing Oracle 10g R2 on a Windows 2008 Domain Controller

    I'm assigned an evaluation task for my company. The task involves installing Oracle on my Domain Controller server.
    I got "ORA-12560: TNS:protocol adapter error" when I installed Oracle 10g R2 for Win2K8 on my Windows 2008 (a Domain Controller server). It happened during the create predefined database period.
    I tried to google and noted that there are some RUMORS that say "We cannot deploy ORACLE on a Domain Controller, it's impossible".
    Is this true? Please, please advise!
    Thanks,

    This is a link to a same issue
    Creating instance oracle 10.2.0.4 on Windows 2008 32bit

  • Can i add a windows 2008 domain controller in a open directory  ?

    I want to add a Windows 2008 R2 domain controller to an Open Directory.
    Is this possible, and can it replicate all users to Active Directory?

    Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
    Also you can refer below link
    http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
    Mai Ali | My blog: Technical

  • Windows 2008 R2 Server: Can't update the group belonging

    Hello,
    I have a Windows 7 client computer which is administered by a Windows 2008 Server.
    When I try to change the local grants of the user account on that client computer, the following message appears:
    "Cant update the group belonging for NameDomain\user"
    As a result I can't change local grants for the user. I can't change his status from administrator to user of that machine.
    Can anybody tell me how I can solve this issue?
    Thanks in advance
    Regards

    Hi,
    Thanks for your feedback. Did you mean that the issue exists after you removed DameWare tools?
    Please make sure that you have more than one administrator account on your computer, or you can't change it to a standard account since Windows requires at least one administrator account on a computer.
    If you have another administrator account, you can try to use it to change the user’s account type.
    Best regards,
    Susie

  • Keep getting a window to install a security update for Firefox 25.0.1. I have installed it 3 times already and still get the notice to install it again.

    At least twice a day I get a pop up window alerting me to the need to install a security update for Firefox 25.0.1. I have installed it several times and still I am prompted to install it again. I have received no response from Mozilla on this issue. I had sent in an email about this several days ago.

    Please note that all technical support is performed through this site. Mozilla will not respond to emails requiring technical support.
    Try Firefox Safe Mode and updating while in safe mode to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
    (If you're not using it, switch to the Default theme.)
    * On Windows you can open Firefox 4.0+ in Safe Mode by holding the Shift key when you open the Firefox desktop or Start menu shortcut.
    * On Mac you can open Firefox 4.0+ in Safe Mode by holding the option key while starting Firefox.
    * On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
    * Or open the Help menu and click on the "Restart with Add-ons Disabled..." menu item while Firefox is running.
    Once you get the pop-up, just select "Start in Safe Mode".
    If the issue is not present in Firefox Safe Mode, your problem is probably caused by an extension, and you need to figure out which one. Please follow the "Troubleshooting extensions and themes" article for that.
    To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.
    Please report back soon.

  • Join ipad to windows 2008 domain?

    Can I put the iPad in a domain with Windows 2008 x64?
    If I can, what do I need to do?

    Hi,
    Thanks for your posting.
    Have you checked this article?
    Migrate windows users profiles from a workgroup to a domain
    http://it.mzedan.com/2012/02/15/migrate-windows-users-profiles-from-a-workgroup-to-a-domain/
    A similar thread has been discussed:
    Transferring from Workgroup to Domain - Keeping user profile
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac17d6a-3c1b-4188-913e-ac2ec45b3ad6/transferring-from-workgroup-to-domain-keeping-user-profile?forum=winservergen
    And this thread talks about non-domain USMT for Windows Server 2003/2008:
    http://social.technet.microsoft.com/Forums/en-US/fe799f52-183e-4953-b894-92415f6dcd82/nondomain-usmt-for-windows-server-20032008?forum=winserverMigration
    Hope this helps.
    Regards.

  • Migration of a Windows 2008 Domain to 2012 with SCCM 2012 installed

    Hey there,
    I have been requested to migrate two 2008 domains to 2012 with a possible merge.
    Done this many times, but in this case I have SCCM 2012 installed in the environment.
    SCCM is not covered by me, but I would like to have some additional background on this...
    Are there any special points to give attention to?
    Any hints or ideas on this?
    Best regards
    Chris
    btw: I still found that I am not "allowed" to migrate the SCCM itself, but need to reinstall it...

    i have been requested to migrate two 2008 Domains to 2012 with a possible merge.
    Done this many times, but in this case i have a SCCM 2012 installed in the Environment.
    btw: i still found, that i am not "allowed" to migrate the sccm itself, but Need to reinstall it...
    Let's say you have two domains - Domain 1 and Domain 2. Both have W2008 DCs. SCCM 2012 has been deployed to Domain 1.
    You could just upgrade to W2012 DCs in Domain 1, then migrate Domain 2 resources to Domain 1. In this way SCCM is unaffected.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson
