Tag Archives: BPA

Error: DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Error
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
BPA - Error DHCP Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server

What does this mean?

If you have the DHCP service installed on your domain controller without a service account configured, by default, DNS registrations from DHCP clients will be prevented from being registered and will log event 1056 in event viewer.

Solution: Complete the following steps below to change the credentials of the service account used for DHCP.

  1. Before beginning, make sure you have a service account you can use to set the DHCP Server to run as.  This account should be a domain account (not a local account) and should not have any fancy privileges (standard user account, not an administrator).
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Click Tools and select DHCP
    Server Manager - Tools - DHCP
  4. Expand your DHCP server and right click on the IPv4 service and select Properties
    DHCP - IPv4 - Properties
  5. Select the Advanced tab and then click the Credentials... button
    DHCP - IPv4 Properties - Advanced - Credentials...
  6. Enter in the User name, domain, password, and confirmation password to the user and click OK
    DNS dynamic update credentials
  7. Click OK on the IPv4 Properties screen
  8. Repeat this step on each of the DHCP servers in your domain.  It is recommended to use the same service account on each of the machines.

Notes: The official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx
Another very good Technet article written by karammasri on this subject can be found here: http://blogs.technet.com/b/stdqry/archive/2012/04/03/dhcp-server-in-dcs-and-dns-registrations.aspx

Warning: Short file name creation should be disabled

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Short file name creation should be disabled
Short file name creation should be disabled

What is short file name creation?

Back in the good ol' days of windows, filenames were limited to a format of 8 characters for the name, a period, and then 3 characters for a file extension.  The filename was limited by FAT formatted partitions.  Unless running very old legacy applications, this can be safely turned off to help with performance.

Solution: Complete the following steps below to disable short file name creation.

  1. Open up an elevated powershell console
    Server 2012 - PowerShell - Run as Administrator
  2. Execute the following command
    1. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name NtfsDisable8dot3NameCreation -Value 1
      Set-ItemProperty HKLM-SYSTEM-CurrentControlSet-Control-FileSystem
  3. Optionally, you can open up registry viewer and confirm the value has been changed.
    Registry Editor - HKLM-SYSTEM-CurrentControlSet-Control-FileSystem

Notes: An official KB article from Microsoft on this topic can be found here: http://technet.microsoft.com/en-us/library/ff633453(v=ws.10).aspx

Warning: Enable Receive Side Scaling (RSS) on a network adapter

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Enable Receive Side Scaling (RSS) on a network adapter
Server Manager - Best Practices Analyzer - Warning - Enable Receive Side Scaling RSS on a network adapter

What is Receive Side Scaling (RSS)?

Per Microsoft's website, Virtual Receive-side scaling (RSS) is a feature in Windows Server® 2012 R2 that allows the load from a virtual network adapter to be distributed across multiple virtual processors in a virtual machine.

Solution: Complete the following steps below to enable Receive-side scaling (RSS) on a network adapter.

  1. Open up an elevated command prompt
    Elevated Command Prompt
  2. Execute the following command
    1. netsh interface tcp set global rss=enabled
      command prompt - netsh interface tcp set global rss enabled
  3. At this point, Receive Side Scaling should be enabled.  Optionally, you can verify this in the Windows GUI.  Follow the steps below for verification.
    1. Execute the following command to open up device manager
      1. DEVMGMT.msc
        command prompt - devmgmt
    2. Expand Network adapters, right click on your adapter and select Properties
      device manager - network adapters - properties
    3. Select the Advanced tab and find Receive Side Scaling.  Set this to Enabled if it isn't already.
      Network Adapter Properties - Advanced - Receive Side Scaling

Notes:
An official KB article on this issue can be found here: http://technet.microsoft.com/en-us/library/gg162712(v=ws.10).aspx
An official KB article about Receive Side Scaling can be found here: http://technet.microsoft.com/en-us/library/dn383582.aspx

Warning: All OUs in this domain should be protected from accidental deletion

Symptom: When running the Microsoft Best Practices Analyzer on Server 2008 - Server 2012 R2, you receive the following warning:

Severity: Warning
All OUs in this domain should be protected from accidental deletion
Server Manager - Best Practices Analyzer - Warning - All OUs in this domain should be protected from accidental deletion

What is accidental deletion?

By protecting all OUs in the domain from accidental deletion, you will prevent yourself from being able to simply right click and delete an organizational unit in Active Directory Users and Groups.  By enabling accidental deletion on all OUs, you will have to take an extra step to delete the OU (which can be nice, as you don't want to accidentally delete an OU with important users or groups in it).

Solution:

Complete the steps below to enable protect all OUs in the domain from accidental deletion.

  1. Open up Server Manager
    Server 2012 R2 - Server Manager
  2. Click Tools and select Active Directory Module for Windows PowerShell
    Server Manager - Tools - Active Directory Module for Windows PowerShell
  3. Optional Step: Execute the following command to see which OUs are not currently protected from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedNameList unprotected OUs from Accidental Deletion PowerShell
  4. Execute the following command to protect all OUs in the domain from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $trueProtect OUs from Accidental Deletion PowerShell

Notes: An official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/dd723677(v=ws.10).aspx

Warning: DNS: The DNS server should have scavenging enabled

Symptom: When running the Microsoft Best Practice Analyzer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, you receive the following recommendation/warning:

Severity: Warning
DNS: The DNS server should have scavenging enabled.
Server 2012 - BPA - The DNS server should have scavenging enabled

What is DNS scavenging?

Per Microsoft: Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

Solution: Complete the following steps below to enable scavenging of DNS records.

  1. Click Start (right click Start if in Server 2012), and select Run
    Server 2012 - Run
  2. Type dnsmgmt.msc and click OK
    Run - dnsmgmt-msc
  3. Right click on your server and select Properties
    DNS Manager - Properties
  4. Click on the Advanced tab and check Enable automatic scavenging of stale records
    DNS Manager - Properties - Advanced - Enable automatic scavenging of stale records
  5.  Click OK

Notes: The official KB article from Microsoft can be found here: http://technet.microsoft.com/en-us/library/ff807390(v=ws.10).aspx