Archive for December 2009

DNSSec Zone TrustAnchors

December 18, 2009

I started to see this error as I moved servers in my test environment to Windows 2008 R2.

Alert

Name: DNS 2008 Monitor Zone Resolution Alert

Description: Zone TrustAnchors on DNS Server VDC01.Cosiris.local is not responding to queries.

Source: TrustAnchors (VDC01.Cosiris.local)

The MP is DNS 2008 MP v6.0.6480.0 and OpsMgr 2007R2.

I had not seen this before and, as I was having some general problems with the test environment, I thought that it might be linked. In fact it seems to be a new feature of Windows 2008 R2. A bit of searching brought in some more information on DNSSec (DNS Security).

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-trust-anchor-03

http://www.dnssec-tools.org/wiki/index.php/Trust_Anchor

http://blogs.technet.com/sseshad/archive/2008/10/30/dnssec-in-windows-7.aspx

DNSSEC in Windows Server 2008 R2

From http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx

A trust anchor is a preconfigured public key associated with a specific zone. Windows Server 2008 R2 supports the configuration of trust anchors by using DNSKEY resource records.

A validating DNS server must be configured with one or more trust anchors in order to perform validation. At least one trust anchor is required if any DNSSEC data is to be validated by the DNS server. Additional trust anchors can be deployed to support islands of trust. DNS server management tools (DNS Manager and Dnscmd.exe) can be used to locally or remotely view and modify trust anchors. Trust anchors apply only to the zone for which they are configured.

If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and will be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns in %windir%\System32\DNS.
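Because a trust anchor is just a DNSKEY record that the validator trusts unconditionally, it is worth confirming that the key you import matches what the zone operator published out of band. The following is an added example, not code from the original post or from Microsoft: it parses a DNSKEY record in standard zone-file presentation form, computes the RFC 4034 key tag and the SHA-256 DS digest, and reports reasons not to accept the record. The record, the zone name `example.com.` and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed record: the 8-byte "key" is illustrative only, not a real RSA key.
SAMPLE = "example.com. 3600 IN DNSKEY 257 3 5 AQIDBAUGBwg="

def parse_dnskey(line):
    """Split 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return {"owner": fields[0].lower(), "flags": flags,
            "protocol": protocol, "algorithm": algorithm, "key": key}

def rdata(rec):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]

def key_tag(rec):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    total = 0
    for i, byte in enumerate(rdata(rec)):
        total += byte << 8 if i % 2 == 0 else byte
    total += (total >> 16) & 0xFFFF
    return total & 0xFFFF

def ds_sha256(rec):
    """SHA-256 DS digest over owner name (wire format) + RDATA (RFC 4509)."""
    labels = [l for l in rec["owner"].split(".") if l]
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(owner + rdata(rec)).hexdigest().upper()

def check_anchor(line, expected_tag, expected_digest=None):
    """Return a list of reasons not to trust this record as an anchor."""
    rec = parse_dnskey(line)
    problems = []
    if rec["protocol"] != 3:
        problems.append("protocol field must be 3")
    if not rec["flags"] & 0x0100:
        problems.append("Zone Key flag not set")
    if not rec["flags"] & 0x0001:
        problems.append("SEP flag not set (not a key-signing key)")
    if key_tag(rec) != expected_tag:
        problems.append("key tag %d != published %d" % (key_tag(rec), expected_tag))
    if expected_digest and ds_sha256(rec) != expected_digest.upper():
        problems.append("SHA-256 DS digest mismatch")
    return problems
```

The key tag is only a 16-bit checksum for picking a key out of a set; the digest comparison is the check that actually binds the anchor to the published key.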

The reason it shows up as an alert is that it appears to be a DNS zone in Windows 2008 R2. As I am not intending to run DNSSec I just put an override on this alert.

For a 12:47 video on DNSSec and a link to a deployment white paper go to this link http://edge.technet.com/Media/DNS-Security-DNSSec-Overview/.

Ian

Dec 2009

Group Policy Preprocessing (Active Directory) Alert

December 14, 2009

This error may occur on Windows 2008 servers.

Group Policy Preprocessing (Active Directory) Alert
Alert Description

Source: Server name
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Active Directory Bind Monitor

Summary

Group Policy Preprocessing (Active Directory)

Group Policy processing requires Active Directory. The Group Policy service reads and updates information stored in Active Directory. The absence of Active Directory (or a domain controller) prevents Group Policy from applying to the computer or user.

Resolutions

Correct binding to the directory

The Group Policy service logs the error code. This information appears on the Details tab of the error message in Event Viewer. The error code (displayed as a decimal) and error description fields further identify the reason for the failure. Evaluate the error code with the list below:

  • Error code 5
  • Error code 49
  • Error code 258

Error code 5 (Access is denied)

This error code might indicate that the user does not have permission to Active Directory.

To correct permissions for accessing Active Directory:

Use Active Directory troubleshooting procedures to further diagnose the problem.

Error code 49 (Invalid credentials)

This error code might indicate that the user’s password expired while the user is still logged on the computer.

To correct invalid credentials:

  • Change the user’s password.
  • Lock/unlock the workstation.
  • Check if there are any system services running as the user account.
  • Verify the password in service configuration is correct for the user account.

Error code 258 (Timeout)

This error code might indicate that the DNS configuration is incorrect.

To correct timeout issues:

Use the nslookup tool to confirm _ldap._tcp.<domain-dns-name> records are registered and point to correct servers (where domain-dns-name is the fully qualified domain name of your Active Directory domain).

Use Active Directory troubleshooting procedures to further diagnose the problem.

Note: These steps may have varying results if your network constrains or blocks ICMP packets.
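The nslookup check for error code 258 can be scripted so that missing or stale locator records stand out. The following is an added example, not part of the original post or the Microsoft knowledge text: it parses the text printed by `nslookup -type=SRV _ldap._tcp.<domain-dns-name>` and compares the SRV targets with the domain controllers you expect to be registered. The sample output is constructed, and the `olddc` host and the function names are hypothetical.

```python
import re

# Constructed sample of `nslookup -type=SRV _ldap._tcp.cosiris.local` output;
# olddc and the 192.0.2.10 address are invented for illustration.
SAMPLE = """\
Server:  vdc01.cosiris.local
Address:  192.0.2.10

_ldap._tcp.cosiris.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = vdc01.cosiris.local
_ldap._tcp.cosiris.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = olddc.cosiris.local
vdc01.cosiris.local     internet address = 192.0.2.10
"""

FIELD = re.compile(r"\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")

def parse_srv(output):
    """Collect one dict per 'SRV service location' block in nslookup output."""
    records = []
    for line in output.splitlines():
        if "SRV service location" in line:
            records.append({"name": line.split()[0].lower()})
            continue
        m = FIELD.match(line)
        if m and records:
            key, val = m.groups()
            records[-1][key] = val.lower().rstrip(".") if key == "svr hostname" else int(val)
    return records

def audit_srv(output, expected_dcs):
    """Compare SRV targets with the domain controllers that should be registered."""
    expected = {d.lower().rstrip(".") for d in expected_dcs}
    records = parse_srv(output)
    found = {r["svr hostname"] for r in records if "svr hostname" in r}
    findings = [] if records else ["no _ldap._tcp SRV records returned"]
    findings += ["unexpected or stale target: " + h for h in sorted(found - expected)]
    findings += ["domain controller not registered: " + h for h in sorted(expected - found)]
    findings += ["%s advertises port %s, not 389" % (r.get("svr hostname"), r.get("port"))
                 for r in records if r.get("port") != 389]
    return findings
```

A record that still points at a decommissioned domain controller is a common cause of bind timeouts, so an unexpected target deserves the same attention as a missing one.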

This knowledge is identical to http://technet.microsoft.com/en-us/library/cc727283(WS.10).aspx about event ID 1006.

Additional error codes for event 1058 can be found at http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx

If you follow the link in the knowledge to troubleshoot AD, you go to http://technet.microsoft.com/en-us/library/cc732148(WS.10).aspx and get told that “The document that you are attempting to access is not yet available.” even though it is dated 7th November 2008.

There is a hotfix for Windows 2008 servers that this applies to.

http://support.microsoft.com/default.aspx?scid=kb;en-us;950876&sd=rss&spid=12925

Information

The alert is “Active Directory Search Monitor” from the Group Policy 2008 MP. It looks for event 1080 in System and is a Manual Reset monitor. The same-named alert also comes from “Active Directory Bind Monitor”, which looks for event 1006 and is also a Manual Reset monitor.

NB: as this is a monitor, you have to do Reset Health in Health Explorer and not just Close the alert. These alerts roll up for Availability and will create the calculated alerts (AD Domain Availability Health Degraded and AD Site Availability Health Degraded) for the domain if more than 60% of DCs are affected.

OpsMgr is R2 and AD MP is v6.0.6452.0.

Power Management MP Needs Something to Manage

December 2, 2009

According to the Power Management MP (version 6.0.6735.0 is the first version and was released on 9th Nov 2009) the Windows 2008 R2 Server hardware that qualifies for the “Enhanced Power Management” Additional Qualification logo is at

http://www.windowsservercatalog.com/results.aspx?&chtext=&cstext=&csttext=&chbtext=&bCatID=1333&cpID=0&avc=10&ava=0&avq=30&OR=1&PGS=25&ready=0

The only ones on the list (as of 2nd Dec 09) are the following 12 HP ProLiants.

  • ProLiant BL280c G6 2.93GHz Quad Core
  • ProLiant BL2x220c G6 2.53GHz Quad Core
  • ProLiant BL460c G6 2.93GHz Quad Core
  • ProLiant BL490c G6 2.93GHz Quad Core
  • ProLiant DL320 G6 2.93GHz Quad Core
  • ProLiant DL360 G6 2.93GHz Quad Core
  • ProLiant DL370 G6 3.20GHz Quad Core
  • ProLiant DL380 G6 2.93GHz Quad Core
  • ProLiant DL380 G6 3.33GHz Quad Core
  • ProLiant ML330 G6 2.53GHz Quad Core
  • ProLiant ML350 G6 2.93GHz Quad Core
  • ProLiant ML370 G6 3.20GHz Quad Core

Enhanced Power Management
The Enhanced Power Management qualifier identifies servers which support the next generation power management technology available with Windows Server 2008 R2. The software infrastructure and management interfaces in Windows Server 2008 R2 help improve the power efficiency of the server platform and enable remote monitoring of power consumption and remote control of the power profile. There are three major requirements for a system to qualify for this Additional Qualifier:

1. The server system provides a system power meter and system power budget capability in hardware

2. The server system supports the new power metering and budgeting ACPI interface (ACPI V4.0) specification

3. The server system enables control of processor performance states by the Operating System

These new features in Server 2008 R2 will provide cost-savings associated with reducing power consumption on each server. They will also help with capacity planning by making power consumption and power budget information available to administrators. This helps enable more efficient allocation of power and cooling infrastructure in the data center. System Center Operations Manager (SCOM) 2007 R2 provides a Management Pack that takes advantage of all of these new features in Server 2008 R2. Any server that qualifies for the Enhanced Power Management qualifier has native support for the features in this Management Pack.

Unless you are rolling out Windows Server 2008 R2 on those hardware configurations and on OpsMgr R2, you will not get any advantage from deploying this MP. Hopefully other vendors will catch up, as the facilities to monitor power and carbon footprint are intriguing. It may be that some of these features can be enabled on other machines with a future BIOS update? Or maybe they need to be built in from scratch. One to keep an eye on for the future (in more ways than one!).

Ian

