Thursday, June 14, 2012

Unable to relay outbound email - DNS query failed

One of my clients this morning had an issue sending outbound email from their Exchange server. The Exchange server was still relaying email between tenants, but external emails were building up in the SMTP queue.

MSExchangeTransport was logging the following error in the event logs.

MSExchangeTransport - EventID 16025

The DNS servers could not be retrieved from network adapter GUID.  Check if the computer is connected to a network and Get-NetworkConnectionInfo returns any results.


Messages in the transport queues were showing the following error:

451 4.4.0 DNS query failed


After diagnosing the issue we noticed that the server's network adapter had been replaced and therefore had a different GUID.  The network adapter GUID displayed in the event log no longer matched any network interface on the server.  To view a list of all network interface GUIDs on the server, look at the subkeys of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

To restore outbound email to the Internet, we needed to update the DNS adapter GUID on the Transport Server to match the GUID of the new network adapter.  We updated the Transport Server with the new GUID obtained from the registry key above using the Set-TransportServer PowerShell cmdlet.  This resolved the issue.
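The check and repair described above, as an added PowerShell example (not from the original post). It assumes the Exchange Management Shell is loaded, that the transport server is the local machine, and that the IP address used to pick the new adapter is a placeholder you replace with your own.

```powershell
# Added example, not part of the original post.
# Compare the adapter GUIDs the transport service uses for DNS against the
# interfaces that actually exist on the server, then repair the mismatch.
$server = $env:COMPUTERNAME
$ifKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Each subkey under the registry key named in the post is an interface GUID.
$presentGuids = Get-ChildItem $ifKey | ForEach-Object { $_.PSChildName.Trim('{}') }

# GUIDs the transport server is configured to use for internal/external DNS.
$ts = Get-TransportServer $server
$configured = @{
    InternalDNSAdapterGuid = $ts.InternalDNSAdapterGuid.ToString()
    ExternalDNSAdapterGuid = $ts.ExternalDNSAdapterGuid.ToString()
}

foreach ($name in $configured.Keys) {
    $guid = $configured[$name]
    if ($guid -eq '00000000-0000-0000-0000-000000000000') {
        # All-zero GUID means Exchange may use any adapter's DNS settings.
        Write-Host "$name is unset (all-zero); any adapter will be used."
    } elseif ($presentGuids -contains $guid) {
        Write-Host "$name $guid matches an existing adapter."
    } else {
        # This is the condition behind EventID 16025 and the 451 4.4.0 queue error.
        Write-Warning "$name $guid matches no adapter under $ifKey."
    }
}

# Repair: locate the new adapter by one of its IP addresses (placeholder value)
# and point the external DNS lookup at that adapter's GUID.
$adapter = Get-NetworkConnectionInfo -Identity $server |
           Where-Object { $_.IPAddresses -contains '192.0.2.10' }   # placeholder IP
if ($adapter) {
    Set-TransportServer $server -ExternalDNSAdapterGuid $adapter.AdapterGuid
    # Restart transport so the queued external mail is retried with working DNS.
    Restart-Service MSExchangeTransport
}
```

Run the comparison first; only apply the Set-TransportServer line once the warning confirms the configured GUID is stale.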


Also see this earlier post, which covers a related cause of the 451 4.4.0 DNS query failed error:

http://clintboessen.blogspot.com.au/2010/12/451-440-dns-query-failed.html

Monday, June 11, 2012

Compare the Difference between two Group Policy Objects

There’s no built-in functionality in Windows for comparing two GPOs to see how their settings differ.  Back in 2005 a company named DesktopStandard Corp made a tool called GPOVault which extended the functionality of GPMC providing administrators the ability to compare two group policy objects.

DesktopStandard Corp was however bought out by Microsoft, and navigating to their website http://www.desktopstandard.com/ simply redirects to the Microsoft Group Policy webpage.

GPOVault not only provides the ability to compare group policy objects within Group Policy Management Console, but also adds other much needed functionality such as change control, notification, approval, rollback, offline editing, templates, and difference reporting directly into the GPMC.

Since the acquisition of DesktopStandard Corp, finding GPOVault on the Internet has become a difficult task.  As a result I have uploaded a copy of GPOVault.msi to this blog which can be downloaded from the following link:

https://sites.google.com/site/cbblogspotfiles/gpovault.msi

To compare two group policy objects perform the following steps:

1. Expand the Forest - Domains and the domain and select the "Change Control" leaf.

2. In the details pane, select the Contents tab, which will display a list of GPOs. At this point, you probably need to select the "Uncontrolled" child tab to see your normal GPOs.

3. Select the GPOs for which you want to see the differences (hold down the Ctrl key as you select each GPO), then right-click and select Differences - HTML Report. (You can also select to output to XML format as the figure shows.)

4. A report will display the differences between the selected GPOs, as the figure shows.

Wednesday, June 6, 2012

Microsoft SCM - Export Only Critical Severity

Microsoft SCM is a great tool for quickly deploying security baselines to your organisation.  Microsoft SCM version 2 and higher provides security policies which fall into 4 severity categories:
  • Critical
  • Important
  • Optional
  • None
For the average enterprise organisation, they want to implement all policies stipulated under the Critical severity category as most settings in the critical category are in alignment with the former Enterprise Client (EC) baseline.

When you export a Microsoft baseline to a GPO, however, it exports policies in all categories - something you want to be very cautious about doing, as it will significantly reduce functionality.  The "Important" category aligns with the older Specialized Security-Limited Functionality (SSLF) baseline, a model that "looks at disabling everything then allowing what is required".

So how do you go about exporting just policies in the Critical category?

To export all policies in the Critical category, perform the following steps:

1. Create a custom baseline, for example by selecting one of the Microsoft baselines and then clicking Duplicate in the Actions pane.

2. Select your custom baseline, then change to Simple View: click the button to the left of Advanced View above the middle pane, click the drop-down menu labeled Group View and select Simple View.

3. Sort the settings by severity by clicking the top of the column labeled Severity.

4. Use shift-click to select multiple settings with a severity other than Critical, then click Delete in the Actions pane to remove them from the baseline.

5. Export the baseline, which now contains only the Critical settings.