Monday, May 18, 2015

Audit policies are not applied on one DC with event 4719 in eventvwr

Finding:
==========
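The server's Security event log contains a large number of event 4719 (Audit Policy Change) entries, so we concluded that the audit policy was not being applied correctly.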


Resolution:
===========
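1. First, enable the display of hidden files in Folder Options.
2. Check whether the following settings file exists; if it does, delete it:
   C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
3. After confirming the file has been deleted, run gpupdate /force.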
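
The same steps as a PowerShell script, as an added example that is not part of the original post. It keeps a copy of audit.csv before deleting it; the backup folder and the 24-hour look-back window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: remove the local audit.csv, refresh policy, then check the result.

$auditCsv  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$backupDir = Join-Path $env:SystemRoot 'Temp\audit-csv-backup'   # assumed backup location
$since     = (Get-Date).AddHours(-24)                            # assumed look-back window

function Get-AuditPolicyChangeCount {
    param([datetime]$StartTime)
    # Count event 4719 entries in the Security log since $StartTime.
    # Get-WinEvent raises an error when nothing matches, so that case is silenced.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4719; StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    return @($events).Count
}

"4719 events in the last 24 hours: $(Get-AuditPolicyChangeCount -StartTime $since)"

if (Test-Path -LiteralPath $auditCsv) {
    # Keep a timestamped copy so the previous local settings can be reviewed later.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $auditCsv -Destination (Join-Path $backupDir "audit-$stamp.csv") -Force
    # -Force is required because the file is hidden.
    Remove-Item -LiteralPath $auditCsv -Force
    "Removed $auditCsv (backup in $backupDir)"
} else {
    "No local audit.csv found; nothing to delete."
}

# Step 3 of the procedure: re-apply Group Policy.
gpupdate /force

# Show the effective audit policy so it can be compared with the intended GPO settings.
auditpol /get /category:*
```

Calling `Get-AuditPolicyChangeCount -StartTime` again later, with the time of the cleanup as the start, shows whether new 4719 events are still being logged.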

Wednesday, May 13, 2015

Windows Server 2012 , WMI query fails which results in backup failure.

CAUSE
========
Windows Server 2012 and Windows Server 2012 R2 have a known issue when they rebuild the WMI namespace. Specifically, both the removal MOF file and the installation MOF file are processed when the standard mofcomp command is issued to rebuild the WMI namespace. This can result in the installation MOF file being processed before the removal MOF file is processed. When this occurs, the WMI namespace is not present after the rebuild.


RESOLUTION
============
To resolve this issue, use the following steps:
1. Open an elevated Command Prompt by right-clicking on the shortcut to Command Prompt and choosing Run As Administrator on the host computer.
2. Use the CD command to navigate to the %windir%\System32\Wbem directory.
3. Run the following command:
for /f %x in ('dir /b *.mof ^| findstr /v /i uninstall') do mofcomp %x

4. Return to the VMM Admin console and refresh the host computer.
These steps rebuild the WMI repository on the host. After the next host update in Virtual Machine Manager, the hosts should report that they are in the Ready state.

Monday, May 11, 2015

Getting SCOM alerts "A server did not respond to HTTP request, Server did not respond to HTTP request LookupUserRequest"

Resolution
Add the following registry value under this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create a DWORD named ClientAuthTrustMode and set its value to 2.

"ClientAuthTrustMode" can take values from 0 to 2. By default this registry value is not present on the system, which means that g_eClientAuthMode is set to Machine Trust.

0 : Machine Trust
1 : Exclusive Root Trust
2 : Exclusive CA Trust

Thursday, May 7, 2015

How to run the WMI service in a standalone host process?

1) Run the following commands:
     net stop winmgmt
     winmgmt /standalonehost
     net start winmgmt

OR

2) Set the service type to run in its own process:
     net stop winmgmt
     sc config winmgmt type= own
     net start winmgmt