Sep 13, 2007

How to reset secure channel for DCs

This post is about resetting the secure channel between a domain controller and the PDC. The other type of secure channel reset, much more common for most administrators, is the one between a member machine and AD, which can be done with:
netdom reset /domain:YourDomainName

Instead of running the above command, many administrators will simply disjoin and rejoin the domain. That should resolve the problem -*if*- it's indeed a secure channel issue. Disjoin/rejoin resets many other things along the way, so it is the cleaner approach.

Now back to our topic. Resetting the secure channel for a DC should be done only when a problematic DC can't authenticate with the PDC. Symptoms include:

- "The target principal name is incorrect"
- \\IP\shared folder works but not \\computerName\share
- Replication fails but network seems to be fine (all ports are open)
- Users get "access denied"
- Kerberos event 3 or 4


1. Identify PDC

    "netdom query fsmo"

2. Disable the KDC service on the DC in question (the DC whose password you want to reset) and reboot (don't forget the reboot)
3. On the DC in question, run

    netdom resetpwd /server:PDC_name /userd:Domain\admin /passwordd:admin_pwd

4. Reboot again regardless of whether step 3 succeeded (you should still look into why step 3 failed, though)
5. Enable and start the KDC service
6. Verify whether this resolves the issue
7. (Optional) Even though it's not required, you are strongly encouraged to reboot the DC once more. Also, if the reset was done to troubleshoot replication issues, it's recommended to trigger a KCC cycle to regenerate the replication topology.

You can reset the secure channel as many times as you want, but it only resolves issues that are out-of-sync in nature (remember that computer accounts have passwords too and need to authenticate to each other). It won't help if you have an underlying network or DNS issue. And most AD issues are caused by misconfigured DNS, I should say!

In short, if you have a member server/workstation that doesn't seem to talk to the rest of the domain, you may want to reset the secure channel on that workstation. If you have a DC that doesn't replicate or doesn't talk to other DCs, you want to reset that DC's secure channel. The commands used are quite different.

Edit (2011.11.05):
Similar to what you can do with member servers, if a DC's secure channel fails to reset, you can just demote it and promote it back. However, there are a few things to take into consideration before demoting:
  • Is this DC holding any FSMO role? Can you still transfer the roles (most likely you can't, because of the failing secure channel)? Do you need to seize its roles?
  • If you have to do a forced demotion, remember to perform metadata cleanup afterwards
  • Is this DC a DNS server? Remember to remove it from your zone's name server list. Also consider the impact on clients that are using this server as their DNS server
  • Any other services this DC provides?
Last but not least, I can't stress enough how important DNS/connectivity is. If something is wrong with DNS or the network, demote/promote won't fix the issue.

May 16, 2007

escape apostrophe in ldap search filter in VBscript

It took me a long time to figure out how to search for a user whose name contains an apostrophe ("'"). Basically, you escape the apostrophe with another apostrophe. See the example:


Const ADS_SCOPE_SUBTREE = 2   ' not predefined in VBScript, it must be declared

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE

' The value D'Arcy, Who is written as 'D''Arcy, Who': a doubled apostrophe
' inside the single-quoted string stands for one literal apostrophe.
objCommand.CommandText = _
"SELECT distinguishedName FROM 'LDAP://dc=strongline,dc=home' WHERE objectCategory='user' AND cn='D''Arcy, Who'"

REM ====>>>> use another apostrophe to escape one apostrophe. It's hard to see the difference between two apostrophes and a double quote sign; please copy the code into an editor such as Notepad++ that can show the code more clearly.

Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    WScript.Echo objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop
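The doubled apostrophe above is specific to the SQL dialect of the ADSI OLE DB provider. The native LDAP filter syntax (RFC 4515) does not treat the apostrophe specially at all, but it does require backslash-hex escaping of the characters ( ) * \ and NUL, and a value that is not escaped for the syntax it is placed in changes the structure of the query. This added example (not code from the original post) shows both escapes side by side; the base DN and names are the post's, the function names are mine.

```python
def escape_ado_sql(value: str) -> str:
    """Escape a value for a single-quoted string in the ADSI SQL dialect.

    This is the rule the VBScript above applies by hand: ' becomes ''.
    """
    return value.replace("'", "''")


def escape_ldap_filter(value: str) -> str:
    """Escape an assertion value for an RFC 4515 LDAP filter.

    Only ( ) * backslash and NUL are special; each becomes \\XX (hex).
    The apostrophe is an ordinary character here.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def ado_query(base: str, cn: str) -> str:
    """Build the SELECT used in the post for an arbitrary cn value."""
    return ("SELECT distinguishedName FROM '%s' WHERE objectCategory='user' "
            "AND cn='%s'" % (base, escape_ado_sql(cn)))


def ldap_filter(cn: str) -> str:
    """The equivalent native LDAP filter for the same search."""
    return "(&(objectCategory=user)(cn=%s))" % escape_ldap_filter(cn)


if __name__ == "__main__":
    name = "D'Arcy, Who"          # the name from the post
    awkward = "Smith (*)"         # constructed: characters LDAP filters care about
    print(ado_query("LDAP://dc=strongline,dc=home", name))
    print(ldap_filter(name))
    print(ado_query("LDAP://dc=strongline,dc=home", awkward))
    print(ldap_filter(awkward))
```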

May 15, 2007

SMS Logs

Client side logs: Admin$\system32\ccm\logs
Site Server logs: SMSfolder\Logs
Management Point logs: SMS_CCM\Logs
If an MP is itself a client, the client-side logs will be in SMS_CCM

The Trace utility is essential for watching SMS logs!

Apr 20, 2007

What does Kerberos ticket renewable time mean to you?

1. By default a user ticket (TGT) has a lifetime of 10 hours; it can be renewed for up to 7 days.
2. Tickets and keys obtained from the KDC are stored in a credentials cache, an area of volatile memory protected by the LSA. The credentials cache is never paged to disk. All objects stored there are destroyed when a security principal logs off or the system is shut down.
3. If you work non-stop for more than 7 days, it doesn't mean you have to type in your password again. The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT silently, without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy is destroyed when the user's logon session is destroyed.
4. However, there are changes in the background if you leave a logon session open beyond the 7-day limit. The changes are:
1) You will get a new ticket, obviously, in the background
2) If you have any membership changes, they will be reflected in the new ticket without you having to log off and back on.
3) User Rights Assignment changes will be reflected
4) If you don't force the user to log off, it also means he/she can keep access that you don't want him/her to have, because his/her ticket remains valid for its lifetime.

What's SPN's role in Kerberos

When a client needs to access a service or resource on a target server, it first goes to a DC to request a service ticket. Because a target server can provide more than one service, the client has to include in its request what type of resource/service it wants; this is done by including the SPN in the request.

So it's easy to understand that, in an AD environment, servers (namely service providers) have to register their SPNs properly in AD in order to advertise/provide services properly. For example, an Exchange server will normally register exchangeAB, exchangeMDB, exchangeRFR and SMTP SPNs. Likewise, a DC will register ldap, ntfrs, etc.

There are a few special SPNs that all servers register automatically. HOST is one of them, sometimes appearing in the form of cifs.

When the KDC gets a service ticket request from a client, it extracts the SPN from the request and locates the server in its database (in the Windows world, AD) based on that SPN. The KDC then prepares the ticket, encrypts it with the resource server's master key or the service account's master key, and returns the ticket to the client.

Kerberos error KRB_AP_ERR_MODIFIED (Event ID 4 on Windows) occurs when a service ticket was encrypted with one key but is being decrypted with another. This happens when a ticket is sent to the wrong computer, which in turn is often caused by duplicated DNS records, different computers having the same name, etc. It can also be caused by the following scenario:

The target server (named DesiredServer) provides a service named "serviceA"; serviceA runs under a service account named "ServiceAaccount".

Ideally, the SPN 'serviceA/DesiredServer' should be registered under DesiredServer's name. In our example, however, it was registered under a different server's name, say "WrongServer". Or the same SPN 'serviceA/DesiredServer' was registered twice, under both "DesiredServer" and "WrongServer".

A client requesting serviceA asks a DC for a service ticket with the 'serviceA/DesiredServer' SPN specified.

The DC searches its database by the SPN provided and gets "WrongServer" as the result, so it encrypts the ticket with "WrongServer"'s master key.

The ticket is still sent to "DesiredServer" for service, and "DesiredServer" won't be able to decrypt it.

A Kerberos error is logged on "DesiredServer".

Or, there's a chance that a ticket which should have been encrypted with a service account's key is instead encrypted with the computer's master key.

Apr 19, 2007

Kerberos Event ID 4 - draft

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 4/18/2007
Time: 2:01:16 AM
User: N/A
Computer: computer1


The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ The target name used was COMPUTER2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CORPDOMAIN.COM), and the client realm. Please contact your system administrator.

Theory that needs more study to verify:

A client requested a service/resource from COMPUTER2 and got a ticket encrypted with COMPUTER2's key. But somehow it sent the ticket to COMPUTER1, which couldn't decrypt the ticket because it didn't have the correct key.

Cause: 1. A DNS or other name resolution error causes the client to send the ticket to the wrong machine. Check whether there are any wrong/duplicate A/PTR records for COMPUTER1 and COMPUTER2.

2. COMPUTER2 didn't have one of its SPNs registered. When a request for that service arrives with the respective ticket, the ticket is then handled by the local computer account, which has a host/ SPN (or cifs/ SPN) created automatically. In this case host/ isn't the service that was expected, therefore the error is generated.

Example: COMPUTER2 is a SQL server; it should have had a sql/ SPN registered for its service account, but it didn't. When a client asks for the SQL service from COMPUTER2, ideally the ticket should go to the SQL service, but since there is no sql/ SPN record in AD, the ticket is sent to the local machine account (COMPUTER2) instead. The local computer tries to use its automatically generated cifs/ SPN (host/ SPN) to decrypt the ticket and fails.

Microsoft Link

(search on keyword KRB_AP_ERR_MODIFIED)
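The three SPN registration problems the two posts above describe (the same SPN on two accounts, a service SPN sitting on the wrong computer account, and an expected SPN missing altogether) can all be spotted from a dump of servicePrincipalName values before anyone sees Event ID 4. This added example (not the posts' own code) runs those checks over a constructed account list; the account names follow the posts' WrongServer scenario and are made up, and the function names are mine.

```python
from collections import defaultdict

# Constructed sample of accounts and their servicePrincipalName values
# (what `setspn -L <account>` or an LDAP query would return). Names made up:
# the post's WrongServer scenario plus a SQL box that never got its SPN.
ACCOUNTS = {
    "DESIREDSERVER$": ["HOST/DesiredServer", "HOST/desiredserver.strongline.home"],
    "WRONGSERVER$": ["HOST/WrongServer", "serviceA/DesiredServer"],
    "ServiceAaccount": ["serviceA/DesiredServer"],
    "COMPUTER2$": ["HOST/COMPUTER2", "HOST/computer2.strongline.home"],
    "sqlsvc": [],
}


def duplicate_spns(accounts):
    """SPNs registered on more than one account: the KDC picks one owner's key."""
    owners = defaultdict(set)
    for acct, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(acct)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}


def misplaced_spns(accounts):
    """SPNs on a computer account whose host part names a different computer."""
    computers = {a[:-1].lower() for a in accounts if a.endswith("$")}
    found = []
    for acct, spns in accounts.items():
        if not acct.endswith("$"):
            continue  # a service account may legitimately serve any host
        for spn in spns:
            if "/" not in spn:
                continue
            host = spn.split("/", 1)[1].split(":")[0].split(".")[0].lower()
            if host in computers and host != acct[:-1].lower():
                found.append((acct, spn))
    return found


def missing_spns(accounts, expected):
    """Expected SPNs that no account carries (the second cause in the post)."""
    present = {s.lower() for spns in accounts.values() for s in spns}
    return [spn for spn in expected if spn.lower() not in present]


if __name__ == "__main__":
    print("duplicated:", duplicate_spns(ACCOUNTS))
    print("misplaced :", misplaced_spns(ACCOUNTS))
    # MSSQLSvc is the real SPN class for SQL Server (the post writes it as sql/)
    print("missing   :", missing_spns(ACCOUNTS, ["MSSQLSvc/COMPUTER2:1433"]))
```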

Apr 11, 2007

How to set up a WebDAV folder



WebDAV has to be a separate site with no host header.

1. Open the site's properties, go to "Web Site"\Advanced, and make sure "Host header value" is empty

2. Go to "HTTP Headers", remove all "Custom HTTP Headers"

3. The root folder will be shared as \.

To add other folders to be shared:

1. Windows Explorer

2. Open the properties of the folder, Web Sharing

3. In the "Share on" dropdown list, select the website we created

4. Select "Select this folder", give it an alias



1. Go to "My Network Places"

2. Add an alias

Apr 10, 2007

Scheduled Task won't run

When this happens, I'm sure you will be told to check your permissions here and there, but you are sure you have all the needed permissions set perfectly. So you turn to a Google search, and still everybody talks about nothing but permissions.

And -

Here is another important thing to check: to run as a scheduled task, the credential used must have the "Log on as a batch job" privilege. This is added for you automatically when you create the job, sweet. However, if it is removed later for whatever reason, or overridden by Group Policy, that is when the issue starts.
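The effective holders of "Log on as a batch job" can be read from a local policy export, so a Group Policy override shows up as the task account's SID (or one of its group SIDs) simply being absent from the list. This added example (not from the post) parses the INF that `secedit /export /areas USER_RIGHTS /cfg rights.inf` writes, where the right appears under [Privilege Rights] as SeBatchLogonRight; the INF text and SIDs below are constructed.

```python
# Constructed excerpt of a secedit export. A real export is UTF-16, so read
# it with open(path, encoding="utf-16") before passing the text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-80-0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line.lower() == "[privilege rights]")
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit prefixes each SID with '*'; an empty value means nobody
            sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
            rights[name.strip()] = sids
    return rights


def has_batch_logon(inf_text, account_sids):
    """True if the account's own SID or any of its group SIDs is granted
    SeBatchLogonRight (the right the Task Scheduler credential needs)."""
    granted = parse_privilege_rights(inf_text).get("SeBatchLogonRight", set())
    return bool(granted & set(account_sids))


if __name__ == "__main__":
    # constructed token SIDs: the task's user plus BUILTIN\Users
    task_user = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-32-545"]
    other_user = ["S-1-5-21-1111-2222-3333-1106", "S-1-5-32-545"]
    print("task account may run batch jobs:", has_batch_logon(SAMPLE_INF, task_user))
    print("other account may run batch jobs:", has_batch_logon(SAMPLE_INF, other_user))
```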

Mar 24, 2007

Domain Controller Location Process

Mar 9, 2007

Jan 31, 2007

Issues when RRAS is on the Domain Controller

A lot of small companies have various weird issues while all configurations look good:

Jan 23, 2007

What to do when you are blacklisted

Jan 15, 2007


ADUC doesn't list all properties in its GUI. To change which properties are listed, modify the file "%systemroot%\system32\dssec.dat".

Jan 9, 2007

Reply to meeting request gets NDR

The manager sends a meeting request; the attendees accept it and immediately get an NDR stating "The following recipient(s) could not be reached" with a deleted user account's name in it.

This can happen if the deleted user had been delegated access to the manager's mailbox and the check box "Send meeting requests and responses only to my delegates, not to me" had been checked in Outlook's Delegates tab.

In certain cases you will still see the check box ticked and grayed out even after the delegate has been removed from the Outlook settings. You can add someone else as a delegate, remove the tick, and then remove that delegate again to clear the check box.

SMTP Tar Pitting in Windows 2003 SP1

What is SMTP tar pitting?

Tar pitting is the practice of deliberately inserting a delay into certain SMTP communications that are associated with spam or with other unwanted traffic. To be effective, these kinds of communications typically rely on generating a high volume of traffic. By slowing an SMTP conversation, you can dramatically reduce the rate at which automated spam can be sent or at which a dictionary attack can be conducted. Legitimate traffic may also be slowed by tar pitting.

The tar pit feature is available in Microsoft Windows Server 2003 and in several third-party SMTP servers. The tar pit feature in Windows Server 2003 works by slowing all responses that contain SMTP protocol 5.x.x error codes.

Tar pitting is a feature of Windows 2003, so Exchange 2000 can benefit too.