Event ID
Description
528
A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529
Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530
Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.
Search This Blog
Apr 7, 2010
Mar 21, 2010
I am now Windows 2008 certified!
Passed 70-649 two weeks ago, which gave me three certificates:
MCTS: Active Directory
MCTS: Network
MCTS: Application Infrastructure
Two more exams to get my MCITP: Enterprise Admin
Update (Jun 12): Passed 70-747. One more exam (70-680) to get my MCITP:Enterprise Admin
Update (Sep 23): Passed 70-680. Now I am MCITP: Enterprise Admin!
MCTS: Active Directory
MCTS: Network
MCTS: Application Infrastructure
Two more exams to get my MCITP: Enterprise Admin
Update (Jun 12): Passed 70-747. One more exam (70-680) to get my MCITP:Enterprise Admin
Update (Sep 23): Passed 70-680. Now I am MCITP: Enterprise Admin!
Nov 24, 2009
Suggested Thresholds for Essential Counters
This is excerpted from an MS article for w2k resource kit. Most of the numbers should still be applicable to newer version of OSes.
Resource
Object/Counter
Threshold
Comments
Disk
PhysicalDisk\% Disk Time
90%
Disk
PhysicalDisk\ Disk Reads/sec, PhysicalDisk\Disk
Depends on manufacturer's specifications
Check the disk's specified transfer rate to verify that the logged rate doesn't exceed specifications.(1)
Resource
Object/Counter
Threshold
Comments
Disk
PhysicalDisk\% Disk Time
90%
Disk
PhysicalDisk\ Disk Reads/sec, PhysicalDisk\Disk
Depends on manufacturer's specifications
Check the disk's specified transfer rate to verify that the logged rate doesn't exceed specifications.(1)
Sep 22, 2009
Account Logon vs. Logon/Logoff events in security log
Ever confused by the "Account Logon" events and "Logon/Logoff" events in your Security Log? Read on.
[Edit: Dec 19, 2011]: This is applicable to Windows 2003. In Windows 2008, "account logon" is changed to "credential validation" to better reflect what it really is.
****************************************
This is a complete copy/paste from MSDN.
****************************************
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories?
The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.
Here's the low down on what is the difference between Logon/Logoff and Account Logon events, and how to decipher Account Logon events.
[Edit: Dec 19, 2011]: This is applicable to Windows 2003. In Windows 2008, "account logon" is changed to "credential validation" to better reflect what it really is.
****************************************
This is a complete copy/paste from MSDN.
****************************************
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories?
The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.
Here's the low down on what is the difference between Logon/Logoff and Account Logon events, and how to decipher Account Logon events.
Sep 3, 2009
Backup and restore TCP/IP stack config using command line
netsh -c interface dump > ipconfig.txt
netsh -f ipconfig.txt
netsh -f ipconfig.txt
Apr 22, 2009
Jan 28, 2009
Change TSM client password on cluster
Or when there are more than one scheduler services.
On the active node, open command prompt
>dsmc -optfile="the opt file that you want to change"
>q se
>set password
Failover to second node, do the same.
On the active node, open command prompt
>dsmc -optfile="the opt file that you want to change"
>q se
>set password
Failover to second node, do the same.
Jan 15, 2009
Replacing a cert without losing existing cert in IIS
http://support.microsoft.com/kb/295281
Recently I ran into a problem when I tried to generate a CSR. The current cert in use was from VeriSign and we wanted to switch to thawte. The problem was that the option "Replace current cert" was grayed out because existing cert was still valid. The above KB is the perfect workaround.
Recently I ran into a problem when I tried to generate a CSR. The current cert in use was from VeriSign and we wanted to switch to thawte. The problem was that the option "Replace current cert" was grayed out because existing cert was still valid. The above KB is the perfect workaround.
Dec 30, 2008
How Outlook contact properties map to LDAP attributes
>>>>>>> Taken from OpenLDAP <<<<<<<<
. Outlook Field - LDAP Attribute(s) (1)
-----------------------------------
Summary
. Name - cn, display-name
. E-Mail Address - mail (2)
. Home Phone - homePhone
. Pager - officePager, pager (3)
. Mobile - mobile
. Personal Web Page
. Business Phone - telephoneNumber
. Business FAX - officeFAX, facsimileTelephoneNumber
. Job Title - title
. Outlook Field - LDAP Attribute(s) (1)
-----------------------------------
Summary
. Name - cn, display-name
. E-Mail Address - mail (2)
. Home Phone - homePhone
. Pager - officePager, pager (3)
. Mobile - mobile
. Personal Web Page
. Business Phone - telephoneNumber
. Business FAX - officeFAX, facsimileTelephoneNumber
. Job Title - title
Sep 22, 2008
VB applet that create event logs on Windows 2000 servers
Recently I've been working on a monitoring solution so I need a tool that can generate event logs to trigger the monitoring agent. There are a few tools from MS Support Tools or Resource Kit Tools that can do this but they all have some limitations. For example, some can create logs for existing sources, the other can't create log for existing source/ID.
Blackhole routers and how they affect your AD environment
Recently I've been working on a Kerberos authentication issue with servers that connect to DCs via VPN. The servers can join domain fine, users can log into domain from these servers, and browsing domain resources seem no problem. However, for a particular application, it always fails to get the AS ticket from DC.
Apr 23, 2008
Apr 4, 2008
RPC troubleshooting basics
1. Verify the status and startup type for the following services on the server that gets the error:Type of computer RPC service RPC Locator service
Windows Server 2003-based domain controller Started, Automatic Stopped, Manual
Windows Server 2003-based member server Started, Automatic Stopped, Manual
Windows Server 2003-based standalone server Started, Automatic Stopped, Manual
Windows 2000 Server-based domain controller Started, Automatic Started, Automatic
Windows 2000 Server-based member server Started, Automatic Started, Manual
Windows 2000 Server-based standalone server Started, Automatic Stopped, Manual
If you make any changes to the RPC service or to the RPC Locator service settings, restart the computer, and then test for the problem again.
2. Verify that the following keys exist in the registry (the keys are grouped according to operating system).
Windows XP, Windows Server 2003 and Microsoft Windows 2000
Verify that the ClientProtocols key exists under the HKEY_Local_Machine\Software\Microsoft\Rpcregistry subkey and that the ClientProtocolsentry contains at least the following five default values: Name Type Data
ncacn_http REG_SZ rpcrt4.dll
ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_nb_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncacn_ip_udp REG_SZ rpcrt4.dll
3. Verify that DNS is working correctly.
4. Verify connectivity:
1) Ports greater than 1024 are not blocked. (portqry)
2) Not blackhole in network path (ping -l -f)
3) Firewall/AV/Backup software/NIC drivers etc.
4) there are ports available for RPC (netstat)
Windows Server 2003-based domain controller Started, Automatic Stopped, Manual
Windows Server 2003-based member server Started, Automatic Stopped, Manual
Windows Server 2003-based standalone server Started, Automatic Stopped, Manual
Windows 2000 Server-based domain controller Started, Automatic Started, Automatic
Windows 2000 Server-based member server Started, Automatic Started, Manual
Windows 2000 Server-based standalone server Started, Automatic Stopped, Manual
If you make any changes to the RPC service or to the RPC Locator service settings, restart the computer, and then test for the problem again.
2. Verify that the following keys exist in the registry (the keys are grouped according to operating system).
Windows XP, Windows Server 2003 and Microsoft Windows 2000
Verify that the ClientProtocols key exists under the HKEY_Local_Machine\Software\Microsoft\Rpcregistry subkey and that the ClientProtocolsentry contains at least the following five default values: Name Type Data
ncacn_http REG_SZ rpcrt4.dll
ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_nb_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncacn_ip_udp REG_SZ rpcrt4.dll
3. Verify that DNS is working correctly.
4. Verify connectivity:
1) Ports greater than 1024 are not blocked. (portqry)
2) Not blackhole in network path (ping -l -f)
3) Firewall/AV/Backup software/NIC drivers etc.
4) there are ports available for RPC (netstat)
Mar 13, 2008
Beyond AdminSDHolder Object
Many people should know the object AdminSDHolder and what it does by now. It checks and reverts back protected group's ACL periodically, if found modified. This is a desirable feature (if you know how it works otherwise you will really be surprised). However, on the top of the above knowledge, it's also tricky to get a user's permission changed if he is a former member of protected group.
For example, if John was Domain Admin and later became a normal user. You will find out that John's permission still gets reverted periodically. This is very hard to figure if you didn't know the history of John's account. To correct this, two things need to be done before permissions can be changed.
1. Change adminCount's value to 0
2. Enable "inheritance"
For example, if John was Domain Admin and later became a normal user. You will find out that John's permission still gets reverted periodically. This is very hard to figure if you didn't know the history of John's account. To correct this, two things need to be done before permissions can be changed.
1. Change adminCount's value to 0
2. Enable "inheritance"
Feb 14, 2008
Alternative Way To Recover Deleted Objects
The recommended way to recover a deleted user or group is through Authorized Restore. It's not always desirable, however. It requires you to take the DC offline, normally for a time length that most of business can't tolerant, depending on how fast you can retore from backup.
With Windows 2003 AD, Microsoft provides another way to move tomestoned objects back to their original state, partially. Basically, you have to specify "Return Deleted Objects" in order to search deleted objects; and you then remove its isDeleted attribute and replace the DN with the location you want this object to be.
Side note: Controls are a mechanism, defined in the LDAP standard, used to extend the LDAP protocol to provide additional functionality beyond what is defined in standard LDAP while remaining compatible with other LDAP-compliant software. AD supports 22 controls, including "return Deleted Objects" control.
With Windows 2003 AD, Microsoft provides another way to move tomestoned objects back to their original state, partially. Basically, you have to specify "Return Deleted Objects" in order to search deleted objects; and you then remove its isDeleted attribute and replace the DN with the location you want this object to be.
Side note: Controls are a mechanism, defined in the LDAP standard, used to extend the LDAP protocol to provide additional functionality beyond what is defined in standard LDAP while remaining compatible with other LDAP-compliant software. AD supports 22 controls, including "return Deleted Objects" control.
Subscribe to:
Posts (Atom)