Dec 13, 2013
Dec 12, 2013
Attributes used in ANR (Ambiguous Name Resolution)
- givenName
- sn (Surname)
- displayName
- legacyExchangeDN
- msExchMailNickname
- RDN (the name attribute)
- physicalDeliveryOfficeName
- proxyAddresses
- sAMAccountName
How to run an ANR search: the filter is a single (anr=...) term. The DC expands it into a prefix match against every attribute above and, when the value contains a space, also tries the two halves as givenName/sn in both orders:
(anr=John Doe)
(anr=J D)
(anr=J Doe) etc.
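The same query from PowerShell, as an added example that is not part of the original post. It uses System.DirectoryServices directly (no RSAT module needed) and shows, side by side, the explicit filter a DC expands the ANR term into. The search base, user names and results are assumptions.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Search-Anr {
    # Run an (anr=...) query against the forest root.  Works from any domain-joined
    # machine without the RSAT module.  $SearchBase is an assumed value.
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$SearchBase = 'LDAP://DC=corp,DC=example'
    )
    # Escape the user-supplied value (RFC 4515) so it cannot add filter terms of its own.
    $escaped = $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(anr=$escaped)")
    $searcher.PageSize = 1000   # paged results, so more than 1000 matches come back
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName','displayName','objectClass'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            sAMAccountName = $r.Properties['samaccountname'][0]
            displayName    = $r.Properties['displayname'][0]
            objectClass    = $r.Properties['objectclass'][$r.Properties['objectclass'].Count - 1]
            Path           = $r.Path
        }
    }
}

function ConvertTo-AnrFilter {
    # The explicit filter a DC expands an ANR value into: a prefix match on every
    # ANR attribute, plus, when the value contains a space, givenName/sn in both
    # orders.  Useful when you need ANR semantics against a non-AD LDAP server.
    param([Parameter(Mandatory)][string]$Value)
    $attrs = 'givenName','sn','displayName','legacyExchangeDN','msExchMailNickname',
             'name','physicalDeliveryOfficeName','proxyAddresses','sAMAccountName'
    $terms = @($attrs | ForEach-Object { "($_=$Value*)" })
    $parts = $Value.Trim() -split '\s+', 2
    if ($parts.Count -eq 2) {
        $terms += "(&(givenName=$($parts[0])*)(sn=$($parts[1])*))"
        $terms += "(&(givenName=$($parts[1])*)(sn=$($parts[0])*))"
    }
    '(|' + (-join $terms) + ')'
}

Search-Anr -Value 'J Doe' | Format-Table -AutoSize
ConvertTo-AnrFilter -Value 'J Doe'
```

ANR is convenient for address books, but an unescaped value handed to it by a web form is still an LDAP injection vector, which is why Search-Anr escapes the input before building the filter.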
Nov 1, 2013
Logon Session (Console & RDP) Tracking Notes
A few notes on how Windows handles session creation and switching, taken while I was writing an app to track user logon time. Maybe useful for somebody.
Content:
1. Observation
2. How to handle properly
=========================================
= Observations
=========================================
Disconnect from a remote session: RemoteDisconnect
Log off from the console: SessionLogoff(user), ConsoleDisconnect(user), ConsoleConnect(system)
(A system logon-screen session can be identified by its "LogonUI.exe" process. A subsequent logon takes over this session, i.e. it keeps the same session number, and in that case there is only one event: SessionLogon.)
Lock a session: SessionLock
Switch to an existing session: ConsoleDisconnect(1st user) -> ConsoleConnect(system) -> ConsoleDisconnect(system) -> ConsoleConnect(2nd user) -> SessionUnlock(2nd user)
Unlock directly from the original lock screen: SessionUnlock
Click "Switch user", then unlock the same account: ConsoleDisconnect(user) -> ConsoleConnect(system takes over) -> ConsoleDisconnect(system) -> ConsoleConnect(original user) -> SessionUnlock(original user)
Switch user, then a new logon: SessionLock(old user) -> ConsoleDisconnect(old user) -> ConsoleConnect(system takes over) -> SessionLogon(new user takes over)
Remote disconnect: RemoteDisconnect
Remote new connection:
-> RemoteConnect(?)
-> SessionLogon
Remote reconnect (the user already has a logon session somewhere):
-> RemoteConnect(system)
-> if the existing session was on the console and unlocked:
-> ConsoleDisconnect(user)
-> the system then has to spawn a new session to take over the console (ConsoleConnect)
-> RemoteDisconnect(system)
-> RemoteConnect(user)
=========================================
= How to handle properly
=========================================
There are many session-switch sequences that are confusing at first sight. For a simple user switch, for example, there may be up to five session-switch events. The key thing to remember is whether the user already has an existing session.
- Once a user has obtained a session number, he/she keeps that same session number until he/she logs off. No other session-switch event changes this ownership relationship;
- Logically, a user gets a new session number only on logon (SessionLogon);
- If a user connects back to, or unlocks, a session he/she obtained earlier, only one switch event is fired: SessionUnlock or SessionLogon;
- If a user takes a brand new session, or takes the console away from another user's session, ConsoleDisconnect/ConsoleConnect will fire multiple times. Basically, Terminal Services has to break the existing session away from the other user, connect the console under System (the logon screen), disconnect the System session, and finally let the user take the console.
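The ownership rules above as a small tracker, added here as an example and not the original post's app. It consumes (SessionId, Reason) notifications, where the reasons are the Microsoft.Win32.SessionSwitchReason names used in the notes and the session id is what a service receives in the WM_WTSSESSION_CHANGE / SERVICE_CONTROL_SESSIONCHANGE payload. The event sequence at the bottom is constructed to match the "switch user, then a new logon" observation; the user names are made up.

```powershell
function New-SessionTracker {
    # Owner map: session id -> user.  Only SessionLogon / SessionLogoff change it.
    [pscustomobject]@{
        Owner  = @{}
        Locked = @{}
        Log    = New-Object System.Collections.Generic.List[string]
    }
}

function Update-SessionTracker {
    param(
        [Parameter(Mandatory)]$Tracker,
        [Parameter(Mandatory)][int]$SessionId,
        [Parameter(Mandatory)]
        [ValidateSet('ConsoleConnect','ConsoleDisconnect','RemoteConnect','RemoteDisconnect',
                     'SessionLogon','SessionLogoff','SessionLock','SessionUnlock')]
        [string]$Reason,
        [string]$User   # only meaningful for SessionLogon; a real app resolves it with WTSQuerySessionInformation
    )
    $stamp = (Get-Date).ToString('s')
    switch ($Reason) {
        'SessionLogon' {
            # The one event that hands a session number to a user
            $Tracker.Owner[$SessionId]  = $User
            $Tracker.Locked[$SessionId] = $false
            $Tracker.Log.Add("$stamp logon  session=$SessionId user=$User")
        }
        'SessionLogoff' {
            # The one event that takes it away again
            $u = $Tracker.Owner[$SessionId]
            $Tracker.Owner.Remove($SessionId)
            $Tracker.Locked.Remove($SessionId)
            $Tracker.Log.Add("$stamp logoff session=$SessionId user=$u")
        }
        'SessionLock'   { $Tracker.Locked[$SessionId] = $true }
        'SessionUnlock' { $Tracker.Locked[$SessionId] = $false }
        default {
            # Console/Remote connect and disconnect never change ownership.  A session
            # with no owner is the System (LogonUI.exe) placeholder and is ignored.
            if ($Tracker.Owner.ContainsKey($SessionId)) {
                $Tracker.Log.Add("$stamp $Reason session=$SessionId user=$($Tracker.Owner[$SessionId])")
            }
        }
    }
}

$t = New-SessionTracker
# Constructed sequence: alice logs on, clicks "Switch user", bob logs on to a new session.
$events = @(
    @{ Id = 1; Reason = 'SessionLogon';      User = 'alice' },
    @{ Id = 1; Reason = 'SessionLock' },
    @{ Id = 1; Reason = 'ConsoleDisconnect' },
    @{ Id = 2; Reason = 'ConsoleConnect' },          # System/LogonUI takes the console in a fresh session
    @{ Id = 2; Reason = 'SessionLogon';      User = 'bob' }
)
foreach ($e in $events) { Update-SessionTracker -Tracker $t -SessionId $e.Id -Reason $e.Reason -User $e.User }
$t.Owner   # alice still owns session 1 (locked, no console) although bob now has the console in session 2
$t.Log

# For the current session only, the same reasons can be received live without P/Invoke
# (this API does not carry a session id, which is why the tracker takes it as a parameter):
# Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) -EventName SessionSwitch `
#     -Action { $Event.SourceEventArgs.Reason }
```

The point of the design is that the Console*/Remote* events are logged as activity against whoever already owns the session, never used to assign ownership; that is what keeps the five-event user switch from producing phantom logons.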
Oct 10, 2013
AD CA basic - study notes
- There are three snap-ins for certificate-related management:
- on a client, the Certificates snap-in, which manages the actual certificates (per-user or per-computer store)
- on the CA server, the Certification Authority snap-in and the Certificate Templates snap-in
- Just because a certificate template exists doesn't mean the CA is going to use it
- In order to issue a certain type of certificate, you have to tell the CA that you want to issue that type of cert:
- In the CA snap-in, right click the "Certificate Templates" folder under the server name, New, Certificate Template to Issue
- To check which templates your CA can currently issue, click on "Certificate Templates" in the CA snap-in
- To manage the templates themselves (in use or not), in the CA snap-in expand the CA server name, right click "Certificate Templates", select Manage
- After Manage, you are in the "Certificate Templates" snap-in
- Templates listed here can be in use or not in use, depending on whether you have performed the "Certificate Template to Issue" step above
- You can publish a built-in template directly, but more typically you should duplicate a template, change the copy (name, validity, key size, and above all the Enroll/Autoenroll permissions on its Security tab), then publish that (it is then a template in its own right, not a copy any more)
- For a client to request a certificate:
- on the client machine, open the Certificates snap-in (or use the IIS admin console, or the certreq command line) to generate a request and send it to the CA admin
- the CA admin approves it (if the template requires CA certificate manager approval)
- the client installs (enrolls) the issued cert
- You can automate the request/approve/enroll steps by enabling autoenrollment in Group Policy, for templates whose permissions grant the principal Autoenroll
- Enterprise CA vs. Standalone CA
- a standalone CA doesn't have certificate templates
- a standalone CA doesn't support autoenrollment
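The publish-then-request procedure above, done from the command line with certutil and certreq; this is an added example, not code from the original notes. The CA config string, template name, host name and work directory are assumptions.

```powershell
$CAConfig = 'ca01.corp.example\Corp Issuing CA'   # "<host>\<CA common name>" (assumed)
$Template = 'CorpWebServer'                        # a duplicated template that has been given Enroll rights (assumed)

function Get-IssuableTemplates {
    # "certutil -CATemplates" prints one "<Name>: <Display name> -- <access check>" line
    # per template the CA is willing to issue (the "Certificate Templates" folder view).
    certutil -config $CAConfig -CATemplates 2>$null | ForEach-Object {
        if ($_ -match '^(?<name>[^:\s]+):\s' -and $_ -notmatch '^CertUtil:') { $Matches.name }
    }
}

function Publish-Template {
    # Same effect as New > Certificate Template to Issue in the CA snap-in.
    param([Parameter(Mandatory)][string]$Name)
    if (Get-IssuableTemplates | Where-Object { $_ -eq $Name }) { return "$Name is already published" }
    certutil -config $CAConfig -SetCATemplates "+$Name"
}

function Request-MachineCert {
    # Machine certificate: key in the computer store, not exportable, Server Authentication EKU,
    # host name in the SAN.  The template decides validity, key usage and approval.
    param([Parameter(Mandatory)][string]$Hostname,
          [Parameter(Mandatory)][string]$TemplateName,
          [string]$WorkDir = "$env:TEMP\certreq")
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
[Extensions]
2.5.29.17 = "{text}dns=$Hostname"
"@ | Set-Content -Path "$WorkDir\req.inf" -Encoding ASCII

    certreq -new "$WorkDir\req.inf" "$WorkDir\req.csr"                         # generate key pair + CSR
    certreq -submit -config $CAConfig "$WorkDir\req.csr" "$WorkDir\cert.cer"   # submit; prints the RequestId
    if (Test-Path "$WorkDir\cert.cer") {
        certreq -accept "$WorkDir\cert.cer"     # bind the issued cert to the private key (the "enroll" step)
    } else {
        # Template requires manager approval: once the CA admin issues it, fetch with
        #   certreq -retrieve -config $CAConfig <RequestId> cert.cer ; certreq -accept cert.cer
        'Request is pending CA manager approval'
    }
}

Get-IssuableTemplates
Publish-Template -Name $Template
Request-MachineCert -Hostname 'web01.corp.example' -TemplateName $Template
```

Before publishing a duplicated template, look at who holds Enroll on it: a template that lets the requester supply the subject name should not be enrollable by broad groups, because the CA will happily issue whatever name such a requester asks for.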
Apr 26, 2013
KMS, host keys, client keys, etc.
- One KMS host can hold multiple host keys; for example, it can host both the Windows Server 2012 and the Office host keys at the same time
- Host keys (KMS host keys) are confidential to the company that bought the licenses, while client keys (GVLKs) are publicly available from Microsoft's website. The client key for a given product is the same for every company that uses KMS activation
- A higher host key is inclusive: it covers older and lower products in the same product family. For example, once you install the Windows Server 2012 Datacenter host key, you don't need separate keys for Standard edition or Windows Server 2008 servers. The same key covers them all
- Procedure that solves the vast majority of activation issues in a KMS environment:
- make sure DNS is working (the KMS host name resolves correctly), or just use the IP address in the commands below
- check whether the client is using KMS activation:
slmgr -dlv
- the output should show that this is a KMS client (the Description line ends in "VOLUME_KMSCLIENT channel"). If it is not a KMS-type client, replace the key with the public GVLK for the OS version/edition (you can google and find it):
slmgr -upk
slmgr -ipk "GVLK of the OS version/edition"
- check whether the client can resolve the KMS SRV record (ping cannot look up SRV records, so use nslookup):
nslookup -type=SRV _vlmcs._tcp.yourDomain.name
- if it doesn't resolve, add the record manually in DNS (the KMS host registers it itself when dynamic updates are allowed)
- if it resolves, activation should work; go to the verification step
- if you don't want to use the SRV record, you can also tell the OS directly where to find the KMS host:
slmgr -skms "A record of KMS host" or
slmgr -skms "IP of KMS host"
- verify and activate:
slmgr -ato
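The same checks as a script, added here as an example and not part of the original post. It talks to the SoftwareLicensingService / SoftwareLicensingProduct WMI classes that slmgr.vbs itself uses, so every step maps to one of the slmgr switches above. The domain name, KMS host and GVLK placeholder are assumptions; the Windows application ID GUID is the fixed value slmgr uses for the OS.

```powershell
param(
    [string]$Domain  = 'corp.example',   # assumed AD DNS domain holding the _vlmcs SRV record
    [string]$KmsHost = '',               # set to pin a KMS host and skip the SRV lookup (slmgr -skms)
    [string]$Gvlk    = ''                # public KMS client key for this edition, used only if the channel is wrong (slmgr -ipk)
)
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
function Get-OsLicense {
    # The Windows product that actually has a key installed (Office products live in the same class).
    Get-WmiObject -Class SoftwareLicensingProduct -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL"
}
$svc = Get-WmiObject -Class SoftwareLicensingService
$os  = Get-OsLicense

# 1. Is it a KMS client?  (slmgr -dlv shows this as the "VOLUME_KMSCLIENT channel")
"Channel: {0}   LicenseStatus: {1} (1 = licensed)" -f $os.ProductKeyChannel, $os.LicenseStatus
if ($os.ProductKeyChannel -ne 'Volume:GVLK') {
    if (-not $Gvlk) { throw 'Not a KMS client; re-run with -Gvlk <public client key> to convert it (slmgr -upk / -ipk)' }
    $os.UninstallProductKey()   | Out-Null   # slmgr -upk
    $svc.InstallProductKey($Gvlk) | Out-Null # slmgr -ipk
    $svc.RefreshLicenseStatus()  | Out-Null
    $os = Get-OsLicense
}

# 2. Can it find a KMS host?  Either the _vlmcs._tcp SRV record or an explicit host.
if ($KmsHost) {
    $svc.SetKeyManagementServiceMachine($KmsHost) | Out-Null   # slmgr -skms
} else {
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No _vlmcs._tcp.$Domain SRV record: add it in DNS or re-run with -KmsHost" }
    'KMS SRV -> {0}:{1}' -f $srv[0].NameTarget, $srv[0].Port
}

# 3. Activate (slmgr -ato) and report what slmgr -dlv would show.
$os.Activate() | Out-Null
$svc.RefreshLicenseStatus() | Out-Null
$os = Get-OsLicense
[pscustomobject]@{
    Licensed      = ($os.LicenseStatus -eq 1)
    PinnedKms     = $os.KeyManagementServiceMachine              # empty when the SRV record is used
    DiscoveredKms = $os.DiscoveredKeyManagementServiceMachineName
}
```

Resolve-DnsName needs Windows 8 / Server 2012 or later; on older clients use the nslookup command from the procedure above for step 2.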
Nov 20, 2012
Replication errored out with "no more endpoints"
1. When you right-click "Replicate now" and the error message is "error 1753: There are no more endpoints available from the endpoint mapper", it is complaining that the source DC cannot find an RPC endpoint on the target DC. To make it more confusing, these two DCs were replicating with all their other partners; they just would not replicate with each other (in one direction).
3. In our case, it sounds like the root DC (source) was directed to the wrong child DC (target) for replication, as per the KB referenced above.
4. However, when I checked all related A/CNAME records, they were all CORRECT. All WINS records were correct too. Clearing the DNS cache on both the client side and the DNS server side didn't help either.
5. It turned out that the child's delegation in the root zone had an incorrect glue record (right-click the child zone node, Properties, Name Servers tab). Windows is apparently capable of detecting such a misconfiguration but chooses not to auto-correct it, which is odd.
Lesson learned: when a DC's CNAME or A record resolves to a wrong IP while all its references in the visible zones are correct, check the Name Servers tab of the delegation node (the child zone's entry) in the parent DNS server. Also, when you promote/demote child DCs or change their IPs, make sure the changes are made in the Name Servers tab too (I mistakenly assumed that dcpromo would do that automatically).
Sep 17, 2012
Pin point AD object deletion in event log
Ref: TechNet blog here
This has to be done before the object is restored.
- Find out the DN of the deleted object (using ldifde or adrestore):
ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf
- Find out when the object was deleted, and on which DC:
repadmin /showobjmeta DCname "DN of the deleted object" > Delshowmeta.txt
In the output, find the isDeleted attribute and note its timestamp and originating DC.
- Go to that DC and, in its Security log, find the entries at that time. The event IDs are
630 (2003) / 4726 (2008) for user objects
647 (2003) / 4743 (2008) for computer objects
May 31, 2012
Unable to restore deleted AD object
When following the instructions in this link to recover a deleted object, I got the error message "illegal modify operation". One of the workarounds in the comments worked for me (the Restore-ADObject method): add a -NewName argument to the Restore-ADObject statement.
The LDAP method didn't work well, as it showed only the first 1000 objects under the "Deleted Objects" container while we had way more than that.
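The two posts above (pinpointing the deletion, then restoring) as one script; this is an added example, not code from either post. It needs the ActiveDirectory module, and the restore step needs the AD Recycle Bin. The account name is assumed, and the +/- 5 minute window around the deletion time is a choice, not something the posts specify.

```powershell
Import-Module ActiveDirectory
$Name   = 'jdoe'                                   # sAMAccountName of the deleted account (assumed)
$server = (Get-ADDomainController).HostName        # any reachable DC for the directory queries

# 1. Find the deleted object.  Get-ADObject pages the result set itself, so the
#    1000-object page limit seen when browsing "Deleted Objects" in ldp.exe does not bite here.
$deleted = Get-ADObject -Server $server -IncludeDeletedObjects `
           -LDAPFilter "(&(sAMAccountName=$Name)(isDeleted=TRUE))" `
           -Properties isDeleted, lastKnownParent, objectClass
if (-not $deleted) { throw "No deleted object with sAMAccountName $Name" }

# 2. Replication metadata of isDeleted = deletion time + originating DC
#    (the same data as "repadmin /showobjmeta", restricted to one attribute).
$meta = Get-ADReplicationAttributeMetadata -Object $deleted.DistinguishedName -Server $server -IncludeDeletedObjects |
        Where-Object AttributeName -eq 'isDeleted'
$when     = $meta.LastOriginatingChangeTime
$serverDn = $meta.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,',''   # NTDS Settings -> server object
$dcName   = (Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $server).dNSHostName
"Deleted at $when on $dcName"

# 3. The matching deletion event on that DC: 4726 (user) or 4743 (computer).
$id = if ($deleted.objectClass -eq 'computer') { 4743 } else { 4726 }
$events = Get-WinEvent -ComputerName $dcName -FilterHashtable @{
    LogName = 'Security'; Id = $id; StartTime = $when.AddMinutes(-5); EndTime = $when.AddMinutes(5)
} -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $ev.TimeCreated; Target = $d.TargetUserName; DeletedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
}

# 4. Restore it where it was.  -NewName is the workaround the May 31, 2012 post found for
#    "illegal modify operation"; leave it out if a plain Restore-ADObject succeeds.
Restore-ADObject -Server $server -Identity $deleted.ObjectGUID -NewName $Name -TargetPath $deleted.lastKnownParent
```

Run steps 1 to 3 before step 4: once the object is restored, the isDeleted metadata is rewritten and the deletion time and originating DC are no longer recoverable from it.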
Apr 3, 2012
WMI Association Class
There is a special type of WMI class called an "association class". This type of class binds two normal, related classes together. A typical example is the association class for the NIC-related classes. For each NIC in a system there are two WMI classes: Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration. The former mainly holds NIC hardware info, such as speed, MAC and media connection status; the latter mainly holds configuration info for the NIC, such as IP, DHCP and DNS settings. More often than not you need info from both classes, and that is where the association class comes in.
Still using the NIC as our example, Windows defines an association class called Win32_NetworkAdapterSetting, through which you can reach both of the above classes. An association class has two reference members, one called element and the other called setting. Not surprisingly, element points to a Win32_NetworkAdapter object (because it is the element) and setting points to a Win32_NetworkAdapterConfiguration object (because it is the settings). Below is how you use it:
$ac = Get-WmiObject -Class Win32_NetworkAdapterSetting   # one association object per NIC; element/setting hold WMI object paths
$connectedAdapters = $ac | where { ([wmi]$_.element).NetConnectionStatus -eq 2 }   # [wmi] dereferences the path; 2 = connected
$connectedAdapters | foreach { ([wmi]$_.setting) | select Caption, DHCPEnabled, IPAddress, DNSServerSearchOrder }
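The same traversal done with the CIM cmdlets, as an added example that goes beyond the original post: Get-CimAssociatedInstance follows any association class without hand-dereferencing the element/setting paths, works in both directions, and Get-CimClass shows you which reference property is which before you query. This is not code from the original post; the class names are the real ones, nothing else is assumed.

```powershell
function Get-ConnectedNicConfig {
    # Adapters with NetConnectionStatus 2 (connected), then each one's configuration
    # object reached through Win32_NetworkAdapterSetting without naming the association.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'NetConnectionStatus = 2'
    foreach ($nic in $adapters) {
        $cfg = Get-CimAssociatedInstance -InputObject $nic -ResultClassName Win32_NetworkAdapterConfiguration
        [pscustomobject]@{
            Name        = $nic.Name
            MAC         = $nic.MACAddress
            SpeedMbit   = [math]::Round($nic.Speed / 1e6)
            DhcpEnabled = $cfg.DHCPEnabled
            IPAddress   = $cfg.IPAddress -join ','
            DnsServers  = $cfg.DNSServerSearchOrder -join ','
        }
    }
}

function Get-AssociationEnds {
    # Lists the reference properties of an association class, i.e. which side is the
    # "element" and which the "setting", so you know what -ResultClassName to ask for.
    param([Parameter(Mandatory)][string]$ClassName, [string]$Namespace = 'root/cimv2')
    $class = Get-CimClass -ClassName $ClassName -Namespace $Namespace
    $class.CimClassProperties | Where-Object { $_.CimType -eq 'Reference' } |
        Select-Object @{ n = 'Property'; e = { $_.Name } }, @{ n = 'References'; e = { $_.ReferenceClassName } }
}

Get-ConnectedNicConfig | Format-Table -AutoSize
Get-AssociationEnds -ClassName Win32_NetworkAdapterSetting

# The reverse direction: from every DHCP-enabled configuration back to its adapter.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled = TRUE' |
    ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_NetworkAdapter } |
    Select-Object Name, NetConnectionStatus
```

Get-CimAssociatedInstance also takes -Association if a class participates in several associations and you want to follow a specific one.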
Mar 8, 2012
[Powershell] Try-Catch fails to catch an exception?
I was running a script that does a WMI query and found that my try-catch-finally statement didn't seem to work. The exception was still shown on the console instead of being handled by my catch block.
It turns out that errors fall into two groups: terminating errors and non-terminating errors. By default, try/catch intercepts only terminating errors, and, not surprisingly, the errors Get-WmiObject reports (an unreachable host, an invalid class) are non-terminating.
There are two ways to make it work. One is to make all errors terminating with the assignment below:
$oldPreference = $ErrorActionPreference
$ErrorActionPreference = "Stop"   # make all errors terminating
Remember to restore the preference at the end of your script, as the setting affects every subsequent command in the scope where you set it (the whole session if you set it at the prompt or in a dot-sourced script):
$ErrorActionPreference = $oldPreference
Or, right after the Get-WmiObject statement, check the value of $? (true if the last command succeeded):
if ($?) {
    # processing block
}
else {
    throw $error[0].Exception
}
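A third, narrower option, added here as an example that is not part of the original post: -ErrorAction Stop on the one cmdlet. Only that call becomes terminating, $ErrorActionPreference is untouched, and the catch blocks can distinguish a WMI-level failure from an RPC/connectivity one. The bogus class name is constructed so that the failing call works on any host.

```powershell
function Get-WmiOrFail {
    param(
        [Parameter(Mandatory)][string]$Class,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    try {
        # -ErrorAction Stop promotes this cmdlet's non-terminating error to a terminating
        # one, so the catch blocks below see it; nothing else in the script is affected.
        $objs = Get-WmiObject -Class $Class -ComputerName $ComputerName -ErrorAction Stop
        [pscustomobject]@{ Ok = $true;  Count = @($objs).Count; Error = $null }
    }
    catch [System.Management.ManagementException] {
        # Invalid class, invalid namespace, access denied at the WMI layer, ...
        [pscustomobject]@{ Ok = $false; Count = 0; Error = "WMI: $($_.Exception.Message.Trim())" }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # RPC server unavailable, firewall, host down (HRESULT 0x800706BA and friends)
        [pscustomobject]@{ Ok = $false; Count = 0; Error = "RPC/COM: $($_.Exception.Message.Trim())" }
    }
    catch {
        [pscustomobject]@{ Ok = $false; Count = 0; Error = $_.Exception.GetType().FullName }
    }
    finally {
        # Runs whether or not the query failed; cleanup (sessions, temp files) belongs here.
    }
}

Get-WmiOrFail -Class Win32_OperatingSystem          # succeeds on any Windows host
Get-WmiOrFail -Class Win32_NoSuchClass_Constructed  # constructed name: exercises the ManagementException branch
```

Returning an object from every branch instead of writing to the console is what lets a calling script decide what to do with a failed host rather than stopping at the first one.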
Retrieving Terminal Server Configuration Settings Using Powershell
It was quite easy on Windows 2003 TS servers with the Win32_TerminalServiceSetting WMI class, and there are tons of documents on the net. It took me some time, however, to find out that Microsoft changed the class considerably for Windows 2008.
It now lives in a different namespace, root\cimv2\TerminalServices, and it requires you to specify an authentication level (6 = packet privacy, i.e. encrypted DCOM) before you can access it.
In short, you get the info with the commands below (Windows 2008 and Windows 2003 respectively):
gwmi Win32_TerminalServiceSetting -ComputerName <server> -Namespace root/cimv2/TerminalServices -Authentication 6
or
gwmi Win32_TerminalServiceSetting -ComputerName <server> [-Namespace root/cimv2]
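Reading the 2008 namespace first and falling back to the 2003 location, plus the per-listener settings a security review actually cares about (NLA, security layer, encryption level), as an added example that is not part of the original post. Server names are assumptions; the class and property names are the real ones from root\cimv2\TerminalServices.

```powershell
function Get-RdpSecuritySetting {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $ts = $null; $gen = $null
        try {
            # Windows 2008 and later: root\cimv2\TerminalServices, packet privacy required
            $ts  = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2\TerminalServices' -Authentication PacketPrivacy `
                       -Class Win32_TerminalServiceSetting -ErrorAction Stop
            $gen = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2\TerminalServices' -Authentication PacketPrivacy `
                       -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        }
        catch {
            # Windows 2003: the class is in root\cimv2 and there are no per-listener (Win32_TSGeneralSetting) values
            $ts = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2' -Class Win32_TerminalServiceSetting -ErrorAction SilentlyContinue
        }
        if (-not $ts) { [pscustomobject]@{ Computer = $c; Finding = 'unreachable or access denied' }; continue }
        $nla   = if ($gen) { [bool]$gen.UserAuthenticationRequired } else { $false }   # Network Level Authentication
        $layer = if ($gen) { $gen.SecurityLayer }  else { $null }                     # 0 = RDP, 1 = Negotiate, 2 = TLS/SSL
        $enc   = if ($gen) { $gen.MinEncryptionLevel } else { $null }                 # 1 Low, 2 Client compatible, 3 High, 4 FIPS
        [pscustomobject]@{
            Computer           = $c
            AllowTSConnections = [bool]$ts.AllowTSConnections
            NlaRequired        = $nla
            SecurityLayer      = $layer
            MinEncryptionLevel = $enc
            Finding            = @(
                if ($ts.AllowTSConnections -and -not $nla)  { 'RDP without NLA' }
                if ($layer -eq 0)                           { 'RDP security layer (no TLS)' }
                if ($enc -ne $null -and $enc -lt 3)         { 'encryption level below High' }
            ) -join '; '
        }
    }
}

Get-RdpSecuritySetting -ComputerName 'ts01.corp.example', 'ts02.corp.example' | Format-Table -AutoSize
```

The packet-privacy requirement is not a nuisance to work around: it guarantees the DCOM traffic carrying these settings is encrypted, which is why -Authentication 6 (PacketPrivacy) is mandatory for that namespace.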
Feb 23, 2012
Enable LDAP over SSL Using Certificate Generated From A Different Machine
The procedure is pretty simple and well documented in KB 321051, so there is nothing special here. The tricky part is that you have to submit the request from the DC itself in order to make LDAPS work, because that is what puts the private key into the DC's machine certificate store.
In some cases it can take quite a while to obtain a certificate, so you want to submit the request well ahead of time, possibly so far ahead that you don't even have the hardware yet when the request has to be sent.
A workaround is to submit the request from another machine, any other machine, as long as you build the request correctly (the DC's FQDN in the subject or SAN, the Server Authentication EKU, and an exportable private key). Once you get the certificate, install it on the requesting machine, export it together with its private key (PFX), and finally import it into the new DC's machine store. Treat the PFX as a credential: protect it with a strong password, and delete both the file and the key on the requesting machine once the DC has it.
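The workaround as a script, added here as an example and not part of the original post. The first function runs on any domain-joined staging machine to build the request, the second runs there after the CA returns the certificate, and the third runs on the new DC. The DC name, file paths and the CA's turnaround are assumptions; the PFX password is prompted for, never hard-coded. Export-PfxCertificate/Import-PfxCertificate need Windows 8 / Server 2012 or later.

```powershell
function New-LdapsRequest {
    # Build the CSR on a staging machine.  Exportable=TRUE is what makes the
    # "request elsewhere, move later" trick possible; the DC's FQDN goes in CN and SAN.
    param([Parameter(Mandatory)][string]$DcFqdn, [string]$Out = "$env:TEMP\$DcFqdn")
    @"
[NewRequest]
Subject = "CN=$DcFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$DcFqdn"
"@ | Set-Content -Path "$Out.inf" -Encoding ASCII
    certreq -new "$Out.inf" "$Out.csr"
    "$Out.csr"   # send this to the CA admin
}

function Export-LdapsPfx {
    # On the staging machine once the CA has issued the cert: bind, export with key, remove.
    param([Parameter(Mandatory)][string]$DcFqdn, [Parameter(Mandatory)][string]$IssuedCer, [Parameter(Mandatory)][string]$PfxPath)
    certreq -accept $IssuedCer | Out-Null     # marries the cert to the private key in the staging machine's store
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$DcFqdn" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    $pwd = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pwd | Out-Null
    Remove-Item -Path $cert.PSPath -DeleteKey   # nothing on the staging host needs this key any more
    $PfxPath
}

function Install-LdapsPfx {
    # On the new DC: import into the machine store (non-exportable by default) and sanity-check
    # the two things KB 321051 requires, the Server Authentication EKU and the DC's name.
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][string]$DcFqdn)
    $pwd  = Read-Host -AsSecureString -Prompt 'PFX password'
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pwd
    $eku  = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
    $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = [bool]$eku
        NameMatches   = ($cert.Subject -eq "CN=$DcFqdn") -or ($san -match [regex]::Escape($DcFqdn))
    }
}
```

After the import, LDAPS comes up on the next certificate store refresh or reboot; test with ldp.exe, port 636, SSL ticked. Importing without -Exportable on the DC means the key cannot leave the DC again, which is the state you want once the workaround is done.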
Jan 22, 2012
Attempt to remove glue record on delegated zone crashes DNS console
- Windows 2008 R2
- 2 domains, parent and child
- 2 DNS zones respectively, the child zone delegated from the parent zone
- Connect to the parent DNS server: a wrong IP is listed for a name server in the delegated zone's properties window
- When you try to remove or edit it, after the confirmation the MMC freezes
A few other people have had the same issue; it seems to be a bug as far as I can see.
Resolution:
- ADSIedit, connect to the parent DNS server (the partition that stores the parent zone)
- Drill down to the delegated zone's node
- In the right-hand pane, find the name server in question and remove the wrong IP from its "dnsRecord" attribute (switch the value view to decimal to see which entry holds the wrong IP)
Update Nov 20, 2012:
Never mind the above, I found a hotfix http://support.microsoft.com/kb/2581690 that is exactly for this bug. This KB was published in 2011, I wonder why I didn't find it earlier - I consider myself an expert finding KBs :-). Not to mention why the Microsoft engineer I worked with didn't find this either.
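The check both this post and the Nov 20, 2012 replication post above boil down to, as an added example that is not code from either post: compare the glue addresses held in the parent zone's delegation (the Name Servers tab) with what each child name server actually resolves to, and rewrite a stale one without opening the DNS console. It uses the DnsServer module (Windows Server 2012 or RSAT); the zone and server names are assumptions.

```powershell
Import-Module DnsServer
$ParentServer = 'dc1.corp.example'   # DNS server hosting the parent zone (assumed)
$ParentZone   = 'corp.example'
$ChildZone    = 'emea'               # delegated as emea.corp.example (assumed)

function Test-ZoneDelegationGlue {
    # One row per NS in the delegation: the glue the parent hands out vs. the real address.
    param([string]$Server, [string]$Zone, [string]$Child)
    $del = Get-DnsServerZoneDelegation -ComputerName $Server -Name $Zone -ChildZoneName $Child
    foreach ($ns in $del.NameServer.RecordData.NameServer) {
        $nsName = $ns.TrimEnd('.')
        # Glue A records stored with the delegation in the parent zone (HostName may be FQDN or relative)
        $glue = @($del.IPAddress | Where-Object {
                    $h = $_.HostName.TrimEnd('.')
                    $_.RecordType -eq 'A' -and ($h -eq $nsName -or "$h.$Zone" -eq $nsName)
                 } | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
        # What the name server is really reachable as (answered from the child zone itself)
        $real = @([System.Net.Dns]::GetHostAddresses($nsName) |
                  Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString })
        [pscustomobject]@{
            NameServer = $nsName
            GlueIPs    = $glue -join ','
            ActualIPs  = $real -join ','
            Stale      = @($glue | Where-Object { $_ -notin $real }) -join ','
        }
    }
}

function Repair-ZoneDelegationGlue {
    # Rewrites the delegation entry for one name server with the address the host really has.
    param([string]$Server, [string]$Zone, [string]$Child, [string]$NameServer, [ipaddress]$IPAddress)
    Set-DnsServerZoneDelegation -ComputerName $Server -Name $Zone -ChildZoneName $Child `
        -NameServer $NameServer -IPAddress $IPAddress -PassThru
}

$report = Test-ZoneDelegationGlue -Server $ParentServer -Zone $ParentZone -Child $ChildZone
$report | Format-Table -AutoSize
foreach ($r in ($report | Where-Object { $_.Stale })) {
    $good = ($r.ActualIPs -split ',')[0]
    Repair-ZoneDelegationGlue -Server $ParentServer -Zone $ParentZone -Child $ChildZone -NameServer $r.NameServer -IPAddress $good
}
```

Run the test part after every child DC promotion, demotion or re-addressing; dcpromo updates the child zone but not the parent's delegation, which is exactly how the stale glue in both posts came about.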
Dec 19, 2011
Largest Delta? What is it?
Short version: typically you don't have to pay attention to this stat. As long as the number of "fails" is zero, AD replication is healthy.
Note: when you have replication failures and subsequently remedy the problem, the number of "fails" in the "replsummary" report is not going to drop to zero right away. The report is a snapshot of history, so it takes a bit of time for all fails to disappear.
The repadmin /replsummary result is simple, but somewhat confusing. A few notes:
- If you don't specify /bysrc or /bydest, it lists status for both directions. You want to pay attention to the Destination DSA table, as AD replication is pull-based.
- The most critical column is "fails". If there are no fails, obviously you don't have much to worry about.
- The most confusing column is "largest delta". It is a common misunderstanding (on the net at least) that the value in this column should be less than 1 hr. However, depending on how large your AD environment is, and how frequently changes happen in a particular naming context, the value in this column can be very large (days).
- Microsoft's official interpretation of "largest delta" is "the longest replication gap among all replication links for a particular DC", which is not really helpful. I personally had a hard time understanding this interpretation itself.
- The value is, for the particular DC, across all its replication partners and all naming contexts, the longest time since the last successful replication on any one link (now minus the oldest "last success" timestamp). It has to be read together with the /showrepl output for that DC, which shows which partner and which NC that gap belongs to.
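Computing "largest delta" and "fails" yourself, from the same per-link metadata repadmin reads, as an added example that is not part of the original post. Doing it this way shows which partner and naming context the largest delta actually belongs to, which is what /replsummary leaves you to look up in /showrepl. The 24-hour warning threshold is an assumption; DC names come from the domain.

```powershell
Import-Module ActiveDirectory

function Get-ReplSummary {
    param([int]$WarnHours = 24)   # tolerated gap for rarely changing NCs (assumed)
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One entry per (partner, partition) inbound link, the same rows "repadmin /showrepl" prints
        $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition '*' -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $links) {
            [pscustomobject]@{ DC = $dc.HostName; LargestDelta = $null; FromPartner = $null; Partition = $null; Fails = $null; Note = 'unreachable' }
            continue
        }
        $deltas = foreach ($l in $links) {
            [pscustomobject]@{
                Partner   = ($l.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
                Partition = $l.Partition
                # "delta" = time since the link last replicated successfully; never = infinite
                Delta     = $(if ($l.LastReplicationSuccess) { $now - $l.LastReplicationSuccess } else { [timespan]::MaxValue })
                Fails     = $l.ConsecutiveReplicationFailures
                LastError = $l.LastReplicationResult          # 0 = success
            }
        }
        $worst = $deltas | Sort-Object Delta -Descending | Select-Object -First 1
        $maxFails = ($deltas.Fails | Measure-Object -Maximum).Maximum
        [pscustomobject]@{
            DC           = $dc.HostName
            LargestDelta = $worst.Delta.ToString('d\.hh\:mm\:ss')
            FromPartner  = $worst.Partner
            Partition    = $worst.Partition
            Fails        = ($deltas | Measure-Object Fails -Sum).Sum
            Note         = $(if ($maxFails -gt 0) { 'FAILING: fix this first' }
                             elseif ($worst.Delta.TotalHours -gt $WarnHours) { 'large gap but no failures: probably a quiet NC' }
                             else { 'ok' })
        }
    }
}

Get-ReplSummary | Sort-Object Fails, LargestDelta -Descending | Format-Table -AutoSize
```

A large delta with zero failures on a naming context that rarely changes (a quiet application partition, a small child domain) is the normal case the post describes; the row to act on is the one where Fails is non-zero, whatever its delta says.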
Nov 1, 2011
How to troubleshoot account lockout issue
[Note] The event IDs below are for Windows 2003 DCs; the Windows 2008 equivalents are given in brackets where known.
[Edit Feb 14/2012] The full list of audit events in Windows 2008 can be downloaded here, see also KB947226.
Please read up on the difference between "Account Logon" events (credential validation, logged on the DC that validates them) and "Logon/Logoff" events (session creation, logged on the machine being logged on to) first.
- First, use LockoutStatus.exe to find the initial authenticating DC and the time of the logon attempt. More often than not the PDC emulator is not the initial authenticating DC; it shows the same event IDs merely because the other DCs check with the PDC for the latest password before rejecting a logon.
- Then go to the authenticating DC and check its Security log. Pinpoint the entries using the time identified by LockoutStatus.
- We are looking for event ID 675 (4771 in Windows 2008), Kerberos pre-authentication failed; the Client Address in it is the offending machine that sent the bad passwords.
- The failure code in event 675 is the Kerberos error code (full list here):
- 0x18: wrong password (KDC_ERR_PREAUTH_FAILED)
- 0x12: logged after the fact, once the account is already locked (KDC_ERR_CLIENT_REVOKED)
- Logon type, as recorded in the Logon/Logoff failure events (529 in 2003, 4625 in 2008):
- 2: interactive
- 3: network
- 5: service
- 10: remote interactive
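The hunt above as a script, added here as an example and not part of the original post. It asks the PDC emulator for the lockout event (4740, whose "Caller Computer Name" is the source as the PDC saw it), then pulls the bad-password events for the account from every DC, both Kerberos pre-authentication failures (4771, with the 0x18/0x12 codes from the post) and NTLM credential validations (4776), and tallies them by DC, protocol, source and code. Event IDs are the Windows 2008 ones; the user name and the 24-hour look-back are assumptions.

```powershell
Import-Module ActiveDirectory

function Find-LockoutSource {
    param([Parameter(Mandatory)][string]$User, [int]$LookBackHours = 24)
    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddHours(-$LookBackHours)

    function Read-Data($ev) {
        # EventData <Data Name="..."> pairs -> hashtable
        $d = @{}; foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }; $d
    }

    # Step 1: the lockout itself.  Only the PDC emulator logs 4740, whichever DC saw the bad passwords.
    # In 4740, TargetDomainName carries the "Caller Computer Name"; it can be empty for some protocols.
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Read-Data $_
            if ($d.TargetUserName -eq $User) { [pscustomobject]@{ LockedAt = $_.TimeCreated; CallerComputer = $d.TargetDomainName } }
        }
    $lockouts | Format-Table -AutoSize

    # Step 2: the bad-password events on each DC.
    #   4771 Kerberos pre-auth failed: Status 0x18 = wrong password, 0x12 = already locked/disabled; IpAddress = client
    #   4776 NTLM validation:          Status 0xC000006A = wrong password, 0xC0000234 = locked; Workstation = client
    $hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Read-Data $_
            if ($d.TargetUserName -ne $User) { return }
            [pscustomobject]@{
                DC     = $dc
                Time   = $_.TimeCreated
                Proto  = if ($_.Id -eq 4771) { 'Kerberos' } else { 'NTLM' }
                Source = if ($_.Id -eq 4771) { $d.IpAddress -replace '^::ffff:', '' } else { $d.Workstation }
                Code   = $d.Status
            }
        }
    }
    $hits | Group-Object DC, Proto, Source, Code | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'DC/Proto/Source/Code'; e = { $_.Name } },
            @{ n = 'First'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
            @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
}

Find-LockoutSource -User 'jdoe'
```

The grouped output is what LockoutStatus plus a manual log search gives you: the DC that took the hits is the initial authenticating DC, and the source with the most 0x18 (or 0xC000006A) entries just before the lockout time is the machine still holding the old password.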