Ever confused by the "Account Logon" events and "Logon/Logoff" events in your Security Log? Read on.
[Edit: Dec 19, 2011]: This is applicable to Windows 2003. In Windows 2008, "account logon" is changed to "credential validation" to better reflect what it really is.
****************************************
This is a complete copy/paste from MSDN.
****************************************
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories?
The answer is actually pretty simple: we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.
Here's the low down on what is the difference between Logon/Logoff and Account Logon events, and how to decipher Account Logon events.
Sep 22, 2009
Sep 3, 2009
Backup and restore TCP/IP stack config using command line
netsh -c interface dump > ipconfig.txt
netsh -f ipconfig.txt
Apr 22, 2009
Jan 28, 2009
Change TSM client password on cluster
Or when there is more than one scheduler service.
On the active node, open command prompt
>dsmc -optfile="the opt file that you want to change"
>q se
>set password
Failover to second node, do the same.
Jan 15, 2009
Replacing a cert without losing existing cert in IIS
http://support.microsoft.com/kb/295281
Recently I ran into a problem when I tried to generate a CSR. The current cert in use was from VeriSign and we wanted to switch to Thawte. The problem was that the option "Replace current cert" was grayed out because the existing cert was still valid. The above KB is the perfect workaround.
Dec 30, 2008
How Outlook contact properties map to LDAP attributes
>>>>>>> Taken from OpenLDAP <<<<<<<<
. Outlook Field - LDAP Attribute(s) (1)
-----------------------------------
Summary
. Name - cn, display-name
. E-Mail Address - mail (2)
. Home Phone - homePhone
. Pager - officePager, pager (3)
. Mobile - mobile
. Personal Web Page
. Business Phone - telephoneNumber
. Business FAX - officeFAX, facsimileTelephoneNumber
. Job Title - title
Sep 22, 2008
VB applet that creates event logs on Windows 2000 servers
Recently I've been working on a monitoring solution, so I need a tool that can generate event logs to trigger the monitoring agent. There are a few tools in the MS Support Tools or Resource Kit Tools that can do this, but they all have some limitations. For example, some can only create logs for existing sources, while others can't create a log for an existing source/ID.
Blackhole routers and how they affect your AD environment
Recently I've been working on a Kerberos authentication issue with servers that connect to DCs via VPN. The servers can join the domain fine, users can log into the domain from these servers, and browsing domain resources seems to be no problem. However, one particular application always fails to get the AS ticket from the DC.
Apr 23, 2008
Apr 4, 2008
RPC troubleshooting basics
1. Verify the status and startup type of the following services on the server that gets the error:

Type of computer                              RPC service         RPC Locator service
Windows Server 2003-based domain controller   Started, Automatic  Stopped, Manual
Windows Server 2003-based member server       Started, Automatic  Stopped, Manual
Windows Server 2003-based standalone server   Started, Automatic  Stopped, Manual
Windows 2000 Server-based domain controller   Started, Automatic  Started, Automatic
Windows 2000 Server-based member server       Started, Automatic  Started, Manual
Windows 2000 Server-based standalone server   Started, Automatic  Stopped, Manual

If you make any changes to the RPC service or to the RPC Locator service settings, restart the computer, and then test for the problem again.
2. Verify that the following keys exist in the registry (the keys are grouped according to operating system).
Windows XP, Windows Server 2003 and Microsoft Windows 2000
Verify that the ClientProtocols key exists under the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc registry subkey and that the ClientProtocols entry contains at least the following five default values:

Name          Type    Data
ncacn_http    REG_SZ  rpcrt4.dll
ncacn_ip_tcp  REG_SZ  rpcrt4.dll
ncacn_nb_tcp  REG_SZ  rpcrt4.dll
ncacn_np      REG_SZ  rpcrt4.dll
ncacn_ip_udp  REG_SZ  rpcrt4.dll

3. Verify that DNS is working correctly.
4. Verify connectivity:
1) Ports greater than 1024 are not blocked (portqry)
2) No blackhole router in the network path (ping -f -l <size>)
3) Firewall/AV/backup software/NIC drivers etc.
4) There are ports available for RPC (netstat)
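As an added example (not from the post or from the KB article it summarizes), the following PowerShell script automates steps 1 and 2 of the list and the reachability part of step 4 on the local machine. The expected service states are the Windows Server 2003 member-server row of the table; the DC name passed to the port check is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the server that
# reports the RPC error. Expected values follow the Windows Server 2003
# member-server row of the table above; change them for a DC or Windows 2000.

$expectedServices = @{
    RpcSs      = @{ State = 'Running'; StartMode = 'Auto'   }   # "RPC service"
    RpcLocator = @{ State = 'Stopped'; StartMode = 'Manual' }   # "RPC Locator service"
}
$expectedProtocols  = 'ncacn_http', 'ncacn_ip_tcp', 'ncacn_nb_tcp', 'ncacn_np', 'ncacn_ip_udp'
$clientProtocolsKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'

# Step 1: service state and startup type. Get-WmiObject is used on purpose so the
# script also works on the Windows PowerShell versions found on 2003/2008 boxes.
function Test-RpcServices {
    foreach ($name in $expectedServices.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) { "MISSING    $name (service not installed?)"; continue }
        $want   = $expectedServices[$name]
        $ok     = ($svc.State -eq $want.State) -and ($svc.StartMode -eq $want.StartMode)
        $status = if ($ok) { 'OK' } else { 'MISMATCH' }
        '{0,-10} {1,-11} state={2,-8} start={3}' -f $status, $name, $svc.State, $svc.StartMode
    }
}

# Step 2: the five default ClientProtocols values, each pointing at rpcrt4.dll
function Test-RpcClientProtocols {
    if (-not (Test-Path $clientProtocolsKey)) { return "MISSING    key $clientProtocolsKey" }
    $key = Get-Item -Path $clientProtocolsKey
    foreach ($proto in $expectedProtocols) {
        $data = $key.GetValue($proto)
        if     ($null -eq $data)        { "MISSING    $proto" }
        elseif ($data -ne 'rpcrt4.dll') { "UNEXPECTED $proto = $data" }
        else                            { "OK         $proto = $data" }
    }
}

# Step 4, partial: can the RPC endpoint mapper (TCP 135) on the DC be reached at all?
# A timeout here points at a firewall or a blackhole router rather than at RPC itself.
function Test-RpcEndpointMapper {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 135, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            "OK         TCP 135 reachable on $ComputerName"
        } else {
            "FAIL       TCP 135 not reachable on $ComputerName within ${TimeoutMs}ms"
        }
    } catch {
        "FAIL       $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

Test-RpcServices
Test-RpcClientProtocols
Test-RpcEndpointMapper -ComputerName 'dc01.example.local'   # placeholder DC name
```

The three functions only report; they deliberately change nothing, because the KB's advice is to correct the service or registry settings by hand and then reboot before testing again.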
Mar 13, 2008
Beyond AdminSDHolder Object
Many people should know the AdminSDHolder object and what it does by now. It periodically checks protected groups' ACLs and reverts them if it finds them modified. This is a desirable feature (if you know how it works; otherwise you will really be surprised). However, beyond that, it's also tricky to get a user's permissions changed if he is a former member of a protected group.
For example, say John was a Domain Admin and later became a normal user. You will find that John's permissions still get reverted periodically. This is very hard to figure out if you don't know the history of John's account. To correct this, two things need to be done before permissions can be changed.
1. Change adminCount's value to 0
2. Enable "inheritance"
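The two steps above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is available and the caller may modify the account; the account name 'jdoe' is a placeholder. It first checks that the user really has left every protected group, because if not, SDProp will simply undo the change on its next cycle.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and rights on the user object. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Repair-FormerProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    $path = "AD:\$($user.DistinguishedName)"

    # Sanity check first: protected groups themselves carry adminCount=1. If the
    # account is still a direct member of one, SDProp is doing its job and this
    # "fix" would just be reverted. (Direct membership only; nested membership
    # would need a recursive group walk.)
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)' |
                 Select-Object -ExpandProperty DistinguishedName
    $stillProtected = $user.memberOf | Where-Object { $protected -contains $_ }
    if ($stillProtected) {
        throw "$SamAccountName is still in a protected group: $($stillProtected -join ', ')"
    }

    # Step 1: adminCount back to 0, as the post describes
    Set-ADUser -Identity $user -Replace @{ adminCount = 0 }

    # Step 2: re-enable inheritance. SetAccessRuleProtection($false, $true) means:
    # stop blocking inherited ACEs, and keep the explicit ACEs that SDProp stamped
    # on the object rather than dropping them.
    $acl = Get-Acl -Path $path
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # Report the resulting state so the change can be verified
    $after = Get-ADUser -Identity $SamAccountName -Properties adminCount
    New-Object PSObject -Property @{
        User               = $after.SamAccountName
        AdminCount         = $after.adminCount
        InheritanceBlocked = (Get-Acl -Path $path).AreAccessRulesProtected
    }
}

Repair-FormerProtectedUser -SamAccountName 'jdoe'
```

Running the report part alone (before the two Set calls) against a list of accounts with adminCount=1 is a cheap way to find other "former admin" accounts in the same state.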
Feb 14, 2008
Alternative Way To Recover Deleted Objects
The recommended way to recover a deleted user or group is through an authoritative restore. It's not always desirable, however. It requires you to take the DC offline, normally for longer than most businesses can tolerate, depending on how fast you can restore from backup.
With Windows 2003 AD, Microsoft provides another way to move tombstoned objects back to their original state, partially. Basically, you have to specify the "Return Deleted Objects" control in order to search deleted objects; you then remove the object's isDeleted attribute and replace its DN with the location you want the object to be in.
Side note: Controls are a mechanism, defined in the LDAP standard, for extending the LDAP protocol with functionality beyond standard LDAP while remaining compatible with other LDAP-compliant software. AD supports 22 controls, including the "Return Deleted Objects" control.
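The procedure above (search with the "Return Deleted Objects" control, then remove isDeleted and replace the DN) as an added PowerShell example that is not part of the original post. It uses System.DirectoryServices.Protocols directly so the control and the modify operation are visible rather than hidden behind a cmdlet. Server name, target OU and account name are placeholders; the caller needs the right to reanimate tombstones.

```powershell
# Added example, not from the original post. Placeholders: $Server, $TargetOu,
# and the account name used at the bottom.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstonedUser {
    param(
        [Parameter(Mandatory)][string]$Server,          # a DC, e.g. 'dc01.example.local'
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetOu         # DN the object is put back under
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()                                        # current Windows credentials

    # Base DN from RootDSE
    $root = New-Object System.DirectoryServices.Protocols.SearchRequest
    $root.DistinguishedName = ''
    $root.Filter = '(objectClass=*)'
    $root.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$root.Attributes.Add('defaultNamingContext')
    $baseDn = $conn.SendRequest($root).Entries[0].Attributes['defaultNamingContext'][0]

    # The account name goes into a filter, so escape RFC 4515 metacharacters first
    $safeName = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                                -replace '\(', '\28' -replace '\)', '\29'

    # Tombstones are invisible to a normal search; the "Return Deleted Objects"
    # control (OID 1.2.840.113556.1.4.417, ShowDeletedControl in .NET) reveals them.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest
    $search.DistinguishedName = $baseDn
    $search.Filter = "(&(isDeleted=TRUE)(sAMAccountName=$safeName))"
    $search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    [void]$search.Attributes.Add('lastKnownParent')
    [void]$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $entries = $conn.SendRequest($search).Entries
    if ($entries.Count -ne 1) {
        throw "expected exactly one tombstone for $SamAccountName, found $($entries.Count)"
    }
    $tombstoneDn = $entries[0].DistinguishedName

    # A tombstone DN looks like "CN=John Doe\0ADEL:<guid>,CN=Deleted Objects,...";
    # the original RDN is everything before the "\0ADEL:" marker.
    if ($tombstoneDn -match '^(.+?)\\0ADEL:') { $newDn = "$($Matches[1]),$TargetOu" }
    else { throw "unexpected tombstone DN: $tombstoneDn" }

    # The reanimation itself: one modify that deletes isDeleted and replaces
    # distinguishedName, exactly the two changes the post describes. Both must be
    # in the same request, which also has to carry the deleted-objects control.
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $tombstoneDn

    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($newDn)

    [void]$mod.Modifications.Add($delIsDeleted)
    [void]$mod.Modifications.Add($setDn)
    [void]$mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    [void]$conn.SendRequest($mod)
    $conn.Dispose()
    $newDn
}

Restore-TombstonedUser -Server 'dc01.example.local' -SamAccountName 'jdoe' `
                       -TargetOu 'OU=Users,DC=example,DC=local'
```

"Partially" in the post is the important caveat: only the attributes retained on the tombstone come back, the restored account is disabled, and its password has to be reset before anyone can use it.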
Sep 13, 2007
How to reset secure channel for DCs
This post is about resetting the secure channel between a domain controller and the PDC. The other kind of secure channel reset, far more common for most administrators, is between a member machine and AD, and is done with:
netdom reset /domain:YourDomainName
Instead of running the above command, many administrators simply disjoin and rejoin the domain. That should resolve the problem -*if*- it really is a secure channel issue. Disjoining/rejoining resets many other things along the way, so it is cleaner.
Now back to our topic. Resetting the secure channel of a DC should be done only when the problematic DC can't authenticate to the PDC. Symptoms include:
- "The target principal name is incorrect"
- \\IP\shared folder works but not \\computerName\share
- Replication fails but the network seems fine (all ports are open)
- Users get "access denied"
- Kerberos event 3 or 4
Step-by-step:
1. Identify the PDC:
netdom query fsmo
2. Disable the KDC service on the DC in question (the DC whose password you want to reset) and (don't forget to) reboot
3. On the DC in question, run
netdom resetpwd /server:PDC_name /userd:Domain\admin /passwordd:admin_pwd
4. Reboot again regardless of whether step 3 succeeded (if it failed, though, focus on why)
5. Enable and start the KDC
6. Verify whether this resolved the issue
7. (Optional) Even though it's not required, you are strongly encouraged to reboot the DC once more. Also, if the reset was done to troubleshoot replication issues, trigger a KCC cycle to regenerate the replication topology.
You can reset the secure channel as many times as you want, but it only resolves issues that are out-of-sync in nature (remember that computer accounts have passwords too and need to authenticate to each other). It won't help if you have an underlying network or DNS issue. And most AD issues are caused by misconfigured DNS, I should say!
In short, if you have a member server/workstation that doesn't seem to talk to the rest of the domain, reset the secure channel on that workstation. If you have a DC that doesn't replicate or doesn't talk to other DCs, reset that DC's secure channel. The commands used are quite different.
Edit (2011.11.05):
Similar to what you can do with member servers, if a DC's secure channel fails to reset, you can just demote it and promote it back. However, there are a few things to take into consideration before demoting:
- Is this DC holding any FSMO role? Can you still transfer the roles (most likely you can't, because of the failing secure channel)? Do you need to seize them?
- If you have to do a forced demote, remember to perform metadata cleanup
- Is this DC a DNS server? Remember to remove it from your zone's name server list. Also consider the impact on clients that use this server as their DNS server
- Any other services this DC provides?
May 16, 2007
escape apostrophe in ldap search filter in VBscript
It took me much time to figure out how to search a user whose name has "'"(apostrophe) inside. Basically you use another apostrophe to escape the apostrophe. Please see example:
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT distinguishedName FROM 'LDAP://dc=strongline,dc=home' WHERE objectCategory='user' AND cn ='D''Arcy, Who'"
REM ====>>>> use another apostrophe to escape one apostrophe. It's hard to see the difference between two apostrophes and a double quote sign; copy the code into an editor such as Notepad++ that displays code more clearly.
Set objRecordSet = objCommand.Execute
REM Walk the result set (loop added so the snippet runs end to end)
Do Until objRecordSet.EOF
    WScript.Echo objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop
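The post's point generalizes: a name that comes from input has to be escaped for whichever ADSI query dialect it is placed in, otherwise an apostrophe (or, in the LDAP dialect, a parenthesis or asterisk) either breaks the query or lets the caller rewrite it. The following PowerShell is an added example, not the post's code; it gives an escaper for each dialect, shows both query forms for the same CN, and runs the SQL-dialect form through ADO the way the post does. The search base is the post's own.

```powershell
# Added example, not the post's code. The search base 'LDAP://dc=strongline,dc=home'
# is taken from the post; the CNs at the bottom are constructed test inputs.

# SQL dialect (what the post uses): a quoted literal doubles embedded apostrophes.
function ConvertTo-AdoSqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    "'" + ($Value -replace "'", "''") + "'"
}

# LDAP dialect: RFC 4515 escaping of the filter metacharacters. Each character is
# mapped exactly once, so the backslash an escape produces is never re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $escape = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29' }
    $escape[[string][char]0] = '\00'                   # NUL
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($escape.ContainsKey($s)) { [void]$sb.Append($escape[$s]) }
        else                         { [void]$sb.Append($s) }
    }
    $sb.ToString()
}

# Both query texts for the same CN, so the two escapings can be compared side by side.
function New-UserQueryText {
    param([Parameter(Mandatory)][string]$Cn, [string]$Base = 'LDAP://dc=strongline,dc=home')
    New-Object PSObject -Property @{
        Sql  = "SELECT distinguishedName FROM '$Base' WHERE objectCategory='user' AND cn=" +
               (ConvertTo-AdoSqlLiteral $Cn)
        Ldap = "<$Base>;(&(objectCategory=user)(cn=" + (ConvertTo-LdapFilterValue $Cn) +
               "));distinguishedName;subtree"
    }
}

# Runs the SQL-dialect query through ADO exactly as the post's VBScript does.
function Find-UserDn {
    param([Parameter(Mandatory)][string]$Cn, [string]$Base = 'LDAP://dc=strongline,dc=home')
    $conn = New-Object -ComObject ADODB.Connection
    $conn.Provider = 'ADsDSOObject'
    $conn.Open('Active Directory Provider')
    $cmd = New-Object -ComObject ADODB.Command
    $cmd.ActiveConnection = $conn
    $cmd.Properties.Item('Page Size').Value   = 1000
    $cmd.Properties.Item('Searchscope').Value = 2      # ADS_SCOPE_SUBTREE
    $cmd.CommandText = (New-UserQueryText -Cn $Cn -Base $Base).Sql
    $rs = $cmd.Execute()
    $found = @()
    while (-not $rs.EOF) {
        $found += $rs.Fields.Item('distinguishedName').Value
        $rs.MoveNext()
    }
    $rs.Close(); $conn.Close()
    $found
}

(New-UserQueryText -Cn "D'Arcy, Who").Sql   # the apostrophe is doubled, as in the post
(New-UserQueryText -Cn "D'Arcy, Who").Ldap  # no escaping needed for an apostrophe here
(New-UserQueryText -Cn 'a)(cn=*').Ldap      # parentheses and asterisk neutralised
Find-UserDn -Cn "D'Arcy, Who"
```

The third output line is the one worth keeping in mind when a CN comes from a web form or a ticket: without ConvertTo-LdapFilterValue that value would close the cn clause and match every user.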
May 15, 2007
SMS Logs
Client side logs: Admin$\system32\ccm\logs
Site Server logs: SMSfolder\Logs
Management Point logs: SMS_CCM\Logs
if a MP is itself a client, the client side log will be in SMS_CCM
Tracue Utility is essential for watching SMS logs!