Oct 13, 2006
NetBIOS name resource types
| Number(h) | Type | Usage |
| 00 | U | Workstation service |
| 01 | U | Messenger service |
| 01 | G | Master Browser |
| 03 | U | Messenger service |
| 06 | U | Remote Access Server service |
| 1F | U | NetDDE service |
| 20 | U | File Server service |
| 21 | U | Remote Access Server client service |
| 22 | U | Exchange Interchange (MSMail Connector) |
| 23 | U | Exchange Store |
| 24 | U | Exchange Directory |
| 30 | U | Modem Sharing Server service |
| 31 | U | Modem Sharing client service |
| 43 | U | SMS Clients Remote Control |
| 44 | U | SMS Administrators Remote Control Tool |
| 45 | U | SMS Clients Remote Chat |
| 46 | U | SMS Clients Remote Transfer |
| 87 | U | Microsoft Exchange MTA |
| 6A | U | Microsoft Exchange IMC |
| BE | U | Network Monitor Agent |
| BF | U | Network Monitor Application |
| 03 | U | Messenger service |
| 00 | G | Domain Name |
| 1B | U | Domain Master Browser |
| 1C | G | Domain Controllers |
| 1D | U | Master Browser |
| 1E | G | Browser Service Elections |
| 1C | G | IIS |
| 00 | U | IIS |
Network issues that affect TCP/IP and RPC traffic across firewall or VPN after Windows 2003 SP1
After you install Windows Server 2003 Service Pack 1 (SP1), you may
experience issues that affect server-to-server communication for TCP/IP
traffic or remote procedure call (RPC) traffic across firewall or
virtual private network (VPN) products in rare and specific network
configurations.
Before carrying out any troubleshooting, check the following KBs:
Q899148 Some firewalls may reject network traffic that originates from
Windows Server 2003 Service Pack 1-based computers
Q898060 Installing security update MS05-019 or Windows Server 2003
Service Pack 1 may cause network connectivity between clients and
servers to fail
Sep 13, 2006
DFSR notes 1
- Basic: DFS Namespace and DFS Replication are totally separate things, despite the fact that they can and often do work together
- You configure DFSR to replicate physical folders, then publish them into namespaces
- You can't create a file under a DFS namespace? (Access denied.) However you can do so on the physical folders.
Answer: this is because a target folder can be created only on shared folders, and I granted Read only on those shared folders.
- You can add (associate) multiple target folders to one folder in a namespace. DFS Namespace will give you the chance to create an RG (you don't have to). You will be referred to one of the targets when accessing through the DFS namespace.
- Looks like we have to create the RG first and then create the namespace folder from it, or vice versa. We can't create both separately and then connect them.
- To configure one-way replication, we can disable one of the sending connections in the RG. However this is not recommended by Microsoft (see the Planning Guide). Instead, NTFS permissions should be used to control the replication direction.
- Domain controllers don't have to run R2. Servers that take part in replication or act as namespace servers do have to run R2. The R2 schema (version 31) is what is required.
End#
Aug 3, 2006
Virtual memory, physical memory, page file, and 32bit/64bit limitations
Despite the huge amount of documents available on the Net, there is still the same huge amount of misunderstanding of the above concepts.
Physical Memory: This is the easiest to understand. Read it as RAM.
Virtual Memory: Addressable space for the OS. It would be much more accurate to call it Virtual Space.
Page File: Due to the expense of RAM, we use disk space as an extension of physical memory.
Page: The allocation unit for memory.
Paging Out: When certain criteria are met, an occupied page in RAM is written to the page file to make space for another process. For example, when a page in RAM occupied by a process has not been accessed for a period of time, and another process requests space while there is no free space, paging out happens.
Paging In: When a process refers to a page that is not in RAM, the page is paged in.
4GB Virtual Memory Limit: All 32bit OSes have 4GB of Virtual Memory for their processes.
4GB Physical Memory Limit: All 32bit computers can address only 4GB of RAM if no other technology, such as PAE, is deployed.
A 32bit Windows OS running on 32bit hardware happens to have the same Virtual Memory limit and Physical Memory limit, but they are different limits.
Available Memory: It could be one of three things
- Space that is still not used by a process in its Virtual Memory
- Space that is still available in Physical Memory (RAM)
- Space that is still available in RAM + Page File
Most of the time, it means Available Physical Memory. But it could often refer to Available Virtual Memory. This is what becomes confusing.
/3GB Switch: By default, 32bit Windows divides the 4GB Virtual Space into two 2GB spaces, one for kernel mode, one for user mode. For applications, such as Exchange, that need a lot of space in user mode, you can specify the /3GB switch to increase the user mode space by 1GB by reducing the kernel mode space. This feature is available only on Windows 2000 Advanced Server and higher.
PAE: PAE is a technology to extend the RAM space that can be accessed by a 32bit CPU. It's similar to LBA in hard disks.
So as you can see, you may use up both Virtual Memory and Physical Memory. It could be very confusing as 1) not everyone understands memory management completely; 2) not all applications/OSes report memory allocation errors clearly. But there are a few things you REALLY need to remember:
- If you use up Virtual Memory (again, really it's a space resource only!), adding additional RAM won't help. Imagine that if a city is using up its phone numbers, it won't help to have more phones! The only solution will be either reducing the number of users or increasing the length of the phone numbers.
- If you use up Physical Memory, you can buy more RAM up to the hardware limit. If you have 4GB already on a 32bit computer, you are not getting any benefit from another 1GB of RAM (if PAE is not used).
- If you use up Physical Memory, do a little troubleshooting before rushing for more RAM. More often than not this is caused by a poorly coded program that leaks memory.
A few important performance counters:
- Memory, Committed Bytes: memory that has been allocated for processes (either in RAM or in the page file)
- Memory, Pages Input/Sec: how many pages were read from the page file into RAM
- Memory, Pages Output/Sec: see above
- Memory, Available MBytes: how much free RAM
- Process, Working Set: The number of pageable memory blocks in a process' address space that were recently referenced (i.e. still in physical RAM). When a process references pageable memory that is not currently in its working set, a page fault occurs.
- Paging File, %pagefile in use: this is an indicator of whether your pagefile has a proper size. It should be 50-75% used.
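As an added example (not code from the original post), the following PowerShell samples the counters listed above with Get-Counter and reports them against the 50-75% page file band the post gives. Counter names are the English perfmon paths; "\Paging File(_Total)\% Usage" is the perfmon name of what the post calls "%pagefile in use", and the thresholds for free RAM and hard page faults are assumptions for illustration only.

```powershell
# Added example, not from the original post: sample the counters the post names
# and flag the conditions it describes. Thresholds other than the 50-75% page
# file band are assumed values for illustration.
function Get-MemoryCounterReport {
    param([int]$Samples = 3)

    $paths = @(
        '\Memory\Committed Bytes',        # virtual side: committed to processes (RAM + page file)
        '\Memory\Pages Input/sec',        # pages read into RAM to resolve hard page faults
        '\Memory\Pages Output/sec',       # pages written out of RAM to the page file
        '\Memory\Available MBytes',       # physical side: free RAM
        '\Process(_Total)\Working Set',   # pageable memory recently touched, i.e. resident
        '\Paging File(_Total)\% Usage'    # how full the page file is
    )

    # The /sec counters need more than one sample; average over $Samples seconds.
    $sets = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Samples
    $acc = @{}
    foreach ($set in $sets) {
        foreach ($cs in $set.CounterSamples) {
            # Get-Counter returns paths as \\HOST\object\counter; drop the host part.
            $key = $cs.Path -replace '^\\\\[^\\]+', ''
            if (-not $acc.ContainsKey($key)) {
                $acc[$key] = New-Object System.Collections.Generic.List[double]
            }
            $acc[$key].Add($cs.CookedValue)
        }
    }
    $avg = @{}
    foreach ($k in $acc.Keys) { $avg[$k] = ($acc[$k] | Measure-Object -Average).Average }

    $committedGB = $avg['\Memory\Committed Bytes'] / 1GB
    $availMB     = $avg['\Memory\Available MBytes']
    $pfUsage     = $avg['\Paging File(_Total)\% Usage']
    $pagesIn     = $avg['\Memory\Pages Input/sec']

    $findings = @()
    if ($pfUsage -lt 50) {
        $findings += "page file only $([math]::Round($pfUsage, 1))% used: probably oversized"
    } elseif ($pfUsage -gt 75) {
        $findings += "page file $([math]::Round($pfUsage, 1))% used: find the consumer before enlarging it"
    }
    if ($availMB -lt 256) {      # assumed threshold
        $findings += "only $([math]::Round($availMB)) MB of physical RAM free"
    }
    if ($pagesIn -gt 100) {      # assumed threshold
        $findings += "hard page faults at $([math]::Round($pagesIn)) pages/sec: RAM pressure"
    }

    [pscustomobject]@{
        CommittedGB       = [math]::Round($committedGB, 2)
        AvailableMB       = [math]::Round($availMB)
        PagesInPerSec     = [math]::Round($pagesIn, 1)
        PagesOutPerSec    = [math]::Round($avg['\Memory\Pages Output/sec'], 1)
        TotalWorkingSetGB = [math]::Round($avg['\Process(_Total)\Working Set'] / 1GB, 2)
        PageFilePctUsed   = [math]::Round($pfUsage, 1)
        Findings          = $findings
    }
}

Get-MemoryCounterReport | Format-List
```

CommittedGB is the virtual-side figure and AvailableMB the physical-side one; that is exactly the distinction the post draws, so a box with a large CommittedGB and a comfortable AvailableMB is running out of address space or page file, not RAM.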
Jul 12, 2006
why a locked out user can still unlock a workstation
This is because the unlock process checks only against the locally cached hash of the password. It doesn't do another logon with the DC. Please see
Account Passwords and Policies : ForceUnlockLogon section
Information About Unlocking a Workstation.
Screensaver Password Works Even If Account Is Locked Out.
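As an added example (not from the original post), the following PowerShell reads and sets the Winlogon value ForceUnlockLogon that the referenced KB section is about: when it is 1, an unlock goes through a full logon against the DC, so a locked-out account can no longer unlock the workstation from the cached hash. The registry path is the standard Winlogon key; the helper names are mine.

```powershell
# Added example, not from the original post: inspect and harden the unlock
# behaviour described above via HKLM\...\Winlogon\ForceUnlockLogon.
# 0 or absent = default (unlock is checked against the cached password hash)
# 1           = unlock requires a real logon to a DC (honours lockout)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ForceUnlockLogon {
    $item = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $prop = $item.PSObject.Properties['ForceUnlockLogon']
    if ($null -eq $prop) { return 0 }      # value absent: default behaviour
    return [int]$prop.Value
}

function Set-ForceUnlockLogon {
    param([ValidateSet(0, 1)][int]$Value)
    # DWORD so Winlogon reads it; needs an elevated prompt.
    Set-ItemProperty -Path $WinlogonKey -Name 'ForceUnlockLogon' -Value $Value -Type DWord
}

# Report the current state in words a helpdesk can act on.
switch (Get-ForceUnlockLogon) {
    1       { 'Unlock requires DC authentication: locked-out accounts cannot unlock.' }
    default { 'Unlock uses the cached password hash: a locked-out user can still unlock.' }
}
```

In a domain the same setting is delivered by the security option "Interactive logon: Require Domain Controller authentication to unlock workstation", which is the preferable way to roll it out; note that with it enabled a laptop that cannot reach a DC cannot be unlocked.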
Jun 2, 2006
How to identify what service is listening on what port?
Open a command prompt and type
Netstat -ano
This command outputs a list of all listening ports with their associated process IDs.
Now run
tasklist /svc
This will give you the service name that maps to a particular PID
Jul 13.
Further to the above, a "new" option, -b, is available in the netstat command after Windows 2003 SP1. It shows which image (executable) occupies which port.
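As an added example (not code from the original post), the following PowerShell joins the output of the two commands above: each LISTENING line from "netstat -ano" is matched by PID to the image name and to the services hosted in that process. Win32_Service is used in place of parsing "tasklist /svc" text; the function name is mine.

```powershell
# Added example, not from the original post: "netstat -ano" joined with the
# PID-to-service mapping so each listening port shows who owns it.
function Get-ListeningPortOwner {
    # PID -> image name, and PID -> service names (several services share one svchost.exe)
    $image = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $image[[int]$_.ProcessId] = $_.Name }
    $services = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $services.ContainsKey($p)) { $services[$p] = @() }
        $services[$p] += $_.Name
    }

    netstat -ano | ForEach-Object {
        $f = @($_.Trim() -split '\s+')
        # TCP lines: Proto LocalAddr ForeignAddr State PID; UDP lines have no State column
        if ($f[0] -notin 'TCP', 'UDP') { return }            # headers and blank lines
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { return }
        $ownerPid = [int]$f[-1]
        [pscustomobject]@{
            Proto    = $f[0]
            Local    = $f[1]
            Port     = [int]($f[1] -replace '^.*:', '')       # works for [::]:135 and 0.0.0.0:135
            PID      = $ownerPid
            Image    = $image[$ownerPid]
            Services = ($services[$ownerPid] -join ',')
        }
    }
}

Get-ListeningPortOwner | Sort-Object Proto, Port | Format-Table -AutoSize
```

A listener whose Image is not a known system binary, or a svchost.exe PID with no service mapped to it, is the line to look at first when reviewing a server's exposure.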
May 9, 2006
DFS, FRS, DFSR
- FRS is a service for replication files between servers
- DFS is a service to maintain shared namespaces between servers. It provides both a unique namespace and referrals, so users can access shared folders through the unique namespace without having to know where the resources are
- DFS is NOT responsible for replication. Synchronization between different link targets can be achieved by using FRS, manual copy (robocopy etc.) or third-party tools
- The Sysvol folder on DCs is replicated using FRS
- In Windows 2003 R2, DFSR, DFS's own replication service, replaces FRS (or any other replication service) to sync the folders/files
- FRS is not designed for replicating big files or huge amounts of data
Apr 24, 2006
How to control remote desktop permissions
There are 3 ways to control who can have remote access via RDP/Terminal Services:
1. Add/remove users to/from the Remote Desktop Users group. This is the recommended way;
2. Define "Allow log on through Terminal Services" in security policy;
3. Terminal Services Configuration/Connections/The connection you want to change/Properties/Security/Advanced
Grant or clear permissions here. To enable remote login, a user needs at least the following permissions: Query Information, Logon, and Connect.
By default, administrators can log into a DC remotely; administrators and Remote Desktop Users can log into a non-DC machine remotely.
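As an added example (not from the original post), the following PowerShell audits the first two controls listed above on the local machine: who is in the Remote Desktop Users group, and which accounts hold "Allow log on through Terminal Services". The user right is exported with secedit, where it appears under its internal name SeRemoteInteractiveLogonRight; the function names are mine and the export needs an elevated prompt.

```powershell
# Added example, not from the original post: audit the two recommended RDP
# access controls on this machine.
function Get-RemoteDesktopUsersMember {
    # WinNT provider works on standalone and domain-joined machines alike.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($m in $group.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Get-RemoteInteractiveLogonRight {
    # secedit exports the effective local policy, i.e. including what GPO applied.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                      # right granted to nobody

    # Line format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $e                                          # already a name
        }
    }
}

'Members of Remote Desktop Users:'
Get-RemoteDesktopUsersMember
'Accounts holding "Allow log on through Terminal Services":'
Get-RemoteInteractiveLogonRight
```

The two lists should agree with what you expect: an account that appears in the user right but not in the group (or in neither but can still connect via the third, per-connection permission method) is a sign someone has worked around the recommended path. On later Windows versions the right is labelled "Allow log on through Remote Desktop Services" but keeps the same internal name.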
Apr 17, 2006
Kerberos, SPN, ktpass, and AD interoperability with Non-windows clients
A good understanding of Kerberos is required before reading this post.
First of all, the SPN is used to identify/locate a service.
Second of all, interoperability could mean any of the following 4 things:
1) An AD account can log into the AD domain from a non-Windows box;
2) A service running on a non-Windows box can leverage AD to authenticate its clients using Kerberos;
3) An AD account can log into an MIT Kerberos 5 realm from its AD domain;
4) A trust relationship between an AD domain and a Kerberos realm.
We will discuss 2) only in this post.
When a client wants to use Kerberos as its authentication method, it has to know the name of the service it seeks and the host that provides the service, in order to compose an SPN in its service ticket request.
On the server side, of course, the SPN(s) should be registered properly.
When the KDC gets a Service Ticket Request from a client, it extracts the SPN from the request and locates the server in its database (in the Windows world, AD) based on the SPN. The KDC then prepares the ticket, encrypts it with the resource server's master key or the service account's master key, and returns the ticket to the client.
Now the client presents the ticket to the resource server. The resource server is able to decrypt the ticket because the ticket is encrypted with its master key (or the host has the service account's master key). Finally the service will or will not be provided based on the analysis of the client's token.
If the resource server is a non-Windows box, it will not have an account in AD, nor does it have a master key. That is where ktpass comes into play. First, we create an account to represent this non-Windows box in AD. Second, we register the SPN(s) against this account. Third, we generate the master key and transfer it to the non-Windows box so it can use it later to decrypt tickets.
Note: A master key is a hash of an account's password. It's stored both in AD and locally on a Windows box. On a non-Windows box, it's in a type of file called a keytab.
To perform the second and third tasks, run ktpass as follows:
ktpass -princ fakedServiceName/fakedMachineName@ad.domain.name.COM -mapuser adDomainNetBiosName\theAccnt4unixBox -pass pwdOfTheUnixBox -out c:\keyTabfileToBeTransferedToUnixBox.keytab
What the above command does is to
1) register the SPN fakedServiceName/fakedMachineName@ad.domain.name.COM on the account theAccnt4unixBox;
2) generate a keytab file that can be transferred to the non-Windows box later;
3) enable the account option "Use DES encryption types for this account".
The option in item 3) has to be enabled because AD supports only DES-CBC-CRC and DES-CBC-MD5 encryption. For the same reason, non-Windows clients should use only the above 2 types as their Kerberos ticket encryption type. For the Sun Java client, it can be specified in the krb5.conf or krb5.ini file.
So whenever cross-platform Kerberos authentication doesn't work, it's good to check the following:
1) Is the environment set up properly? For example, is the SPN registered? Is your network letting Kerberos traffic through?
2) Does the corresponding user account in AD have the "DES" option enabled? If you have just enabled the option, you need to reset the password and generate a new keytab file.
3) If you change the password, a new keytab file will need to be generated and merged into the non-Windows box again.
4) What is configured in krb5.conf (or krb5.ini)? This link explains some basic settings
5) If all the above didn't yield good results, a network trace will be very helpful.
Side notes:
1) To set up a Windows workstation for an MIT Kerberos 5 realm, use ksetup
2) Keywords: "KDC has no support for encryption type (14)", "KRB5KDC_ERR_ETYPE_NOSUPP", unix, "active directory"
3) A keytab file can be created either on the unix host (such as with "net ads keytab create") or on the DC (ktpass)
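As an added example (not from the original post), the following PowerShell checks items 1) and 2) of the troubleshooting list above for the account that represents the non-Windows host: whether the expected SPN is registered on it and whether "Use DES encryption types for this account" is set. The account name and SPN defaults are the placeholders from the ktpass line in the post; the flag is userAccountControl bit 0x200000 (USE_DES_KEY_ONLY), and the function name is mine. Note that AD stores the SPN without the @REALM suffix that ktpass -princ takes.

```powershell
# Added example, not from the original post: verify the AD side of the ktpass
# setup described above. Defaults are the placeholder names from the post.
function Test-KerberosServiceAccount {
    param(
        [string]$SamAccountName = 'theAccnt4unixBox',                    # placeholder
        [string]$ExpectedSpn    = 'fakedServiceName/fakedMachineName'    # placeholder, no @REALM
    )
    $UseDesKeyOnly = 0x200000      # userAccountControl flag behind the "DES" checkbox

    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if ($null -eq $r) { throw "Account '$SamAccountName' not found in the current domain" }

    $uac  = [int]$r.Properties['useraccountcontrol'][0]
    $spns = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })

    # A second account carrying the same SPN makes the KDC pick an arbitrary key;
    # that shows up as KRB_AP_ERR_MODIFIED on the client, so report it too.
    $dup = [adsisearcher]"(&(servicePrincipalName=$ExpectedSpn)(!(sAMAccountName=$SamAccountName)))"
    $null = $dup.PropertiesToLoad.Add('distinguishedName')
    $others = @($dup.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })

    [pscustomobject]@{
        Account        = $SamAccountName
        DesEnabled     = (($uac -band $UseDesKeyOnly) -ne 0)
        SpnRegistered  = ($spns -contains $ExpectedSpn)
        AllSpns        = $spns
        DuplicateSpnOn = $others
    }
}

Test-KerberosServiceAccount | Format-List
```

DesEnabled false or SpnRegistered false points at item 2) or 1) respectively; remember that after turning the DES option on, the password has to be reset and the keytab regenerated, as the post says. The DES-only advice reflects 2006: Windows 7 / Server 2008 R2 and later disable DES by default, and current deployments use AES keys instead (ktpass /crypto AES256-SHA1), with the matching enctype in krb5.conf.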
Mar 21, 2006
How often intrasite replication happens?
In Windows 2000 AD, once a DC gets a modification, it sends out a notification to its closest replication partner 5 minutes later, and sends the subsequent notifications to the other replication partners with a 30-second pause between them.
If you change the forest level to Windows 2003, the numbers change to 15 seconds and 3 seconds respectively.
These values are stored in the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause after modify (secs)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause between DSAs (secs)
In AD, you can find the values on the cross-reference object for each directory partition in the Configuration container:
DSReplicationNotifyFirstDSADelay
DSReplicationNotifySubsequentDSADelay
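As an added example (not from the original post), the following PowerShell reads both places the post names: the two registry values on the local DC, and the per-partition attributes on the crossRef objects in the Partitions container of the Configuration naming context. It assumes the LDAP display names msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay correspond to the two display names listed above; the function name is mine. A value that is absent in the registry means the built-in default for the forest level applies.

```powershell
# Added example, not from the original post: show the intrasite notification
# delays from the registry (this DC) and from the crossRef objects (per partition).
function Get-ReplicationNotifyDelay {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $fromRegistry = [pscustomobject]@{
        Source        = 'registry (this DC)'
        Partition     = '(all)'
        FirstDelaySec = $reg.'Replicator notify pause after modify (secs)'    # $null = default
        SubsequentSec = $reg.'Replicator notify pause between DSAs (secs)'    # $null = default
    }

    $root       = [ADSI]'LDAP://RootDSE'
    $configNC   = [string]$root.configurationNamingContext
    $partitions = [ADSI]"LDAP://CN=Partitions,$configNC"
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions, '(objectClass=crossRef)')
    $null = $searcher.PropertiesToLoad.AddRange(@(
        'nCName', 'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay'))

    $fromAd = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            Source        = 'crossRef'
            Partition     = [string]$p['ncname'][0]
            FirstDelaySec = $(if ($p['msds-replication-notify-first-dsa-delay'].Count) {
                                [int]$p['msds-replication-notify-first-dsa-delay'][0] } else { $null })
            SubsequentSec = $(if ($p['msds-replication-notify-subsequent-dsa-delay'].Count) {
                                [int]$p['msds-replication-notify-subsequent-dsa-delay'][0] } else { $null })
        }
    }
    @($fromRegistry) + $fromAd
}

Get-ReplicationNotifyDelay | Format-Table -AutoSize
```

Seeing the registry values set on only one DC is worth a second look: a per-DC override silently changes how quickly a change (a password reset, a group membership removal) reaches the other DCs in the site.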
Feb 12, 2006
Mailbox-enabled account, mail-enabled account, mail-enabled contact, vs. distribution list
New users to Exchange (or AD) are more often than not confused by the above recipient types. Below is a brief explanation.
- Mailbox-enabled User: fully functional object in AD/Exchange. Can send/receive email using the local Exchange org, has a SID and access to domain resources, and has a mailbox on the local Exchange server
- Mail-enabled User: has an external email address only, so can send/receive email only externally. Can be seen in the GAL. Has a SID and access to domain resources
- Mail-enabled Contact (or just Contact): Same as a Mail-enabled User but lacks a SID, therefore doesn't have access to domain resources
- DL: A security group or distribution group with an email address. If it's for email purposes only, make it a distribution group.
This is very basic knowledge for whoever works on Exchange/AD, but I was amazed by the number of people who didn't know it.
Jan 17, 2006
A time consuming case with a Kerberos error
Situation:
==========
Two-DC domain.
PDC failed due to hard disk corruption, and Exchange stopped. After that the customer tried to seize all FSMO roles but failed. (Side note: this was because he didn't have DNS on the BDC.)
Then what he did was to restore the BDC from a cloned image and change the time back to the date when the image was made.
Still the Exchange services failed to start. So he built a brand new forest + Exchange and that ran properly.
Goal
====
Now he wanted to get the old mails back.
Troubleshooting
===============
1. Created DNS and verified that all records were registered correctly
2. Exchange services still couldn't start
3. Netdiag reported:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc.xxx.com (192.168.231.104). [SEC_E_WRONG_PRINCIPAL]
System Log reported:
Event ID : 4
Raw Event ID : 4
Category : None
Source : Kerberos
Type : Error
Generated : 2005-12-6 0:43:43
Written : 2005-12-6 0:43:43
Machine : MAIL
Message : The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/dc.xxx.com. The target name used was ldap/dc.xxx.com/xxx.com@xxx.com. This indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (xxx.COM), and the client realm.
Please contact your system administrator.
5. Checked AD with an ldifde dump; there was not any duplicate machine account or service principal name whatsoever.
6. There were no duplicate A records in either the forward lookup zone or the reverse lookup zone
7. All reports on the DC were perfectly OK
8. Resetting the secure channel on the Exchange server was successful, but the problem persisted
9. Found that we could not open ADUC on the Exchange server, nor could we remotely connect to the DC using Event Viewer
10. Captured a network trace; the error was "krb5krb_ap_err_modified", which still pointed to duplicated machine accounts or SPNs. But we did not have any duplicates
*** What else, not correctly reported by all the above information, could be wrong? ***
11. Disjoined Exchange from the domain (in order to get a fresh computer account in the domain)
12. Got the error "target principal name incorrect" when we re-joined it
13. We got another copy of the network trace. In it we found
KERBEROS: Error code (error-code[6]) = Pre-authentication information was invalid
14. We tried everything we could think of, such as stopping antivirus, checking Stored User Names and Passwords, etc. No luck.
Resolution:
===========
15. Reset the secure channel for the DC itself. (Weirdly enough, the DC didn't report anything wrong even though there had been a secure channel issue!)
You can reset the password in a single-DC environment as follows:
nltest /sc_change_pwd:domain
or
netdom resetpwd /server:IPofDC ......(do NOT stop the KDC)
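As an added example (not from the original case notes), the following PowerShell automates the two checks that took longest above: it pulls Kerberos event ID 4 entries with KRB_AP_ERR_MODIFIED from the System log and extracts the server and target names from the message text, then searches AD for every account carrying the target SPN so a duplicate is found without reading an ldifde dump. The message regex matches the wording quoted in the event above and is an assumption for other Windows versions; the function names are mine.

```powershell
# Added example, not from the original post: detect KRB_AP_ERR_MODIFIED on a
# member server and check AD for duplicate owners of the SPN it names.
function Get-KerberosModifiedError {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 4; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -notmatch 'KRB_AP_ERR_MODIFIED') { continue }   # other Kerberos ID 4 texts
        # Wording as quoted in the case above; assumed for other OS versions.
        $server = $null; $target = $null
        if ($e.Message -match 'from the\s+server\s+(\S+)\.\s+The target name used was\s+(\S+)\.') {
            $server = $Matches[1]; $target = $Matches[2]
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Server = $server          # e.g. host/dc.xxx.com
            Target = $target          # e.g. ldap/dc.xxx.com/xxx.com@xxx.com
        }
    }
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # AD stores SPNs without the @REALM suffix that the event text carries.
    $bare = $Spn -replace '@.*$', ''
    # Search the whole forest via the GC: the event blames "identically named
    # machine accounts in the target realm and the client realm".
    $rootDomain = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"GC://$rootDomain", "(servicePrincipalName=$bare)")
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })
    [pscustomobject]@{
        Spn       = $bare
        Owners    = $owners
        Duplicate = ($owners.Count -gt 1)   # more than one owner: the KDC may use the wrong key
    }
}

$errors = @(Get-KerberosModifiedError)
$errors | Format-Table -AutoSize
foreach ($spn in ($errors.Target | Where-Object { $_ } | Sort-Object -Unique)) {
    Find-SpnOwner -Spn $spn | Format-List
}
```

An SPN with exactly one owner while the error persists is the situation in the case above: the name is unique, so the mismatch is between the key the KDC holds for that account and the key the server actually has, which is what resetting the machine account password (the secure channel) fixes.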
Dec 21, 2005
Group Policy Basics
Key Points
1. Group Policy is a mechanism to manage a wide range of settings from a central point
2. You can create multiple group policies, and you can link one group policy at different levels
3. You can link the same group policy to different places, and you can also link multiple policies to one place
4. Group policies linked at different levels have different precedence
5. Group Policy is applied in the order local, site, domain, OU, meaning a GPO that is linked to an OU has the highest priority
6. Besides the above precedence, the "No Override" and "Block Policy Inheritance" settings affect how group policy is applied
7. Group policy can be filtered by security group or by WMI filter
8. Under some special circumstances, you may want to enable "loopback processing".
9. IMPORTANT: do NOT unlink/remove the "Default Domain Policy" and "Default Domain Controllers Policy"
Account policy can be set either at domain level (AD environment) or at local level (workgroup). Account policies defined at any other level will not take effect for domain user accounts, but they will take effect for local user accounts on computers under that OU.
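To make the precedence rules in points 4 to 7 concrete, here is a small model of how a client works out its effective settings. This is an added example, not code from the original post or from Microsoft: the GPO names, settings, security groups and the Local/Site/Domain/OU chain are all constructed. It applies GPOs in local, site, domain, OU order (later wins), lets "Block Policy Inheritance" on an OU drop non-enforced GPOs linked above it, lets "No Override" GPOs win regardless, and skips GPOs whose security filtering does not match the user.

```python
"""Model of Group Policy precedence (local, site, domain, OU) with
"No Override" (enforced links), "Block Policy Inheritance" and security
group filtering. Added example, not code from the original post; the GPO
names, settings, groups and containers below are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                     # setting name -> value
    enforced: bool = False             # "No Override" on the link
    groups: frozenset = frozenset()    # security filtering; empty = everyone


@dataclass
class Container:
    name: str                          # "Local", "Site:HQ", "Domain:corp.local", "OU:Sales"
    gpos: list = field(default_factory=list)  # link order: index 0 = highest precedence
    block_inheritance: bool = False


def application_order(chain, user_groups=frozenset()):
    """chain is parent-before-child: local, site, domain, OU, sub-OU, ...
    Returns the GPOs in the order they are applied; for a setting defined
    by several GPOs, the one applied last wins."""
    # The lowest container with Block Policy Inheritance drops every
    # non-enforced GPO linked above it. The local GPO is not a link, so
    # it is never blocked.
    block_at = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            block_at = i
    normal, enforced = [], []
    for i, container in enumerate(chain):
        # Within one container the highest-precedence link is applied last.
        for gpo in reversed(container.gpos):
            if gpo.groups and not (gpo.groups & user_groups):
                continue               # filtered out by security group
            if gpo.enforced:
                enforced.append(gpo)
            elif i == 0 or i >= block_at:
                normal.append(gpo)
    # Enforced GPOs beat everything linked below them, and an enforced GPO
    # higher in the hierarchy beats one lower down, so they are applied
    # last, in reverse hierarchy order.
    return normal + list(reversed(enforced))


def resolve(chain, user_groups=frozenset()):
    """Return (effective settings, name of the GPO that won each setting)."""
    effective, winner = {}, {}
    for gpo in application_order(chain, user_groups):
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


def demo(user_groups=frozenset({"Sales"})):
    """Constructed hierarchy: the Sales OU blocks inheritance, but the
    domain's lockdown GPO is enforced and still wins for "usb"."""
    chain = [
        Container("Local", [GPO("LocalGPO", {"wallpaper": "local", "audit": "none"})]),
        Container("Site:HQ", [GPO("SiteGPO", {"screensaver": 10})]),
        Container("Domain:corp.local", [
            GPO("DomainLockdown", {"usb": "off"}, enforced=True),
            GPO("DefaultDomain", {"wallpaper": "domain", "pwdlen": 8}),
        ]),
        Container("OU:Sales", [
            GPO("SalesDesktop", {"wallpaper": "sales", "usb": "on"}),
            GPO("SalesMgrProxy", {"proxy": "mgr"},
                groups=frozenset({"Sales-Managers"})),
        ], block_inheritance=True),
    ]
    return resolve(chain, user_groups)


if __name__ == "__main__":
    settings, winners = demo()
    for key in sorted(settings):
        print(f"{key:12} = {settings[key]!s:8} (from {winners[key]})")
```

Running `demo()` shows the two rules that surprise people most: the site and default domain GPOs vanish entirely because the OU blocks inheritance, yet the enforced domain lockdown still overrides the OU's own "usb" setting. Changing the user's groups to "Sales-Managers" brings the filtered proxy GPO into play.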
References
==========
Dec 16, 2005
Setting Up An Exchange Infrastructure For Small Business Step By Step (Part II)
This post is removed as it's too lengthy. Anyone who is interested can email me for a copy. Thanks.
Nov 25, 2005
About Lingering Object
- What is a lingering object?
A lingering object is an object that exists only on a read-only GC but no longer on the writable DCs of the domain that contains the object. You can produce a lingering object as follows:
1) Suppose you have two domains, root.local and child.root.local
2) Take a GC in the root domain offline; let's say it is called gc.root.local
3) Remove a user account from child.root.local; let's say it's called poorGuy
4) Wait longer than the tombstone lifetime (60 days in Windows 2000, 180 days in Windows 2003)
5) Put the GC in the root domain back on the network
At this point, we still have poorGuy on gc.root.local. Because the deletion has already been garbage collected and replicated to all other DCs, gc.root.local is not going to delete poorGuy through replication. And because child.root.local is a read-only partition on gc.root.local, you can't delete poorGuy using the normal UI. poorGuy is now a lingering object on gc.root.local.
- How to remove lingering objects?
Lingering objects can cause a variety of issues, including email non-delivery, duplicates in the GAL, and blocked replication of a particular partition.
Q314282 has very detailed steps for removing lingering objects, but very few people get it right the first few times. The key points are:
1) Use the DSA GUID of a DC from the writable domain. In the above example, select a DC from child.root.local
2) Run the procedure on a GC that contains the lingering object
3) Make sure you delete leaf objects before parent objects
TIPS:
- If both source and destination DCs are Windows 2003, you can use the "repadmin /removelingeringobjects" option
- For an environment that has a lot of GCs, it's strongly recommended to use a script. Otherwise, before you finish removal on the last GC, the lingering object may already have been replicated back to the first GC.
- If you really want to use the manual procedure, you can disable inbound replication on each GC as soon as you finish removal on it. Once you finish removal on all GCs, you can enable inbound replication again. "repadmin /options +disable_inbound_repl"
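The five-step scenario above, and the comparison a removal tool has to make (what is on the GC's read-only copy versus what a writable DC of that domain still knows about), can be simulated in a few lines. This is an added example, not code from the original post or from any Microsoft tool: the DC names and the account poorGuy follow the post's scenario, and the replication model (a full mesh among online DCs, with deletions carried as tombstones that are garbage collected after the lifetime) is a deliberately simplified model of the real one.

```python
"""Simulation of how a lingering object arises (a tombstone expires while a
GC holding a read-only copy of the partition is offline) and how it is
detected by comparing the GC's copy with a writable DC of that domain.
Added example, not from the original post; DC names and the object names
are constructed to match the post's scenario."""


class DC:
    def __init__(self, name, writable):
        self.name = name
        self.writable = writable          # writable copy of the child partition?
        self.objects = set()
        self.tombstones = {}              # object name -> day it was deleted
        self.online = True

    def delete(self, name, day):
        # Deletions originate only on a DC holding a writable copy.
        assert self.writable, f"{self.name} is read-only for this partition"
        self.objects.discard(name)
        self.tombstones[name] = day

    def garbage_collect(self, day, lifetime):
        # Tombstones older than the lifetime are removed for good; after
        # that nothing is left to tell an absent partner about the deletion.
        self.tombstones = {n: d for n, d in self.tombstones.items()
                           if day - d <= lifetime}


def replicate(dcs):
    """Naive full-mesh replication among online DCs: every tombstone known
    to any online DC is applied (object removed) on every other online DC."""
    online = [dc for dc in dcs if dc.online]
    for src in online:
        for name, day in src.tombstones.items():
            for dst in online:
                if dst is not src:
                    dst.objects.discard(name)
                    dst.tombstones.setdefault(name, day)


def lingering_objects(gc, writable_dc):
    """Objects present on the GC's read-only copy that a writable DC of the
    domain neither holds live nor remembers as a tombstone."""
    return {o for o in gc.objects
            if o not in writable_dc.objects and o not in writable_dc.tombstones}


def scenario(lifetime=180, offline_days=181):
    """Steps 1-5 of the post: returns the set of lingering objects on the GC."""
    child_dc = DC("dc.child.root.local", writable=True)
    gc = DC("gc.root.local", writable=False)
    for dc in (child_dc, gc):
        dc.objects.update({"poorGuy", "luckyGuy"})
    gc.online = False                       # step 2: GC taken offline
    child_dc.delete("poorGuy", day=0)       # step 3: account removed
    replicate([child_dc, gc])               # the offline GC misses this
    for dc in (child_dc, gc):               # step 4: time passes
        dc.garbage_collect(offline_days, lifetime)
    gc.online = True                        # step 5: GC back on the network
    replicate([child_dc, gc])
    return lingering_objects(gc, child_dc)


if __name__ == "__main__":
    print("offline 181 days, lifetime 180:", scenario())
    print("offline 30 days, lifetime 180: ", scenario(offline_days=30))
```

The contrast between the two calls at the bottom is the whole point: if the GC comes back within the tombstone lifetime the deletion still replicates and nothing lingers; one day past it, poorGuy survives on gc.root.local and only the comparison against a writable DC (the same comparison step 1 of the removal procedure sets up by naming a DSA GUID from child.root.local) reveals it.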
Nov 24, 2005
How to analyze "ntfrsutl ds" output
1. Please review "How FRS works" before reading this post. Read the report with a fixed-width font!
2. A DFS folder that doesn't participate in replication (in other words, a folder that has only one subscriber) won't appear in either the nTFRSReplicaSet object (under the System container) or the nTFRSSubscriptions object (under the computer object)
3. The first part of the output gives information such as which DC the configuration info was read from
4. The second part reads the computer object. From here you can see which replica sets this computer is a member of. [SUBSCRIBER section]
You can also see all the links in the same section, in the form "rootlink"
NOTE: Again, a root/link that is not replication-enabled will not appear under this section
5. The third part reads the information from the System container. It starts with a line that looks like "SETTINGS: DFSSETNAME", followed by the link names "SET: ROOTLINK"
The "MEMBER" subsection lets you know who the member servers are,
The "CXTION" subsection stands for "connection object", and tells you with whom this member server replicates
so it would look like:
SETTINGS: setName
    L___ SET: RootLink
         L___ MEMBER (link back to computer object)
              L___ CXTION: points to another MEMBER
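When a replica set has many members, reading this tree by eye is where mistakes happen, so here is a parser for the SETTINGS / SET / MEMBER / CXTION sketch above together with the sanity checks an administrator would run over it (sets with a single member, members with no connection object, connections pointing at a server that is not in the set). This is an added example, not code from the original post or from ntfrsutl: the sample text follows the post's sketch, not the exact formatting of real "ntfrsutl ds" output, and the server and set names are constructed.

```python
"""Parser and sanity checks for the SETTINGS/SET/MEMBER/CXTION tree sketched
in the post. Added example, not from the original post; SAMPLE is a
constructed text in the post's sketch format, not real ntfrsutl output."""
import re

# Leading whitespace, "L___" tree connectors and "|" guides are ignored;
# only the keyword and the name after the colon matter.
LINE = re.compile(r"^[\sL_|]*(SETTINGS|SET|MEMBER|CXTION):\s*(.+?)\s*$")

SAMPLE = """\
SETTINGS: DFS|PUBLIC
  L___ SET: PUBLIC|DOCS
       L___ MEMBER: SERVER1
            L___ CXTION: SERVER2
       L___ MEMBER: SERVER2
            L___ CXTION: SERVER1
  L___ SET: PUBLIC|TOOLS
       L___ MEMBER: SERVER1
            L___ CXTION: SERVER3
       L___ MEMBER: SERVER2
"""


def parse_ntfrs_tree(text):
    """Return {settings: {replica set: {member: [replication partners]}}}."""
    tree = {}
    settings = replica_set = member = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # headers, blank lines, other noise
        kind, name = m.groups()
        if kind == "SETTINGS":
            settings = tree.setdefault(name, {})
            replica_set = member = None
        elif kind == "SET":
            if settings is None:
                raise ValueError(f"SET {name!r} outside any SETTINGS block")
            replica_set = settings.setdefault(name, {})
            member = None
        elif kind == "MEMBER":
            if replica_set is None:
                raise ValueError(f"MEMBER {name!r} outside any SET block")
            member = replica_set.setdefault(name, [])
        elif kind == "CXTION":
            if member is None:
                raise ValueError(f"CXTION {name!r} outside any MEMBER block")
            member.append(name)
    return tree


def replication_issues(tree):
    """Things worth a second look before blaming FRS itself."""
    issues = []
    for sets in tree.values():
        for rs, members in sets.items():
            if len(members) < 2:
                issues.append(f"{rs}: only {len(members)} member, nothing replicates")
                continue
            for member, partners in members.items():
                if not partners:
                    issues.append(f"{rs}: {member} has no CXTION")
                for partner in partners:
                    if partner not in members:
                        issues.append(f"{rs}: {member} -> {partner} is not a member of the set")
    return issues


if __name__ == "__main__":
    parsed = parse_ntfrs_tree(SAMPLE)
    for settings, sets in parsed.items():
        for rs, members in sets.items():
            print(f"{settings} / {rs}: {members}")
    for issue in replication_issues(parsed):
        print("ISSUE:", issue)
```

On the constructed sample the DOCS set is healthy, while TOOLS shows both classic mistakes: SERVER1's connection object names SERVER3, which is not a member, and SERVER2 has no connection object at all.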
Nov 5, 2005
Setting Up An Exchange Infrastructure For Small Business Step By Step (Part I)
This post is deleted due to its length. Please email me for a copy if you are interested.
Aug 28, 2005
How does the DNS client work on a multi-homed Windows computer?
The resolver queries the DNS servers in the following order:
1. The resolver sends the query to the first server on the preferred adapter's list of DNS servers and waits for one second for a response.
2. If the resolver does not receive a response from the first server within one second, it sends the query to the first DNS server on all adapters that are still under consideration and waits two seconds for a response.
3. If the resolver does not receive a response from any server within two seconds, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.
4. If the resolver still does not receive a response from any server, it sends the query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.
5. If it still does not receive a response from any server, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
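The practical consequence of this sequence is the delay a user sees when the preferred adapter's first DNS server is dead: nothing on a second adapter is even asked until a second has passed, and a complete failure costs 1+2+2+4+8 = 17 seconds. The simulation below walks the five rounds and reports which server finally answered and how long the client waited. This is an added example, not code from the original post or from Windows: the adapter lists and addresses are constructed, and an answering server is assumed to answer instantly within its round.

```python
"""Simulation of the multi-homed Windows DNS resolver's query sequence.
Added example, not from the original post; adapters and addresses are
constructed, and a server that answers is assumed to answer instantly."""


def query_rounds(adapters):
    """adapters: list of DNS server lists, preferred adapter first.
    Returns [(servers queried in this round, seconds waited for a reply)]."""
    if not adapters or not adapters[0]:
        raise ValueError("the preferred adapter has no DNS server configured")
    first_on_each = [a[0] for a in adapters if a]
    all_servers = [s for a in adapters for s in a]
    return [
        ([adapters[0][0]], 1),   # 1. first server on the preferred adapter
        (first_on_each, 2),      # 2. first server on every adapter
        (all_servers, 2),        # 3. every server on every adapter
        (all_servers, 4),        # 4. same servers, longer wait
        (all_servers, 8),        # 5. last attempt
    ]


def resolve(adapters, responds):
    """responds(server) -> True if that server answers the query.
    Returns (answering server or None, seconds elapsed before the answer,
    or before the resolver gives up)."""
    elapsed = 0
    for servers, timeout in query_rounds(adapters):
        for server in servers:
            if responds(server):
                return server, elapsed
        elapsed += timeout
    return None, elapsed


def worst_case_seconds(adapters):
    """Time until the resolver gives up when no server ever answers."""
    return sum(timeout for _, timeout in query_rounds(adapters))


# Constructed example: a LAN adapter with two servers and a VPN adapter.
ADAPTERS = [["10.0.0.1", "10.0.0.2"], ["192.168.1.1"]]

if __name__ == "__main__":
    alive = {"10.0.0.2"}          # only the LAN's secondary server is up
    print(resolve(ADAPTERS, lambda s: s in alive))       # ('10.0.0.2', 3)
    print(resolve(ADAPTERS, lambda s: False))             # (None, 17)
    print(worst_case_seconds(ADAPTERS))                   # 17
```

Note how a live secondary server on the preferred adapter is still only reached in round 3, after three seconds, because rounds 1 and 2 ask only the first server of each adapter; that is the delay people misread as "the network is slow".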
Aug 16, 2005
Local computer SID, domain SID, and their implications
- Any computer that is not a DC has a local computer SID
- A DC doesn't have a local computer SID (or, viewed another way: a DC has a computer SID that is the same as the domain SID)
- Built-in users/groups have well-known SIDs that are identical in all environments
- Every other local user's SID = local computer SID + local RID
- Every other domain user/computer account's SID = domain SID + domain RID
- When you grant permissions to a local account, authorization is checked based on user name/password; it will never check the SID.
What this means is: if you assign permissions to user1 on computer1 against a shared folder, and on computer2 you happen to have a user with the same name and password, then user1 on computer2 will have access to the shared folder on computer1, which may not be desirable.
- When you grant permissions to a domain account, authorization is checked based on the domain account SID. What this means is, even if you have a user from a different domain, or from the local SAM, with the same user name and password, you will still not be able to access a resource you are not supposed to have permissions on, as your SID is different from the one listed.
Another implication is that, as a domain user, once you are granted some permission, you won't lose it even if you change your name/password.
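The SID arithmetic above (issuer SID plus RID) and its consequence for authorization can be checked with a small parser. This is an added example, not code from the original post or from any Windows tool: the computer SIDs, the domain SID, the RIDs and the account names are constructed; the well-known SIDs and RIDs listed (Everyone, Local System, BUILTIN\Administrators, BUILTIN\Users, RID 500/501/512/513) are the real well-known values.

```python
"""Parse Windows SIDs and show why authorization by SID differs from
authorization by name. Added example, not from the original post; the
computer SIDs, domain SID, RIDs and account names below are constructed."""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# A few well-known SIDs; identical on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known RIDs that every computer SID or domain SID issues.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def split_sid(sid):
    """For an account SID in the S-1-5-21 family return (issuer, RID), where
    issuer is the local computer SID or the domain SID. Otherwise (None, None)."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-" + "-".join(map(str, subs[1:4])), subs[4]
    return None, None


def account_sid(issuer, rid):
    """local user SID = computer SID + RID; domain account SID = domain SID + RID."""
    if split_sid(f"{issuer}-0") == (None, None):
        raise ValueError(f"not a computer or domain SID: {issuer!r}")
    return f"{issuer}-{rid}"


def describe(sid):
    """Human-readable classification of a SID."""
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    issuer, rid = split_sid(sid)
    if issuer is None:
        return "other SID"
    label = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
    return f"{label} issued by {issuer}"


def demo():
    """Two computers each have a local 'user1' (same name, same RID): the
    SIDs differ. Renaming a domain user keeps its SID, so its ACEs survive."""
    computer1 = "S-1-5-21-1111-2222-3333"     # constructed computer SID
    computer2 = "S-1-5-21-4444-5555-6666"     # constructed computer SID
    domain = "S-1-5-21-7777-8888-9999"        # constructed domain SID
    user1_on_c1 = account_sid(computer1, 1001)
    user1_on_c2 = account_sid(computer2, 1001)
    alice = {"name": "alice", "sid": account_sid(domain, 1105)}
    alice_renamed = dict(alice, name="alice.smith")   # rename keeps the SID
    return {
        "same_name_same_sid": user1_on_c1 == user1_on_c2,
        "rename_keeps_sid": alice["sid"] == alice_renamed["sid"],
        "user1_on_c1": describe(user1_on_c1),
    }


if __name__ == "__main__":
    for sid in ("S-1-5-32-544", "S-1-5-18", "S-1-5-21-1111-2222-3333-500"):
        print(sid, "->", describe(sid))
    print(demo())
```

The two booleans returned by `demo()` are the post's two implications in code: an ACL entry that names a SID can never be satisfied by a same-named account from another computer or domain, and a renamed domain account keeps every permission it was granted.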
=======
There are a few SID-related tools; they come either from the Support Tools or from the Resource Kit.
- getsid \\server1 account \\server2 account
Getsid was designed to compare SIDs between two accounts, so it requires two parameters: a source account and a target account. It's annoying when you simply want to know an account's SID, since you have to list the same account twice. You can put a domain name in place of server1 and server2.
When querying for a computer's SID, keep in mind that a computer account has a $ sign at the end.
Example: get the SID for your computer:
getsid \\DomainName computerName$ \\DomainName computerName$
- sid2name SID [optional server name]
- There used to be a well-known utility called NewSID made by Sysinternals (bought by MS later). This was the main tool back in the age when we used cloning software (such as Ghost) to deploy images. As you can imagine, cloned images have the same SID (for the computer account), which causes problems if clones and the original are put on the same network in the same domain. NewSID would change the clone's SID for you. It is no longer supported and MS retired the tool. Nevertheless, if you can find a copy of the tool, it's still very helpful at times.