
Feb 12, 2006

Mailbox-enabled, mail-enabled account, mail-enabled contact, vs. distribution list

New users to Exchange (or AD) are more often than not confused by the above recipient types. Below is a brief explanation.

- Mailbox-enabled User: a fully functional object in AD/Exchange. Can send/receive email using the local Exchange org, has a SID and access to domain resources, and has a mailbox on a local Exchange server
- Mail-enabled User: has an external email address only, so can send/receive email only externally. Can be seen in the GAL. Has a SID and access to domain resources
- Mail-enabled Contact (or just Contact): same as a Mail-enabled User but lacks a SID, and therefore has no access to domain resources
- DL: a security group or distribution group with an email address. If it's for email purposes only, make it a distribution group.
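To make the distinction concrete, here is an added Python example (not from the post) that classifies a recipient from the AD attributes Exchange actually sets: objectClass, homeMDB (a mailbox on a local store), targetAddress (the external address of a mail-enabled user or contact), objectSid (the SID that grants domain access) and groupType (whose security-enabled bit separates security groups from distribution groups). The sample objects, DNs and SIDs are constructed placeholders.

```python
# Added example: classify an Exchange/AD recipient from its directory attributes.
# Attribute names are standard AD/Exchange attributes; the sample objects are constructed.

SECURITY_ENABLED = 0x80000000  # groupType flag: set for security groups, clear for distribution groups


def classify_recipient(obj):
    """Return the recipient type for an AD object given as an attribute dict."""
    classes = {c.lower() for c in obj.get("objectClass", [])}
    if "group" in classes:
        if not obj.get("mail"):
            return "group (not mail-enabled)"
        # groupType is stored as a signed 32-bit value; mask it before testing the flag
        group_type = int(obj.get("groupType", 0)) & 0xFFFFFFFF
        return "mail-enabled security group" if group_type & SECURITY_ENABLED else "distribution group"
    if "contact" in classes:
        return "mail-enabled contact" if obj.get("targetAddress") else "contact (not mail-enabled)"
    if "user" in classes:
        if obj.get("homeMDB"):
            return "mailbox-enabled user"
        if obj.get("targetAddress"):
            return "mail-enabled user"
        return "user (not mail-enabled)"
    return "unknown"


def capabilities(obj):
    """Summarise what the object can do, in the terms used in the post."""
    return {
        "type": classify_recipient(obj),
        "domain_access": "objectSid" in obj,        # contacts carry no SID
        "local_mailbox": bool(obj.get("homeMDB")),   # only mailbox-enabled users
        "in_gal": bool(obj.get("mail")) and not obj.get("msExchHideFromAddressLists", False),
    }


# Constructed sample objects (DNs and SIDs are placeholders, not real values)
MAILBOX_USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
                "objectSid": "S-1-5-21-placeholder-1105", "mail": "alice@xxx.com",
                "homeMDB": "CN=Mailbox Store (MAIL),CN=placeholder"}
MAIL_USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
             "objectSid": "S-1-5-21-placeholder-1106", "mail": "bob@xxx.com",
             "targetAddress": "SMTP:bob@partner.example"}
CONTACT = {"objectClass": ["top", "person", "organizationalPerson", "contact"],
           "mail": "carol@vendor.example", "targetAddress": "SMTP:carol@vendor.example"}
DIST_LIST = {"objectClass": ["top", "group"], "mail": "sales@xxx.com", "groupType": 8}
SEC_GROUP = {"objectClass": ["top", "group"], "mail": "admins@xxx.com",
             "objectSid": "S-1-5-21-placeholder-1200", "groupType": -2147483646}

if __name__ == "__main__":
    for name, obj in [("MAILBOX_USER", MAILBOX_USER), ("MAIL_USER", MAIL_USER),
                      ("CONTACT", CONTACT), ("DIST_LIST", DIST_LIST), ("SEC_GROUP", SEC_GROUP)]:
        print(name, capabilities(obj))
```

The groupType handling matters in practice: LDAP tools return the value as a negative signed integer for security groups (for example -2147483646 for a global security group), so the flag must be tested after masking to 32 bits.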

This is very basic knowledge for anyone who works on Exchange/AD, but I was amazed by the number of people who didn't know it.

Jan 17, 2006

A time-consuming case with a Kerberos error

Situation:
==========
A domain with two DCs.
The PDC failed due to hard disk corruption and Exchange stopped. After that the customer tried to seize all FSMO roles but failed. (Side note: this was because he didn't have DNS on the BDC.)
He then restored the BDC from a cloned image and changed the time back to the date when the image was made.

The Exchange services still failed to start, so he built a brand new forest + Exchange, and that ran properly.

Goal
====
Now he wanted to get the old mail back.

Troubleshooting
===============
1. Created DNS and verified that all records were registered correctly
2. Exchange services still couldn't start
3. Netdiag reported:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc.xxx.com (192.168.231.104). [SEC_E_WRONG_PRINCIPAL]

4. System Log reported:

Event ID : 4
Raw Event ID : 4
Category : None
Source : Kerberos
Type : Error
Generated : 2005-12-6 0:43:43
Written : 2005-12-6 0:43:43
Machine : MAIL
Message : The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/dc.xxx.com. The target name used was ldap/dc.xxx.com/xxx.com@xxx.com. This indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (xxx.COM), and the client realm.
Please contact your system administrator.

5. Checked AD with an ldifde dump; there was no duplicate machine account, service principal name or anything of the sort.
6. There were no duplicate A records in either the forward lookup zone or the reverse lookup zone
7. All reports on the DC were perfectly OK
8. Resetting the secure channel on the Exchange server was successful, but the problem persisted
9. Found that we could not open ADUC on the Exchange server, nor could we remotely connect to the DC using Event Viewer
10. Captured a network trace; the error was "krb5krb_ap_err_modified", which still pointed to duplicated machine accounts or SPNs. But we did not have any duplicates

*** What else, not correctly reported by any of the above information, could be wrong? ***

11. Disjoined Exchange from the domain (in order to get a fresh computer account in the domain)
12. Got the error "target principal name incorrect" when we re-joined it
13. We took another network trace. In it we found
KERBEROS: Error code (error-code[6]) = Pre-authentication information was invalid
14. We tried everything we could think of, such as stopping antivirus, checking Stored User and Password, etc. No luck.

Resolution:
===========
15. Reset the secure channel for the DC itself. (Oddly enough, the DC didn't report anything wrong even though it had a secure channel issue!)

In a single-DC environment you can reset the DC's machine account password as follows:
nltest /sc_change_pwd:domain
or
netdom resetpwd /server:IPofDC ......(do NOT stop KDC)

Dec 21, 2005

Group Policy Basics

Key Points

1. Group Policy is a mechanism to manage a wide range of settings from a central point
2. You can create multiple group policies, and you can link one group policy at different levels
3. You can link the same group policy to different places, and you can also link multiple policies to one place
4. Group policies linked at different levels have different precedence
5. Group Policy is applied in the order local, site, domain, then OU, meaning the GPO linked to the OU has the highest priority
6. Besides the above precedence, the "No Override" and "Block Policy Inheritance" settings affect how group policy is applied
7. Group policy can be filtered by security group or by WMI filters
8. Under some special circumstances you may want to enable "loopback processing".
9. IMPORTANT: do NOT unlink/remove the "Default Domain Policy" or the "Default Domain Controllers Policy"

Account policy can be set either at domain level (AD environment) or at local level (workgroup). Account policies defined at any other level will not take effect for domain user accounts, but they will take effect for local user accounts on the computers under that OU.
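Points 4 to 7 above describe a precedence algorithm, and it is worth seeing it run. The following added Python example (not from the post, and not Microsoft's implementation) models the resultant set of policy for a user or computer: GPOs are applied in LSDOU order with later ones overwriting earlier ones, "Block Policy Inheritance" drops ordinary GPOs linked above the blocking container, "No Override" (Enforced) GPOs survive the block and are applied last with the highest-level one winning, and security-group filtering decides whether a GPO applies at all. Loopback processing, WMI filters and the domain-only rule for account policies are not modelled, and local policy is assumed never to be blocked. The site, domain and OU names are constructed placeholders.

```python
# Added example: a model of Group Policy precedence (LSDOU, Enforced, Block Inheritance,
# security filtering).  Container and GPO names are constructed.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                       # setting name -> value
    enforced: bool = False               # "No Override" in the post's terminology
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})  # security filtering


@dataclass
class Container:
    name: str
    scope: str                           # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)   # links[0] has link order 1 and is applied last
    block_inheritance: bool = False


def resultant_policy(chain, member_of):
    """chain lists the containers from local policy down to the object's own OU
    (Local, Site, Domain, OU, sub-OU ...).  member_of is the set of groups the
    user or computer belongs to.  Returns {setting: (value, "GPO@container")}."""
    # Block Policy Inheritance at a container drops every non-enforced GPO linked
    # above it in the chain.  Local policy is modelled as never blocked (assumption).
    block_from = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            block_from = index

    normal, enforced = [], []
    for index, container in enumerate(chain):
        for gpo in reversed(container.links):          # link order n..1, so order 1 wins
            if not (gpo.apply_to & member_of):
                continue                               # filtered out by security group
            if gpo.enforced:
                enforced.append((container, gpo))      # never blocked
            elif index >= block_from or container.scope == "local":
                normal.append((container, gpo))

    # Application order: LSDOU for ordinary GPOs (later overwrites earlier), then the
    # enforced GPOs in reverse, so the enforced GPO highest in the hierarchy is applied last.
    result = {}
    for container, gpo in normal + enforced[::-1]:
        for setting, value in gpo.settings.items():
            result[setting] = (value, f"{gpo.name}@{container.name}")
    return result


def sample_chain(block_sales):
    """Constructed forest: one site, one domain and a Sales OU that may block inheritance."""
    return [
        Container("Local", "local", [GPO("LocalPolicy", {"screensaver_timeout": 600})]),
        Container("Site:HQ", "site", [GPO("SiteGPO", {"proxy": "hq-proxy"})]),
        Container("Domain:xxx.com", "domain", [
            GPO("SecurityBaseline", {"proxy": "corp-proxy", "smb_signing": True}, enforced=True),
            GPO("DefaultDomainPolicy", {"wallpaper": "corp.bmp", "screensaver_timeout": 900}),
        ]),
        Container("OU:Sales", "ou", [
            GPO("SalesAdmins", {"screensaver_timeout": 0}, apply_to={"Sales Admins"}),
            GPO("SalesGPO", {"proxy": "sales-proxy", "screensaver_timeout": 300}),
        ], block_inheritance=block_sales),
    ]


if __name__ == "__main__":
    user = {"Authenticated Users", "Domain Users"}
    for blocked in (False, True):
        print("Block inheritance on OU:Sales =", blocked)
        for setting, (value, origin) in sorted(resultant_policy(sample_chain(blocked), user).items()):
            print(f"  {setting:20} = {value!r:14} from {origin}")
```

Two things the run makes visible: the enforced SecurityBaseline keeps its proxy setting even though the Sales OU both blocks inheritance and sets its own proxy, and the block silently removes the Default Domain Policy's settings from everything under that OU, which is one reason point 9 above warns against touching the default policies.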
