Awinish's Technical Blog

Let's continue the journey of learning and sharing!

Archive for December 24th, 2010

Kerberos explained in detail

Posted by Awinish on December 24, 2010


I found the articles below on the TechNet blogs; they explain the Kerberos protocol in depth.

http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

http://blogs.technet.com/b/tkarch/archive/2007/03/19/kerberos-demystified.aspx

http://technet.microsoft.com/en-us/library/bb742431.aspx


Changes Invoked by A USN Rollback On DC That Should NOT Be Undone

Posted by Awinish on December 24, 2010


If you encounter the "Netlogon Paused" or "Rebuilding Indices" error, the recommended approach is to demote and re-promote the DC. The workaround below should only be used in a forest that has a SINGLE DC, and never as routine practice.

The explanation below (in brackets) was provided by Arren Conner [MS].

[The disabling of inbound and outbound replication, the pausing of the NETLOGON service, plus the rejection of writes to NTDS.DIT are the configuration changes that the OS makes in response to a USN rollback. Undoing these protections is an example of exactly what an administrator should NOT do in response to a USN rollback, except in a very specific scenario: the recovery of a single DC in a single-DC forest.

The point of pausing NETLOGON is to prevent DSGETDC calls from discovering DCs in USN rollback. The point of setting the "DS not writable" registry key is to avoid data loss by writing object creates, modifies and deletes to a compromised DC. The point of disabling replication is to prevent inconsistencies in object and attribute values in the local copies of Active Directory on replica DCs. Undoing these protections is an example of exactly what NOT to do in the event of a USN rollback.

The logging of the NTDS General event 2103 means that an AD database was rolled back in time using an unsupported method. Known triggers for this error include:

· P2V conversions of live DCs in a multi-DC forest

· Booting virtualized DCs from a snapshot restore

· Booting previous images of a DC made with an imaging program like Ghost

· Booting from the older of the two images of a DC installed on a mirrored drive

Operations that are tolerated on member computers (but perhaps with smaller side effects, like restoring a member computer to a version that predates the current password change) become unsupported by applications like Active Directory that rely on USN version numbers.]

To avoid a complete infrastructure failure, always run at least two domain controllers per domain and take regular system state backups of each DC.

You may occasionally see the error below while working with AD. "Netlogon Paused" occurs when the AD database (NTDS.DIT) is restored from a snapshot, or when an abnormal restart of the DC corrupts it. The related "Rebuilding Indices" message is logged when a domain controller is restored from a snapshot or rebooted abnormally. While the Netlogon service is paused, no user can authenticate through that DC.

Event Type:      Error
Event Source:      NTDS General
Event Category:      Service Control
Event ID:      2103
Date:            11/29/2009
Time:            12:16:22 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      Server
Description:
The Active Directory database has been restored using an unsupported restoration procedure.
Active Directory will be unable to log on users while this condition persists.

The method below is not the best way to get rid of a Netlogon pause, but this trick has worked for me many times and saved me the time of demoting and re-promoting the DC.

To clear the Netlogon pause on a single domain controller that is in USN rollback:

- Open Regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
- Locate the value "Dsa Not Writable" (REG_DWORD, data 0x00000004).
- Delete that value.
- Re-enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL (the leading "-" clears the option; "+" would set it).
- Reboot.

Again, the better way to handle this kind of issue is to demote and re-promote the DC.
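The script below is an added example, not code from the original post or from Microsoft. It reports the four protections Arren Conner lists (event 2103, the "Dsa Not Writable" value, the two replication flags, and the paused Netlogon service), counts the DCs in the forest over plain LDAP so the single-DC condition is actually checked rather than assumed, and only with the assumed opt-in switch -ClearProtections, and only when that count is exactly one, performs the same steps as the procedure above. Run it in an elevated PowerShell on the affected DC (Windows Server 2008 R2 or later).

```powershell
# Added example (not from the original post or Microsoft): report USN-rollback
# protections and, in a single-DC forest only, undo them as the post's steps do.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [switch]$ClearProtections   # assumption: opt-in switch; without it the script only reports
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dc = $env:COMPUTERNAME

# 1. Event 2103 in the Directory Service log is the logged signature of an unsupported restore.
$rollbackEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103 } `
                              -MaxEvents 1 -ErrorAction SilentlyContinue

# 2. "Dsa Not Writable" = 4 is the registry value that makes NTDS.DIT reject writes.
$dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                                    -ErrorAction SilentlyContinue).'Dsa Not Writable'

# 3. Replication is switched off through DSA options; repadmin lists the flags that are set.
$options     = (repadmin /options $dc 2>&1) -join "`n"
$inboundOff  = $options -match 'DISABLE_INBOUND_REPL'
$outboundOff = $options -match 'DISABLE_OUTBOUND_REPL'

# 4. Netlogon is paused so that DsGetDcName callers stop locating this DC.
$netlogon = Get-Service -Name Netlogon

# 5. Count NTDS Settings objects (one per DC, every domain in the forest) in the
#    configuration partition over LDAP to the local DC. This works while Netlogon
#    is paused, and it is the condition the workaround depends on.
$rootDse  = [ADSI]"LDAP://$dc/RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
                [ADSI]"LDAP://$dc/CN=Sites,$configNc", '(objectClass=nTDSDSA)')
$searcher.PageSize = 1000
$dcCount = $searcher.FindAll().Count

"Event 2103 seen       : $([bool]$rollbackEvent)$(if ($rollbackEvent) { ' at ' + $rollbackEvent.TimeCreated })"
"Dsa Not Writable      : $dsaNotWritable"
"Inbound repl disabled : $inboundOff"
"Outbound repl disabled: $outboundOff"
"Netlogon status       : $($netlogon.Status)"
"DCs in forest         : $dcCount"

if (-not $ClearProtections) { return }

if ($dcCount -ne 1) {
    Write-Error "Forest has $dcCount DCs. Demote and re-promote this DC instead of clearing the protections."
    return
}

if ($PSCmdlet.ShouldProcess($dc, 'Remove USN rollback protections (single-DC forest only)')) {
    if ($null -ne $dsaNotWritable) {
        Remove-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable'
    }
    # The leading "-" clears the option; "+" would set it.
    repadmin /options $dc -DISABLE_INBOUND_REPL
    repadmin /options $dc -DISABLE_OUTBOUND_REPL
    Write-Warning 'Protections cleared. Reboot the DC now to complete the recovery.'
}
```

Run it once without parameters to see the state of each protection; run it again with -ClearProtections (it prompts, because ConfirmImpact is High) only after the DC count line reads 1. Any other count is the multi-DC case, where the only supported recovery is demotion and re-promotion.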

Thanks to Arren Conner for suggesting appropriate title for this article and his explanation.


Mystery Over Broken Secure Channel

Posted by Awinish on December 24, 2010


The secure channel is the authenticated connection a domain member (workstation, member server or domain controller) keeps with a domain controller for pass-through authentication and other Netlogon traffic, and when it is broken a lot of issues follow. If the secure channel of a domain controller is broken, it can be reset with the netdom utility. For a domain member client or server, the fallback is to disjoin the machine from the domain and rejoin it, although the machine account password can usually be reset in place first (netdom resetpwd, nltest /sc_reset, or Test-ComputerSecureChannel -Repair on Windows 7 / Server 2008 R2 and later).

Why does the secure channel break? There are several causes: connectivity problems, or a machine prepared from an image or clone of a domain-joined system without running Sysprep (or the old NewSID tool), so that it carries the original's identity. Every domain member needs its own computer account, and two machines fighting over the same host name or account will break each other's secure channel. The channel can also break when a domain member is unable to refresh its machine account password because of a duplicate SPN or host name.

What’s a Secure Channel

http://www.windowsitpro.com/article/domains2/what-s-a-secure-channel

Like domain users, each domain machine account has its own password and authenticates to AD the same way domain users do. The machine password refresh is initiated by the machine, not by AD (every 30 days by default), and unlike user accounts there is no password expiry date for machine accounts. A machine can be disconnected from the domain for a long time, because when it reconnects it simply refreshes its password. The problem arises when a machine contacting a DC to refresh its password finds that another system with the same host name or computer account is already active in the domain: the password refresh fails and the conflict breaks the secure channel.
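The script below is an added example, not code from the original post or from Microsoft. It ties together the two points made above: it reads the member's own password-change settings from the Netlogon parameters (the member, not AD, decides when to change), queries the channel with nltest and Test-ComputerSecureChannel, optionally compares that with AD's view of the computer account (pwdLastSet moves forward when a clone resets the shared account), and, with the assumed opt-in switch -Repair, resets the machine account password in place instead of disjoining and rejoining. The -Credential parameter is also an assumption: any domain account allowed to reset this computer account. Run it in an elevated PowerShell on the member; Test-ComputerSecureChannel refuses to run on a domain controller, where netdom resetpwd is the tool, as the post says.

```powershell
# Added example (not from the original post or Microsoft): diagnose and repair a
# domain member's secure channel in place.
param(
    [switch]$Repair,   # assumption: opt-in; without it the script only diagnoses
    [System.Management.Automation.PSCredential]$Credential   # assumption: account allowed to reset this computer account
)

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = $env:USERDOMAIN

# The member, not AD, decides when to change its password. Defaults: every 30 days,
# changes enabled. AD never expires the account, so a machine that was offline for
# months simply changes its password the next time it reaches a DC.
$p = Get-ItemProperty -Path $netlogonParams
$maxAge   = if ($p.PSObject.Properties['MaximumPasswordAge'])   { $p.MaximumPasswordAge } else { 30 }
$disabled = if ($p.PSObject.Properties['DisablePasswordChange']) { [bool]$p.DisablePasswordChange } else { $false }
"Machine password change interval: $maxAge days (changes disabled: $disabled)"

# Which DC the channel currently points at, and whether it is usable.
# A healthy channel prints "STATUS = 0 0x0 NERR_Success".
nltest /sc_query:$domain

# PowerShell's own check; $true when the channel is good. -Verbose names the DC tested.
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $ok"

if ($Credential) {
    # AD's view of the account. If a clone of this machine (no Sysprep) changed the
    # shared account's password, pwdLastSet has moved forward while this machine still
    # holds the old password, and the two hosts keep breaking each other's channel.
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties pwdLastSet, dNSHostName -Credential $Credential
        "AD account $($acct.Name): pwdLastSet = $([DateTime]::FromFileTime($acct.pwdLastSet)), dNSHostName = $($acct.dNSHostName)"
    } catch {
        Write-Warning "Could not query the computer account in AD: $_"
    }
}

if ($Repair -and -not $ok) {
    # Resets the machine account password on the member and in AD and re-establishes
    # the channel; no reboot and no rejoin. Same effect as netdom resetpwd / nltest /sc_reset.
    $fixed = if ($Credential) { Test-ComputerSecureChannel -Repair -Credential $Credential }
             else             { Test-ComputerSecureChannel -Repair }
    "Repair succeeded: $fixed"
    nltest /sc_verify:$domain
}
```

Typical use is .\Check-SecureChannel.ps1 first, then .\Check-SecureChannel.ps1 -Repair -Credential (Get-Credential CONTOSO\admin) once the diagnosis shows the channel is broken (CONTOSO is a placeholder domain). If the repair keeps failing, look for a second machine using the same host name or computer account before falling back to a disjoin and rejoin.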

How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller(Article is Applicable from 2000-2008 R2)

http://support.microsoft.com/kb/260575

Machine Account Password Process

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Password Age for Machine Accounts do not expire

http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx

Windows machine account passwords and VM snapshots

http://blogs.msdn.com/b/sudhakan/archive/2010/01/07/experimenting-with-windows-machine-account-passwords-and-vm-snapshots.aspx

Typical Symptoms when secure channel is broken

http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

Impact of Cloning and Virtualization on Active Directory Domain Services, by Dean Wells (AD expert, former MVP, now a Microsoft employee)

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM406


Inter/Intra Forest Migration Using ADMT Tool

Posted by Awinish on December 24, 2010


ADMT 3.0
  OS required by the ADMT tool: Windows Server 2003
  Source domain: no functional-level requirement; DCs: Windows NT, Windows 2000 Server, Windows Server 2003
  Target/destination domain: minimum functional level Windows 2000 Native
  System OS support: Windows NT, Windows 2000 Professional, Windows XP (workstations); Windows 2000 Server, Windows Server 2003 (servers)

ADMT 3.1
  OS required by the ADMT tool: Windows Server 2008
  Source domain: no functional-level requirement; DCs: Windows 2000 Server, Windows Server 2003, Windows Server 2008 (* does not support the migration of domain objects from Windows NT 4.0)
  Target/destination domain: minimum functional level Windows 2000 Native (* known issues may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 DCs, KB 976659; * you cannot uninstall ADMT 3.1 after an in-place upgrade to Windows Server 2008 R2, KB 974625)
  System OS support: Windows 2000 Professional, Windows XP, Windows Vista (workstations); Windows 2000 Server, Windows Server 2003, Windows Server 2008 (servers)

ADMT 3.2
  OS required by the ADMT tool: Windows Server 2008 R2
  Source domain: minimum functional level Windows Server 2003; DCs: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
  Target/destination domain: minimum functional level Windows Server 2003
  System OS support: Windows XP, Windows Vista, Windows 7 (workstations); Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 (servers)

The table above is taken from Ana Paula M. Franco's blog; since it was in Portuguese, I translated it into English so that others can use it.

Download ADMT 3.2 guide from below.

http://www.microsoft.com/downloads/en/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

http://technet.microsoft.com/en-us/library/cc974332%28WS.10%29.aspx

http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers

http://support.microsoft.com/kb/976659

ADMT 3.2: Common Installation Issues

http://blogs.technet.com/b/askds/archive/2010/07/09/admt-3-2-common-installation-issues.aspx

Checklist: Performing an Intraforest Migration

http://technet.microsoft.com/en-us/library/cc974337%28WS.10%29.aspx

Checklist: Performing an Interforest Migration

http://technet.microsoft.com/pt-pt/library/cc974327%28WS.10%29.aspx

Establishing Migration Accounts for Your Migration

http://technet.microsoft.com/en-us/library/cc776438%28WS.10%29.aspx

Best Practices for Active Directory Migration

http://technet.microsoft.com/pt-pt/library/cc974412%28WS.10%29.aspx

How to install ADMT 3.2 on Windows 2008 R2 SP1 Domain Controller

http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/26/how-to-install-admt-3-2-on-windows-2008-r2-sp1-domain-controller.aspx

Migrating All User Accounts

http://technet.microsoft.com/en-us/library/cc974368%28WS.10%29.aspx
http://remoteitservices.com/content/migrating-users-windows-2003-windows-2008-using-admt-31-0

Migrated Users Get Prompted To Change Password at First Logon Even After Migrating Their Password with the PES

http://blogs.technet.com/b/askds/archive/2010/05/12/migrated-users-get-prompted-to-change-password-at-first-logon-even-after-migrating-their-password-with-the-pes.aspx

Migrate Workstations and Member Servers

http://technet.microsoft.com/en-us/library/cc974402%28WS.10%29.aspx


Enabling Migration of Passwords

http://technet.microsoft.com/en-us/library/cc974435%28WS.10%29.aspx

Migrating Vista and Windows 7 profiles with ADMT 3.2

http://blogs.technet.com/b/askds/archive/2010/07/10/migrating-vista-and-windows-7-profiles-with-admt-3-2.aspx

Managing Users, Groups, and User Profiles

http://technet.microsoft.com/en-us/library/cc974331%28WS.10%29.aspx

Translating Security in Add Mode

http://technet.microsoft.com/en-us/library/cc974439%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc782157%28WS.10%29.aspx

http://technet.microsoft.com/es-es/library/cc780450%28WS.10%29.aspx

Troubleshooting KBs

http://support.microsoft.com/kb/841820

Troubleshooting Password Migration Issues

http://technet.microsoft.com/en-us/library/cc974377%28WS.10%29.aspx

Troubleshooting Computer Migration Issues

http://technet.microsoft.com/en-us/library/cc974341%28WS.10%29.aspx

ADMT, RODC’s, and Error 800704f1

http://blogs.technet.com/b/askds/archive/2009/10/19/admt-rodc-s-and-error-800704f1.aspx
