Awinish's Technical Blog

Let's continue the journey of learning & sharing!

Archive for December 24th, 2010

Kerberos explained in detail

Posted by Awinish on December 24, 2010

I found the article below on the TechNet Blogs, which explains the Kerberos protocol in depth.




Changes Invoked by A USN Rollback On DC That Should NOT Be Undone

Posted by Awinish on December 24, 2010

If you encounter the “Netlogon Paused” or “Rebuilding Indices” error, the recommended approach is to demote and re-promote the DC. The workaround described below should only be used on the single DC of a single-DC forest, and never as a regular practice.

The explanation below [in italics] was provided by Arren Conner [MS].

[ The disabling of inbound & outbound replication, the pausing of the NETLOGON service plus the rejection of writes to NTDS.DIT are the configuration changes that the OS makes in response to a USN rollback. Undoing these protections is an example of exactly what an administrator should NOT do in response to a USN rollback except in a very specific scenario – the recovery of a single DC in a single DC forest.

The point of pausing NETLOGON is to prevent DSGETDC calls from discovering DCs in USN Rollbacks. The point of setting the “DS not writable” registry key is to avoid data loss by writing object creates, modifies and deletes to a compromised DC. The point of disabling replication is to prevent inconsistencies in object and attribute values in the local copies of Active Directory on replica DCs. Undoing these protections is an example of exactly what NOT to do in the event of a USN rollback.

The logging of the NTDS General event 2103 means that an AD Database was rolled back in time using an unsupported method. Known triggers for this error include:

- P2V conversions of live DCs in a multi-DC forest
- Booting virtualized DCs from a snapshot restore
- Booting previous images of a DC made from an imaging program like Ghost
- Booting from the older of the two images of a DC installed on a mirrored drive

Operations that are tolerated on member computers (but perhaps with smaller side effects, like restoring a member computer to a version that predates the current password change) become unsupported by applications like Active Directory that rely on USN version #s. ]

In order to avoid complete infrastructure failure, it is always better to run at least two domain controllers per domain followed by regular system state backup of the DC.

You might have seen the error below occasionally while working on AD. The “Netlogon Paused” error occurs when the AD database is restored from a snapshot, or when an abnormal restart of the DC corrupts the AD database, NTDS.DIT. The related “Rebuilding Indices” message appears when a domain controller is restored from a snapshot or rebooted abnormally. While the Netlogon service is paused, no user can authenticate through that DC.

Event Type:      Error
Event Source:      NTDS General
Event Category:      Service Control
Event ID:      2103
Date:            11/29/2009
Time:            12:16:22 AM
Computer:      Server
The Active Directory database has been restored using an unsupported restoration procedure.
Active Directory will be unable to log on users while this condition persists.

The below is not the best way to get rid of the Netlogon pause, but this trick surely worked for me a lot of times, saving me the time of demoting & promoting the DC.

To resolve the Netlogon pause issue, do the following:

-To get a single domain controller out of USN Rollback:
-Open Regedit
-Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
-Locate the key Dsa Not Writable=dword:00000004
-Delete the entire key
-Enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL
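Before undoing any of these protections (and again after a demote/promote), it helps to see all four of them at once instead of guessing from a single symptom. The following PowerShell script is an added example, not part of the original post or of Arren Conner's explanation: it reads the Dsa Not Writable value, counts event 2103 in the Directory Service log, checks the Netlogon service state and parses the DSA options printed by repadmin /options. It changes nothing. It assumes it runs elevated on the DC itself with Windows PowerShell 3.0 or later and repadmin.exe on the path; the 30-day lookback window and the property names are my choices.

```powershell
# Added example, not from the original post. Read-only triage of the USN
# rollback protections on the local DC. Assumes: runs elevated on the DC,
# Windows PowerShell 3.0+, repadmin.exe available (ships with the AD DS role).

function Get-UsnRollbackState {
    param([int]$LookbackDays = 30)   # window for event 2103; an assumed default

    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # 1. "Dsa Not Writable" is written by the OS when it detects a rollback
    #    (the post shows it as dword:00000004).
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    $dsaNotWritable = $props.'Dsa Not Writable'

    # 2. NTDS General event 2103 in the Directory Service log (newest first).
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2103
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -MaxEvents 5 -ErrorAction SilentlyContinue)

    # 3. Netlogon is paused while the DC is in rollback, so DSGETDC skips it.
    $netlogon = (Get-Service -Name Netlogon).Status

    # 4. repadmin /options prints a line such as
    #    "Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL"
    $options = (& repadmin.exe /options $env:COMPUTERNAME 2>&1) -join "`n"
    $inboundDisabled  = [bool]($options -match 'DISABLE_INBOUND_REPL')
    $outboundDisabled = [bool]($options -match 'DISABLE_OUTBOUND_REPL')

    # Any single indicator is reason to stop and investigate, not to "fix" it.
    $inRollback = ($null -ne $dsaNotWritable) -or ($events.Count -gt 0) -or
                  ($netlogon -eq 'Paused') -or $inboundDisabled -or $outboundDisabled

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        DsaNotWritable       = if ($null -eq $dsaNotWritable) { 'absent' } else { $dsaNotWritable }
        Event2103Count       = $events.Count
        LatestEvent2103      = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        NetlogonStatus       = $netlogon
        InboundReplDisabled  = $inboundDisabled
        OutboundReplDisabled = $outboundDisabled
        InUsnRollback        = $inRollback
    }
}

Get-UsnRollbackState | Format-List
```

A healthy DC reports DsaNotWritable as absent, zero events, Netlogon Running and both replication flags false. If InUsnRollback is true on a DC that has replication partners, the output is your evidence for the demote/promote the post recommends; the registry and repadmin steps above are only for the single-DC-forest case.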

Again, the better way to handle this kind of issue is to demote and promote the DC.

Thanks to Arren Conner for suggesting appropriate title for this article and his explanation.



Mystery Over Broken Secure Channel

Posted by Awinish on December 24, 2010

The secure channel is used for secure communication between domain members (clients or servers) and domain controllers, and a lot of issues are encountered when it is broken. If the secure channel of a domain controller is broken, it can be reset using the netdom utility, but if the secure channel is broken for a domain member client/server, the only way to reset it is to disjoin the client/server from the domain and rejoin it.

The question is why the secure channel breaks, and there can be various reasons: connectivity issues, or a machine prepared from an image/clone on which the NewSID/Sysprep tool was not executed to assign a new SID to the system. Every domain system maintains a unique SID, and a duplicated or conflicting SID leads to a broken secure channel. The secure channel can also break if domain systems are unable to refresh their password because of a duplicate SPN or host name.

What’s a Secure Channel

Like domain users, each domain machine account maintains its own password and authenticates to AD the same way users in the domain do. The machine password refresh is initiated by the machine, not by AD, and there is no password expiry date for domain machine accounts as there is for AD users. A machine can be disconnected from the domain for a long time, because when it is connected back to the domain it refreshes its password. The issue arises when the machine contacting a DC to refresh its password finds that there is already a system running in the domain with the same host name or SID: the password refresh does not happen, and the conflict leaves the secure channel broken.
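As an added example (not part of the original post), the following PowerShell script checks the pieces described above on a domain member: whether the secure channel to a DC currently works, when the machine account password was last set in AD, and the two Netlogon parameters that govern the member-initiated refresh. It assumes it runs elevated on a domain-joined member with Windows PowerShell 3.0 or later and a reachable DC; the "stale" threshold of twice the maximum age is my own heuristic, not something the post states.

```powershell
# Added example, not from the original post. Read-only check of the local
# member's secure channel and machine-account password age.
# Assumes: elevated, domain-joined member, Windows PowerShell 3.0+, DC reachable.

function Get-SecureChannelHealth {
    $netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $netlogonParams -ErrorAction SilentlyContinue

    # The member, not AD, decides when to roll its password (MaximumPasswordAge,
    # default 30 days). DisablePasswordChange=1 stops it from ever doing so.
    $maxAgeDays     = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }
    $changeDisabled = [bool]$params.DisablePasswordChange

    # Test-ComputerSecureChannel performs a real Netlogon call to a DC: $true/$false.
    $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # pwdLastSet of this computer object, read from AD via ADSI (no RSAT needed).
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $entry = $searcher.FindOne()
    $pwdLastSet = $null
    if ($entry -and $entry.Properties['pwdlastset'].Count -gt 0) {
        $pwdLastSet = [DateTime]::FromFileTime([long]$entry.Properties['pwdlastset'][0])
    }
    $ageDays = if ($pwdLastSet) { [int]((Get-Date) - $pwdLastSet).TotalDays } else { $null }

    # A clone that never got a fresh identity, or a member resumed from an old
    # snapshot, typically shows a stale password together with a failing channel.
    $likelyStale = ($null -ne $ageDays) -and ($ageDays -gt (2 * $maxAgeDays))

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        SecureChannelOk        = [bool]$channelOk
        PasswordLastSet        = $pwdLastSet
        PasswordAgeDays        = $ageDays
        MaximumPasswordAgeDays = $maxAgeDays
        PasswordChangeDisabled = $changeDisabled
        LikelyStale            = $likelyStale
    }
}

Get-SecureChannelHealth | Format-List
```

A member whose SecureChannelOk is false but whose PasswordLastSet is recent usually points at a duplicate name or SID conflict rather than a simple password drift. On Windows 7 / Server 2008 R2 and later, Test-ComputerSecureChannel -Repair -Credential (Get-Credential) can reset the member's machine account password in place; when that fails, the disjoin/rejoin the post describes is the fallback.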

How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller (article is applicable from 2000 to 2008 R2)

Machine Account Password Process

Password Age for Machine Accounts do not expire

Windows machine account passwords and VM snapshots

Typical Symptoms when secure channel is broken

Impact of Cloning and Virtualization on Active Directory Domain Services by Dean Wells (AD expert, an ex-MVP, now an MS employee)



Inter/Intra Forest Migration Using ADMT Tool

Posted by Awinish on December 24, 2010

ADMT version, OS required by the ADMT tool, source domain, target/destination domain, and system OS support:

ADMT 3.0
OS required by ADMT tool: Windows Server 2003
Source domain: no functional level requirement; DCs: Windows NT, Windows 2000 Server, Windows Server 2003
Target/destination domain: minimum functional level Windows 2000 Native
System OS support: Windows NT, Windows 2000 Professional, Windows XP, Windows 2000 Server, Windows Server 2003

ADMT 3.1
OS required by ADMT tool: Windows Server 2008
Source domain: no functional level requirement; DCs: Windows 2000 Server, Windows Server 2003, Windows Server 2008 (* does not support the migration of domain objects from Windows NT 4)
Target/destination domain: minimum functional level Windows 2000 Native (* known issues may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 DCs, KB 976659; * you cannot uninstall ADMT 3.1 after you perform an in-place upgrade to Windows Server 2008 R2, KB 974625)
System OS support: Windows 2000 Professional, Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, Windows Server 2008

ADMT 3.2
OS required by ADMT tool: Windows Server 2008 R2
Source domain: minimum functional level Windows Server 2003; DCs: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
Target/destination domain: minimum functional level Windows Server 2003
System OS support: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

The above table has been taken from Ana Paula M Franco's blog; since it was in Portuguese, I converted it into English so that others can understand it.

Download the ADMT 3.2 guide from the links below.

Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers

ADMT 3.2: Common Installation Issues

Checklist: Performing an Intraforest Migration

Checklist: Performing an Interforest Migration

Establishing Migration Accounts for Your Migration

Best Practices for Active Directory Migration

How to install ADMT 3.2 on Windows 2008 R2 SP1 Domain Controller

Migrating All User Accounts

Migrated Users Get Prompted To Change Password at First Logon Even After Migrating Their Password with the PES

Migrate Workstations and Member Servers

Enabling Migration of Passwords

Migrating Vista and Windows 7 profiles with ADMT 3.2

Managing Users, Groups, and User Profiles

Translating Security in Add Mode

Troubleshooting KBs

Troubleshooting Password Migration Issues

Troubleshooting Computer Migration Issues

ADMT, RODC’s, and Error 800704f1

