
NIC2012

1 comment January 16th, 2012

This weekend I attended the NIC2012 conference in Oslo.

Many interesting sessions were on the schedule, like DS MVP Brian Desmond’s “What’s new in Windows Server 8 Active Directory” and “Kerberos uncovered”.

Key notes from the WinServer 8 AD session:

  • USN rollback prevention when restoring a snapshot (the PDCe needs to be on a Win Server 8 DC)
  • Support for cloning DCs (handy when you have to deploy dozens of them)
  • GUI for the AD Recycle Bin and Fine-Grained Password Policy
  • Dcpromo.exe is gone (you promote a DC from Server Manager)
  • AD delivers the mechanism for file server access with Claims-Based Authentication
  • A huge amount of new PowerShell cmdlets

Unfortunately it looks like the video for this session is missing, though I’d recommend having a look at some other sessions like:

“Kerberos uncovered” by Brian Desmond:
http://vimeo.com/nicconf/review/35059113/4695c41e86

“How to Not Screw Up Your PKI Environment” by Brian Komar:
http://vimeo.com/nicconf/review/35053082/aaff51b192

“What’s new in Windows 8 Hyper-V” by Ronald Beeklaar:
http://vimeo.com/nicconf/review/35059126/939388d621


All sessions: http://www.nic2012.com/nic2012_agenda



Reset the Secure Channel

No comments October 25th, 2011

When a computer joins a domain, a computer account is created in AD. The computer account gets its own password, which expires after 30 days (default). When the password expires, the computer itself initiates a password change with a DC in its domain.

When the computer starts up, it uses this password to set up a secure channel (SC) with a DC. The computer requests that all traffic passing the SC be signed. If the DC says “go ahead”, all signed traffic passes through this channel.

Traffic like NTLM pass-through authentication is typically signed traffic.

So what happens if the computer account password on the computer and the one in AD no longer match? The computer tries to authenticate, but the DC says this is not the correct password.

The SC is down.

Tools like “netdom” could be used to reset the password, but this only worked for resetting the SC between two DCs. It was not possible to reset the SC on a domain member; the computer had to rejoin the domain.

Syntax:

netdom resetpwd /server:<Name of a DC> /userd:domain\administrator /passwordd:admin_password

Netdom was written back in the NT4 days, and a new tool has taken over, not just from Netdom but also from tools like Nltest: Windows PowerShell.

To reset the SC between a computer and a DC:

Open PowerShell on the computer and run the *cmdlet:

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.
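The check-then-repair sequence above as an added example (not code from the original post): it only runs the repair when the read-only test fails, and verifies afterwards. $DcName is an assumed placeholder for a DC in the computer's domain; run it elevated on the member computer.

```powershell
# Added example, not from the original post: test the secure channel first and
# only run the repair when it is actually broken. $DcName is an assumed
# placeholder; replace it with a DC in the computer's domain.
$DcName = 'DC01.example.local'
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# Read-only check: $true when the local computer account password still
# matches the one stored in AD, so the SC can be established.
if (Test-ComputerSecureChannel -Server $DcName) {
    Write-Host "Secure channel to $DcName is healthy; nothing to do."
}
else {
    # The repair resets the computer account password both locally and in AD,
    # so it needs an account allowed to reset computer accounts. Get-Credential
    # prompts for it; nothing is hard-coded here.
    $cred = Get-Credential
    $repaired = Test-ComputerSecureChannel -Repair -Server $DcName -Credential $cred -Verbose

    # Verify with a second read-only test and with nltest, which queries the
    # same Netlogon secure channel from outside PowerShell.
    if ($repaired -and (Test-ComputerSecureChannel -Server $DcName)) {
        Write-Host "Secure channel repaired against $DcName."
        nltest /sc_query:$domain
    }
    else {
        Write-Warning 'Repair failed; check that the computer account exists and is enabled in AD.'
    }
}
```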

In Win8 there are thousands of new cmdlets, so if you have not begun to look at PowerShell yet, now is a good time.


References:

PowerShell 2.0 for XP, 2003, Vista, 2008: http://support.microsoft.com/kb/968929

Symptoms of a broken SC: http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

Test-ComputerSecureChannel cmdlet: http://technet.microsoft.com/en-us/library/dd367893.aspx


Accessing Dynamics CRM 2011 from the Internet

2 comments October 19th, 2011

To access Dynamics CRM 4 (on premise) from the Internet, you had to configure IFD, and you could use e.g. ISA in a DMZ if you didn’t want the CRM server to face the Internet directly.

If you decided to use ISA, you couldn’t use the built-in security provided by ISA/UAG; you had to just tunnel all traffic through and let the CRM server authenticate the user. This was not so cool, but it was fairly easy to set up and configure.

With the release of Dynamics CRM 2011 things got a little more complicated. If you wanted to access CRM from the Internet, you had to configure claims-based authentication, ADFS 2.0 and IFD. UAG was not supported.

I was taken by surprise when I read about this, since Microsoft uses UAG to make e.g. Exchange and SharePoint more secure. Did they forget about CRM?

Products like Citrix Access Gateway began to take the lead.

Things changed with the release of UAG Service Pack 1. Publishing CRM via UAG is now supported. You don’t need to set up ADFS and claims; let UAG do the job of securing and authenticating the users, with or without two-factor authentication like RSA.

Easy to configure, easy to understand 🙂



Reference:

Publishing: http://technet.microsoft.com/en-us/library/hh490315.aspx
UAG: http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx


Gadgets…

No comments October 8th, 2011

We recently had a two-day visit by some folks from Microsoft Norway. Good food and drinking, driving ATVs, and talking. We talked a lot about how MS sees the future and things like Lync, Intune, Hyper-V, Windows Mobile, Win 8 and Win Server 8.

We are in the middle of an Oracle consolidation, so what is better than giving us some really cool t-shirts and saying good luck?

DFSR migration

No comments August 29th, 2011

If you only have 2008 DCs and you are still replicating SYSVOL with FRS, you could/would/should migrate to DFS Replication.

Like with any major changes you do to your domain, you should run a dcdiag before you do anything.

I just saw a case where an old reference was still alive and stalled the migration. The DC (SYSVOL member) was cleaned out long ago, but it looked like it had failed to remove all traces. The solution was to delete the reference manually with adsiedit.


dcdiag:

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references.  Note, that  these problems can be reported because of
latency in replication.  So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if  the problem persists after replication has had
reasonable time to replicate changes.
 
[1] Problem: Missing Expected Value
 
Base Object: CN=Win2008-DC01,OU=Domain Controllers,DC=spurs,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
 
[2] Problem: Missing Expected Value
 
Base Object: CN=Win2000-DC1, OU=Domain Controllers,DC=spurs,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs Account Object.
 

Beware that “VerifyEnterpriseReferences” run from a Win2008 DC will report back a “Missing Expected Value” for msDFSR-ComputerReferenceBL. This is expected, since the 2008 version of dcdiag doesn’t know that SYSVOL is still replicated with FRS.

So, don’t touch the DFSR references.

Migrating step-by-step:

http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx



Folder Redirection + Microsoft Dynamics CRM 2011 = false

8 comments June 22nd, 2011

Consider the following environment:

3 x Win2008R2 SP1 RDS (terminal servers with load balancing)
1 x Win2008R2 SP1 Microsoft Dynamics CRM 2011 (Rollup pack 2 at the moment)
CRM for Outlook installed on the RDS servers.

Since you don’t want users to save documents, pictures, etc. on the RDS servers, and you want the users’ environment to be the same no matter which RDS server they happen to be routed to, you configure Folder Redirection and Roaming Profiles.

Doing this will leave your MS CRM installation in an unsupported state, as MS CRM 4 and CRM 2011 don’t support Folder Redirection.

Problems I experienced:

If you open up a window from CRM and then close it, you’ll get: “An error occurred. Send Report to Microsoft?”

If you open CRM for Outlook as a normal user and try to track an email, you’ll get an error stating that it didn’t work. If you look in the Event log on the RDS server you’ll see:

EventID 5972 Source MSCRMAddin

I opened a support case with Microsoft and got in contact with the MS CRM team. They told me that Folder Redirection (FR) is unsupported in MS CRM, so I had to remove FR if they were to investigate any further.

That would be a huge drawback, since we use load balancing between the RDS servers, and the users would be saving documents directly on the RDS servers. Ouch!


Solution (supported): Remove Folder Redirection completely

Solution (unsupported):

There are two files (caches) that have to be local on the RDS server for CRM to work: “EmailCache.sdf” and “OutlookSyncCache.sdf”.

They are located in the “%userprofile%\AppData\Roaming\Microsoft\MSCRM” folder. If you redirect “AppData(Roaming)”, those two files will end up on a file share. That will cause problems for the CRM client and present you with some weird errors.

So if you have to use FR, you can’t redirect “AppData”; that folder has to be local. The rest of the folders didn’t seem to cause any problems when redirected.

There are no official KBs stating that Folder Redirection is unsupported in CRM 4 and CRM 2011, but it is. The CRM support team told me the product team was working on it, and there might be a resolution in upcoming versions / rollups.
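A quick check for the condition described above, as an added example that is not part of the original post: it resolves where AppData(Roaming) really points for the logged-on user and reports the two CRM cache files. The file names come from the post; the "local disk" test (anything on a UNC path or a non-fixed drive counts as redirected) is our own.

```powershell
# Added example, not from the original post: checks whether the two CRM client
# caches live on a local disk, which is what CRM for Outlook needs. Run it in
# the user's session on the RDS server.
$cacheDir   = Join-Path $env:APPDATA 'Microsoft\MSCRM'
$cacheFiles = 'EmailCache.sdf', 'OutlookSyncCache.sdf'

# Where does the AppData(Roaming) shell folder actually point? With Folder
# Redirection active this resolves to a UNC path instead of the local profile.
$appData = [Environment]::GetFolderPath('ApplicationData')

# Our own definition of "local": not a UNC path and on a fixed disk
# (a mapped drive letter shows up as DriveType Network).
function Test-LocalPath([string]$path) {
    if ($path.StartsWith('\\')) { return $false }
    $drive = [System.IO.Path]::GetPathRoot($path)
    $info  = New-Object System.IO.DriveInfo($drive)
    return $info.DriveType -eq [System.IO.DriveType]::Fixed
}

if (-not (Test-LocalPath $appData)) {
    Write-Warning "AppData(Roaming) is redirected to '$appData'; CRM for Outlook will misbehave here."
} else {
    Write-Host "AppData(Roaming) is local ($appData)."
}

# Report the cache files so a support case can show exactly where they sit.
foreach ($f in $cacheFiles) {
    $full = Join-Path $cacheDir $f
    if (Test-Path $full) {
        $item = Get-Item $full
        "{0,-22} {1,10:N0} bytes  {2}" -f $f, $item.Length, $full
    } else {
        "{0,-22} not created yet ({1})" -f $f, $full
    }
}
```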

COYS!

Active Directory Topology Diagrammer

No comments June 11th, 2011

An updated version of ADTD was just released. Go get it if you like to have graphical documentation of your domain. It requires MS Visio. The older version worked with the Visio trial version; I’ve not tested if this version does.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13380

Configure Folder Redirection

7 comments May 21st, 2011

Without Folder Redirection, users might/will save data in their local profile on their computer. If they accidentally delete such a file, you don’t have a backup of it (unless you take backups of workstations, which I doubt…).

Configuring Folder Redirection is fairly easy, but you should get it configured correctly.

In this step-by-step I will just use a domain controller (DC) to store the user folders. I always strive to keep DCs dedicated and not mix other roles onto them. If you don’t have the hardware or budget, I guess you don’t have a choice.

Open up the “Share and Storage Manager” (which came along with Win2008 and is in fact a great tool).

In the Action frame, choose “Provision Share”:

Click “Browse” and “Make new folder”. Give it a meaningful name like “FolderRedir” or similar:


Edit the NTFS permissions:

Remove the inheritance so the folder doesn’t get permissions from its parent folder:

Permissions:

Administrators: Full Control, “This folder, subfolders and files”
System: Full Control, “This folder, subfolders and files”
Users (or a group containing the domain users): Read & Execute + “Create folders / Append data”, “This folder only”
Creator Owner: Full Control, “Subfolders and files only”

Give it a share name and make it administrative (add a $ at the end of the share name):

Enable “Access-based enumeration” (optional). With this feature, users browsing the share will only see the folders they have access to:

Set the share permissions:

Domain admins: Full Control
Users (or a group containing the domain users): Full Control

If you use DFS, you should consider placing the folder redirection share in DFS for redundancy. If you don’t have it, just click Next:

Hit Next and Create the good stuff.
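The share and NTFS permissions from the steps above, scripted as an added example (not code from the original post). D:\FolderRedir and FolderRedir$ are placeholders, and 'Domain Users' stands in for "a group containing the domain users"; Access-based enumeration is left to the GUI.

```powershell
# Added example, not from the original post: creates the folder-redirection
# root with the same NTFS and share permissions the walkthrough sets in the GUI.
# Assumptions: D:\FolderRedir and FolderRedir$ are placeholders, and
# 'Domain Users' stands in for "a group containing the domain users".
$Path      = 'D:\FolderRedir'
$ShareName = 'FolderRedir$'           # trailing $ makes it an administrative (hidden) share
$Domain    = $env:USERDOMAIN
$UsersGrp  = "$Domain\Domain Users"

New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path

# Break inheritance and discard the inherited entries ($false = do not copy
# them), then drop any explicit entries so only the rules below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }

# $inherit/$propagate map to the GUI's "Applies to" box:
#   'ContainerInherit, ObjectInherit' + 'None'        = this folder, subfolders and files
#   'None' + 'None'                                   = this folder only
#   'ContainerInherit, ObjectInherit' + 'InheritOnly' = subfolders and files only
function New-NtfsRule($identity, $rights, $inherit, $propagate) {
    $ruleArgs = $identity, $rights, $inherit, $propagate, 'Allow'
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}
$all = 'ContainerInherit, ObjectInherit'

$acl.AddAccessRule((New-NtfsRule 'BUILTIN\Administrators' 'FullControl' $all 'None'))
$acl.AddAccessRule((New-NtfsRule 'NT AUTHORITY\SYSTEM'    'FullControl' $all 'None'))
# Users get just enough on the root to create their own folder, not to open
# anyone else's (CreateDirectories is the "Create folders / Append data" right).
$acl.AddAccessRule((New-NtfsRule $UsersGrp 'ReadAndExecute, CreateDirectories' 'None' 'None'))
# CREATOR OWNER makes each user full owner of exactly the folder they created.
$acl.AddAccessRule((New-NtfsRule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly'))
Set-Acl -Path $Path -AclObject $acl

# Share permissions are Full Control for the two groups; the NTFS ACL above is
# what actually restricts access.
net share "$ShareName=$Path" /GRANT:"$Domain\Domain Admins,FULL" /GRANT:"$UsersGrp,FULL" | Out-Null

# Show the result so it can be compared with the list in the post.
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```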

With the share and NTFS permissions in place, you have to create a Group Policy Object (GPO):

Open the Group Policy Management Console:

Create a new GPO and give it an informative name, e.g. “GPO_FolderRedir”.

Navigate to “User Configuration – Windows Settings – Folder Redirection”. You now have to decide what you want to redirect. You can redirect everything, or just a few folders. “Documents”, “Desktop” and “Favorites” are handy to pick if you don’t pick all.

If all your users should be on the same share, you should use the “Basic” setting. If you have different shares for different domain groups you can use the “Advanced” setting.

Set “Root Path” to the share path you created earlier.

On the Settings tab, untick “Grant the user exclusive rights to Documents” if you want domain admins to have access to the redirected folders. If you don’t untick it now and the folders get created, unticking it later will not give domain admins access to the already created folders; you would have to take ownership of the folders to gain access, and once you do, redirection will not work when the user logs on, as the user has to be the owner.

Now you can link the GPO to an OU (not a container like “Users”) where the users reside.
When the users log on, the folders are created automatically and the permissions are set correctly. If the user saves e.g. a Word document to My Documents, it’s saved on the file server.

If you have terminal server users, folder redirection in conjunction with Roaming Profiles is a m.u.s.t!

COYS! 
(even though Manchester City bought a Champions League place)

A good friend…

No comments March 15th, 2011

In Star Wars, “R2-D2” was Luke Skywalker’s good friend. If you’re running a domain with FRS, D2 is your good friend, even though (2008) R2 (and DFSR) should be your buddy.

So when should you call your D2 buddy and give him a run?

You experience:

  • One of your DCs is in journal wrap
  • The local FRS jet database has become corrupt
  • Assertions in the FRS service
  • Missing FRS junction points
  • Missing FRS attributes/objects
  • Missing SYSVOL/NETLOGON share
  • Corrupt/missing NTFS journal
  • You are bored… (meaning the list is long)

Set the backup/restore flag, a.k.a. “BurFlags”, to D2, restart the NTFRS service, and things start moving:

HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

The bad DC will move all its SYSVOL data, if it holds any, into the “NtFrs_PreExisting_See_EventLog” folder. It then compares these files with the ones on an upstream partner, checking the file IDs and MD5 checksums from the upstream partner against the local ones. If a match is found, it copies the file from the Pre-Existing folder back into its original location; if it doesn’t match, it copies the file from its partner.

When the replication has finished (Event ID 13516 is logged), you can delete the content in the Pre-Existing folder to free up space.
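The D2 run described above, as an added example (not code from the original post): it sets BurFlags, restarts NtFrs and waits for event 13516 before suggesting any cleanup. It assumes local admin on the bad DC and the default SYSVOL location under %SystemRoot%; reg.exe is used because the key name contains “Backup/Restore”, which the PowerShell registry provider reads as a path separator.

```powershell
# Added example, not from the original post: D2 (non-authoritative) restore of
# this DC's SYSVOL replica, followed by a wait for event 13516. Assumes local
# admin and the default SYSVOL path; run it on the bad DC only.
$key = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# Record the current flag so the change is traceable in the session log.
$before = reg query "$key" /v BurFlags 2>$null | Select-String 'BurFlags'
Write-Host "BurFlags before: $before"

$start = Get-Date
# 0xD2 = 210 decimal. FRS reads and clears the flag when the service starts.
reg add "$key" /v BurFlags /t REG_DWORD /d 210 /f | Out-Null
Restart-Service -Name NtFrs -Force

# FRS logs 13516 once SYSVOL is shared again. Poll the FRS log for up to
# 30 minutes rather than assuming the restore finished.
$deadline = $start.AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $done = Get-EventLog -LogName 'File Replication Service' -After $start |
            Where-Object { $_.EventID -eq 13516 }
} until ($done -or (Get-Date) -gt $deadline)

if ($done) {
    Write-Host 'Event 13516 logged; SYSVOL is back.'
    # Only now is the Pre-Existing folder safe to clean up; show how much it holds.
    $pre = Join-Path $env:SystemRoot 'SYSVOL\domain\NtFrs_PreExisting_See_EventLog'
    if (Test-Path $pre) {
        Get-ChildItem $pre -Recurse | Measure-Object -Property Length -Sum |
            ForEach-Object { "Pre-Existing folder holds {0:N0} bytes" -f $_.Sum }
    }
} else {
    Write-Warning 'No 13516 within 30 minutes; read the FRS event log before doing anything else.'
}
```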

RpcSs expected value WIN32_SHARE_PROCESS

2 comments February 12th, 2011

If you have a domain with a mixture of Win2003 and Win2008 domain controllers, you might get some “false-positive” errors running DCDIAG.exe.

Starting test: Services
      Invalid service type: RpcSs on DC-Win2003, current value
      WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
......................... DC-Win2003 failed test Services

If you run DCDIAG from a Win2003 DC it will not report any errors, but if you run it from a Win2008 DC it will report this error.

E.g. from a Win2008 DC:

Dcdiag /e (tests all DCs in the domain)

or

Dcdiag /s:DC-Win2003 /test:services (run test only against DC-Win2003).

If you look at the service on a Win2003 DC, its Type is 0x10 (own process), while on a Win2008 DC it’s 0x20 (shared process).

HKLM\System\CurrentControlSet\Services\RpcSs\Type

So when you run DCDIAG from a Win2008 DC, it assumes the Type should be 0x20 on all DCs it diagnoses. The Win2008 version of DCDIAG does not check whether it is testing a Win2003 DC.

If you change how this service runs on a Win2003 DC with “sc config rpcss type= share”, the Type changes to 0x20 and a DCDIAG (/e) will come back clean.

I had to ask the MS DS team about this, since there wasn’t a KB regarding it, and they made a KB regarding this issue. If you google it you will get various recommendations to change the RpcSs service to run as shared. The DS team said this is expected behavior from DCDIAG. You should NOT change the way this service runs on a Win2003 DC. Leave it as it is, as it will not share its memory space of the svchost instance with anyone (nobody is requesting to share the space), even if you change it to shared.
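A way to judge the “Services” result per DC instead of changing anything, as an added example that is not from the original post: it reads the RpcSs service type and the OS of every DC over WMI. The “false positive” / “investigate” verdicts are our own reading of the explanation above; WMI access to each DC is assumed.

```powershell
# Added example, not from the original post: lists RpcSs service type and OS
# for every DC so the dcdiag "Services" result can be judged per DC. Assumes
# WMI access to the DCs; the verdict strings are our own.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        $svc = Get-WmiObject Win32_Service -ComputerName $name -Filter "Name='RpcSs'" -ErrorAction Stop
    } catch {
        Write-Warning "$name unreachable: $($_.Exception.Message)"
        continue
    }
    # Win32_Service.ServiceType reports 'Own Process' (0x10) or 'Share Process'
    # (0x20), the same value dcdiag reads from HKLM\...\Services\RpcSs\Type.
    $is2003  = $os.Caption -like '*2003*'
    $verdict = if ($svc.ServiceType -eq 'Share Process') { 'OK' }
               elseif ($is2003) { 'Own Process is normal on 2003: dcdiag false positive' }
               else { 'Own Process on a 2008 DC: investigate' }
    New-Object PSObject -Property @{
        DC          = $name
        OS          = $os.Caption
        ServiceType = $svc.ServiceType
        Verdict     = $verdict
    }
}
$report | Format-Table DC, OS, ServiceType, Verdict -AutoSize
```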

Reference: http://blogs.technet.com/b/askds/archive/2011/02/11/friday-mail-sack-the-year-3000-edition.aspx