Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

How to Remotely Promote Server Core to a Read Only Domain Controller (RODC)

If you would like to promote a Windows 2008 server core o/s to a RODC but the server is at a remote location, you can run into multiple road blocks. Firewall ports need to be opened, remote management needs to be enabled plus you need configuration information configured. The following text should help assist you in building this remote installation.

By default Server core has the firewall enabled. To open up the ports on the Firewall requires either setting up group policy if a domain machine or logging locally and configuring. By default, when a server role is installed, the correct ports are automatically configured to allow the role to function as well as to allow remote management, so no additional work is required.

Configuring the firewall:
To open the firewall for remote management, as a local admin from a command prompt on server core, key in the following:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Enabling Remote Management:
To enable remote management via the Remote Shell, as a local admin from a command prompt on server core key in the following:
Winrm quickconfig

If you want to run this on a secure channel you can open an HTTPS listener, as a local admin from a command prompt on server core key in the following:
winrm quickconfig -transport:https

Installing the DNS role:
To install DNS, from a command prompt on the remote workstation key in the following (Be sure to replace servercore = Remotely Managed Server):
Winrs -r:servercore start /w ocsetup DNS-Server-Core-Role

Promoting to an RODC: (Performing a Staged RODC Installation)

Start by pre-creating the server account (From Microsoft’s pre-staged deployment):

Save the text below and execute the following command to pre-create the RODC account (Note: Be sure to replace DomainName with your Domain Name)
dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:DomainName.com /unattend:\\longhorn\netlogon\precreate.txt

The next line is the start of pre-create RODC unattended text file
; DCPROMO unattend file
; Usage:
; dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:pbbergs.com /unattend:\\longhorn\netlogon\precreate.txt
;
[DCInstall]
; Read-Only Replica DC promotion (stage 1)
DCAccountName=servercore
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="PBBERGS\Denied
RODC Password Replication Group"
PasswordReplicationAllowed="PBBERGS\Allowed RODC
Password Replication Group"
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=Longhorn.pbbergs.com

The end of the pre-create RODC unattended file

To install the Domain Services role and promote the server core to a Domain Controller, from a command prompt on the remote workstation key in the following:
Winrs -r:servercore dcpromo /unattend:c:\unattended\promote.txt

The next line is the start of the dcpromo RODC unattended text file

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend: \\longhorn\netlogon\answer.txt
;
[DCInstall]
;
ReplicaOrNewDomain=Replica
ReplicationSourceDC:"pbbergs.com"
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=pa$$w0rd
; Run-time flags (optional)
RebootOnCompletion=Yes

The end of the dcpromo RODC unattended text file

Hopefully this article has helped you to get started, it is not trivial, and it took me multiple attempts on many steps to get it correct and working.

I would love to hear feedback on your success or problems that may have arisen in your attempt to remotely promote a server core to a RODC. You can write to me at pbbergs@msn.com.

External Forest Trust Configuration with a Firewall - Windows 2003 and NT4

An external forest trust relies on NetBIOS name resolution, dns is not involved.

All trust communication traffic flows between the Windows 2003 PDCe and the PDC.  It doesn’t matter how you have your LMHosts table setup or your firewall setup the trust is only going to work with these two being able to talk to one another. 

WINS Configuration

Using the web site LMHost Creator create the lmhost files for the trust for name resolution. (Per KB180094)

                        I highly recommend using this site to generate the LMHosts file!!!

Windows 2003

10.0.0.1                       NT4_Server     #PRE #DOM:NT4_Domain                 ß The name NT4_Server should be your PDC
10.0.0.1                       "NT4_DOMAIN     \0x1b" #PRE  

NT4

10.0.0.1                       2003_Server    #PRE #DOM:2003_Domain                ßThe name 2003_Server should be your PDCe
10.0.0.1                       "2003_DOMAIN    \0x1b" #PRE

Note The domain name in this entry is case sensitive. Make sure that you use uppercase characters for the domain name. If you use lowercase characters for the domain name, NetBT does not recognize the name.

Note Make sure that you space these entries correctly. Replace 10.0.0.1 with the IP address of your primary domain controller (PDC). Replace PDCName with the NetBIOS name of your PDC, and replace domain with your Windows NT domain name. There must be a total of 20 characters within the quotations (the domain name plus the appropriate number of spaces to pad up to 15 characters, plus the backslash, plus the NetBIOS hex representation of the service type).

To help determine where the sixteenth character is, copy the following line to your Lmhosts file:
# IP Address "123456789012345*7890"

Line up the double quotation marks (") by adding or removing spaces from the comment line, and put the \ on the sixteenth column (the column marked with the asterisk). You must use spaces after the name and before the \, not a tab.                   

Name Resolution Tests

Windows 2003

Nbtstat –R       -           Purges and reloads the remote cache name table
Nbtstat  -c        -           Lists NBT's cache of remote [machine] names and their IP addresses

NT4

Nbtstat –R       -           Purges and reloads the remote cache name table
Nbtstat  -C       -           Lists NBT's cache of remote [machine] names and their IP addresses

Note The -c is case sensitive and must be lowercase (Uppercase for NT4). After you type this text, you should receive a display that is similar to the following:

 Node IpAddress: [10.0.0.5] Scope Id: []

      NetBIOS Remote Cache Name Table

             Name Type Host Address Life [sec] ----------------------------------------------------------

             PDCName <03> UNIQUE 10.0.0.1 -1

             PDCName <00> UNIQUE 10.0.0.1 -1

             PDCName <20> UNIQUE 10.0.0.1 -1

             Domain  <1B> UNIQUE 10.0.0.1 -1

 Configuring Domain Controller Ports

The following port definitions should be defined on ALL DC's within the DMZ that could be replicating to external DC’s.  These define which ports will be made available to there requesting DC's.

Start Registry Editor (Regedt32.exe).

Restrict FRS Traffic to a Specific Static Port - KB319553

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
New     =          Reg_DWORD
Name   =          RPC TCP/IP Port Assignment
Value   =          10000              (Decimal)

Restricting Active Directory replication traffic to a specific port - KB224196
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
New     =          REG_DWORD
Name   =          TCP/IP Port
Data     =          10001              (Decimal)

RPC dynamic port allocation - KB154596 (Only allow ports 10002 - 10200 for RPC from other machines)
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a New Key = Internet

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the values
"Ports" (MULTI_SZ)                            =          10002-10200
"PortsInternetAvailable" (REG_SZ)       =          Y
"UseInternetPorts" (REG_SZ)               =          Y 

If you would like to test connectivity to validate FRS communication (This communication is for Windows 2003 to Windows 2003 communications only)

 NTFRSUTL version server_name

 If the two can communicate through the firewall via FRS the response will provide the current version number

 If you would like to validate connectivity between the NT4 and PDCe use the tool PortQryUI

Download PortQryUI and run the tool
Select the destination DC or PDC
Select Domains and Trusts
Validate the ports that should be open in fact are via the output provided by the tool.

For additional info on this tool see PortQry features, this is the backend tool for PortQryUI

 Configure 2003 Firewall Ports – KB179442 (This is between a dmz’d DC and an internal DC, these settings are for AD replication as well) 

135

TCP

RPC

RPC Connector Helper (Machines connect to find out what high port to use)

137

TCP

UDP

NetBIOS Name

138

 

UDP

NetBIOS Netlogon and Browsing

139

TCP

 

NetBIOS Session

123

 

UDP

NTP

389

TCP

UDP

LDAP

636

TCP

 

LDAP SSL

3268

TCP

 

LDAP GC

3269

TCP

 

LDAP GC SSL

42

TCP

 

WINS Replication

53

TCP

UDP

DNS

88

TCP

UDP

Kerberos

445

TCP

UDP

SMB over IP (Microsoft-DS)

123

 

UDP

NTP

10000

TCP

 

RPC NTFRS

10001

TCP

 

RPC NTDS

10002 –10200

TCP

 

RPC – Dynamic High Open Ports

 

ICMP

 

 

Configure NT4 Firewall Ports (If there is only an NT4 box outside the firewall than the previous is unneeded)

135

TCP

UDP

RPC Connector Helper

137

TCP

UDP

NetBIOS Name

138

 

UDP

NetBIOS Netlogon and Browsing

139

TCP

 

NetBIOS Session

42

TCP

 

WINS Replication

123

 

UDP

NTP

10000 – 10200

TCP

 

RPC – Dynamic High Open Ports

Made following Changes in Default Domain Controller Group Policy

Computer Configuration \ Windows Settings \ Security Settings \ Security Options     
     
Microsoft network client: Digitally sign communications (always) DISABLED  (Default ENABLED)
     
Microsoft network client: Digitally sign communications (if server agrees) ENABLED  (Default ENABLED) 
    
Microsoft network server: Digitally sign communications (always) DISABLED  (Default ENABLED)
   
Microsoft network server: Digitally sign communications (if client agrees) ENABLED  (Default ENABLED)
   
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED  (Default ENABLED)
   
Domain member: Digitally encrypt secure channel data (when it is possible) ENABLED  (Default ENABLED)
   
Domain member: Digitally sign secure channel data (when it is possible) ENABLED  (Default ENABLED)
   
Network access: Restrict anonymous access to Named Pipes and shares DISABLED (Default ENABLED)
   
Network access: Do not allow anonymous enumeration of SAM accounts and shares DISABLED (Default ENABLED)
   
Network access: Do not allow anonymous enumeration of SAM accounts  DISABLED (Default ENABLED)
   
Network access: Allow anonymous SID/Name translation  ENABLED (Default DISABLED)
   
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED  (Default ENABLED)
   
Domain member: Require strong (Windows 2000 or later) session key DISABLED (Default ENABLED) 

Made following Changed in Registry of 2003 PDCe  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous 1 (default 0)HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess 0 (default 1) 

Once all these steps have been completed the Trust can now be established

          How to establish trusts with a Windows NT-based domain in Windows Server 2003

There is a complete set of troubleshooting options available on KB889030

User Account Lockout Troubleshooting

Do any of these symptoms sound familiar?

·         A users account keeps getting locked out, even though they haven’t even had to enter their credentials except to maybe unlock their screensaver
·         A scheduled task quit working, such as a night backup job
·         Services that used to start up at boot up will no longer start even if attempted manually

These are typical symptoms of a recently changed password where other resources are using this same account but are unaware of the recent password change.  Things to check to assist in this troubleshooting are:
·         Is the account logged onto more than one machine
    o   A user could have mapped drives to a resource from one machine, on a different machine he changes his password and then the first machine attempts to stay mapped to a drive and the password is no longer correct and eventually locks the user out.
·   If a service is running that is attempting to authenticate and has an invalid password, it may attempt multiple times and lockout the account

Also ensure to review any mobile devices that your user might be using.  If they have a cell phone/tablet with an embedded password the handheld maybe attempting to authenticate.  This error will show up in the event logs and may the hardware may show up as a router or switch.

To help try and track down where the account is getting locked out use eventcombMT.exe from the Account Lockout tools found out Microsoft's website.  Use the built in search AccountLockouts.  Once the Event logs have been inspected and a new text file has been created, search within this text file for the locked account in question.

 You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."

http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

 

Configuring IPv4 as Default over IPv6

Starting with Windows Vista and Server 2008, IPv6 is the default over IPv4.  This can be annoying if your enterprise network isn’t prepared to support this.  You can modify this default behavior by OR’ing and registry setting on your machine.

The registry setting is the DisabledComponents registry value and it controls a series of bit flags as defined below:

·         Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0

·         Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0

·         Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0

·         Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0

·         Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0

·         Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0

Note Bits beyond Bit 5 are not used at this time

 

A single byte consists of 8 bits, these bits can have a value of 1 or 0.  In the DisabledComponents instance each of the first five bits refer to a switch, with 1 being on a 0 being off.  This can also be thought of as either true/false or on/off.

The zero bit refers to 0 or 1
The one bit refers to 0 or 2
The two bit refers to 0 or 4
The three bit refers to 0 or 8
The four bit refers to 0 or 16
The five bit refers to 0 or 32
The six bit refers to 0 or 64
The seven bit refers to 0 or 128

If you add all the bits up when set to a one the maximum value is 255.  Why do I bring this up?  In order to modify a bit you need to not modify the bits around it.  So first off you realize that the last three bits aren’t used so the maximum value will be – 1 + 2 + 4 + 8 + 16 + 0 + 0 + 0 = 31.  So the largest this key can ever be (Barring disabling IPv6 which will be set to the DWord of 0xFFFFFFFF).

So on to setting the default of IPv4 over IPv6 is to examine the fifth bit if it is zero then you need to modify the value by adding 16.  If the current value is equal to or greater than 16 than you know that the fifth bit is already set.

To take an example:

If the key is equal to 10, then you can see that:

·          6to4-based interfaces is disabled

·          Teredo-based interfaces is disabled

By adding (Or’ing 00010000) 16 to the key you end up with 26 which says, bits 1, 3 and 4 are all set to a 1 (Or are true).

For additional details refer to the technet article:
http://technet.microsoft.com/en-us/library/bb878057.aspx

I have a seperate Blog on disabling IPv6
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

 

How to Create an Active Directory User Provisioning System

This blog will detail how I created an Active Directory (AD) user provisioning tool with PowerShell.  It probably won’t be what you expect; the amount of front end entry is almost non-existent. The key to consistency within your enterprise is to take as much of the human element out of the picture as possible.  Without proper edit and control, organizations will find two user objects created by the same employee won’t hold to a standard of entry.  There in lies the key to this project. 

  

Although the code and the process in this endeavor is new, the original project itself is a rewrite.  Previous team members Steve Laskowski, Richard Narum and Dale Peterson have all written Perl or VB.Net in different forms to create an user object.  This newest process was created in Powershell.  The GUI was developed using Primal Forms by Sapien.  There is both a freeware tool as well as a full version, I opted for the full version.  Primal Forms generated all the lines of code for me, I am by no means a .Net developer but this development tool allowed me to create a tool rather quickly.

 

The jr admin running this front end script does not have to have any special permissions within AD.  The user just needs the ability to run the script and be able to save an XML file created by the script to a pre-defined location (Queue).  Once this file has been saved, a backend scheduled task (I execute it every minute from 6:00 am to 6:00 pm) to inspect the folder for a new file specially named as defined below.  The file has a random number built into the system to ensure that duplicate names can be created (Even though you can’t create duplicates) and multiple users can create files at the same time, so as you will see the real power is being able to have a secondary process drop XML files into the queue and the process can process them as required.  This will allow an administrator to run a script and drop all the users they need into a folder and generate as many users as needed.  That was the emphasis behind this project, our Human Resources (HR) synchronization process currently when a user is discovered missing within AD a report is generated, with this new process the user can be created without any intervention on the AD side.  One this is complete, we can then examine synchronizing other LDAP systems such as secondary Oracle db’s.

 

I have provided the Primal Forms so you can modify the form and the attirbutes passed within the xml.  So whatever you want to pass, you can but we went to the absolute minimums so as to keep things consistents as possible.

 

All of the scripts, xml files and cmd file all reside in the same location.

When the GUI is started, there is a cmd file which verifies that PowerShell has been loaded.  The code is displayed below.

As you can see the check is to see if the Powershell executable exists, if not a message is displayed, if so then call frontEndForm.ps1

 

########################################################################

@echo off

Rem Verify that Powershell is loaded on this desktop before proceeding

 

if not exist "%systemroot%\system32\Window~1\v1.0\powershell.exe" goto noPowershell

 

Rem Start up the GUI

net use v: \\server\share\newADUser

v:

cd \

powershell -ExecutionPolicy Unrestricted -command .\frontEndForm.ps1

c:

net use v: /del /y

 

Goto End

 

Rem Can't Proceed, Powershell needs to exist to run the front end script

:NoPowershell

Echo.

Echo.

Echo Powershell not loaded on this workStation

Echo Script aborted

Echo.

Echo.

Pause

 

:End

########################################################################

 

Once the newUser script is called the form has to be built.  There are several drop down boxes that need to be populated, two by XML files and a third by the user objects within AD.

 

 

 

Front End:

There are only four fields for user data entry; User Id, First Name, Middle Initial and Last Name.  Along with this there are eight additional selections; three drop downs and five check boxes.  The drop down boxes Business Unit and Account Type are built from xml files.

 

Business Unit:

The drop down box is populated by the attribute businessUnitNameX and the attribute businessUnitDNX will be used in the backend process to place the new user object in the defined OU.  A partially defined XML file is shown below:

 

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

businessUnitX     - Company the new user is defined to work for

businessUnitNameX - Complete Company Name

businessSMTPX     - E-Mail Domain Name

businessUnitDNX   - Distinguished Name of the OU where the new user will be placed

-->

 

<Configuration>

            <row>

       <businessUnitX>acme</businessUnitX>

       <businessUnitNameX>Acme</businessUnitNameX>

       <businessSMTPX>acme.com</businessSMTPX>

       <businessUnitDNX>OU=Acme,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

            </row>

            <row>

       <businessUnitX>apu</businessUnitX>

       <businessUnitNameX>Acme Pencil Unit</businessUnitNameX>

       <businessSMTPX>acme.com</businessSMTPX>

       <businessUnitDNX>OU=APU,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

            </row>

 

Account Type:

The drop down box is populated by the attribute accountTypeX which will be used in the backend process to prepend the value, along with other values discussed later, on the user account description attribute.  A defined XML file is shown below:

 

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

accountTypeX     - Descriptive value used for association the user type being created

-->

 

<Configuration>

            <row>

       <accountTypeX>Local Administrator</accountTypeX>

            </row>

            <row>

       <accountTypeX>Permanent Employee</accountTypeX>

            </row>

            <row>

       <accountTypeX>Service Account</accountTypeX>

            </row>

            <row>

       <accountTypeX>Temporary Employee</accountTypeX>

            </row>

</Configuration>

 

Account Requested By:

This drop down box is populated by all the user accounts, within AD, that exist from a base defined in the XML configuration file.  This leads me into the XML Configuration file, my goal was to allow this script to be installed by just modifying the four XML files.  The values within the Configuration file are

 

Configuration.xml

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

Description           - Description to be placed in user attribute

OrganizationalUnit - Distinguished name where to place newly created user

Description           - Value to be placed in the new user's description attribute

Root                    - Root location of where share is to be created for the new user

ScriptPath            - Executable for the logon script for the new user

HomeDrive          - Drive letter for the home drive for the new user

xmlLocation         - Location of xml files that contain the request for the new user .\ = same location as configuration files (Must end with a \)

expirationLength   - Length of time in days, before the account is expired

sqlServerX           - Optional SQL Server Database, if populated then script expects to write to sqlDataBaseX audit details

sqlDataBaseX      - SQL database

-->

 

<Configuration>

   <row>

        <descriptionX>User Account Created by Powershell Script</descriptionX>

        <rootX>\\usera\useradmin$\user</rootX>

        <scriptPathX>logonScript.cmd</scriptPathX>

        <homeDriveX>z</homeDriveX>

        <xmlLocationX>\\server\share\newADUser\queue\</xmlLocationX>

        <userBaseX>OU=Employees,OU=Users,DC=acme,DC=com</userBaseX>

        <expirationLengthX>90</expirationLengthX>

        <smtpServerX>smtp.acme.com</smtpServerX>

        <emailFromX>adAdmin@acme.com</emailFromX>

        <emailToX>NewActiveDirectoryUserDL@acme.com</emailToX>

        <sqlServerX>sqlServer</sqlServerX>

        <sqlDatabaseX>adAuditDB</sqlDatabaseX>

   </row>

</Configuration>

 

StorageGroups.xml

<?xml version="1.0"?>

<!-- Below are the server/storage group/Database's that are randomly selected to where a new user will be created

     By duplicating targets you can weight updates to go more often to those if so needed

     Pattern is ExchangeServer\StorageGroup\Database

     To list out all db's in you enterprise bring up the Exchange Management shell as an admin and key in the following

     get-mailboxDatabase

-->

 

<Databases>

            <target>

        <xmlSGX>exchangeServer\StorageGroup1\MailBox1</xmlSGX>

            </target>

            <target>

        <xmlSGX>exchangeServer\StorageGroup2\MailBox1</xmlSGX>

            </target>

</Databases>

 

After “Ok” is selected, the xml file NewUser_UserName_RandomNumber.xml is built via userTemplate.xml from data entered by the jr admin running the gui script.

 

            userTemplate.xml

            <?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script form that is created

aliasX                 - UserId                                                                                                 (Free form entered)

firstNameX        - First name of newly created user                                                           (Free form entered)

mInitialX            - Middle initial of newly created user                                                        (Free form entered)

lastNameX         - Last name of newly created user                                                           (Free form entered)

createdByX        - Computer and User running this tool that created this file                       (From WMI call)

requestedByX     - Person who requested this new user be created                                     (From Drop Down)

businessUnitX     - Business Unit the new user belongs to                                                    (From Drop Down)

accountTypeX     - Type of account this new user is                                                            (From Drop Down)

emailFlgX            - Should this new user not be given an email mailbox                                (Check box - True or False)

postiniFlgX          - Should this new user not be added to Postini for external email inbound (Check box - True or False)

enableAcctFlg     - Should this new user's account be enabled                                             (Check box - True or False)

expireAcctFlg     - Should this new user's account expire after 90 days                                (Check box - True or False)

folderFlgX          - Should this new user not be given an home folder                                   (Check box - True or False)

 

<employee>

            <row>

               <aliasX></aliasX>

               <firstNameX></firstNameX>

               <mInitialX></mInitialX>

               <lastNameX></lastNameX>

               <createdByX></createdByX>

               <requestedByX></requestedByX>

               <businessUnitNameX></businessUnitNameX>

               <accountTypeX></accountTypeX>

               <emailFlgX></emailFlgX>

               <postiniFlgX></postiniFlgX>

              <enableAcctFlgX></enableAcctFlgX>

              <expireAcctFlgX></expireAcctFlgX>

              <folderFlgX></folderFlgX>

           </row>

   </employee>

           

 

Example:

            newUser_pbbergs_1175854108.xml 

            <?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script form that is created

aliasX                 - UserId                                                                                                 (Free form entered)

firstNameX        - First name of newly created user                                                           (Free form entered)

mInitialX            - Middle initial of newly created user                                                        (Free form entered)

lastNameX         - Last name of newly created user                                                           (Free form entered)

createdByX        - Computer and User running this tool that created this file                       (From WMI call)

requestedByX     - Person who requested this new user be created                                     (From Drop Down)

businessUnitX     - Business Unit the new user belongs to                                                    (From Drop Down)

accountTypeX     - Type of account this new user is                                                            (From Drop Down)

emailFlgX            - Should this new user not be given an email mailbox                                (Check box - True or False)

postiniFlgX          - Should this new user not be added to Postini for external email inbound (Check box - True or False)

enableAcctFlg     - Should this new user's account be enabled                                             (Check box - True or False)

expireAcctFlg     - Should this new user's account expire after 90 days                                (Check box - True or False)

folderFlgX          - Should this new user not be given an home folder                                   (Check box - True or False)

 

-->

<employee>

  <row>

    <aliasX>pbbergs</aliasX>

    <firstNameX>Paul</firstNameX>

    <mInitialX>B</mInitialX>

    <lastNameX>Bergson</lastNameX>

    <createdByX>Computer:pbbergsDesktop  User:acme\adminpbbergs</createdByX>

    <requestedByX>Joe Smith</requestedByX>

    <businessUnitNameX>Acme Pencil Unit</businessUnitNameX>

    <accountTypeX>Permanent Employee</accountTypeX>

    <emailFlgX>False</emailFlgX>

    <postiniFlgX>False</postiniFlgX>

    <enableAcctFlgX>True</enableAcctFlgX>

    <expireAcctFlgX>False</expireAcctFlgX>

    <folderFlgX>False</folderFlgX>

  </row>

</employee>

 

Now that the form is loaded the user can begin to enter data.  The first field is the User Id, once entered the script will verify that the Id doesn’t currently exist.  Both the First and Last Name field are required and once landing on the field a value is required before you can exit.  Middle Initial is an optional field.

 

The rest of the fields are:

 

Business Unit drop down allows you to select the company or business unit within the company the new user works for.  This field is associated with an OU, which points to the location where the new user will be placed.

Account Type drop down allows you to define the type of account being created.  This value is used to populate part of the description field for human documentation.

Requested By drop down allows you to select who was the manager that requested the account be created, this also is used to help populate the description field for human documentation.

Create Mailbox check box allows you to choose whether or not to create a mailbox with the new user

Add Account to Postini check box is a field that prompts a manual process that notifies whether or not the account is to be allowed to receive external e-mail

Enable Account check box allows you to choose whether or not to enable account

Expire Account After 90 Days check box allows you to choose whether or not to expire account after 90 days

Create Home Folder check box allows you to choose whether or not to create a home folder for the user

 

When the form entry is completed and the OK button is selected, edit checks are rerun against the forms entered values.  The first, middle and last names first character are capitalized and all the drop down boxes have had a value populated in them, the user created xml file is created and dropped into the location defined by the

 

Once the file has been dropped (xmlLocationL) there is the backend process that will use these same xml files to process the dropped file.  The powershell process is setup to run every minute, via a scheduled task.  If no file exists the process quits, else edit checks are run and if passed the user is created.

 

The scheduled task is just a basic, per minute task defined in the photos below:

 

 

 

 

 

 

 

 

Once the task has been created the service account running the task needs to have enough permissions to create the user account, the mailbox (If selected) and the home folder (If selected).

 

The location to store the code can be anywhere but the folder structure will need to be as illustrated below (Note: Disregard the colored green and orange circles they are part of Carbonite, my cloud based backup system).

 

The users that will be running the gui will require read only permissions for the folder newADUser since this is where the code repository resides.  The only elevated permissions needed for the folder will be read/write for the queue folder.  This is where the gui drops the xml file for processing.

With the storage of the files, as follows:

To download the content (In zipped format), click on the zipped link below. I don't like to present zip'd files but I have too many files to be downloaded individually plus I want to ensure the folder structure is properly configured.  Just remember to limit access to this structure.

https://skydrive.live.com/?cid=3B55FC84ED3C1576#cid=3B55FC84ED3C1576&id=3B55FC84ED3C1576%21655

 

In order to allow the task to run properly you will need to load Powershell v 2.0, this will depend on what o/s you are going to run the scheduled task on. I run it on Windows 2008 R2 which was installed through "Features". To learn how to install this you will need to do a Bing search for your o/s.

 

Next you will need the Active Directory module, again since I am running the script on a 2008 R2 box it is handled via Active Directory Web Services (ADWS). If not using 2008 R2 then you will need to use the Active Directory Management Gateway Service.

Active Directory Administration with Windows Powershell
http://technet.microsoft.com/en-us/library/dd378937(WS.10).aspx

 

Finally, you will need to install the Exchange Management tools. When this was written I used Exchange 2007, so the link below references this version:

http://technet.microsoft.com/en-us/library/bb232090(EXCHG.80).aspx

Active Directory Replication Types

I find myself quite often trying to keep straight all the different replication activities that can occur within an Active Directory (AD) domain.

There is:

· Intrasite Replication

· Urgent Replication

· Intersite Replication

· Intersite Change Notification Replication

· Reciprocal Replication

· Immediate Replication

· Manual Replication

Replication between Domain Controllers (DC’s) occurs without administrative intervention. Replication provides the multimaster database that AD uses to allow all DC’s to have equivalent objects within a given time frame so an object modified at one location can be stored and forwarded to all other DC’s in its domain. How quickly objects are replicated to the rest of the domain, by an individual dc, is computed by the replication rules that exist and/or applied against them.

Intrasite Replication:

Replication between DC’s within a site don’t need to worry about connectivity speed, so the connections between dc’s are optimized for speed. Intrasite Replication within a site notifies a partner DC 15 seconds after a change has occurred and all subsequent DC’s it communicates are delayed by 3 seconds. For Windows 2000’s partners the initial time delay was 300 seconds (5 minutes) and subsequent partners was 30 seconds. So after the delay a partner DC is notified that the notifier has an update. It is up to this partner DC to request the modification. The notifying DC only notifies, it doesn’t push the change. It is up to the notified DC to pull the change. Also, all DC’s within a site are never more than 3 hops away from all other DC’s due to the KCC generating a bidirectional ring topology. This also ensures a quicker convergence within a site.

Urgent Replication:

Urgent notification is just that, it is not bound by the 15 second (Or 5 minutes) time delay of Intrasite Replication. Partner DC’s are immediately notified of changes, this only holds true for intrasite DC’s except if change site notification is enabled.

Intersite Replication:

DC’s between sites don’t follow the same set of rules that intrasite replication does. Changes between sites are setup on a schedule. The schedule is broken up in 15 minute increments, this schedule can also be set to only allow changes to occur at certain times of the day, thereby saving bandwidth at key points of time. The shortest time span for intersite to occur is 15 minutes and the longest is once a week. Note once replication begins between DC’s, the process will not stop until complete. So you won’t have to worry about incomplete replication activity due to time constraints.

Intersite Change Notification Replication:

With bandwidth pipes becoming cheaper and available, many organizations are becoming more well connected, 15 minutes can be a long time. Imagine having to wait for a password unlock not being reset in the proper site and having to wait 15 minutes for replication to occur. Obviously you can force replication but the point is 15 minutes between sites sometimes just isn’t realistic. To bypass the scheduled notification delays you can enable, Intersite Change Notification. Once enabled partners in different sites will be treated equivalently as intrasite replication, with the exception this only holds for NTDS, NTFRS still works on the schedule.

Reciprocal Replication:

Sometimes connectivity isn’t always available, for example a Navy/Cruise ship or a dial up connection.  With this type of topology both sides need to take advantage of the connect time, so both sides can replicate at the same time.  So when the remote site connects up to the Data Center the replication pair should both request and receive any delta’s that are available.  Hence, replication is initiated on the basis of change rather than on a schedule.

Immediate Replication:

If an administrator resets a password for a user who has forgotten their password, the change is immediately replicated back to the PDCe. This isn’t a situation where the PDCe is notified about the change but instead the change is immediately pushed to it. The reason this is so important is that if a user attempts to logon and the password they attempt to use fails, the DC will send the hash from the password (Password itself is never sent over the wire) back to the PDCe to check to see if the password is correct, since there is latency in replication.

Manual Replication:

Manual replication is triggered by the admin. This can occur from either the repadmin command or from AD Sites and Services. This will cross intersite replication schedules if requested. So if you have a Lag Site and the network is enabled, even though your site isn’t scheduled to replicate for possibly days a forced replication will cause the replication to occur. So you need to be aware of this, in a lag site I had set up I had a schedule task that actually enabled and disabled replication to prevent this.

 

Over the next few weeks I hope to expand and add some diagrams to help make this easier to follow, as well as some helpful links.

This can be confusing and I hope I have helped in you grasping this concept.

 

Preventing Lingering Object Replication in Active Directory

One thing you want to prevent in Active Directory is an Islanded DC, one in which you have lost connectivity to.  If a DC is disconnected beyond its "Tombstone Lifetime" it will begin to accumulate Lingering objects.  This isn't something you ever want to happen and if you are put in this situation I would strongly recommend you just flatten the DC, clean up the metadata in your domain and repromote the server.

Read my blogpost on AD clean up for assistance if you do need to remove a failed dc:

If you have an Islanded DC and for some unknown reason it is reconnected, you surely don't want to start replicating tombstoned objects to healthy DC's.  There is a simple fix for this, just enable "Strict Replication Consistency".  This registry setting will prevent replication from a corrupt partner.  You can simply open up the registry and make the modification on each dc in your domain/forest:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Strict Replication Consistency
       0 = Disable (Loose)
       1 = Enabled (Strict)

More information: http://technet.microsoft.com/en-us/library/cc784245(WS.10).aspx

Better yet, using RepAdmin just update all DC's from a command prompt (You need to elevate if on Vista/2008 or greater) in your forest.  I pipe the output and save the text file for documentation.

repadmin /regkey * +strict > c:\temp\dcListStrict.log

This will ensure that all your DC's are protected from any partners that are unhealthy and hopefully save you some real headscratching problems that can occur with Lingering objects.  In the example below you can see that only one of the three DC's needed to be updated.  You will also notice that rerunning this does not have an adverse effect.

The output of the above command would look like:

Repadmin: running command /regkey against read-only DC DC01.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC02.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC03.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" value does not exist
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency" REG_DWORD 0x00000001 (1)

Windows 7/Vista clients require elevated privileges to install or update a print driver

Our Help Desk support staff was really perplexed.  They were getting hammered by phone calls whenever a print driver was updated and the Windows 7 clients attempted to upgrade the print driver.  Windows XP clients had no problems upgrading, so obviously there was a UAC issue.

After doing some research a new setting was discovered that by default was set to require elevated permissions to install a new or upgraded print driver.  To allow users to update or install a new driver there are two new gpo settings that need to be configured for your users.

Both reside at the following location:

Computer Configuration / Policies / Administratice Templates / Printers

When installing drivers for a new Connection: "Do not show warning or elevation prompt"

When updating drivers for an existing connection: "Do not show warning or elevation prompt"

By setting both vales as defined above, users will now be able to connect and update their workstations without a Help Desk support visit.

Restoring a DC from a Snapshot

Restoring a Virtual DC from a Snapshot

Sorry about the formatting, I will have to retype at some point... 

This covers Windows 2008 R2 and all previous Windows o/s's

Let me start off by saying, if you are considering using this procedure, it should be your LAST option.  This is by no means is a supported Microsoft procedure and use of it could damage Active Directory.  In moving forward with this, you should also be reassessing your environment and take the proper steps to ensure this recovery model doesn’t have to be used again.

A little background, before the required steps:

Each Domain Controller’s DIT file (NTDS.DIT) is assigned a unique GUID, the name assigned to the DIT is its Invocation Id.  When an AD aware restoration occurs the Invocation Id is modified and any changes that have occurred on this DC between the restoration date and the current date need to be replicated back to this DC from its replication partners.  If a non-AD aware restore occurs the Invocation Id remains the same and the replication partners within the domain won’t replicate back changes.  These changes could be adds, changes or deletes with can creates orphans or within the AD world it is known as Update Sequence Number (USN) rollback.

 

To better understand this, consider the following scenario:

You have three DC’s, in one site, in your domain.  Each DC will keep track of the highest USN received for each partition (At a minimum three -Domain Naming, Configuration and Schema) of its replication partner(s); this is better known as the High Watermark Vector Table (HWVT). 

 

 

Please note the Invocation Id’s are actually 32 (GUID’s) characters in length.  To keep it simple I reduced the length for simplicity.  Also, the last used USN on each DC is noted as the Highest Committed USN.

 

Being it is a Friday, we are going to ensure we take a snapshot of DC-Accounting.  We need to ensure we have a full backup of a highly complex application that maintains all the corporate data.  Losing this data could cripple the business.

 

In figure 1, you will see that the three DC’s have fully replicated with one another, if you inspect the Highest Committed USN and compare it to the HWVT of the other DC’s you will see they are all equivalent.

 

 

Figure 1

DC-Accounting

Invocation Id = 580907

Highest Committed USN = 24873

 

Replication Partner

Invocation Id

HWVT

DC-Engineering

274369

16874

DC-HumanResources

999245

12568

 

 

DC-Engineering

Invocation Id = 274369

Highest Committed USN = 16874

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24873

DC-HumanResources

999245

12568

 

 

DC-HumanResources

Invocation Id = 999245

Highest Committed USN = 12568

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24873

DC-Engineering

274369

16874

 

 

Next let’s look at what happens after an event creates a Change Notification to its replication partners.

 

It is Monday morning and 5 employees were recently hired and the object creation is reflected against the DC, DC-Accounting.  You will note that the Highest Committed USN has incremented from 24873 à 24878.  If you notice (Figure 2) neither DC, DC-Engineering or DC-HumanResources knows about the newest objects.  During the replication cycle each DC will let its replication partner know about the highest USN it has within its DIT, which is determined by transmitting the HWVT.  If the Highest Committed USN (On the requested DC)is larger than the USN sent from its requesting DC then the requested DC will replicate those USN’s that are greater than the requesting DC is aware of.

 

 

Figure 2

DC-Accounting

Invocation Id = 580907

Highest Committed USN = 24878

 

Replication Partner

Invocation Id

HWVT

DC-Engineering

274369

16874

DC-HumanResources

999245

12568

 

 

New Objects

USN

User – Jimmy Falon

24874

User – Karen Wallace

24875

User – Michele Jacobs

24876

User – David O’Shannon

24877

User – Steve Berger

24878

 

 

DC-Engineering

Invocation Id = 274369

Highest Committed USN = 16874

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24873

DC-HumanResources

999245

12568

 

 

DC-HumanResources

Invocation Id = 999245

Highest Committed USN = 12568

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24873

DC-Engineering

274369

16874

 

 

 

As you can see, in Figure 3 the replication has completed. 

 

As the morning rolls on, disaster strikes, a water pipe in the ceiling bursts and destroys the HOST virtual machine hosting the guests of this server, one of which was DC-Accounting.  Recovering this DC and its application takes the highest priority, the companies financial systems have come to a halt and can’t move forward until the guest server, DC=Accounting is recovered.

 

 

Figure 3

DC-Accounting

Invocation Id = 580907

Highest Committed USN = 24878

 

Replication Partner

Invocation Id

HWVT

DC-Engineering

274369

16874

DC-HumanResources

999245

12568

 

 

DC-Engineering

Invocation Id = 274369

Highest Committed USN = 16874

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24878

DC-HumanResources

999245

12568

 

 

DC-HumanResources

Invocation Id = 999245

Highest Committed USN = 12568

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24878

DC-Engineering

274369

16874

 

 

Note: If you recall earlier, the snapshot used for the recovery will have to come from Friday night prior to when the 5 new employees were entered into Active Directory and specifically, they were created on DC-Accounting.

 

You are quickly able to restore the guest DC-Accounting  on a different Host virtual server and getting the DC back online, bringing great praise from the boss and even a nice note from the president.  Little does anyone know that problems lurk that have the potential to create a nightmare.

 

If you examine Figure 4, you will note that both DC-Engineering and DC-HumanResources have HWVT values for DC-Accounting that are greater than what DC-Accounting itself knows about.  In other words both DC-Engineering and DC-HumanResources have objects that were created on DC-Accounting that DC-Accounting doesn’t know about.  Since the restore was unaware of the restoration of the DIT file no steps were taken to notify the partners to  DC-Accounting that it needs to be updated from its own missing records. 

 

To make matters worse, the next five objects created on DC-Accounting will go unreplicated since the USN values for these objects is less than what the other DC’s currently have as DC-Accounting’s HWVT.  This will create more problems since the next 5 USN’s will represent objects other than the 5 previous objects created prior to the water pipe break disaster.

 

 

Figure 4

DC-Accounting

Invocation Id = 580907

Highest Committed USN = 24873

 

Replication Partner

Invocation Id

HWVT

DC-Engineering

274369

16874

DC-HumanResources

999245

12568

 

 

DC-Engineering

Invocation Id = 274369

Highest Committed USN = 16874

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24878

DC-HumanResources

999245

12568

 

 

DC-HumanResources

Invocation Id = 999245

Highest Committed USN = 12568

 

Replication Partner

Invocation Id

HWVT

DC-Accounting

580907

24878

DC-Engineering

274369

16874

 

 

 

The way the DC’s will know to replicate this data back is if the Invocation Id were to change, since the DC’s manage the object replication comparison via the Invocation and its associated HWVT.  If you don’t follow the steps noted below which will generate a new Invocation Id, you will create lingering objects and a whole lot of trouble for yourself.  To take this one step further, you will also need to do an non-authoritative restore on the sysvol, since sysvol also uses USN’s and can also end up with lingering objects!  So sysvol also needs to be properly updated.

 

 

 

Use at your own risk!

 

 

1)      Do your clone recovery

2)      Configure your nic to be unable to talk to the network

3)      Note the value of your Invocation Id

a.       From a command prompt run the following command

                                                               i.      Repadmin /showrepl

4)      Reboot your DC, make sure you boot into Directory Services Restore Mode (DSRM)

5)      Stop the NTFRS service

6)      Start up regEdit

a.       Drill down to HKLM\System\CurrentControlSet\Services\NTDS\Parameters

                                                               i.      Modify the RegKey “Database restored from backup” = 1

1.       If this RegKey doesn’t exist create one as a DWORD and set to a 1

                                                             ii.      If the RegKey DSA Previous Restore Count exists in the same path, note its value.  Upon reboot it should increment by one.  If it didn’t exist it should be created and it should be set to a value of 1.

b.      Drill down to HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process

                                                               i.      Modify the RegKey BurFlags to D2

7)      Reboot the server

8)      Log into the DC

a.       Verify that the Invocation Id has changed

b.      In the Event Log look for the Event Id 1109 (AD restored from backup)

9)      If both events have occurred in bullet 8 then, enable the nic

 

 

Thanks to Ulf and Jorge for assistance

Windows DCDiag Generating - Error 0x6ba "The RPC server is unavailable."

Once you arrive to Windows 2008 with Advanced Firewall and you run DCDiag you could end up with "error 0x6ba The RPC server is unavailable."  This is the result of the remote DC not allowing RPC connections from the firewall being enabled.

To remove this error and allow DCDiag to be run remotely, open up the following rule on the remote DC's Firewall settings:

Remote Service Management (RPC)

To not open this up to widely, I configure the "Scope" tab to only those ip addresses that will be running DCDiag remotely

Upgrade Certificate Server from 32 to 64 bit

In some older documents Microsoft stated that there was no support for upgrades from 32 to 64 bit:  

http://technet.microsoft.com/en-us/library/cc755153(WS.10).aspx

This is no longer the situation and there is support to migrate 32 to 64 bit, the Active Directory Certificate Services Migration Guide covers the steps required: 

http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

This process went smooth and the previous tech doc was all that was needed.



 

Windows 7/2008 Kerberos Default Encryption and Windows 2003/2000

With the latest o/s release Microsoft modified the default encryption method from RC4 to AES when first attempt to commenicate with a Ticket Granting Ticket Service Request.  As long as the client whether it be Windows 7 or Windows 2008, communicates with a Windows 2008 R2 Domain Controller (DC) everything is all good.  However if the client talks to a Windows 2003/2000 DC then the default of the client is AES and these DC's don't speak in AES.  The clients are intelligent enough to then attempt other encryption methods but the DC will generate an error 27 in the System Event log, giving you the impression that you have problems, as seen below.

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date:  9/28/2010
Time:  1:21:04 PM
User:  N/A
Computer: DC
 
Description:

While processing a TGS request for the target server krbtgt/DOMAIN.COM, the account Windows7Client@MNPOWER.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

The key to this mystery is the line "The requested etype were 18."  This etype is defined in the RFC3962, http://www.ietf.org/rfc/rfc3962.txt.

Unfortuantely there is no way to stop the Event Log errors, so you will have to modify the default value the clients start with when attempting a Kerberos session.

 

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Value Name:  DefaultEncryptionTypeValue

Type:  Reg_DWORD

Value Data:  0x17(23)

This will now set RC4 as the default value and still allows AES if needed.

 

Since I have a mid-sized environment that was continuously adding new Win7 clients I wasn't about to ask our pc support staff to manually change the registry since that would be a difficult task and once we are up to Windows 2008 R2 FFL, I would like my default to be AES once again.  So I decided to build a WMI Group Policy and apply it to our Workstations OU. Make sure that under the "Common" tab of the new registry key to be sure to select "Remove this item when it is no longer needed", this will then remove the entry if the client doesn't have the policy applied against it.

So I built a preference GPO with the registry settings above and applied it to all my Win7 clients via the WMI Filter below:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

 

How to apply a WMI Filter
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

Note:
This will capture both 2008 R2 and Windows 7 Clients so if you only want to apply this against Windows 7, make sure that the GPO is linked to an OU that doesn't contain Windows 2008 R2 servers.

 

Thanks to Mark Parris for his invaluable assistance in this blog.

Posted by Paul Bergson | 1 Comments
Filed under: , , , ,

Invalid service type: RpcSs when running DCDIAG

After recently bringing up a RODC in my default site, all my 2003 RWDC's in all my sites flipped to a single process which is not a good thing for DC's.  I can't be absolutely certain this was the cause but the errors occured on the same day of the RODC promotion.

The erorr in DCDiag should look like something similar to below:

 WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

You can easily fix this either by running an SC command or from RegEdit.  I would recommend SC just to ensure that it is properly configured.

From a command prompt key in the following.  Make sure that you include the "Space" after the "=" otherwise you will get an error.

sc config rpcss type= share  (Remotely ->   sc \\RemoteServer config rpcss type= share)

If you want to do this manually then open up the Registry Editor and drill down

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RpcSs\Type

The value should be Equal to 10 (Hex) if the single process is configured and 20 (Hex) if Multi-Process is configured

 

RODC - Password Replication Policy and Password Cache Management

With the advent of Read Only Domain Controllers (RODC) remote offices no longer have to present a risk for your Active Directory (AD) enterprise secrets.  RODC's by default do not cache ANY user or computer passwords.  This can present a problem if there is a loss of connectivity between the remote site's RODC and a Read Write Domain Controller (RWDC), since without caching since neither a user or computer will be able to authenticate.  You can however specifiy that their passwords be cached either by including a group or specific user in the Password Replication Policy on the RODC at the remote site.  Access to this policy is gained by opening up the RODC computer object and selecting the "Password Replication Policy" tab. 

It is realtively simple to add and remove user and computer objects, simply click on the "Add" or "Remove" button and modify the membership.  Problem is this can be very dynamic, users and computers are consisting coming and going and management of this can become extremely tedious.  Even if you are using group membership, this still has to be maintained.

I have found the use of Powershell was the piece I needed to resolve the problem.  It was important though that I am able to determine where a user or computer exists.  There is no software out there that can determine where an object exists without some clear definition.  Fortunately for me I have a nightly syncronization program between HR and AD that keeps all my users objects address accurate.  Now I just need a way to determine my machine object location. 

After doing some thinking I quickly realized that I already know which machines reside at any one site by the subnet definitions within AD Sites and Services. 

Now that I had things clear in my process, I had to find a way to gather all the information.  I decided that Powershell would be the best path to go, since I had two defined process. 

    • Determine the ip subnets within the site I wanted to build my group for
    • Query for all DNS records within the doman the RODC belongs to
    • Query AD to determine which of the DNS hosts are members of the AD domain
    • Update the computer objects location with a value that defines this sites lcoation
    • Since the users and computers move around so much clear out the current group membership
    • Read all computer and user objects and those that have the specific location defined add to the Site Group

 I have posted both scripts below, you will note that the users "City" attribute is not touched since this should be a managed attribute by your HR department.  Both scripts can be run on within a single task, just make sure that the Dynamic Security group sub-task is run second.

Note: Script 2 will generate churn for DC replication.  This rebuilds the group everytime it is run, so it will cause the group and its membership to be rereplicated wether or not there were any changes.  Not a big deal for small to midsized shops without expensive links or significant numbers of DC's, but if you have 100,000's of objects or 100's of dc's this is not efficient.  I hope to rewrite this to manage delta's only.

1)

import-module activeDirectory
#
# Script       - UpdateSiteLocation.ps1
# Author       - Paul Bergson
# Date Written - 09/22/2010
# Description  - Script will populate the location field of all computer accounts that reside in a specific site
#                  When used in association with the Powershell script to dynamically populate the members
#                  of a security group of all computer and user accounts with the same location.  This group can
#                  be part of the Password Replication Policy (PRP) for an RODC in the defined site.

$ErrorActionPreference = "SilentlyContinue"

# Get the subnets associated with Boswell and place them in the array $ipSubNetAry
$ipSubNetAry = @()                          # Create an empty array
$UpdateSite = "Site-Timbuktu"                # Define the site that you want to build the array for
$locationName = "Timbuktu"                  # Define the value you want populated in the object's "Location" attribute

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$sites = $forest.Sites
Foreach ($site in $sites)
   {
    $MPSubNets = $site.Subnets
    ForEach($MPSubNet in $MPSubNets)
       {
        If($MPSubNet.site.name -eq $UpdateSite)
           {
            $ipSubNetAry = $ipSubNetAry + $MPSubNet.Name.Substring(0,($MPSubNet.Name.Length-5))
           }
       }
   }
  
# Go get the host records from the sites in the array of the subnets
$dnsRecords = gwmi -computername computer.domain.com -namespace root\microsoftDNS -Query ('select OwnerName, IPAddress from MicrosoftDNS_AType where DomainName = "domain.com"')

# Now that all host records have been captured look for matching subnet's and see if they reside in Active Directory
ForEach ($hostRecord in $dnsRecords)
    {$ServerIpAddress = $HostRecord.IpAddress

         ForEach($ipSubNet in $ipSubNetAry)
             {
              $FoundMatch = $ServerIpAddress.StartsWith($IpSubNet)
            
              if ($FoundMatch)
                {
                    $FQDN = $hostRecord.OwnerName
                    $Sam = $FQDN.Split(".")
                    # Get the AD computer object to see if it needs to be updated
                    # Sam[0] holds the host name from the fqdn when the array is formed
                    $ComputerObj = $Null                         # Clear prior to call otherwise old value stays in object variable
                    $ComputerObj = get-adcomputer -identity $Sam[0] -properties Location
                    if ($error[0])                               # Don't process if host not available          
                       {
                        ForEach($NewComputer in $ComputerObj)
                           {
                           if ($NewComputer.Location -ne $locationName)
                              {write-output $NewComputer.samAccountName     # Not really needed other than if run locally
                               write-output $FoundIpAddress                 # it will provide feedback on the machines updated
                               # Next line does the actual update.  It should be commented out during any testing
                               Set-ADComputer $NewComputer.samAccountName -Location $locationName
                               }
                            }
                       }
                  }
              }
       }

2)

# Program buildDynamicSecurityGroup
# Author  Paul Bergson
# Date Written   September 20, 2010
# Description    This will recreate the membership list of the AD security group "DynamicSecurityGroup".  This group is used to manage
#                whose passwords are cached on the RODC in Timbuktu
#                By using the attribute City on USers and Location on Computers this is a Dynamic Security Group
#                This script is run nightly


# Get the ad cmdlets imported
import-module ActiveDirectory
$siteName = "Timbuktu"

# Clear all current members
  get-adgroupmember DynamicSecurityGroup | %{remove-adgroupmember DynamicSecurityGroup $_.SamAccountName -Confirm:$false}

# Add all users and computers to the $SiteName global security group
 get-aduser -filter{city -like $siteName} | %{Add-ADGroupMember DynamicSecurityGroup $_.SamAccountName}
 get-adcomputer -filter{location -like $siteName} | %{Add-ADGroupMember DynamicSecurityGroup $_.SamAccountName}

KMS Server won't activate additional servers

I have had my KMS server up and running for several years without any problems.  Recently I was working on a new 2008 Standard Server and it wouldn't activate.

I attempted to first use the standard GUI on the Windows Activation screen.  I was even surprised it popped up since KMS usually just works.  I selelcted "Activate Windows online now", a few moments later it came back with the response "The Product key you typed is already in use".

What does that mean? So I thought: forget it, I'm jumping to an elevated command line.

I ran slmgr -ato and I got the message it was activating and waiting for a click on the Ok button.  This was followed by the error message (What can't they open up a window within the program???).

Run 'slui.exe 0x2a 0xc004C008' to display the error text. Error: 0xC004C008

So I ran it as requested:

An error has occured

Code: 0xC004C008

Description: The activation server determined that the specified product key could not be used.

 

Finally something to work with.  It turns out there are limits placed on your KMS server and you have to contact Microsoft to get your KMS server limits increased.  So my sales rep and I contacted Microsoft Licensed Support at 1-866-230-0560.

They requested we send an upgrade request to the address kmsadd@microsoft.com

Ask for an increase in X number of activations on the key with the following details included:

  • Enrollment Number:
  • Company Name:
  • # of Activations:
  • KMS Key to modify:

It sure would have been helpful if Microsoft could have just said, "Hey Dude you have used up all your KMS licenses.  Please contact your local sales rep to get your count increased."

I have now gone through the requested steps and emailed my request but I still have to wait up to two business days for it to complete. 

The email response from their robot:

Thank you for your request for additional KMS activations. You can expect to receive a response within two business days. 

All support and responses provided through this alias will be in English.

 

Please reference Case ID:xxxxxxx for any questions regarding this request.

 

Hopefully the tags on this page help others to quickly solve this problem.              

 

Thanks to Josh Bussiere for his assistance.