<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.dirteam.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tomek's DS World</title><link>http://blogs.dirteam.com/blogs/tomek/default.aspx</link><description>Directory services, I&amp;AM and some thoughts about it </description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP3 (Build: 20423.1)</generator><item><title>Speaking ...</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/08/25/speaking.aspx</link><pubDate>Mon, 25 Aug 2008 20:58:57 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:3053</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/3053.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=3053</wfw:commentRss><description>&lt;p&gt;The next few months look like a speaking-engagement trial for me. In October I will speak at &lt;a href="http://www.mts2008.pl/"&gt;MTS 2008&lt;/a&gt;, which is a Polish TechEd-like conference organized by our MS sub. I will deliver two sessions:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;AD replication under the hood&lt;/strong&gt;: I will try to explain how AD replication works, what is important to know to effectively diagnose its state, and also some concepts which are often misunderstood when it comes to replication (urgent replication?? anyone?? :) )&lt;/li&gt; &lt;li&gt;&lt;strong&gt;AD geek's edition&lt;/strong&gt; (actually the Polish title translated to English is &lt;em&gt;Directory at home and farm&lt;/em&gt;): I hope to have a lot of fun delivering this one, where I will just walk through interesting (not necessarily the most useful) topics related to AD.
&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;However, this will be delivered in Warsaw and in Polish, so probably not many of this blog's readers will attend it :) (but you are welcome anyway :) )&lt;/p&gt; &lt;p&gt;But this week started with very good news (at least for me :) ): NetPro has accepted two of my session proposals for the upcoming &lt;a href="http://www.tec2009.com"&gt;TEC 2009&lt;/a&gt; conference:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.tec2009.com/vegas/agenda/directory/session_abstracts.php#systemdirectory"&gt;System.DirectoryServices.Protocols is your friend in .NET world&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.tec2009.com/vegas/agenda/directory/session_abstracts.php#ilm2logging"&gt;ILM 2007/v2 logging and auditing&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;TEC is the conference which was &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2008/06/19/dec-2009-ehh-i-mean-tec-2009.aspx"&gt;called DEC in the past&lt;/a&gt;, and I wrote about it before (&lt;a href="http://blogs.dirteam.com/blogs/tomek/archive/2007/05/07/dec-2007-part-1-vegas-experience.aspx"&gt;part 1&lt;/a&gt; and &lt;a href="http://blogs.dirteam.com/blogs/tomek/archive/2007/05/14/dec-2007-part-ii-conference.aspx"&gt;part 2&lt;/a&gt;). It would be a great experience to get to know this event not only from the attendee's but also from the speaker's perspective, and to speak at the same event as many 'well known persons' :). &lt;/p&gt; &lt;p&gt;Anyway ... it looks like after the holidays, which I'm starting next week, I will have to ramp up and quickly get prepared for MTS as well as start to work on the TEC sessions. &lt;/p&gt; &lt;p&gt;Anyone who is reading this blog and will also attend TEC in 2009 is more than welcome to join my sessions. 
I hope I will manage to deliver content which will be suitable for the highly demanding TEC audience.&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=3053" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/General/default.aspx">General</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Personal/default.aspx">Personal</category></item><item><title>How MS IT manages schema changes</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/08/20/how-ms-it-manages-schema-changes.aspx</link><pubDate>Wed, 20 Aug 2008 21:02:51 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:3044</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/3044.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=3044</wfw:commentRss><description>&lt;p&gt;AD schema updates are something which gives most of the customers I'm working with the creeps. They don't like them, they don't want to do them. &lt;/p&gt; &lt;p&gt;I hope that the just-published document titled &lt;a href="http://technet.microsoft.com/en-us/library/bb687810.aspx"&gt;Structured Active Directory Schema Management at Microsoft&lt;/a&gt; will let them overcome the fears and prepare a schema management process for their organizations.&lt;/p&gt; &lt;p&gt;For some time I've heard that this document was being written, but now that I've read it, it looks like something more than I've been expecting. Besides the technical aspects it describes the entire &lt;strong&gt;process&lt;/strong&gt;, and this word seems to be the most important one. You have to have a process if you want to do such things effectively in a bigger environment. &lt;/p&gt; &lt;p&gt;Nice reading, enjoy it. 
For those who prefer to watch, there is also a corresponding &lt;a href="http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032381511&amp;amp;Culture=en-US"&gt;webcast&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=3044" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>"User canceled installation" problem while installing ILM remotely</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/08/18/quot-user-canceled-installation-quot-problem-while-installing-ilm-remotely.aspx</link><pubDate>Mon, 18 Aug 2008 20:14:07 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:3038</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/3038.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=3038</wfw:commentRss><description>&lt;p&gt;One of my fellow MCS consultants was deploying ILM at a customer site and hit a strange issue: the ILM installation was terminating silently without any error message. In the installer log for this installation the following entry was logged at the end of the process:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;MSI (c) (20:48) [16:49:34:097]: Windows Installer installed the product. Product Name: Microsoft Identity Integration Server. Product Version: 3.2.559.0. Product Language: 1033.
Installation success or error status: 1602.&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;He asked me for advice as he had run out of ideas about what the cause could be, and I used err.exe to map this error code to &amp;quot;User canceled the installation&amp;quot;:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;# for decimal 1602 / hex 0x642&lt;br /&gt;  ecFavDuplicate  ec.h&lt;br /&gt;  ERROR_INSTALL_USEREXIT  winerror.h&lt;br /&gt;# User cancelled installation.&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;which was a bit strange, as he claimed they were not doing this. It wasn't as if I knew the cause right away, but based on my experience I asked him whether he was running this in a remote session. He confirmed this and I advised him to try running it on the console. And this did the trick ... the installation went smoothly. 
&lt;/p&gt; &lt;p&gt;Maybe not something which will happen often, but maybe it will help somebody with the same problem.&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=3038" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/ILM+2007/default.aspx">ILM 2007</category></item><item><title>Windows Server 2008 on a laptop</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/07/20/windows-server-2008-on-a-laptop.aspx</link><pubDate>Sun, 20 Jul 2008 22:27:00 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2961</guid><dc:creator>tomek</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2961.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2961</wfw:commentRss><description>&lt;p&gt;This topic has been buzzing on the Internet for some time; the result of this buzz is a &lt;a href="http://www.win2008workstation.com/wordpress/"&gt;web site&lt;/a&gt; devoted only to this topic - how to convert Windows Server 2008 into a client OS. To be honest, I was rather skeptical about this idea. I share the same concerns which Sander has expressed in &lt;a href="http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/07/19/windows-server-2008-as-workstation-os.aspx"&gt;one of his posts on DirTeam&lt;/a&gt;:&lt;/p&gt;&lt;blockquote&gt; &lt;ul&gt; &lt;li&gt;why spend so much money on a client OS?&lt;/li&gt; &lt;li&gt;why use a server OS as a workstation and turn on all these fancy features which are disabled by default?&lt;/li&gt; &lt;li&gt;what will it give me?
&lt;/li&gt; &lt;/ul&gt; &lt;/blockquote&gt; &lt;p&gt;Personally, at this moment I see only one business reason to use Windows Server 2008 on laptop hardware - Hyper-V. When a 64-bit environment in VMs is required (and it can be a requirement, for example for Exchange 2007 or ILMv2) and you have to stick to Windows and Microsoft software, this is the only existing option at this moment. &lt;/p&gt; &lt;p&gt;However, after the last post from &lt;a href="http://imav8n.wordpress.com/2008/07/17/server-2008-on-my-laptop/"&gt;Brian Puhl&lt;/a&gt; I've decided to give it a try. No business reason, just curiosity, and to see what the user experience with its installation and usage will be. I took some time late on Friday afternoon and deployed Windows Server 2008 32-bit Standard Edition on my laptop (and yes, I have the advantage that I didn't have to pay for a licence on my own - this is something good when you work for Microsoft :) ). So ... one hour to install it and add it to the domain - it worked smoothly. Another 30 minutes to load drivers and some required software - the whole operation took me about 2-3 hours (with copying data from my network backup hard drive). &lt;/p&gt; &lt;p&gt;First impressions ... my Tecra M5 (if you are looking for new laptop hardware avoid buying Toshiba ... and I mean it ... just get over Toshiba and consider other options) just flies like a bird with the 2008 OS loaded on the same hardware. Probably it is also an effect of a clean new OS, however the memory footprint is somewhat smaller for WS2008 compared to Vista SP1, and the fans in my laptop behave somewhat better (I can write with the notebook on my lap and I won't get burned ... which might have been the case earlier). I'm not sure what is causing this change, but I can observe it. I love the choice of options I can turn on/off with the server OS and I would love to have "Features" in the Vista OS as well.
Giving too many options to regular users is probably not what they are looking for, but more advanced ones ... they will love it (for now I've just turned on Wi-Fi and BitLocker support). For example, I didn't turn on or install desktop search, as I found it not very useful for me. I found out that I'm using search only for e-mails, so I've just installed &lt;a href="http://www.xobni.com/"&gt;Xobni&lt;/a&gt;, which works great with my Outlook. The server OS gave me the choice not to use the indexer (of course I can disable it on Vista as well, but there it is on by default). &lt;/p&gt; &lt;p&gt;It's a pity that my hardware doesn't support Hyper-V, so I can't replace VPC with it, but anyway I think I will work with Windows Server 2008 as my main personal OS and will see how it goes. Definitely it can be used as a client OS ... however, whether it is worth it, or whether you want to risk supportability problems with client software, is totally up to you. I know that we won't see the server OS being widely deployed on clients (and I don't think it would be a good idea), however for some people or developers it might be a vital option to consider - especially if you need 64-bit virtualization and you want to get it from Microsoft.&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=2961" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/General/default.aspx">General</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Random+thoughts/default.aspx">Random thoughts</category></item><item><title>"Access denied" while promoting RODC in a domain</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/07/15/quot-access-denied-quot-while-promoting-rodc-in-a-domain.aspx</link><pubDate>Tue, 15 Jul 2008 21:26:14 GMT</pubDate><guid 
isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2915</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2915.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2915</wfw:commentRss><description>&lt;p&gt;Some time ago one of my friends at MCS came across a problem while promoting an RODC in a multi-domain forest: an "access denied" error when a new RODC was promoted in one of the child domains. The problem was solved thanks to the discussion and involvement of a few different individuals, and I had the pleasure of being involved in this discussion as well. As the problem was then also reported by a few other people, I took some time to reproduce it in my mobile lab (thanks to some magic :) my machine was upgraded to 4GB so I can run VMs and write this at the same time :) ) and present here both the problem and its resolution.&lt;/p&gt; &lt;p&gt;I think we will get a KB describing this issue, but in the meantime let Google and Live consume this blog entry and bring this information to those who are seeking a solution :).&lt;/p&gt; &lt;p&gt;Enjoy .... &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Symptoms&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;When promoting a Read-Only Domain Controller (RODC) in a domain, the promotion process fails during the directory data replication phase. When examining DCPROMO.LOG the following entries can be found:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&amp;lt;date and time&amp;gt; [INFO] Error - Active Directory Domain Services could not replicate the directory partition &amp;lt;Domain DN&amp;gt; from the remote Active Directory Domain Controller &amp;lt;DC FQDN&amp;gt;. (8453)&lt;br&gt;&amp;lt;date and time&amp;gt; [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168&lt;br&gt;Internal error: An Active Directory Domain Services error has occurred.&lt;br&gt;Additional Data&lt;br&gt;Error value (decimal): -1073741790&lt;br&gt;Error value (hex): c0000022&lt;br&gt;Internal ID: 30014c7&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Win32 error 8453 is ERROR_DS_DRA_ACCESS_DENIED ("Replication access was denied"). In addition, an event with Event ID 1168 is logged in the Directory Service event log, holding the following information:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Log Name: Directory Service&lt;br&gt;Source: Microsoft-Windows-ActiveDirectory_DomainService&lt;br&gt;Date: &amp;lt;date and time&amp;gt;&lt;br&gt;Event ID: 1168&lt;br&gt;Task Category: Internal Processing&lt;br&gt;Level: Error&lt;br&gt;Keywords: Classic&lt;br&gt;User: ANONYMOUS LOGON&lt;br&gt;Computer: &amp;lt;DC name&amp;gt;&lt;br&gt;Description:&lt;br&gt;Internal error: An Active Directory Domain Services error has occurred.&lt;br&gt;Additional Data&lt;br&gt;Error value (decimal): -1073741790&lt;br&gt;Error value (hex): c0000022&lt;br&gt;Internal ID: 30014c7&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Error code c0000022 is an NTSTATUS value and translates to an access denied error:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;C:\&amp;gt;err c0000022&lt;br&gt;# for hex 0xc0000022 / decimal -1073741790&lt;br&gt;  STATUS_ACCESS_DENIED  ntstatus.h&lt;br&gt;# {Access Denied}&lt;br&gt;# A process has requested access to an object, but has not&lt;br&gt;# been granted those access rights.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;Cause&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;During the adprep /rodcprep portion of forest preparation a set of ACEs is added to the domain NC heads. The list of these ACEs can be found in the following TechNet article: &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/15883a88-9a03-46da-8c7d-bc4ed84ff3021033.mspx?mfr=true"&gt;Read-Only Domain Controller Updates&lt;/a&gt;. Two of these new entries are for the "Enterprise Read-Only Domain Controllers" (ERODC) group; the one that matters here grants it the "Replicating Directory Changes" control access right on the NC head. The group is identified by a well-known SID with RID 498.
The full SID of ERODC has the following value:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&amp;lt;FOREST ROOT DOMAIN SID&amp;gt;-498&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;For a forest root domain with SID S-1-5-21-329151704-1384884650-1385766050 it will be:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;S-1-5-21-329151704-1384884650-1385766050-498&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;: the forest root domain SID has to be used, as ERODC is a universal group which exists in the forest root domain; this holds even when the NC head being checked belongs to a child domain.&lt;/p&gt; &lt;p&gt;ERODC shows up only as a SID because the group is not created automatically during the /rodcprep operation. It is created afterwards by one of two events:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Transfer of the PDC Emulator role to a Windows Server 2008 based DC in the forest root domain. After the ERODC group has been created the role can be transferred back to its original holder. For information on how to transfer the PDC Emulator FSMO role to another DC please refer to &lt;a href="http://support.microsoft.com/kb/255504"&gt;KB 255504&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Promotion of the first RODC in the forest root domain.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Replication requests are authorized against the DACL of the NC head being replicated: the source DC requires the requesting DC to hold the "Replicating Directory Changes" control access right on that partition, and an RODC obtains it through its ERODC membership. If this ACE is missing, replication of the partition is refused with access denied and the promotion fails with the error described in the Symptoms section.&lt;/p&gt; &lt;p&gt;The presence of this ACE can be checked using any tool which can display permissions on a directory services object.
For example, using adfind.exe (&lt;a title="http://www.joeware.net/freetools/tools/adfind/" href="http://www.joeware.net/freetools/tools/adfind/"&gt;http://www.joeware.net/freetools/tools/adfind/&lt;/a&gt;) with the following syntax:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;adfind -b DC=W2k,DC=PL -s base ntsecuritydescriptor -sddl+&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;will, on a DC with proper permissions after /rodcprep, return the following:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Using server: rootdc.w2k.pl:389&lt;br&gt;Directory: Windows Server 2003&lt;br&gt;&lt;br&gt;dn:DC=W2k,DC=PL&lt;br&gt;&amp;gt;nTSecurityDescriptor: [OWNER] BA&lt;br&gt;&amp;gt;nTSecurityDescriptor: [GROUP] BA&lt;br&gt;&amp;gt;nTSecurityDescriptor: [DACL] AI&lt;/p&gt; &lt;p&gt;(...)&lt;/p&gt; &lt;p&gt;&amp;gt;nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;S-1-5-21-329151704-1384884650-1385766050-498&lt;/p&gt; &lt;p&gt;(...)&lt;/p&gt; &lt;p&gt;&amp;gt;nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;WD&lt;br&gt;&lt;br&gt;1 Objects returned&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Each SDDL ACE reads type;flags;rights;object GUID;inherited object GUID;trustee: OA is an object-specific allow ACE, CR is a control access right, the object GUID (shown by its display name thanks to -sddl+) selects the "Replicating Directory Changes" right, and the trustee is the ERODC SID. Note that the SID of the ERODC group is returned in this ACE because creation of the group had not yet taken place when this tool was executed.
Similar information can be obtained using dsacls.exe (a standard tool included in the Support Tools package, or shipped with the operating system in Windows Server 2008):&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;C:\&amp;gt;dsacls DC=w2k,dc=pl&lt;br&gt;&lt;br&gt;Owner: BUILTIN\Administrators&lt;br&gt;Group: BUILTIN\Administrators&lt;br&gt;&lt;br&gt;Access list:&lt;br&gt;Allow Everyone  SPECIAL ACCESS&lt;br&gt;  READ PROPERTY&lt;br&gt;(...)&lt;br&gt;Allow W2K\Enterprise Read-only Domain Controllers&lt;br&gt;  Replicating Directory Changes&lt;br&gt;(...)&lt;br&gt;The command completed successfully&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Note that in this case the ERODC group is shown by name, as this command was executed after the group had been created.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Solution&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;To correct this situation the proper ACE has to be added to the security descriptor of the NC head on which it is missing and is causing the
error. This can be achieved in two ways:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Using the GUI ACL editor in ADU&amp;amp;C or any other tool which allows directory permission management. &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;img src="http://www.w2k.pl/img/erodc_1.jpg"&gt; &lt;/p&gt; &lt;ul&gt; &lt;li&gt;Using the command line dsacls.exe tool or any other CLI tool which can manage directory services permissions, with the SID:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p&gt;dsacls DC=w2k,dc=pl /G "S-1-5-21-329151704-1384884650-1385766050-498:CA;Replicating Directory Changes"&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;or with the ERODC group name:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;dsacls DC=w2k,dc=pl /G "W2k\Enterprise Read-only Domain Controllers:CA;Replicating Directory Changes"&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Note: whether a SID can be used in place of a name may depend on the tool used to set this ACE; the SID form has the advantage that it works before the group exists. In a real environment change the NC head DN and the domain name / SID to the proper values.&lt;/p&gt; &lt;p&gt;After this modification the RODC promotion process should be able to finish.&lt;/p&gt; &lt;p&gt;In a proper configuration there should be two ACEs for the ERODC group present. One was described above; the second is simply "List contents" and "Read all properties" on the NC head, applied to "This object only". 
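&lt;/p&gt; &lt;p&gt;As an added example (not part of the original post, and not Microsoft's tooling), the PowerShell script below does the same check for both ERODC ACEs on every domain NC head in the forest and, with -Repair, adds whichever is missing, using only System.DirectoryServices. It assumes a domain-joined host, a caller who is an Enterprise Admin, and that the "Replicating Directory Changes" right is the schema control access right DS-Replication-Get-Changes with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2; the function names are the example's own.&lt;/p&gt;

```powershell
# Added example: audit (and optionally repair) the ERODC ACEs on every domain
# NC head in the forest. Not code from the original post. Assumes a domain-
# joined host, a caller who can read the NC heads and, with -Repair, write
# their DACL (Enterprise Admins), and the schema GUID below for the
# "Replicating Directory Changes" control access right.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Repair)

Add-Type -AssemblyName System.DirectoryServices

$ErodcRid = 498   # well-known RID of Enterprise Read-only Domain Controllers
$DsReplicationGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$SidType = [System.Security.Principal.SecurityIdentifier]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$None    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

function Get-ErodcSid {
    # ERODC is a universal group in the forest root, so its SID is always the
    # forest root domain SID plus RID 498, even when a child domain is examined.
    $root = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
    $raw  = $root.GetDirectoryEntry().Properties['objectSid'].Value
    $rootSid = [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
    [System.Security.Principal.SecurityIdentifier]::new("$($rootSid.Value)-$ErodcRid")
}

function Get-ErodcAceState {
    param([System.DirectoryServices.DirectoryEntry]$NcHead,
          [System.Security.Principal.SecurityIdentifier]$Sid)
    # Key the rules by SID: before the group exists (no PDC transfer or
    # root-domain RODC yet) the name cannot be resolved, the SID always can.
    $rules = $NcHead.ObjectSecurity.GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value -and $_.AccessControlType -eq $Allow }

    # ACE 1, in SDDL terms: OA;;CR;DS-Replication-Get-Changes;;SID-498
    $ext = $Rights::ExtendedRight
    $hasRepl = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $ext) -eq $ext -and
        $_.ObjectType -eq $DsReplicationGetChanges })
    # ACE 2: List contents plus Read all properties, this object only
    $lcrp = $Rights::ListChildren -bor $Rights::ReadProperty
    $hasRead = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $lcrp) -eq $lcrp -and $_.InheritanceType -eq $None })

    [pscustomobject]@{
        NcHead                      = $NcHead.Properties['distinguishedName'].Value
        ReplicatingDirectoryChanges = $hasRepl
        ListContentsReadProperties  = $hasRead
    }
}

function Add-ErodcAce {
    param([System.DirectoryServices.DirectoryEntry]$NcHead,
          [System.Security.Principal.SecurityIdentifier]$Sid, $State)
    $sec = $NcHead.ObjectSecurity
    if (-not $State.ReplicatingDirectoryChanges) {
        # same as: dsacls NC /G "SID-498:CA;Replicating Directory Changes"
        $sec.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Rights::ExtendedRight, $Allow, $DsReplicationGetChanges, $None))
    }
    if (-not $State.ListContentsReadProperties) {
        # same as: dsacls NC /G "SID-498:LCRPLO;;"
        $lcrplo = $Rights::ListChildren -bor $Rights::ReadProperty -bor $Rights::ListObject
        $sec.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $lcrplo, $Allow, $None))
    }
    $NcHead.CommitChanges()   # writes nTSecurityDescriptor back to the NC head
}

$erodcSid = Get-ErodcSid
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    $ncHead = $domain.GetDirectoryEntry()
    $state  = Get-ErodcAceState -NcHead $ncHead -Sid $erodcSid
    $state
    $complete = $state.ReplicatingDirectoryChanges -and $state.ListContentsReadProperties
    if ($Repair -and -not $complete -and
        $PSCmdlet.ShouldProcess($state.NcHead, "grant ERODC ($($erodcSid.Value)) ACEs")) {
        Add-ErodcAce -NcHead $ncHead -Sid $erodcSid -State $state
        $ncHead.RefreshCache()
        Get-ErodcAceState -NcHead $ncHead -Sid $erodcSid   # re-read from the DC to confirm
    }
}
```

&lt;p&gt;Run it without parameters first to get one row per domain NC head; only run it with -Repair (it honours -WhatIf and -Confirm) once the output shows which partition is missing which ACE. Comparing by SID rather than by name is deliberate: it gives the same answer whether or not the ERODC group has been created yet, which is exactly the state in which the adfind output above was taken. &lt;/p&gt; &lt;p&gt;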
In case this ACE is also missing it can be re-created using the UI:&lt;/p&gt; &lt;p&gt;&lt;img src="http://www.w2k.pl/img/erodc_2.jpg"&gt; &lt;/p&gt; &lt;p&gt;or from the command line, for example with dsacls.exe:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;dsacls DC=w2k,dc=pl /G "S-1-5-21-329151704-1384884650-1385766050-498:LCRPLO;;"&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Here LC is list contents, RP is read property and LO is list object; the two empty fields after the semicolons mean no object type is specified, and without an /I switch dsacls applies the ACE to this object only.&lt;/p&gt; &lt;p&gt;So that is basically it regarding this particular issue.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Additional information&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;In multi-domain forests such an operation might be required not only on the NC of the domain in which the new RODC is being promoted but also on other NCs, like the forest root domain. Checking every domain NC head for both ACEs before promoting is the cheapest way to avoid a failed promotion. &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Credits&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Credits for finding and providing the solution to this problem go to Matjaz Ladava from MCS Slovenia and some great guys at MCS and PSS who were involved in the resolution of this problem (Herbert, Roberts and others - kudos to you).&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=2915" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>Don't call me disconnector !!!</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/07/01/don-t-call-me-disconnector.aspx</link><pubDate>Tue, 01 Jul 2008 20:14:15 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2874</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2874.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2874</wfw:commentRss><description>&lt;p&gt;Those of you who attended Markus Vilcinskas' session at the
last DEC in Chicago should remember this phrase: "Don't call me disconnector!". For those who weren't at DEC I will try to explain why he didn't want to be called a disconnector. The idea for this post came to me after a long and probably fruitless discussion between me and &lt;a href="http://www.microsoftidm.com/"&gt;Joe Stepongzi&lt;/a&gt; on &lt;a href="http://tech.groups.yahoo.com/group/MMSUG/"&gt;MMSUG&lt;/a&gt; related to disconnectors. &lt;/p&gt; &lt;p&gt;For newbies in the ILM (MIIS) world - what is a disconnector? A disconnector is an object in a connector space (the Management Agent's view of a data source) which isn't connected to any metaverse object. To make it a bit more complicated, we have two types of disconnectors:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;normal: a disconnector which is a possible candidate for connection&lt;/li&gt; &lt;li&gt;explicit: a disconnector which won't be connected anymore.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So ... why don't we like disconnectors and why may we want to get rid of them (or at least make them connectors)?&lt;/p&gt; &lt;p&gt;First of all you have to remember that normal disconnectors are possible candidates for becoming connectors, which means that during synchronization these objects are subject to all activities like filter evaluation, join evaluation etc. This costs you performance, as executing these tasks often means executing some code, and even if there is no code attached to these actions such objects still have to be evaluated against all defined rules.&lt;/p&gt; &lt;p&gt;The second aspect is manageability. If a CS object is in the disconnected state, from your synchronization logic's point of view this object doesn't exist. You can't apply rules to or manage these objects. They are disconnected. So ..
if you want to bring them into a managed state, or for example you want to audit these objects for some reason (orphaned accounts), you want to connect them to some metaverse object, either by joining them or by projecting them into the metaverse. This will allow your synchronization logic to evaluate them and maybe do something with them. &lt;/p&gt; &lt;p&gt;Once a CS object is connected to a metaverse object, join rules won't be re-evaluated for it unless it is disconnected. So what if you want to re-evaluate the connections of such an object in the future under some circumstances? You can apply the technique described in the "&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=11fb01bc-94a9-4404-bb90-ceca1a206e32&amp;amp;DisplayLang=en"&gt;Correcting incorrect joins&lt;/a&gt;" document to do this. It will require some additional logic in the synchronization process, however the solution might benefit from it overall, from the performance and maybe also other points of view.&lt;/p&gt; &lt;p&gt;So ... are disconnectors bad?? As with many other ILM aspects I will say "It depends". It depends on what is important for you, how many disconnectors are in the CS, whether they are a big burden and whether they have some impact on the environment in terms of performance or manageability. &lt;/p&gt; &lt;p&gt;When you plan your next ILM deployment, besides thinking about attribute flows and the provisioning process, maybe you should also think about disconnectors. Do you really want them in the CS in a disconnected state?? Will they hurt the performance of the solution? Will I need to report them or reflect their existence in some process ... for example when looking for a unique value?? &lt;/p&gt; &lt;p&gt;I think it is good to think about it ... so ... don't call me disconnector and stay connected to this blog :). 
&lt;/p&gt;&lt;img src="http://blogs.dirteam.com/aggbug.aspx?PostID=2874" width="1" height="1"&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Identity+Management/default.aspx">Identity Management</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Identity+Lifecycle+manager/default.aspx">Identity Lifecycle manager</category></item><item><title>RODC deployment guide</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/06/09/rodc-deployment-guide.aspx</link><pubDate>Mon, 09 Jun 2008 19:42:45 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2790</guid><dc:creator>tomek</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2790.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2790</wfw:commentRss><description>&lt;p&gt;Another short download information: &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/7576331d-6898-457f-9514-71dd9e146cbf1033.mspx?mfr=true"&gt;RODC Deployment Guide&lt;/a&gt; just hit TechNet web pages, so anyone interested in deploying Windows Server 2008 with this role have something to read while servers will do its daily business. This part of this guide deals only with deploying RODC in branch office scenario. 
Other planned parts of this document will describe RODC deployment in a DMZ.&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>RODC compatibility pack for down-level clients</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/05/29/rodc-compatibility-pack-for-down-level-clients.aspx</link><pubDate>Thu, 29 May 2008 08:19:16 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2763</guid><dc:creator>tomek</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2763.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2763</wfw:commentRss><description>&lt;p&gt;The number of RODCs in production environments is probably not very high yet, but many people and organizations are thinking about it. For those I have good news: new KB article 944043 was published, which delivers the &lt;a href="http://support.microsoft.com/kb/944043"&gt;RODC compatibility pack for down level clients&lt;/a&gt;. In this case 'down level' means XP and 2003.&amp;nbsp; &lt;/p&gt; &lt;p&gt;This fix addresses (ok, at least it should, as I haven't tested it yet) several (10 to be specific) different problems which may affect XP/2003 in conjunction with an RODC. Among others:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;a problem with time synchronization between XP/2003 and an RODC&lt;/li&gt; &lt;li&gt;a problem with joining the domain and password resets in a DMZ&lt;/li&gt; &lt;li&gt;a problem with Windows 2003 registering SRV records in sites with an RODC when auto site coverage is enabled&lt;/li&gt; &lt;li&gt;... 
and others as described in &lt;a href="http://support.microsoft.com/kb/944043"&gt;KB 944043&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;It looks like I have to update my RODC presentation slide deck which I will present next Monday :).&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>Virtualization - is it only a sweet?</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/05/19/virtualization-is-it-only-a-sweet.aspx</link><pubDate>Mon, 19 May 2008 20:51:00 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2741</guid><dc:creator>tomek</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2741.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2741</wfw:commentRss><description>&lt;p&gt;Probably we all use virtualization, which in the past few years has become the new holy grail of personal computing, and not only that. We all use them (VMs); basically those of us who work as developers, consultants or sysadmins can't live without them. So is there only good in virtualization ... ? It is cheap, it is handy ... what can be wrong? 
&lt;/p&gt; &lt;p&gt;Probably nothing, and this is probably only my thought going around my head, but some incidents on a network last Friday and &lt;a href="http://imav8n.wordpress.com/2008/03/16/of-virtual-machines-and-things/"&gt;Brian Puhl's blog&lt;/a&gt; about problems with networking and IP addresses make me think that maybe for corporate environments we are missing one piece of the puzzle - &lt;strong&gt;CONTROL&lt;/strong&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Maybe it isn't so important if we think about VMware ESX and Hyper-V closed in data centers and hosting our main business services. Both technologies provide a way to control who can do what on a given instance. However what we can't control is the hundreds or maybe thousands of VMs running on desktops and laptops here and there in our networks.&lt;/p&gt; &lt;p&gt;As far as I know, none of the current virtualization products available for desktop machines provides an easy way to control simple things like:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;how many virtual machines are running on a host&lt;/li&gt; &lt;li&gt;how many VMs a user actually CAN run on a host&lt;/li&gt; &lt;li&gt;whether a user can attach VMs to a physical interface and, as a result, to our network&lt;/li&gt; &lt;li&gt;how many software licenses are being used in VMs&lt;/li&gt; &lt;li&gt;etc.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;This is an aspect which is completely missing from these products, which may be the result of the fact that there is no need for such mechanisms and my thoughts around this are completely incorrect. What I know now is that if we look at the clash of the two sides, "Administrator" and "User running VMs", the former is standing in a losing position. 
&lt;/p&gt; &lt;p&gt;From my perspective, what I'm thinking about as a solution on the Windows platform is:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;a WMI interface which would allow querying different aspects of virtualization running on a host (I'm not referring here to hypervisor based virtualization, but Hyper-V has some WMI interfaces built-in)&lt;/li&gt; &lt;li&gt;GPO for controlling some aspects of virtualization products, like:&lt;/li&gt; &lt;ul&gt; &lt;li&gt;whether virtualization is allowed on a host&lt;/li&gt; &lt;li&gt;whether VMs can be connected to physical network interfaces&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt; &lt;p&gt;What would also be a nice addition is an easy to use interface to tell whether the OS is running inside a VM, for the Windows platform preferably as a WMI interface. When I wrote about it on my Polish blog my friend Pawel, who is a very skilled guy when it comes to security, pointed out to me that in the security world this isn't something you want to have, as malware checks whether it is running in a VM to make analysis a bit harder. However I might think about an interface which can be switched on/off by the administrator as a solution.&lt;/p&gt; &lt;p&gt;&lt;font color="#444444"&gt;So ... this is something which was going around my head last Friday and maybe I'm completely wrong on this whole thing. But ... yes, there is a &lt;em&gt;but&lt;/em&gt; which makes me think that I would be very glad to find a bit more control over virtualization in my network.&lt;/font&gt;&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Random+thoughts/default.aspx">Random thoughts</category></item><item><title>Steal this post ... 
just like Deepak</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/04/21/steal-this-post-just-like-deepak.aspx</link><pubDate>Mon, 21 Apr 2008 18:37:02 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2659</guid><dc:creator>tomek</dc:creator><slash:comments>9</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2659.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2659</wfw:commentRss><description>&lt;p&gt;... You want to have Your own blog with fresh content ... on different topics ... just steal this post like Deepak Gupta is doing. &lt;/p&gt; &lt;p&gt;Lately &lt;a href="http://www.ditii.com/2008/04/20/how-far-you-can-push-active-directory/"&gt;he wrote&lt;/a&gt; about maximum limits in AD, just &lt;a href="http://blogs.dirteam.com/blogs/tomek/archive/2008/04/18/how-far-you-can-actually-push-ad.aspx"&gt;like I did&lt;/a&gt;. He &lt;a href="http://www.ditii.com/2008/04/20/hyper-v-the-mystery-of-limit-processor-functionality-part-1/"&gt;also wrote&lt;/a&gt; about new Hyper-V features, exactly &lt;a href="http://blogs.dirteam.com/blogs/natashamocke/archive/2008/04/19/the-mystery-of-hyper-v-s-limit-processor-functionality-part-1.aspx"&gt;as Natasha did on her blog&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Maybe I should be flattered that I'm writing something interesting, but probably he is just copying the entire DirTeam site.&amp;nbsp; My friend &lt;a href="http://blogs.technet.com/alipka/"&gt;Andrzej&lt;/a&gt; some time ago also had a problem with a person who was stealing his posts. This is starting to be some kind of new plague affecting the Internet.&lt;/p&gt; &lt;p&gt;I hope that this post will also get stolen by Deepak and will make him happier as a content author. 
I hope it will also hit his front page and I really hope that it will pop up from time to time in search results for somebody who looks for his name.&lt;/p&gt; &lt;p&gt;Sorry to all who are reading this blog for its technical (and maybe not only technical) content. This post is for Deepak ... I hope he will steal this post as well and will display it on his front page. &lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/General/default.aspx">General</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category></item><item><title>How far You can actually push AD?</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/04/18/how-far-you-can-actually-push-ad.aspx</link><pubDate>Fri, 18 Apr 2008 20:46:40 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2651</guid><dc:creator>tomek</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2651.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2651</wfw:commentRss><description>&lt;p&gt;Have you ever wondered how many objects You can create in Your DIT (actually this was shown some time ago by &lt;a href="http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx"&gt;~Eric&lt;/a&gt;)? Or how many DCs are too many in a domain?&amp;nbsp; &lt;/p&gt; &lt;p&gt;For some time now, on one of the MS internal distribution groups, a group of folks were discussing a document which describes such limits related to AD (BTW - the possibility to be a part of such discussions is one of the greatest things about being an insider). This document is now published. 
It is short but provides all the information, check it out - &lt;a href="http://technet2.microsoft.com/windowsserver/en/library/d2fc40d8-50ba-450c-959b-28fd7e31b9961033.mspx?mfr=true"&gt;Active Directory Maximum Limits&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;BTW - if it just happens that you are a customer who is near such a limit or has actually crossed it (if this is related to the number of objects - call PSS :) ) I would be happy to hear about it either through comments or through e-mail. So far I have worked with one particular customer who has actually crossed one of these limits - this was about the number of DCs in a single domain. But this isn't a hard limit - it is more like a recommendation and if You know how to handle this You can live with it. &lt;/p&gt; &lt;p&gt;So ... another interesting read.&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>How to handle time ...</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/04/17/how-to-handle-time.aspx</link><pubDate>Thu, 17 Apr 2008 22:36:37 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2650</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2650.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2650</wfw:commentRss><description>&lt;p&gt;Handling time is a somewhat challenging task. It can't be stopped so far, so we have to live with schedules and clocks. 
But this won't be about time physics but a more mundane thing.&lt;/p&gt; &lt;p&gt;One of my friends asked me how to translate the &lt;em&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/ms679430(VS.85).aspx"&gt;pwdLastSet&lt;/a&gt;&lt;/em&gt; attribute value to some more readable value. My first answer was - what a surprise - &lt;a href="http://www.joeware.net/freetools/tools/adfind/index.htm"&gt;adfind.exe&lt;/a&gt;. Adfind handles such things pretty well:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;C:\Temp&amp;gt;adfind -b "CN=Administrator,CN=Users,DC=w2k,DC=pl" -s base pwdlastset -tdc&lt;/p&gt; &lt;p&gt;AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007&lt;/p&gt; &lt;p&gt;Using server: W03DC1.w2k.pl:389&lt;br&gt;Directory: Windows Server 2003&lt;/p&gt; &lt;p&gt;dn:CN=Administrator,CN=Users,DC=w2k,DC=pl&lt;br&gt;&amp;gt;pwdLastSet: 12/22/2005-17:18:55 Central European Daylight Time&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Hmmm ... but his answer to this was:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;'adfind.exe' is not recognized as an internal or external command,&lt;br&gt;operable program or batch file.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Well .. if You are getting a similar message it is time to change it - get adfind as soon as you can. It will make your AD-life easier. But we are still left with a problem - how to translate the pwdLastSet attribute value, stored as an&amp;nbsp; &lt;em&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/ms684426(VS.85).aspx"&gt;Interval&lt;/a&gt;&lt;/em&gt;, to readable content using system tools or tools delivered by Microsoft (in some environments using third party tools is not something which You can do).&lt;/p&gt; &lt;p&gt;So let's start with an AD lock pick, which is LDP.EXE. 
In the version delivered with Windows 2003 and later it does this magic for us:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;CN=Administrators,CN=Builtin,DC=w2k,DC=pl; &lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1&amp;gt; pwdLastSet: 12/22/2005 16:18:55 Central European Standard &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The next tool we can use is the well known repadmin.exe with the /showtime switch. What we have to do is remove the 7 rightmost digits from the value and pass it to the tool:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;C:\Temp&amp;gt;repadmin /showtime&amp;nbsp; 12779738335&lt;br&gt;12779738335 = 0x2f9bb54df = 05-12-22 15:18.55 UTC = 2005-12-22 16:18:55 local&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;And the last tool I will mention is finally something which is at least related to time,&amp;nbsp; w32tm.exe with the /ntte switch:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;C:\Temp&amp;gt;w32tm /ntte&amp;nbsp; 127797383352618256&lt;br&gt;147913 15:18:55.2618256 - 12/22/2005 5:18:55 PM (local time)&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;So as You can see our toolbox for this task is pretty rich ... but still, if you can, grab a copy of adfind and use it. 
It is really a great tool.&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Tools+and+scripts/default.aspx">Tools and scripts</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>SQL 2008, Kerberos and SPNs</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/04/09/sql-2008-kerberos-and-spns.aspx</link><pubDate>Wed, 09 Apr 2008 21:54:18 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2636</guid><dc:creator>tomek</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2636.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2636</wfw:commentRss><description>&lt;p&gt;Last weekend I was attending (or better to say I was just passing by, as it was a short visit) a conference organized by some .NET developer and SQL user groups called &lt;a href="http://www.c2c2008.pl/"&gt;Community to Community 2008&lt;/a&gt;. If You ask me this was a really cool event, considering that it was organized only by people from the communities and was free for all to attend. Hope we will get more of these in Poland soon. &lt;/p&gt; &lt;p&gt;But this isn't my main topic here. I had time to attend only one technical session, which was delivered by Marcin Szeliga - Polish SQL MVP. He was talking about SQL 2008 and changes in this product related to security. I'm not really a SQL type of guy but I managed to understand most of it :) and he really got my attention when he started to talk about changes in authentication and Kerberos support. 
&lt;/p&gt; &lt;p&gt;What attracted my attention was the statement that "SQL 2008 doesn't require &lt;a href="http://msdn2.microsoft.com/en-us/library/ms677949(VS.85).aspx"&gt;Service Principal Names&lt;/a&gt; to make Kerberos work anymore; instead You can specify the SPN in the connection string". Hmmm ... I confirmed what he had said with him after the session and I said that I would check it ... so here I am with conclusions.&lt;/p&gt; &lt;p&gt;&lt;em&gt;BTW - are SPNs really such a problem?&amp;nbsp; I know that they tend to be a problem when it comes to application deployment \ configuration. This is the first thing which is likely to be forgotten or which causes a problem when it has to be configured. It often requires getting to a domain admin who has rights to write to servicePrincipalName - I don't know why they are not delegating this to the service account which is being used during deployment. &lt;/em&gt;&lt;/p&gt; &lt;p&gt;OK - so getting back on track. During this session I heard that SPNs do not need to be registered and can be specified in the connection string. 
I dug a bit and, as is often the case, it turned out that there is a piece of truth in this statement.&amp;nbsp; SQL 2008 has some improvements in Kerberos support, and when it comes to SPNs:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Yes, You can specify the SPN as a part of the connection string, and this is optional&lt;/li&gt; &lt;li&gt;Yes, You still require SPNs to be registered for the SQL service if:&lt;/li&gt; &lt;ul&gt; &lt;li&gt;You do not provide an SPN in the connection string&lt;/li&gt; &lt;li&gt;You provide the SPN in the &lt;em&gt;MSSQLSVC/FQDN:&amp;lt;port|instancename&amp;gt;&lt;/em&gt; format&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;In case You provide the SPN as a part of the connection string, the service itself will not try to construct an SPN and will use the one provided&lt;/li&gt; &lt;ul&gt; &lt;li&gt;so make sure that You have double checked Your configuration settings :)&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;You don't have to register SPNs for the SQL service as long as you always provide the SPN as a part of the connection string and You use one of the following formats for it:&lt;/li&gt; &lt;ul&gt; &lt;li&gt;serviceaccount@domain - which basically is the UPN of the service account&lt;/li&gt; &lt;li&gt;domain\serviceaccount - which points to a specific logon name in the domain&lt;/li&gt; &lt;li&gt;machine$@domain - I haven't checked the SQL documentation but this probably is valid only when SQL runs under one of the system built-in accounts&lt;/li&gt; &lt;li&gt;host\FQDN - with the same note as above.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt; &lt;p&gt;So this fits better with what I know about this stuff :).&lt;/p&gt; &lt;p&gt;So it is good to know about such changes. I'm afraid that it will cause a bit of a mess in application deployments, as now nobody will talk with the directory admins when an application gets deployed, and then this admin will be the one who has to solve the authentication related problems ... 
which might be an incorrect SPN in the connection string. &lt;/p&gt; &lt;p&gt;So just FYI ... &lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category></item><item><title>RSAT is available for download</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/03/25/rsat-is-available-for-download.aspx</link><pubDate>Tue, 25 Mar 2008 21:47:16 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2592</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2592.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2592</wfw:commentRss><description>&lt;p&gt;A wave of information has started to spread across the Internet that RSAT has finally been released for download. So here are the links for the RSAT download:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;font color="#444444"&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&amp;amp;displaylang=en&amp;amp;tm"&gt;32-bit&lt;/a&gt; &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font color="#444444"&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=d647a60b-63fd-4ac5-9243-bd3c497d2bc5&amp;amp;displaylang=en&amp;amp;tm"&gt;64-bit&lt;/a&gt;.&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;All of you who have deployed Windows Server 2008, especially the Core version, should like this information.&lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Downloads+info/default.aspx">Downloads info</category></item><item><title>Critical vuln in MIT Kerberos 
implementation</title><link>http://blogs.dirteam.com/blogs/tomek/archive/2008/03/24/critical-vuln-in-mit-kerberos-implementation.aspx</link><pubDate>Mon, 24 Mar 2008 20:38:18 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:2587</guid><dc:creator>tomek</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.dirteam.com/blogs/tomek/comments/2587.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/tomek/commentrss.aspx?PostID=2587</wfw:commentRss><description>&lt;p&gt;This isn't something which is in line with my day to day work, however this is something which may affect many organizations, so I've decided to add my blog to the list of sites which duplicate this information.&lt;/p&gt; &lt;p&gt;&lt;a href="http://secunia.com/"&gt;Secunia&lt;/a&gt; has reported a &lt;a href="http://secunia.com/advisories/29428"&gt;critical vulnerability&lt;/a&gt; in the &lt;a href="http://web.mit.edu/Kerberos/"&gt;MIT Kerberos&lt;/a&gt; implementation which can result in remote code execution, DoS or information exposure. I will not cover the details as it is all described in the Secunia advisory. &lt;a href="http://www.kb.cert.org/vuls/id/895609"&gt;CERT&lt;/a&gt; has also covered this in their bulletin.&lt;/p&gt; &lt;p&gt;As far as I know the Microsoft Windows Server Kerberos implementation is not based on MIT and isn't affected. I think that this will be reflected in the CERT information soon. &lt;/p&gt; &lt;p&gt;However MIT Kerberos is widely used in various Linux \ Unix systems, Mac OS X and products like Centrify, so maybe You want to check whether one of Your systems is affected by this.&lt;/p&gt; &lt;p&gt;While we are in the Kerberos neighborhood - when I was reading through Jackson Shaw's blog I found information about the establishment of the &lt;a href="http://jacksonshaw.blogspot.com/2007/09/mit-kerberos-consortium-cutting-through.html"&gt;MIT Kerberos consortium&lt;/a&gt;. 
Microsoft has also &lt;a href="http://feeds.feedburner.com/~r/JacksonsIdentityManagementActiveDirectoryRealityTourTravelblog/~3/255559407/microsoft-and-standards-again.html"&gt;joined this organization&lt;/a&gt;. We will see in the future whether this brings something to us as Kerberos users. Hopefully we will see something ... &lt;/p&gt;</description><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Directory+services/default.aspx">Directory services</category><category domain="http://blogs.dirteam.com/blogs/tomek/archive/tags/Security/default.aspx">Security</category></item></channel></rss>