  • CLUSTER

    Cluster CLIUSR account

    The CLIUSR account is a local user account created by the Failover Clustering feature when it is installed on Windows Server 2012 or later. Well, that’s easy enough, but why is this account here? Taking a step back, let’s take a look at why we are using this account. In Windows Server 2003 and previous versions of the Cluster Service, a domain user account was used to start the Cluster Service. This Cluster Service Account (CSA) was used for forming the Cluster, joining a node, registry replication, etc. Basically, any kind of authentication that was done between nodes used this user account as a common identity. A number of…

  • BASIC

    Fixing Disk Signature Collisions

    Disk cloning has become common as IT professionals virtualize physical servers using tools like Sysinternals Disk2vhd and use a master virtual hard disk image as the base for copies created for virtual machine clones. In most cases, you can operate with cloned disk images unaware that they have duplicate disk signatures. However, on the off chance you attach a cloned disk to a Windows system that has a disk with the same signature, you will suffer the consequences of disk signature collision, which renders unbootable any of the disk’s installations of Windows Vista and newer. Reasons for attaching a disk include offline injection of files, offline malware scanning, and – somewhat…

  • BASIC

    Troubleshooting Portal

    For more Microsoft troubleshooting articles, see the Microsoft Support site (http://support.microsoft.com/). Table of Contents: Active Directory; Azure; Backup; BizTalk Server; Data Deduplication; Forefront; Group Policy; Hyper-V; Message Analyzer; MSDN/TechNet Social Apps; Print and Document Services; Security; SharePoint; SQL Azure; SQL Server; Visual Studio; Windows; Windows Firewall with Advanced Security; Windows Server AppFabric; Workflow Manager; Configuration Manager; Operations Manager; Virtual Machine Manager; Data Protection Manager; Lync Server; See Also; Other Languages. Active Directory: Active Directory Domain Services (AD DS) Troubleshooting Survival Guide and Content Map; Troubleshooting Domain Join Error Messages; Active Directory: Requirements for Creating Objects; Root Causes for Slow Boots and Logons (sbsl); Basic Method for Troubleshooting a Domain Controller Group…

  • AD

    RPC

    Understanding RPC is a foundation for any successful IT Professional. It’s integral to distributed systems like Active Directory, Exchange, SQL, and System Center. The administrator who has never run into RPC configuration issues is either very new or very lucky. Today I attempt to explain the protocol in practical terms. As always, the best way to troubleshoot is with an understanding of how things are supposed to work, so that when it fails the reasons are obvious. If you have a metered or capped Internet connection, read this off hours – it’s a biggee. Some context: The RPC concept has roots in ARPANET, but got its first business computing use – like so many…

  • AD

    How Domain Controllers are Located in Windows

    Table of Contents: Introduction; Why is it important to have an efficient Domain Controller localization process; How is DC Locator process working; Can DC Locator Process be used by third party applications; Conclusion. Introduction: Using an efficient and reliable Domain Controller localization process is important for AD-integrated systems and applications in order to avoid slowness when processing AD-related operations and to maintain the high availability of AD services. This Wiki article explains the importance of having an efficient localization process and focuses on the DC Locator process used on Windows systems. Why is it important to have an efficient Domain Controller localization process: Having an efficient Domain Controller localization process is important because: Sites are often linked…

  • AD

    Updates to TGT delegation across incoming trusts in Windows Server

    Summary Forest trusts provide a secure way for resources in an Active Directory forest to trust identities from another forest. This trust is directional. A trusted forest can authenticate users to the trusting forest without allowing the reverse to occur. Windows Server 2012 introduced Enforcement for Forest Boundary for Kerberos Full Delegation. This feature enables an administrator to configure a trusted forest to delegate or deny Ticket-Granting Tickets (TGTs) to services in the forest. The default configuration for this feature is unsafe when incoming trusts are created. This is because the configuration lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. This condition affects…

  • AD

    Active Directory Replication “The source | destination server is currently rejecting replication requests” Error 8456 or 8457

    Symptoms: This article describes the symptoms, cause, and resolution steps for situations where Active Directory operations fail with error 8456 or 8457: “The source | destination server is currently rejecting replication requests”. The DCPROMO promotion of a new domain controller in an existing forest fails with the error “The source server is currently rejecting replication requests.” Dialog title text: Active Directory Installation Wizard. Dialog message text: The operation failed because: Active Directory could not transfer the remaining data in directory partition <directory partition DN path> to domain controller <destination DC>. “The source server is currently rejecting replication requests.” DCDIAG reports the error “The source server is currently rejecting replication requests” or “The destination server is currently rejecting…

  • AD

    Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face

    Hi folks, Ned here again. Around six years ago we released Service Pack 1 for Windows Server 2003. Like Windows XP SP2, it was a security-focused update. It was the first major server update since the Trustworthy Computing initiative began, so there were things like a bootstrapping firewall, Data Execution Protection, and the Security Configuration Wizard. Amongst all this, the RPC developers added these new configurable group policy settings: Computer Configuration \ <policies> \ Administrative Templates \ System \ Remote Procedure Call: “Restrictions for unauthenticated RPC clients” and “RPC endpoint mapper client authentication”. Which map to the DWORD registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc: RestrictRemoteClients and EnableAuthEpResolution. These two settings add an additional authentication “callback capability” to RPC connections. Ordinarily,…

  • AD

    Moved PDCE role and accounts started locking out!

    Troubleshooting an account lockout: Obviously this is a bad situation for Fred, but unfortunately it’s kind of hard to troubleshoot an account lockout without logs from while the problem was happening. As an aside here, if you haven’t examined the Security Compliance Manager tool and its included docs, you should probably take a look. It lays out our recommendations around account lockout policies. There are multiple tools for troubleshooting account lockouts, but sometimes it pays to go old-school: What we want for this are the Netlogon debug logs, which every domain administrator should be familiar with. Netlogon debug logging can show you all kinds of very useful information for troubleshooting authentication issues, particularly with…