-
Domain Controller Locator
The following sequence describes how the Locator is able to find a domain controller: On the client (the computer locating the domain controller), the Locator is initiated as an RPC to the local Net Logon service. The Locator application programming interface (API) (DsGetDcName) is implemented by the Net Logon service. The client collects the information that is needed to select a domain controller and passes the information to the Net Logon service by using the DsGetDcName API. The Net Logon service on the client uses the collected information to look up a domain controller for the specified domain in one of two ways: For a DNS name, Net Logon queries…
-
Domain Controller Issues
Among the most important features of Windows 2000 are that all domain controllers in the same domain are peers of one another and that any domain controller can make directory updates. However, given the way in which directory updates are replicated from one domain controller to another, difficulties can arise. For example, if the necessary domain controllers are not connected by a replication topology, the appropriate domain controllers do not receive directory updates when replication occurs. Also, in order for the (Domain Controller) Locator to find a domain controller, it must have accurate information so that it can properly locate the resource. If a domain controller is incorrectly…
-
Repair Active Directory computer account secure channel Trust relationship error
We can repair the secure channel in the following ways:
1. Re-joining the Windows computer to the domain.
2. Using the Test-ComputerSecureChannel command with the -Repair switch.
3. Using the Reset-ComputerMachinePassword command.
4. Running netdom resetpwd /s:server /ud:domain\User /pd:* to reset the machine password.
Finally, you can verify the secure channel with nltest.exe /sc_verify:pugazh.co.in
How to re-join the machine without reboot
-
The 411 on the KDC 11 Events
As a Premier Field Engineer, I visit new customers every week and every customer, and I mean every customer, has the KDC 11 events in their system event logs. Consequently, I have to explain to customers what this means and how to clean it up. But rather than just saying, “Look, these accounts have duplicate SPNs; use setspn or adsiedit to clean them up”, I like giving the back story about how duplicate SPNs break authentication and what would happen if the KDC issued Kerberos tickets for resources with duplicate SPNs. So, here’s the dialogue of my weekly explanation of Kerberos and duplicate SPNs. By the end, most…
-
How to Track the Who, What, When and Where of Active Directory Attribute Changes – Part II (The Case of the Mysteriously Modified UPN)
How to Track the Who, What, When and Where of Active Directory Attribute Changes – Part I (The Case of the Mysteriously Modified UPN) Quick Review – The story you’re about to hear is true and the names have been changed to protect the innocent… Some unknown process, running on some unknown computer, at some unknown time, was changing the UPN on the Active Directory user accounts. Since Contoso is running Windows Server 2003 R2 X64 Domain Controllers, we recommended they search the Security event log for Event ID 642, which indicates a successful “User Account Change”. The Event ID includes information that identifies the attribute which was changed and…
-
Best Practices for Implementing Schema Updates or: How I Learned to Stop Worrying and Love the Forest Recovery
Note: This is general best practice guidance for implementing schema extensions, not the testing of their functionality. There may be some additional best practices around design and functionality of schema extensions that should be considered. Understand that the implementation of a schema extension may well succeed, but the functionality around the extension may not behave as expected. As with any change to the Active Directory infrastructure, the two primary concerns around implementing a schema extension are: 1. Have you tested it, so you can be reasonably sure it will behave as expected when implemented in production? 2. Do you have a roll-back plan? And is it tested? Digging into the…
-
VSS timeouts during backup? What could contribute to that?
Volume Snapshot Services (VSS) was and remains a good addition to the Windows OS. Without going into a lot of detail, this technology coordinates various components to ensure stable point-in-time backups even while applications may be running. Typically, this occurs successfully with only minimal interruption to the application. On occasion there can be problems taking backups of systems, ranging from configuration issues and missing fixes to third-party providers and writers that need updates. VSS really does a lot during the course of a normal backup. There are a couple of points during the process at which actions must be timely. Failure of components to complete I/O within the allotted time results…
-
Removed DNS from Your Server
This blog post is a lesson on DNS storage and behavior. Read on to learn more. Joining in a conversation… “…I used server manager to remove the DNS role.” Or “…I uninstalled DNS from my domain controller.” “…This means DNS data is now removed from my domain controller, right?” Well, probably not. Background on Storing DNS Data in the Active Directory Database: Let’s hit some basics first to make sure we are all on the same page. If you follow the history of Active Directory integrated DNS from Windows 2000 to 2008 R2, you will find some changes along the way. The one change I want to focus on…
-
The Case of the Vanishing Static Reverse DNS Records
Scenario: Imagine finding yourself as an IT administrator faced with over 50,000 reverse DNS records that are placed comfortably in one single, large, super zone. For example’s sake, let’s say it’s 10.in-addr.arpa which happens to be an AD-integrated zone. Normally this is totally fine and actually recommended to do from our standpoint as it’s easier to manage. (Here’s a blog post on how to consolidate multiple reverse DNS zones by “GOATEEPFE” Ashley McGlone, in case you’re interested.) However, a decision is made to break up that super zone into smaller reverse zones for reasons that are, well, whatever that reason may be. There’s a maintenance window coming up, and you’re…
-
Finding Stale DNS SRV Records
Stale DNS SRV records are common because scavenging is not enabled on DNS zones, and each zone has to be set up correctly for scavenging to happen. So, I have often found the “contoso.com” zone set up correctly, but the “_msdcs.contoso.com” zone is not. This leads to stale DNS SRV records in DNS from failed domain controllers or from a deregistration failure during a successful demotion. This is something I have found probably hundreds of times over the years. Managing DNS is obviously important, and a thorough post from Hilde, Brent, and Bryan around the DNS topic can be found here. That said, I have now been tasked with upgrading or replacing a…