Showing posts with label Active Directory. Show all posts

Thursday, February 6, 2014

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

You may encounter the error below on Windows 2003 servers when running gpupdate to refresh the group policies.

Error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp


To overcome this:
Create the registry values below and restart the server
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000

Friday, June 14, 2013

Domain Admins Unable to run GPresult


I was faced with a situation where I was unable to run GPresult even with Domain Admins credentials.
I worked through the procedure below to resolve the issue.

1) Register the userenv.dll file
regsvr32 /n /I c:\windows\system32\userenv.dll

2) Change directory to the wbem folder
cd c:\windows\system32\wbem
- Recompile the scersop.mof
mofcomp scersop.mof
- Optional repositories you can recompile
mofcomp rsop.mof
mofcomp rsop.mfl

3) Force Group Policy Update
gpupdate /force

Monday, September 3, 2012

Who Deleted That Active Directory Object?

Have you ever encountered a situation where an AD object, be it a user, computer, etc., is deleted and no one owns up?
In this situation, the usual questions are: when did it happen, where did it happen (which DC?), and who is the culprit?
You could say that you will be able to trace the culprit by poring over the security logs if you had enabled auditing, but picture this: what if you have over 80 domain controllers and no idea when the deletion took place?
The following procedure will give you the means to get the answers.

To get the Distinguished Name of the deleted object

1) First open up LDP and connect to a server.
2) Next, bind to the DC you are connected to: click Connection and then Bind.
(If all the fields are left blank, it will bind with the user credentials that you are currently logged on as.)
3) Click Browse and then Search. Make sure that the control to return deleted objects is properly configured so that deleted objects will be returned.
4) Now we need to search for the deleted object. If you go to View and then Tree and leave it blank, it will open the default naming context, which by default is the domain naming context. Once this shows up on the left-hand side, expand it, go to the Deleted Objects container, alt-click it and choose Search. This searches only that container, and we can look for the attribute we are interested in.
5) Once the object is located, copy the DN; it will be used in the next step.

Who, When, Where?
To gather the information on when and where, repadmin can be used as below

Repadmin /showobjmeta "DN which was copied in step 5 earlier"

You will get output like the listing below, but what we are actually looking for here is the isDeleted attribute.
Its row tells you when the object was deleted and from which domain controller the deletion originated.

For the who, go to the domain controller identified earlier and run through its security logs around that time.
The event ID to look for is Event ID 630.

Wednesday, February 8, 2012

Maximum Token Size (Kerberos)



There may be instances where a user has been granted all the access required to perform an administrative task, yet the task still fails. An example is below: the user is unable to perform the straightforward task of switching to another DC. (The error is as per the screenshot below.)

At first look it may seem like a disk space issue, as the error mentions "Not enough storage". However, it may not be what it appears to be superficially.

In this case, the root cause is the size of the user's Kerberos token. By default the token size limit is 12000, and if the size of the user's Kerberos token exceeds this, the access rights assigned to the user will not be fully granted, which affects the level of access the user is supposed to have.


To verify the token size, Microsoft provides a tool, Tokensz, which can be downloaded from the link below

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

The command to run the tool, with sample output, is as below

C:\TEMP\tokensz>tokensz.exe /compute_tokensize

Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 65535

Using user to user

QueryKeyInfo:
Signature algorithm = HMAC-SHA1-96
Encrypt algorithm = Kerberos AES256-CTS-HMAC-SHA1-96
KeySize = 256
Flags = 2083e
Signature Algorithm = 16
Encrypt Algorithm = 18
Start:10/30/2010 0:45:10
Expiry:10/30/2010 8:49:54
Current Time: 10/30/2010 0:45:10
MaxToken (complete context) 1640


Solution:


To overcome this, launch regedit on the affected machine, create a DWORD value named "MaxTokenSize" under the key below, and set it to "ffff" in hex.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxTokenSize"=dword:0000ffff

Restart the machine once this is completed.
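As an added example (not from the original post), the check below pulls the two sizes out of the tokensz output quoted above and compares the token against a configured MaxTokenSize, using the 12000 default the post cites and the 0xffff value the registry fix sets. It also carries Microsoft's published estimation formula (1200 + 40d + 8s) so the size can be predicted from group counts before a user hits the limit; the group counts passed in are assumptions.

```python
import re

# Limits referenced in the post: the default, and the value the fix sets.
DEFAULT_MAX_TOKEN_SIZE = 12000
FIXED_MAX_TOKEN_SIZE = 0xFFFF  # dword:0000ffff

def estimate_token_size(domain_local_and_foreign_universal, global_and_home_universal,
                        sid_history_entries=0):
    """Microsoft's published estimate: 1200 + 40d + 8s.
    d = domain-local groups + universal groups from other domains + sIDHistory SIDs
    s = global groups + universal groups from the account's own domain"""
    d = domain_local_and_foreign_universal + sid_history_entries
    s = global_and_home_universal
    return 1200 + 40 * d + 8 * s

def parse_tokensz_output(text):
    """Extract the package limit and the real token size from
    `tokensz.exe /compute_tokensize` output."""
    limit = re.search(r"PackageInfo->MaxToken:\s*(\d+)", text)
    actual = re.search(r"MaxToken \(complete context\)\s*(\d+)", text)
    if not limit or not actual:
        raise ValueError("not tokensz /compute_tokensize output")
    return {"package_max": int(limit.group(1)), "token_size": int(actual.group(1))}

def token_fits(token_size, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """True when the token will be fully honoured under this MaxTokenSize."""
    return token_size <= max_token_size

def recommended_max_token_size(token_size):
    """None if the default suffices, otherwise the post's 0xffff setting."""
    return None if token_fits(token_size) else FIXED_MAX_TOKEN_SIZE

# The sample output from the post, embedded so the check runs offline.
SAMPLE_TOKENSZ = """Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 65535

Using user to user

QueryKeyInfo:
Signature algorithm = HMAC-SHA1-96
Encrypt algorithm = Kerberos AES256-CTS-HMAC-SHA1-96
KeySize = 256
MaxToken (complete context) 1640
"""

if __name__ == "__main__":
    sizes = parse_tokensz_output(SAMPLE_TOKENSZ)
    print(sizes, "fits default:", token_fits(sizes["token_size"]))
    # Assumed membership: 300 domain-local/foreign-universal, 100 global.
    print("estimated:", estimate_token_size(300, 100))
```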

Retrieving Active Directory Attribute Modification Information



Many a time, we may be required to verify the date and time that an attribute of an object (for example a user account) was changed, and in which site the change was made.

To do this, the following command can be used

repadmin /showobjmeta DCname "<DN of the user>" >c:\<username>.txt

The command writes the information to a text file named after the user. A sample of the output is as below. From it you will be able to tell which DC the change originated from.

This is extremely useful for enterprises with multiple DCs: when the time comes for some CSI work, you will know when and where to look.
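As an added example serving both this post and the "Who Deleted That Active Directory Object?" post above (not code from the original blog), the parser below reads the attribute table that repadmin /showobjmeta prints and answers the where-and-when question for any attribute, isDeleted included. The sample table is constructed: the column layout follows the real tool, but the site, DC names, USNs and timestamps are invented.

```python
import re
from datetime import datetime

# Constructed sample of repadmin /showobjmeta output (values are invented).
SAMPLE_SHOWOBJMETA = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8285            Default-First-Site-Name\\DC01      8285 2012-09-01 09:12:34    1 objectClass
   8286            Default-First-Site-Name\\DC01      8286 2012-09-01 09:12:34    1 cn
  53108                  BranchOffice-Site\\DC17     53108 2012-09-03 14:05:17    2 isDeleted
"""

# One data row: Loc.USN, Site\DC, Org.USN, timestamp, version, attribute name.
ROW = re.compile(r"^\s*(\d+)\s+([^\\\s]+)\\(\S+)\s+(\d+)\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")

def parse_showobjmeta(text):
    """Return one dict per attribute row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"loc_usn": int(m.group(1)), "site": m.group(2),
                         "dc": m.group(3), "org_usn": int(m.group(4)),
                         "time": datetime.strptime(m.group(5), "%Y-%m-%d %H:%M:%S"),
                         "version": int(m.group(6)), "attribute": m.group(7)})
    return rows

def where_and_when(rows, attribute):
    """(DC, site, time) of the originating write for one attribute, else None.
    For 'isDeleted' this is the DC whose security log holds Event ID 630."""
    for r in rows:
        if r["attribute"].lower() == attribute.lower():
            return r["dc"], r["site"], r["time"]
    return None

def latest_change(rows):
    """The most recently originated attribute write on the object."""
    return max(rows, key=lambda r: r["time"])

if __name__ == "__main__":
    rows = parse_showobjmeta(SAMPLE_SHOWOBJMETA)
    print("isDeleted originated at:", where_and_when(rows, "isDeleted"))
    print("latest change:", latest_change(rows)["attribute"])
```

In practice, feed it the file produced by the post's command (repadmin /showobjmeta ... > c:\<username>.txt) instead of the constructed sample.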