Friday Mail Sack: No Redesign Edition
Hello folks, Ned here again. Today we talk PDCs, DFSN, DFSR, AGPM, authentication, PowerShell, Kerberos, event logs, and other random goo. Let’s get to it.
- PDCE and user auth
- DFSR full mesh recommendations
- Access Denied when delegating Kerberos
- Clearing Event Logs en mass
- Where to install AGPM
- Using Authentication Mechanism Assurance without MS PKI
- The missing rename-computer cmdlet
- Disabled DFSN referral behaviors
- DFSR replication behavior when staging quota hit
- DFSN browsing differences between DCs and members
- Random Goo
Is the PDC Emulator required for user authentication? How long can a domain operate without a server that is running the PDC Emulator role?
It’s not required for direct user authentication unless you are using (unsupported) NT and older operating systems or some Samba flavors. I’ve had customers who didn’t notice their PDCE was offline for weeks or months. Plenty of non-fully routed networks exist where many users have no direct access to that server at all.
It is used for a great many other things:
- With the PDCE offline, users who have recently changed their passwords are more likely to get logon or access errors. They will also be more likely to stay locked out if using Account Lockout policies.
- Time can more easily get out of sync, leading to Kerberos authentication errors down the road.
- The PDCE being offline will also prevent the creation of certain well-known security groups and users when you are upgrading forests and domains.
- The AdminSDHolder process will not occur when the PDCE is offline.
- You will not be able to administer DFS Namespaces.
- It is where group policies are edited (by default).
- Finally - and not documented by us - I have seen various non-MS applications over the years that were written for NT and which would stop working if there is no PDCE. There’s no way to know which they might be – a great many were home-made application written by the customer themselves – so you will have to determine this through testing.
But don’t just trust me; I am a major plagiarizer!
How Operations Masters Work (see section “Primary Domain Controller (PDC) Emulator”)
The DFSR help file recommends a full mesh topology only when there are 10 or fewer members. Could you kindly let me know reasons why? We feel that a full mesh will mean more redundancy.
It’s just trying to prevent a file server administrator from creating an unnecessarily complex or redundant topology, especially since the vast majority of file server deployments do not follow this physical network topology. The help file also makes certain presumptions about the experience level of the reader.
It’s perfectly ok – from a technical perspective - to make as many connections as you like if using Windows Server 2008 or later. This is not the case with Win2003 R2 (see this old post that applies only to that OS). The main downsides to a lot of connections are:
- It may lead to replication along slower, non-optimal networks that are already served by other DFSR connections; DFSR does not sense bandwidth or use any site/connection costing. This may itself lead to the networks becoming somewhat slower overall.
- It will generate slightly more memory and CPU usage on each individual member server (keeping track of all this extra topology is not free).
- It’s more work to administer. And it’s more complex. And more work + more complex usually = less fun.
I'm trying setup delegation for Kerberos but I can't configure it for user or computer accounts using AD Users and Computers (DSA.MSC). I’m logged as a domain administrator. Every time when I'm trying activate delegation I get error:
The following Active Directory error occurred: Access is denied.
It’s possible that someone has removed the user right for your account to delegate. Check your applied domain security policy (using RSOP or GPRESULT or whatever) to see if this has been monkeyed up:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
"Enable computer and user accounts to be trusted for delegation"
The Default Domain Controllers policy will have the built-in Administrators group set for that user right assignment once you create a domain. The privilege serves no purpose being set on servers other than DCs, they don’t care. Changing the defaults for this assignment isn’t necessary or recommended, for reasons that should now be self-evident.
I want to clear all of my event logs at once on Windows Vista/2008 or later computers. Back in XP/2003 this was pretty easy as there were only 6 logs, but now there are a zillion.
Your auditors must love you :). Paste this into a batch file and run in an elevated CMD prompt as an administrator:
Wevtutil el > %temp%\eventlistmsft.txt
For /f "delims=;" %%i in (%temp%\eventlistmsft.txt) do wevtutil cl "%%i"
If you run these two commands manually, remember to remove the double percent signs and make them singles; those are being escaped for running in a batch file. I hope you have a systemstate backup, this is forever!
Can AGPM be installed on any DC? Should it be on all DCs? The PDCE?
[Answer from AGPM guru Sean Wright]
You can install it on any server as long as it’s part of the domain - so a DC, PDCE, or a regular member server. Just needs to be on one computer.
Is it possible to use Authentication Mechanism Assurance that is available in Windows Server 2008 R2 with a non-Microsoft PKI implementation? Is it possible to use Authentication Mechanism Assurance with any of Service Administration groups Domain Admins or Enterprise Admins? If that is possible what would be the consequences for built-in administrator account, would this account be exempt from Authentication Mechanism Assurance? So that administrators would have a route to fix issues that occurred in the environment, i.e. a get out of jail.
[Answer from security guru Rob Greene]
First, some background:
- This only works with Smart Card logon.
- This works because the Issuance Policy OID is “added to” msDS-OIDToGroupLink on the OID object in the configuration partition. There is a msDS-OIDToGroupLinkBl (back link) attribute on the group and on the OID object.
- The attribute msDS-OIDToGroupLink attribute on the OID object (in the configuration partition)stores the DN of the group that is going to use it.
- Not sure why, but the script expects the groups that are used in this configuration to be Universal groups. So the question about Administrative groups, none of these are Universal groups except for “Enterprise Admins”.
So here are the answers:
Is it possible to use Authentication Mechanism Assurance that is available in Windows Server 2008 R2 with a non-Microsoft PKI implementation?
Yes, however, you will need to create the Issuance Policies that you plan to use by adding them through the Certificate Template properties as described in the TechNet article.
Is it possible to use Authentication Mechanism Assurance with any of Service Administration groups Domain Admins or Enterprise Admins?
This implementation requires that the group be a universal group in order for it to be used. So the only group of those listed above that is universal is “Enterprise Admins”. In theory this would work, however in practice it might not be such a great idea.
If that is possible what would be the consequences for built-in administrator account, would this account be exempt from Authentication Mechanism Assurance?
In most cases the built-in Administrator account is special cased to allow access to certain things even if their access has somehow been limited. However, this isn’t the best way to design your security of administrative accounts if you are concerned about not being able to get back into the domain. You would have similar issues if you made these administrative accounts require Smart Cards for logon, then for some reason the CA hierarchy did not publish a new CRL and the CA required a domain based admin to be able to logon interactively then you would be effectively locked out of your domain also.
I find references on TechNet to a “rename-computer” PowerShell cmdlet added in Windows 7. But it doesn’t seem to exist.
Oops. Yeah, it was cut very late but still lives on in some documentation. If you need to rename a computer using PowerShell, the approach I use is:
That keeps it all on one line without need to specify an instance first or mess around with variables. You need to be in an elevated CMD prompt logged in as an administrator, naturally.
Then you can run restart-computer and you are good to go.
There are a zillion other ways to rename on the PowerShell command-line, shelling netdom.exe, wmic.exe, using various WMI syntax, new functions, etc.
Does disabling a DFS Namespace link target still give the referral back to clients, maybe in with an “off” flag or something? We’re concerned that you might still accidentally access a disabled link target somehow.
[Oddly, this was asked by multiple people this week.]
Disable actually removes the target from referral responses and nothing but an administrator’s decision can enable it. To confirm this, connect through that DFS namespace and then run this DFSUTIL command-line (you may have to install the Win2003 Support Tools or RSAT or whatever, depending on where you run this):
It will not list out your disabled link targets at all. For example, here I have two link targets – one enabled, one disabled. As far as DFS responds to referral requests, the other link target does not exist at all when disabled.
When I enable that link and flush the PKT cache, now I get both targets:
When DFSR staging fills to the high watermark, what happens to inbound and outbound replication threads? Do we stop replicating until staging is cleared?
Excellent question, Oz dweller.
- When you hit the staging quota 90% high watermark, further staging will stop.
- DFSR will try to delete the oldest files to get down to 60% under the quota.
- Any files that are on the wire right now being transferred will continue to replicate. Could be one file, could be more.
- If those files on the wire are ones that the staging cleanup is trying to delete, staging cleanup will not complete (and you get warning 4206).
- No other files will replicate (even if they were not going to be cleaned out due to “newness”).
- Once those outstanding active file transfers on the fire complete, staging will be cleaned out successfully.
- Files will begin staging and replicating again (at least until the next time this happens).
So the importance of staging space for very large files remains to ensure that quota is at least as large as the N largest files that could be simultaneously replicated inbound/outbound, or you will choke yourself out. From the DFSR performance tuning post:
- Windows Server 2003 R2: 9 largest files
- Windows Server 2008: 32 largest files (default registry)
- Windows Server 2008 R2: 32 largest files (default registry)
- Windows Server 2008 R2 Read-Only: 16 largest files
If you want to find the 32 largest files in a replicated folder, here’s a sample PowerShell command:
Get-ChildItem <replicatedfolderpath> -recurse | Sort-Object length -descending | select-object -first 32 | ft name,length -wrap –auto
If I create a domain-based namespace (\\contoso.com\root) and only have member servers for namespace servers, the share can’t browsed to in Windows Explorer. It is there, I just can’t browse it.
But if I add a DC as a namespace server it immediately appears. If I remove the DC from namespace it disappears from view again, but it is still there. Would this be expected behavior? Is this a “supported” way create a hidden namespace?
You are seeing some coincidental behavior based on the dual meaning of contoso.com in this scenario:
- Contoso.com will resolve to a domain controller when using DNS
- When a DC hosts a namespace share and you are browsing that DC, you are simply seeing all of its shares. One of those shares happens to be a DFS root namespace.
- When you are browsing a domain-based namespace not hosted on a DC, you are not going to see that share as it doesn’t exist on the DCs.
- You can see what’s happening here under the covers with a network capture.
- Users can still access the root and link shares if they type them in, had them set via logon script, mapped drive, GP Preference Item, etc. This is only a browsing issues.
It’s not an “unsupported” way to hide shares, but it’s not necessarily effective in the long-term. The way to hide and prevent access to the links and files/folders is through permissions and ABE. This solution is like a share with $ being considered hidden: only as long as people don’t talk about it. :) Not to mention this method is easy for other admins to accidentally “break” it through ignorance or reading blog posts that tell them all the advantages of DFS running on a DC.
PS: Using a $ does work – at least on a Win2008 R2 DFS root server in a 2008 domain namespace:
But only until your users talk about it in the break room…
Other Random Goo
- The Cubs 2011 schedule is up and you can download the calendar file here. You know you wanna.
- And in a related story, Kerry Wood has come back with a one year deal! Did you watch him strike out 20 as a rookie in 1998? It was insane. The greatest 1-hitter of all time.
- IO9.com posted their spring sci-fi book wish list. Which means that I now have eight new books in my Amazon wish list. >_<
- As a side note, does anyone like the new format of the Gawker Media blogs? I cannot get used to them and had to switch back to the classic view. The intarwebs seem to be on my side in this. I find myself visiting less often too, which is a real shame – hopefully for them this isn’t another scenario like Digg.com, redesigning itself into oblivion.
- Netflix finally gets some serious competition – Amazon Prime now includes free TV and Movie streaming. Free as in $79 a year. Still, very competitive pricing and you know they will rock the selection.
- I get really mad watching the news as it seems to be staffed primarily by plastic heads reading copy written by people that should be arrested for inciting to riot. So this Cracked article on 5 BS modern myths is helpful to reduce your blood pressure. As always, it is not safe for work and very sweary.
- But while you’re there anyway (come on, I know you), check out the kick buttitude of Abraham Lincoln.
- Finally: why are the Finnish so awesomely insane at everything?
And by everything, I mean only this and rally sport.
Have a nice weekend folks.
- Ned “simple and readable” Pyle