Thursday, September 10, 2009

new link

http://www.4shared.com/file/131737702/c755bd7c/sysvol_create.html

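Script to recreate SYSVOL (run on the domain controller itself: it stops NTFRS, deletes that DC's FRS member/subscriber objects from AD and rewrites the NtFrs SysVol registry parameters)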

********************************************************************************

' Rebuilds the local SYSVOL replica set definition for NTFRS.
' Sequence, as written below:
'   1. Stop the NTFRS service.
'   2. Enumerate HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets.
'   3. For every replica set that is not tombstoned and is named
'      "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)": call DelADobj (defined at the end of
'      this script), start NTFRS, wait for the registry to show the set as
'      tombstoned, then stop NTFRS again.
'   4. Write the "Create" command and replica set parameters under
'      ...\NtFrs\Parameters\SysVol\<DNS domain name> and set the commit flag.
'   5. Start NTFRS.
' The script writes to HKLM and deletes directory objects, so it needs an
' elevated account with rights to do both.
Const HKEY_LOCAL_MACHINE = &H80000002
' NOTE(review): from here on every run-time error in the top-level code is
' ignored. A failed service stop, registry read or WMI call does not halt the
' script; it still goes on to the registry writes further down.
On Error Resume Next

WScript.Echo "Stopping the File Replication Service"
Set objWMINameSpace = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/CIMV2")
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
If LCase(srvcInstance.state) = "running" Then Set srvcOutParam = srvcInstance.ExecMethod_("stopservice")
' If the service was not running, srvcOutParam was never assigned; the error
' raised by this test is swallowed by On Error Resume Next.
If srvcOutParam.ReturnValue <> 0 Then Wscript.Echo "The NTFRS service failed to stop with a return value of: " & srvcOutParam.ReturnValue

' Poll the service up to 150 times, sleeping k * 100 ms between attempts.
' NOTE(review): the exit test reads the "status" property and compares it with
' "ok", not the "state" property with "stopped" - confirm this really waits for
' the service to reach the stopped state.
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
For k = 1 to 150
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
If LCase(srvcInstance.status) = "ok" Then Exit For
wscript.sleep (k * 100)
Next



Set WSHShell = CreateObject("WScript.Shell")

' Enumerate the subkeys (one per replica set) through the WMI StdRegProv provider.
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/default:StdRegProv")
Set objMethod = objRegistry.Methods_("ENUMKEY")
Set objInParam = objMethod.inParameters.SpawnInstance_()
objInParam.hDefKey = HKEY_LOCAL_MACHINE
objInParam.sSubKeyName = "SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets"
Set objOutParam = objRegistry.ExecMethod_("ENUMKEY", objInParam)
Set objSubKeys = objOutParam.Properties_("sNames")



For i = 0 To UBound(objSubKeys)
' Defaults used when a RegRead below fails: the failed assignment is skipped,
' so intTomb stays 1 and strSetName stays empty, and the set is not processed.
intTomb = 1
strSetName = ""
intTomb = WSHShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\" & objSubKeys.Value(i) & "\Replica Set Tombstoned")
strSetName = WSHShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\" & objSubKeys.Value(i) & "\Replica Set Name")
' Only a live (not tombstoned) SYSVOL replica set is acted on.
If intTomb = 0 AND strSetName = "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Then
' The registry subkey name is passed as the GUID of the directory object to delete.
DelADobj(objSubKeys.Value(i))

' Start NTFRS again and wait (up to 150 polls) until it reports "running".
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
if LCase(srvcInstance.state) = "stopped" Then Set srvcOutParam = srvcInstance.ExecMethod_("startservice")
If srvcOutParam.ReturnValue <> 0 Then Wscript.Echo "The NTFRS service failed to start with a return value of: " & srvcOutParam.ReturnValue

Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
For k = 1 to 150
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
If LCase(srvcInstance.state) = "running" Then Exit For
wscript.sleep (k * 100)
Next

' Wait (up to 60 polls, sleeping j * 500 ms) for "Replica Set Tombstoned" to
' read 1 in the registry. If it never does, the loop simply runs out and the
' script continues anyway.
For j = 1 to 60
If WSHShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\" & objSubKeys.Value(i) & "\Replica Set Tombstoned") = 1 Then Exit For
wscript.sleep (j * 500)
Next
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")

' Stop NTFRS again before the SysVol parameters are written.
If LCase(srvcInstance.state) = "running" Then Set srvcOutParam = srvcInstance.ExecMethod_("stopservice")
If srvcOutParam.ReturnValue <> 0 Then Wscript.Echo "The NTFRS service failed to stop with a return value of: " & srvcOutParam.ReturnValue

' NOTE(review): same "status" = "ok" test as the first wait loop - confirm it
' actually waits for the stopped state.
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
For k = 1 to 150
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
If LCase(srvcInstance.status) = "ok" Then Exit For
wscript.sleep (k * 100)
Next
End If
Next

' Derive the SYSVOL paths from the Netlogon "Sysvol" value.
Set ADInfo = CreateObject("AdSystemInfo")
strDNSDomain = ADInfo.DomainDNSName
strSysvol = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\Sysvol")
' Drops the last 7 characters of the path - presumably a trailing "\sysvol";
' TODO confirm against the value on the target server.
strSysvol = Left(strSysvol, Len(strSysvol)-7)
strSysvolRoot = strSysvol & "\domain"
strSysvolStage = strSysvol & "\staging\domain"
' Written below as "Replica Set Primary".
' NOTE(review): presumably this marks the server as the primary member for the
' new replica set - confirm that is intended before running it on more than one DC.
intPrimary = 1

' Replica set definition that NTFRS reads from the registry.
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Command", "Create", "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Name", strDNSDomain, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Type", "Domain", "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Primary", intPrimary, "REG_DWORD"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Root", strSysvolRoot, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\" & strDNSDomain & "\Replica Set Stage", strSysvolStage, "REG_SZ"

' Commit flag for the values written above.
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\SysVol Information is Committed", 1, "REG_DWORD"

wscript.echo "Starting FRS service"
Set srvcInstance = objWMINameSpace.get("Win32_Service='NTFRS'")
Set srvcOutParam = srvcInstance.ExecMethod_("startservice")
If srvcOutParam.ReturnValue <> 0 Then Wscript.Echo "The NTFRS service failed to start with a return value of: " & srvcOutParam.ReturnValue
' Printed unconditionally; it does not mean every step above succeeded.
wscript.echo "Script has completed"

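Sub DelADobj(strGUID)
    ' Deletes the FRS directory objects that belong to one replica set entry:
    ' the nTFRSMember object identified by strGUID and, when the member carries
    ' an fRSMemberReferenceBL back-link, the nTFRSSubscriber object it points to.
    '
    ' strGUID - name of a subkey under ...\NtFrs\Parameters\Replica Sets. The
    '           bind below inserts a "-" after the 23rd character so that the
    '           last 12 characters form the final GUID group.
    '
    ' Nothing is deleted unless the bind by GUID succeeds AND the object found
    ' is an nTFRSMember. DeleteObject(0) removes the object together with
    ' everything beneath it, so it must never run against another object.
    Dim objADRepSet, objADSubscriber
    Dim strBindGuid, strMemberDN, strSubscriberDN

    ' Error handling is per procedure in VBScript. Without this statement an
    ' error raised here returns straight to the caller and none of the
    ' "If Err.Number" checks below are ever reached.
    On Error Resume Next
    Err.Clear

    ' As published, the bind string was just "LDAP://LOCALHOST/" - the
    ' "<GUID=...>" part appears to have been lost, probably stripped as an HTML
    ' tag. It is rebuilt here from the GUID text the original error message
    ' prints. Binding without it returns a default object, not the member.
    strBindGuid = Left(strGUID,23) & "-" & Right(strGUID, 12)
    Set objADRepSet = GetObject("LDAP://LOCALHOST/<GUID=" & strBindGuid & ">")
    If Err.Number <> 0 Then
        WScript.Echo "Could not bind to GUID=" & strBindGuid
        WScript.Echo "Failed with error: " & Err.Number
        WScript.Echo "Not deleting any AD Objects"
        Err.Clear
        Exit Sub
    End If

    ' Re-bind by distinguished name, as the original script did, before
    ' reading attributes and deleting.
    strMemberDN = ""
    strMemberDN = objADRepSet.distinguishedName
    If Err.Number = 0 And strMemberDN <> "" Then
        Set objADRepSet = GetObject("LDAP://LOCALHOST/" & strMemberDN)
    End If
    If Err.Number <> 0 Or strMemberDN = "" Then
        WScript.Echo "Could not bind to nTFRSMember object with DN= " & strMemberDN
        WScript.Echo "Failed with error: " & Err.Number
        WScript.Echo "Not deleting any AD Objects"
        Err.Clear
        Exit Sub
    End If

    ' Safety check before a subtree delete: refuse anything that is not an
    ' nTFRSMember. If reading the class fails, the error falls into this branch
    ' as well, so the script stops rather than deletes.
    If LCase(objADRepSet.Class) <> "ntfrsmember" Then
        WScript.Echo "Object with DN= " & strMemberDN & " is not an nTFRSMember object"
        WScript.Echo "Not deleting any AD Objects"
        Err.Clear
        Exit Sub
    End If

    ' The back-link may be absent; reading it then raises an error, which is
    ' treated as "no reference". Only a single string value is handled here.
    strSubscriberDN = ""
    strSubscriberDN = objADRepSet.fRSMemberReferenceBL
    If Err.Number <> 0 Then Err.Clear
    If VarType(strSubscriberDN) <> vbString Then strSubscriberDN = ""

    If strSubscriberDN <> "" Then
        Set objADSubscriber = GetObject("LDAP://LOCALHOST/" & strSubscriberDN)
        If Err.Number = 0 Then
            objADSubscriber.DeleteObject(0)
            If Err.Number <> 0 Then
                WScript.Echo "Failed to delete nTFRSSubscriber object with error: " & Err.Number
                Err.Clear
            End If
        Else
            ' The bind failed, so objADSubscriber holds no object; report the DN
            ' that was looked up instead of reading it from the object.
            WScript.Echo "Could not bind to nTFRSSubscriber object with DN= " & strSubscriberDN
            WScript.Echo "Failed with error: " & Err.Number
            WScript.Echo "Not deleting nTFRSSubscriber object from AD"
            Err.Clear
        End If
    Else
        WScript.Echo "No member reference to nTFRSSubscriber object"
    End If

    ' As in the original, the member is deleted even when the subscriber could
    ' not be removed.
    objADRepSet.DeleteObject(0)
    If Err.Number <> 0 Then
        WScript.Echo "Failed to delete nTFRSMember object with error: " & Err.Number
        Err.Clear
    End If

End Sub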


********************************************************************************

Wednesday, June 3, 2009

IAS event ID :2 (A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider)

Client connection to the network using an 802.1X implementation fails with IAS Event ID 2 (Authentication-Type = EAP, EAP-Type = Smart Card or other certificate)


We have a 2003 server as IAS
We have deployed an 802.1X implementation for clients
Authentication method is EAP (using certificate)
When client is plugged to the switch on specific port, access to network is denied and on IAS server we get the following event.

************************************************************
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2009
Time: 11:15:02 AM
User: N/A
Computer: xxx-xxx
Description:
User host/xxxx.example.com was denied access.
Fully-Qualified-User-Name = Domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Called-Station-Identifier = 00-17-5A-6A-7E-94
Calling-Station-Identifier = 00-11-43-4D-03-9E
Client-Friendly-Name = xx-xx-xx
Client-IP-Address = 10.1.25.78
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...€
*******************************************************************

Since the event talks about a CA certificate that is not trusted, we checked the root CA certificate in the trusted root store of the client and of the IAS server.
Root CA certificates were present in both locations.
We took the serial number and thumbprint of the certificate, compared them with the actual root CA certificate and found they are the same.

I checked the Resultant Set of Policy (Start > Run > rsop.msc) and found that the auto enrollment policy for certificates is disabled.
Checked the following registry path in IAS server

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

It was empty with no certificates
We checked on the client and found the root CA certificates present in the same location, because the “auto enrollment” policy was enabled for clients.
We found a KB http://support.microsoft.com/kb/295663/
We followed method 2 in the KB

Method 2: Import a certificate by using Certutil.exe
________________________________________________________

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack. To download this tools pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

(http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en)

To import a CA certificate into the Enterprise NTAuth store, follow these steps:
1. Export the certificate of the CA to a .cer file. The following file formats are supported:

o DER encoded binary X.509 (.cer)
o Base-64 encoded X.509 (.cer)

2. At a command prompt, type the following command, and then press ENTER:

certutil -dspublish -f filename NTAuthCA

The contents of the NTAuth store are cached in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer


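After this we were able to see the certificate populated in the NTAuth registry location. (A CA published to NTAuth is trusted to issue certificates used for domain authentication, so publish only the CA that is meant to issue these certificates.)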
However other stores were empty
Hence we enabled “auto enrollment” on the IAS server using group policy and then ran gpupdate /force
After refreshing policies a couple of times, we were able to get the policy applied on the IAS server
We checked the registry location and all the stores have certificates populated.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

We got certificates for following stores

CA,Disallowed, NTAuth, Root, Trust, Trusted Publisher

Tried connecting client and this time the access was granted for user.
On the IAS server we now get the following Information event:

*********************************************************************
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 6/2/2009
Time: 5:25:38 PM
User: N/A
Computer: computername
Description:
User host/xxx.example.com was granted access.
Fully-Qualified-User-Name = domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Client-Friendly-Name = xxx-xxx
Client-IP-Address = 10.1.25.78
Calling-Station-Identifier = 00-11-43-4D-03-9E
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

*********************************************************************************

Issue resolved !!!!!

Thursday, October 2, 2008

Password policy in 2003 / 2000 AD infrastructure.

Password policy
******************

When a password policy is deployed:
->It applies to all users in the domain regardless of OU/group/site.
->Excluding some users by placing them in an OU and enabling "BLOCK INHERITANCE" on that OU will not work in the case of password policies.
->If the "password never expires" option is checked for a user (user account properties > Account tab), the password policy won't run the check against this user account; hence these users' passwords never expire.
->When we deploy the password policy in the domain, a check is run when a user logs on to the domain to read the value of a user attribute named "Lastpwdset" in AD (the attribute's LDAP name is pwdLastSet).
The value of this attribute is the date when this user last changed the password.
->For example, a password policy with the setting "Maximum password age" = 90 days is deployed today.
->The user logs on to the domain the next day.
->The logon queries the "Lastpwdset" attribute of the user.
->If the value of the attribute is a date 90 days before the current date, the user gets a prompt to change the password.
->The user updates the password and the value of the "Lastpwdset" attribute changes to the current date.
->If "password never expires" is checked, this check is never run for that user until an administrator unchecks it.
->By default "password never expires" is checked for the administrator and other important accounts automatically.


Thanks & Regards

Tuesday, September 23, 2008

Event ID:1202 Security policies were propagated with warning. 0x4b8

We have 50-60 client machines, all XP sp2
All the client machines, and 2 member servers, log Event ID 1202 (SceCli) warnings along with Event ID 1085 and Event ID 1030
*************************************************
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 9/22/2008
Time: 12:39:44 PM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/22/2008
Time: 12:39:44 PM
User: N/A
Computer:
Description:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 9/22/2008
Time: 11:40:31 AM
User: Administrator
Computer:
Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
******************************************
Troubleshooting Steps
*********************

In the XP client machine, we enabled winlogon logging.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
On the Edit menu, click Add Value, and then add the following registry value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2

We ran gpupdate /force
Check the winlogon.log in C:\windows\security\logs
From the winlogon.log we found the following

----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Avance.

Configuration of Registry Keys was completed with one or more errors.


1. Hence applying security (permissions) to registry keys is failing on the key HKLM\SOFTWARE\Avance (shown as machine\software\Avance in the log)
2. We took a MPS report and analyzed the Appliedsectempl.txt and found these registry settings come from Default domain policy.
3. we went to the domain controller and found the default domain policy >computer configuration >windows settings>security>registry has lot of manually configured registry keys in the policy.
They were assigned with certain security permissions.
4. However in the client machines, they are not able to apply on certain registry keys.
5. Now we need to find why it fails on certain registry

1.we went to the xp clients registry.
2.by default all keys should have following security permissions.

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

3. But the key which was failing in the winlogon log doesn’t have these permissions.
4. The security permission on the key machine\software\Avance is just “EVERYONE” with Read.
5. We added SYSTEM and gave it FULL CONTROL.
6. As soon as we hit Apply, all the other default permissions were populated automatically !!!

We did gpupdate /force on the xp machine and analyzed the winlogon.log
Now it passes for machine\software\Avance..
However fails for a different registry key


----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance. ------------------------------------ it passed here now
Configure machine\software\C07ft5Y.
Configure machine\software\Clients.
Configure machine\software\ColumbiaSoft.
Configure machine\software\Compaq.
Configure machine\software\Corel.
Configure machine\software\Crystal Decisions.
Configure machine\software\ej-technologies.
Configure machine\software\EPSON.
Configure machine\software\FLEXlm License Manager.
Configure machine\software\Forte.
Configure machine\software\Gemplus.
Configure machine\software\GNU.
Configure machine\software\Google.
Configure machine\software\Hewlett-Packard.
Configure machine\software\HP.
Configure machine\software\IGC.
Configure machine\software\InstallShield.
Configure machine\software\Intel.
Configure machine\software\Intel Corporation.
Configure machine\software\Intuit.
Configure machine\software\JavaSoft.
Configure machine\software\Lake.
Configure machine\software\Licenses.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Licenses. .---------------------------------------- however this time it failed for this key.

Configuration of Registry Keys was completed with one or more errors


1. We added SYSTEM with FC on the registry key machine\software\Licenses.
2. And did a gpupdate /force
3. In winlogon.log it now fails for some other key.

This may keep on failing for many keys right after fixing the permissions on each key.
It gave SceCli event 1704 after fixing the permissions on 6 such registry keys.

But when we check on a different machine, winlogon may talk about a completely different registry key.
It’s a pain to check all the winlogon logs from different machines and then correct the registry on each

We have a good workaround
**********************************
1.Goto registry editor of a client machine.
2. locate HKLM\Software >right click>permissions>
3.check whether we have the following default permissions

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

4.If yes locate HKLM\Software >right click>permissions> advanced and check the box which reads

“Replace all permissions on child objects”

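It may fail to set the permission on some subkeys.
Just press OK – you can ignore it.
Note that this replaces the ACL of every subkey under HKLM\Software with the permissions inherited from the parent, so any deliberately tightened permissions on individual subkeys are lost.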

Then do a gpupdate /force

YOU GET A SECLI 1704 !!!!


Thanks
Jerry

Friday, September 19, 2008

Cannot join a Machine to Single Labeled Domain

We get an error while trying to join a machine to a single-label domain.
Error: "The domain controller for the domain cannot be contacted. Ensure that the domain name is typed correctly"
Microsoft doesn't recommend single-label domains (single-label DNS zones). Client computers and domain controllers may require additional configuration (registry changes) to resolve DNS queries in single-label DNS zones.
Reference KB: 300684
Resolution: Copy the script below to a text file, save it with the extension .vbs and run it on the client machine, or make the registry changes (mentioned in the script) manually on the client machine.
*************************************************
' Writes the two HKLM values this post uses to let a client work with a
' single-label DNS domain (KB 300684). Both are machine-wide REG_DWORD values
' set to 1, so the script has to run with rights to write under HKLM.
With WScript.CreateObject("Wscript.Shell")
    ' Netlogon parameter
    .RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowSingleLabelDnsDomain", 1, "REG_DWORD"
    ' DNS client (Dnscache) parameter
    .RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLeveldomainZones", 1, "REG_DWORD"
End With
**************************************************
Try joining the machine now.
Thanks & Regards
Jerry

Shortcut Commands for AD Snap-ins.

RUN/CMD shortcuts for AD management
ADFS.msc AD Federation Services
CERTMGR.msc Certificate Management –Current User
CERTSRV.msc Certification Authority
CERTTMPL.msc Certificate Templates
COMPMGMT.msc Computer Management
COMEXP.msc Component Services C:\windows\system32\com
DCOMCNFG.exe Component Services
DSA.msc ADUC (AD Users and Computers)
DFSGUI.msc DFS Management
DFSMGMT.msc DFS Management R2
DNSMGMT.msc DNS Management
DOMAIN.msc Domains and Trusts
DSSITE.msc Sites and Services
EVENTVWR.msc Event Viewer
GPEDIT.msc Local Policy
GPMC.msc Group Policy Management Console
PKIVIEW.msc PKI management
RSOP.msc Resultant set of Policy
SECPOL.msc Local Security Policy
SERVICES.msc Services
SCHMMGMT.msc Schema Management
TASKMGR.exe Task Manager
TSCC.msc TS Configuration


TSADMIN.exe TS Administrator
LICMGR.exe TS Licensing

The following are contained within the WINDOWS 2003 ADMINISTRATION TOOLS PACK
*Installed from the Windows Server 2003 CD

ADMGMT.msc AD Management –Domains, Sites, DNS and ADUC
PKMGMT.msc PKI Management – Authorities, Templates
IPADDRMGMT.msc WINS,DNS and DHCP in one console

2008 SERVER

SERVERMANAGER.msc Server Manager
NAPCLCFG.msc Network Access Protection Client Configuration
STOREXPL.msc Storage Manager
TSCONFIG.msc TS Configuration
WBADMIN.msc Windows Server Backup
WF.msc Windows Firewall + Advanced Security

RUN shortcuts for Windows OS management

NCPA.CPL Network Properties
APPWIZ.CPL Add remove programs
DEVMGMT.msc Device Manager
FSMGMT.msc File Share Management
SYSDM.CPL System Properties
FIREWALL.CPL Firewall applet
DESK.CPL Display Properties
CONTROL.exe Control Panel
MMSYS.CPL Sound Properties
SYSDM.CPL System Properties
ACCESS.CPL Accessibility Options
APPWIZ.CPL Add/Remove Programs
TIMEDATE.CPL Date/Time Properties
DESK.CPL Display Properties
FINDFAST.CPL FindFast
FONTS.CPL Fonts Folder
INETCPL.CPL Internet Properties
JOY.CPL Joystick Properties
MAIN.CPL Keyboard Properties
MLCFG32.CPL Microsoft Exchange
WGPOCPL.CPL Microsoft Mail Post Office
MAIN.CPL Mouse Properties
MMSYS.CPL Multimedia Properties
PASWORD.CPL Password Properties
MAIN.CPL PC Card
PRINTERS.CPL Printers Folder
INTL.CPL Regional Settings
STICPL.CPL Scanners and Cameras


Thanks & Regards
Jerry