Author Archive

DFS problem in a multi-domain environment

January 21st, 2013

A couple of months ago we created an Active Directory domain for one of our customers. It is a child domain of an existing AD domain hosted in Germany. Let's call them the following:

  • DOMAIN.LOCAL – the existing parent domain in Germany
  • SK.DOMAIN.LOCAL – the newly created child domain in Slovakia

To make the administrators' life easier in future, we created DFS namespaces in the SK.DOMAIN.LOCAL domain. One of them is called "Common", so people in Slovakia access the DFS path \\SK.DOMAIN.LOCAL\Common and share data there. Behind this DFS namespace sits the real share, \\FSSERVER\Common.

Everything worked just fine.

Problem

The problem appeared when users from Germany (from the DOMAIN.LOCAL domain) wanted to access this share. The symptoms were the following:

There were no firewalls between the two domains; all ports were reachable.

Solution

After a couple of tries (and with dfsutil) I found out that a client machine in DOMAIN.LOCAL receives the NetBIOS server name FSSERVER in the DFS referral and cannot resolve FSSERVER to an IP address, because FSSERVER belongs to SK.DOMAIN.LOCAL. The same client can, however, resolve the FQDN FSSERVER.SK.DOMAIN.LOCAL. I put an entry for FSSERVER's IP into the client machine's hosts file and everything started to work perfectly. So there are several ways to solve the issue:

  • Synchronize NetBIOS name resolution between the two domains (weird)
  • Add DNS search suffixes to the clients in DOMAIN.LOCAL (not a nice solution, and it can slow down DNS queries)
  • Force DFS to hand out FQDNs in referrals (winner)

I decided to force DFS to use FQDNs in referrals. It is done with a registry change for the DFS service; more about it is at http://support.microsoft.com/kb/244380/en-us. One more important thing: you need to remove and re-add the referral servers (targets) in the DFS namespaces, because targets that already exist keep the name form they were added with. I used the DFS console because I didn't use DFS Replication. If you do use DFS Replication, it's recommended to do it from the command line (dfscmd.exe).
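The following script is an added example and not part of the original post: it reproduces the root cause from a client in the parent domain, switches the namespace server to FQDN referrals, and then lists every target that is still stored under a NetBIOS name, i.e. the ones that have to be removed and re-added as described above. It assumes the DFSN PowerShell module (Windows Server 2012 or RSAT 8 and later), WinRM access to the namespace server, and the post's placeholder names SK.DOMAIN.LOCAL, FSSERVER and Common.

```powershell
# Added example, not from the original post. Placeholder names from the post.
$Namespace       = '\\SK.DOMAIN.LOCAL\Common'
$NamespaceServer = 'FSSERVER'
$ServerFqdn      = 'FSSERVER.sk.domain.local'

# 1. Root cause as seen from a DOMAIN.LOCAL client: the short name does not
#    resolve in DNS (no sk.domain.local search suffix), the FQDN does.
#    -DnsOnly keeps the client from falling back to LLMNR/NetBIOS broadcasts.
foreach ($name in $NamespaceServer, $ServerFqdn) {
    $ip = (Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    '{0,-28} -> {1}' -f $name, $(if ($ip) { $ip -join ', ' } else { 'NOT RESOLVED' })
}

# 2. Make the namespace server hand out FQDNs. This writes DfsDnsConfig=1 under
#    HKLM\SYSTEM\CurrentControlSet\Services\Dfs\Parameters (the KB244380 change);
#    the DFS Namespace service has to be restarted for it to take effect.
Set-DfsnServerConfiguration -ComputerName $NamespaceServer -UseFqdn $true
Invoke-Command -ComputerName $NamespaceServer -ScriptBlock { Restart-Service -Name Dfs -Force }

# 3. The setting only changes how the service formats referrals it builds from
#    now on; targets already stored in the namespace keep the name they were
#    added with. List every root and folder target whose server part has no dot.
function Get-NetBiosTarget {
    param([string]$Path)
    $(
        Get-DfsnRootTarget -Path $Path
        Get-DfsnFolder -Path "$Path\*" -ErrorAction SilentlyContinue |
            ForEach-Object { Get-DfsnFolderTarget -Path $_.Path }
    ) | Where-Object { $_.TargetPath -and (($_.TargetPath -split '\\')[2] -notmatch '\.') } |
        Select-Object Path, TargetPath, State
}
Get-NetBiosTarget -Path $Namespace | Format-Table -AutoSize

# 4. After the listed targets have been re-added with their FQDN, verify from
#    the DOMAIN.LOCAL client: drop the cached referral and fetch a fresh one.
dfsutil cache referral flush
dfsutil cache referral
```

Two cautions when re-adding the targets: never remove the last root target of a namespace, because that deletes the namespace itself, so add the FQDN target before removing the NetBIOS one. And the search-suffix alternative has a security cost beyond slower queries: a single-label name that DNS cannot resolve makes the Windows client fall back to LLMNR and NetBIOS broadcasts, which anyone on the local segment can answer, so FQDN referrals are the safer choice as well as the cleaner one.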

That’s all folks,

Quickie: Service account descriptions

January 14th, 2013

More and more often I see people (IT admins) who don't understand the differences between the local service accounts, so I decided to write a bit more about them:

SYSTEM

This account has full access to the local computer. On the network it authenticates with the rights of the computer account (DOMAIN\COMPUTER$). When used on a domain controller, it has full access to the domain itself.

LOCAL SERVICE

This account has the same rights as members of the local Users group. It accesses the network as an anonymous user (null session).

NETWORK SERVICE

It's almost the same as LOCAL SERVICE; the only difference is that it uses the computer account to access network resources.
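As an added example (not from the original post), this script puts the three descriptions above to use: it groups the services on a host by the account they run under and annotates each built-in account with the identity it presents on the network. It assumes rights to query Win32_Service on the target (the local machine by default); the function name is this example's own.

```powershell
# Added example, not from the original post.
function Get-ServiceAccountSummary {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # How each built-in account appears to a remote host, per the descriptions above.
    # Keys are the StartName values Win32_Service reports for these accounts.
    $networkIdentity = @{
        'LocalSystem'                 = 'computer account (DOMAIN\COMPUTER$)'
        'NT AUTHORITY\LocalService'   = 'anonymous (null session)'
        'NT AUTHORITY\NetworkService' = 'computer account (DOMAIN\COMPUTER$)'
    }

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Group-Object -Property StartName |
        ForEach-Object {
            $account = $_.Name
            [pscustomobject]@{
                Account         = $account
                Services        = $_.Count
                NetworkIdentity = if ($networkIdentity.ContainsKey($account)) {
                                      $networkIdentity[$account]
                                  } else {
                                      # A real user or domain account: its own rights on the network,
                                      # and its password is stored on this host (LSA secrets).
                                      'the account itself (review its privileges)'
                                  }
                Examples        = ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', '
            }
        } | Sort-Object -Property Services -Descending
}

Get-ServiceAccountSummary | Format-Table -AutoSize
```

The rows that are not one of the three built-in accounts are the ones worth a second look: whoever gets SYSTEM on that host can read the stored password of every such service account, so those accounts should have no more rights than the service needs.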

Quickie: Exchange Empty Submission queue

January 14th, 2013

Today I was dealing with an Exchange server that had been an open relay. When I got to the server it was full of spam messages. I needed to clean all this mess out of the Submission queue, and I used the following command:

Get-Message -Filter {FromAddress -eq "<>"} -Server MAILSERVER | Remove-Message
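As an added example (not from the original post), the script below goes one step further than the command above: it first finds the receive connector permission that makes the server an open relay, shows which queues are filling up, and only then removes the queued spam, without generating NDRs for each deleted message. It is written for the Exchange Management Shell and uses the post's placeholder server name MAILSERVER.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$Server = 'MAILSERVER'   # placeholder from the post

# 1. Find the hole. The extended right ms-Exch-SMTP-Accept-Any-Recipient granted
#    to ANONYMOUS LOGON on a receive connector is the classic open-relay setting.
$relayPerms = Get-ReceiveConnector -Server $Server |
    Get-ADPermission |
    Where-Object {
        $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
    }
$relayPerms | Select-Object Identity, User, ExtendedRights

# 2. Close it. -WhatIf only reports; drop it once you have confirmed the
#    connector is not a deliberate internal relay (e.g. for application servers).
$relayPerms | Remove-ADPermission -Confirm:$false -WhatIf

# 3. See where the mail is piling up.
Get-Queue -Server $Server |
    Sort-Object -Property MessageCount -Descending |
    Select-Object Identity, Status, MessageCount

# 4. Delete queued messages with an empty (null) sender, as the post does.
#    -WithNDR $false stops Exchange from producing a bounce for every deletion.
$spam = Get-Message -Server $Server -ResultSize Unlimited -Filter { FromAddress -eq '<>' }
"Messages with empty sender queued on $Server : $($spam.Count)"
$spam | Remove-Message -WithNDR $false -Confirm:$false
```

Be aware that legitimate bounce messages also carry the empty sender address, so the filter above removes real NDRs along with the spam; and cleaning the queue without removing the relay permission only buys a few minutes before it fills up again.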

That’s all folks 🙂


DNS records for a domain controller

January 7th, 2013

I always wondered whether there is a way to determine all the DNS records the NetLogon service registers on the DNS server. The list is located at %systemroot%\system32\config\netlogon.dns.


_ldap._tcp.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.cb30fef3-1c01-46c1-951a-5dec33f85833.domains._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
bcb148b0-c836-4847-bd55-3d3991821f76._msdcs.domain.local. 600 IN CNAME SERVER-DC1.domain.local.
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_gc._tcp.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_gc._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.pdc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
domain.local. 600 IN A 10.0.0.22
gc._msdcs.domain.local. 600 IN A 10.0.0.22
ForestDnsZones.domain.local. 600 IN A 10.0.0.22
DomainDnsZones.domain.local. 600 IN A 10.0.0.22
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._udp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kpasswd._tcp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.
_kpasswd._udp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.


This list can be used to import all the required DNS records into DNS servers that don't support dynamic updates.
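As an added example (not from the original post), the function below checks the other direction: given the domain, site and DC names from the list above (domain.local, Site1, SERVER-DC1, all placeholders), it queries DNS for the SRV records a domain controller must register and reports whether the DC is among the targets, so you can see at a glance which records are missing after a manual import. It assumes the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later) and a reachable DNS server.

```powershell
# Added example, not from the original post. Placeholder names from the list above.
function Test-DcSrvRecords {
    param(
        [string]$Domain    = 'domain.local',
        [string]$Site      = 'Site1',
        [string]$Dc        = 'SERVER-DC1.domain.local',
        [string]$DnsServer = $null          # optional: query one specific DNS server
    )

    # The _msdcs and _sites names are what the DC locator, LDAP and Kerberos clients actually ask for.
    $records = @(
        "_ldap._tcp.$Domain"
        "_ldap._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.pdc._msdcs.$Domain"
        "_ldap._tcp.gc._msdcs.$Domain"
        "_gc._tcp.$Domain"
        "_kerberos._tcp.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_kerberos._udp.$Domain"
        "_kpasswd._tcp.$Domain"
        "_ldap._tcp.$Site._sites.$Domain"
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
    )

    foreach ($name in $records) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }

        # Keep only SRV answers; Resolve-DnsName also returns the A records of the targets.
        $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }

        [pscustomobject]@{
            Record  = $name
            Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            HasDc   = [bool]($answers | Where-Object { $_.NameTarget -eq $Dc })
        }
    }
}

Test-DcSrvRecords | Format-Table -AutoSize
```

Where a record is missing on a zone that does allow dynamic updates, nltest /dsregdns on the domain controller makes NetLogon re-register the whole set; dcdiag /test:dns runs a similar check from Microsoft's side.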


Vrutky in the clouds

December 20th, 2012

Today I wanted to look something up in Vrutky on Google Maps and found that the whole of Vrutky is under clouds 🙂

Vrutky in the clouds


Thank you, Google 🙂


What interesting things…

December 17th, 2012

image

Quickie: GetMac.exe

November 30th, 2012

I was browsing the Internet looking for built-in Windows utilities and found a nice one, getmac.exe, which lists the MAC addresses on the local or a remote computer. It's a handy utility and a better way to find MAC addresses than reading the verbose output of ipconfig /all, which is very time consuming (look at it when IPv6 is enabled). 🙂

Also, ipconfig cannot be run against a remote machine without another utility (for example psexec).

More information here.
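As an added example (not from the original post), the function below wraps getmac.exe so that it can be run against a list of hosts and its CSV output becomes PowerShell objects instead of text. The host names are placeholders; getmac reaches remote machines over RPC with the caller's credentials, so you need administrative rights on them and the firewall must allow that traffic.

```powershell
# Added example, not from the original post.
function Get-RemoteMac {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        # /v = verbose (connection name and adapter), /fo csv = parseable output,
        # /nh = no header line. Errors go to stderr, so silence them here and
        # report them ourselves below.
        $lines = getmac /s $computer /v /fo csv /nh 2>$null

        if ($LASTEXITCODE -ne 0 -or -not $lines) {
            Write-Warning "$computer : getmac failed (host down, RPC blocked or no rights)"
            continue
        }

        # Column order of getmac /v: Connection Name, Network Adapter, Physical Address, Transport Name.
        $lines | ConvertFrom-Csv -Header ConnectionName, Adapter, MacAddress, Transport |
            # Keep only rows with a real MAC; disabled adapters show "N/A" or "Media disconnected".
            Where-Object { $_.MacAddress -match '^([0-9A-F]{2}-){5}[0-9A-F]{2}$' } |
            Select-Object @{ Name = 'Computer'; Expression = { $computer } },
                          ConnectionName, Adapter, MacAddress
    }
}

Get-RemoteMac -ComputerName 'FSSERVER', 'SERVER-DC1' | Format-Table -AutoSize
```

Because the result is an object list, it can be piped straight to Export-Csv to build a MAC inventory for port security or DHCP reservations.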


Quickie: Software Restriction Policy vs AppLocker

November 30th, 2012

Just a quick image about the differences between the "old" Software Restriction Policy and the "new" AppLocker:

Software Restriction Policy vs AppLocker

Now it’s easy to describe and remember.


Exchange not seeing all domain controllers in AD

November 30th, 2012

I had to solve an interesting problem today at one of our customers. Here is a short overview of the customer's environment:

AD Topology

Customer has following 5 sites:

  • Site1 – 1 DC
  • Site2 – 1 DC (this one holds the PDC emulator FSMO role)
  • Site3 – 2 DCs. Let's call this the central site.
  • Site4 – 2 DCs. This site represents one datacenter (datacenter 1).
  • Site5 – 2 DCs. This site represents the other datacenter (datacenter 2).

All domain controllers are global catalogs. Replication is configured manually in a star (hub-and-spoke) topology with Site3 as the hub: a separate site link was defined for each connection under Inter-Site Transports in AD Sites and Services.

AD Topology

Replication works fine. The Exchange servers are able to resolve all domain controllers; I checked this with DNS and also with nltest.

Exchange Topology

There are four Exchange 2010 servers. Two are CAS/HUB servers placed in a CAS array; the CAS servers and the CAS array IP addresses belong to the Site4 IP subnet. The other two are Mailbox servers placed in a DAG; both Mailbox servers and the DAG IP address are in Site4 as well. The catch is that one CAS/HUB and one Mailbox server are physically located in Site4 and the other CAS/HUB and Mailbox server are physically located in Site5. Between Site4 and Site5 there are stretched L2 networks for the CAS/HUB and Mailbox servers.

Exchange topology

Everything works fine. All the Exchange IP subnets are assigned to Site4, which means all Exchange servers primarily use the global catalog on the domain controllers in Site4. The idea from the network/security guys was to let the Exchange servers use only the global catalogs on the domain controllers located in the datacenters, Site4 and Site5, so the firewalls don't allow the Exchange servers to reach a global catalog on any domain controller other than those in Site4 and Site5.

Problem

The problem appeared when the domain controllers in Site4 went down: the Exchange servers wouldn't start and mount the databases.

When we looked into the event log we saw event 2080 (MSExchange ADAccess), which stated that the Exchange AD Topology service sees just four domain controllers:

  • Two in-site domain controllers, from the site the Exchange IP subnets are in (Site4)
  • Two out-of-site domain controllers, only from the central site Site3

Exchange couldn't use those out-of-site domain controllers because the firewalls blocked them, as per the network/security guys' recommendation. The question was why the Exchange servers didn't see and use the other domain controllers: they saw and used only those four (two in the same AD site and two in the central site).

After a couple of minutes of discussion with my colleague we found out that Exchange copies the AD topology and uses domain controllers in the following way:

  • Primarily, domain controllers in the same site as the Exchange servers (in-site DCs)
  • Secondarily, only domain controllers in sites that replicate directly with the primary site, i.e. sites joined to it by a site link (out-of-site DCs)

My colleague tried to convince me that it's a good idea and that Exchange is trying to protect you from some problems. But I don't see any point in Exchange not contacting all domain controllers and contacting only the domain controllers in its site plus the domain controllers that replicate with them. I don't see the point of Exchange not trying to connect to the global catalogs in Site1, Site2 and Site5. But this is the way Exchange looks for global catalog servers by design.

Proof of problem 🙂

I ran a couple of test scenarios.

Exchange servers in Site4

  • In-site DCs: DCs from Site4
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site5

  • In-site DCs: DCs from Site5
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site1

  • In-site DCs: DC from Site1
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site3

  • In-site DCs: DCs from Site3
  • Out-of-site DCs: all DCs from all sites

This really is proof of the problem with Exchange locating DCs.
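As an added example (not from the original post), the function below makes the same comparison as the test scenarios above, but from the server itself: it takes the AD site the Exchange server sits in, lists the DCs in that site, the DCs in the sites directly joined to it by a site link (the "out-of-site" set observed above), and the DCs in every other site, and then prints the DCs and GCs the Exchange server actually chose, which is the same information event 2080 reports. It is meant for the Exchange Management Shell on the Exchange server; the server name CAS1 is the post's placeholder.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function Get-ExchangeDcView {
    param([string]$ExchangeServer = $env:COMPUTERNAME)

    # Site membership of this machine and the whole forest site list, from .NET.
    $local  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    $dcsOf = { param($site) ($site.Servers | ForEach-Object { $_.Name }) -join ', ' }

    # AdjacentSites = sites that share a site link with the local site; this is the
    # set from which the post observed Exchange taking its out-of-site DCs.
    $adjacentNames = @($local.AdjacentSites | ForEach-Object { $_.Name })
    $adjacent = foreach ($s in $local.AdjacentSites) {
        [pscustomobject]@{ Site = $s.Name; DCs = & $dcsOf $s }
    }
    # Every remaining site: DCs that Exchange, per the observation above, never considers.
    $notAdjacent = foreach ($s in $forest.Sites) {
        if ($s.Name -ne $local.Name -and $adjacentNames -notcontains $s.Name) {
            [pscustomobject]@{ Site = $s.Name; DCs = & $dcsOf $s }
        }
    }

    # What ADAccess actually selected (the live equivalent of event 2080).
    $ex = Get-ExchangeServer -Identity $ExchangeServer -Status

    [pscustomobject]@{
        LocalSite       = $local.Name
        InSiteDCs       = & $dcsOf $local
        AdjacentSites   = $adjacent
        NotAdjacent     = $notAdjacent
        ExchangeUsesDCs = ($ex.CurrentDomainControllers -join ', ')
        ExchangeUsesGCs = ($ex.CurrentGlobalCatalogs -join ', ')
    }
}

Get-ExchangeDcView -ExchangeServer 'CAS1' | Format-List
```

Run it once before and once after changing the site links: ADAccess repeats its topology discovery every 15 minutes, or immediately after a restart of the Microsoft Exchange Active Directory Topology service, so the AdjacentSites and ExchangeUsesGCs rows should change together. If the site topology cannot be changed, Exchange 2010 also allows pinning the servers with Set-ExchangeServer -StaticDomainControllers / -StaticGlobalCatalogs, at the price of maintaining that list by hand.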


Solution

To solve this issue we could do one of two things:

  • Create a new AD site just for the Exchange IP subnets and put two domain controllers into it: one DC located in physical location 1/datacenter 1 (with the CAS1 and MBX1 servers) and the other in physical location 2/datacenter 2 (with the CAS2 and MBX2 servers).
  • Create a new AD site link between Site4 and Site5.

We decided to create the new site link.

I still don't understand why Exchange doesn't use all the domain controllers in the AD domain, as I would expect it to 🙁

Quickie: Couple minutes with Internet Explorer 10.0

November 23rd, 2012

Three days ago I installed Internet Explorer 10.0 on my Windows 7 SP1 machine. I downloaded it from here.

Internet Explorer 10

After a couple of seconds I noticed only small changes: the design of the buttons changed a little, as did the design of the check boxes.

After a couple of minutes I found the following new things:

Text box change

Now you can delete the content of a text box with one click, by clicking the X at the end of the box:

Delete text box

Password box change

In a password box you can reveal what is hidden behind the stars:

Hidden password in box

Show password in box

Easy copy and paste

When you select text and pictures in IE 10.0, you can drag and drop them into another application (e.g. Word, Outlook, …). This is very neat and cool.

Faster

My personal feeling is that web pages are displayed much faster than before, but this may be just a feeling 🙂