Run the following command to list your current tickets:
> klist tickets
Run the following command to purge your tickets:
> klist purge
14.17.3 Discussion
Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued one or more tickets. These tickets identify you as a certain principal in Active Directory and can be used to authenticate you to other Kerberized services. This type of ticket is known as a ticket-granting ticket, or TGT. Once you've obtained a TGT, the client can pass that to a Kerberized service and, if the service accepts the ticket, it will issue a service ticket that represents the client for the particular service.
Kerberos is a fairly complicated system that cannot be done justice in a single paragraph. If you want more information on tickets and how the Kerberos authentication system works, see Kerberos: The Definitive Guide (O'Reilly).
14.17.4 See Also
RFC 1510 (The Kerberos Network Authentication Service V5), and MS KB 232179 (Kerberos Administration in Windows 2000)
Recipe 14.18 Forcing Kerberos to Use TCP
14.18.1 Problem
Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.
14.18.2 Solution
14.18.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.
3. Right-click on Parameters and select New → DWORD Value. Enter MaxPacketSize for the value name.
4. In the right pane, double-click on MaxPacketSize and enter 1.
5. Click OK.
14.18.2.2 Using a command-line interface
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1
14.18.2.3 Using VBScript
' This code forces Kerberos to use TCP
' - SCRIPT CONFIGURATION -
strComputer = "<ComputerName>" ' e.g. rallen-w2k3
' - END CONFIGURATION -
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set objReg = GetObject("winmgmts:\\" & strComputer & _
"\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1
WScript.Echo "Kerberos forced to use TCP for " & strComputer
14.18.3 Discussion
If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous "There are currently no logon servers available to service the logon request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help identify if there is a problem with Kerberos is to have the users run the following command:
> netdiag /test:kerberos
Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur.
For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).
Recipe 14.19 Modifying Kerberos Settings
14.19.1 Problem
You want to modify the default Kerberos settings that define things such as maximum ticket lifetime.
14.19.2 Solution
14.19.2.1 Using a graphical user interface
1. Open the Domain Security Policy snap-in.
2. In the left pane, expand Account Policies → Kerberos Policy.
3. In the right pane, double-click on the setting you want to modify.
4. Enter the new value and click OK.
14.19.3 Discussion
There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.
Change the default settings with caution, as doing so incorrectly could cause operational problems and compromise security.
Table 14-1 Kerberos policy settings
Setting                                                 Default
Maximum tolerance for computer clock synchronization    5 minutes
14.19.4 See Also
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)
Chapter 15 Logging, Monitoring, and Quotas
Introduction
Recipe 15.1 Enabling Extended dcpromo Logging
Recipe 15.2 Enabling Diagnostics Logging
Recipe 15.3 Enabling NetLogon Logging
Recipe 15.4 Enabling GPO Client Logging
Recipe 15.5 Enabling Kerberos Logging
Recipe 15.6 Enabling DNS Server Debug Logging
Recipe 15.7 Viewing DNS Server Performance Statistics
Recipe 15.8 Enabling Inefficient and Expensive LDAP Query Logging
Recipe 15.9 Using the STATS Control to View LDAP Query Statistics
Recipe 15.10 Using Perfmon to Monitor AD
Recipe 15.11 Using Perfmon Trace Logs to Monitor AD
Recipe 15.12 Enabling Auditing of Directory Access
Recipe 15.13 Creating a Quota
Recipe 15.14 Finding the Quotas Assigned to a Security Principal
Recipe 15.15 Changing How Tombstone Objects Count Against Quota Usage
Recipe 15.16 Setting the Default Quota for All Security Principals in a Partition
Recipe 15.17 Finding the Quota Usage for a Security Principal
This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, often the first place you look is log files. With Active Directory, there are several different log files, and each has different ways to increase or decrease the verbosity of information that is logged. Viewing log messages can be useful, but you may also want to look at performance metrics to determine if the system is being over-utilized. I'll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro's (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).
I'll also cover a somewhat-related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000 where users that had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disk filled on the domain controllers. This kind of attack is not likely to happen in most environments, but the possibility should still be considered.
The Anatomy of a Quota Object Container
Quota objects are stored in the NTDS Quotas container in all Windows Server 2003-based naming contexts and application partitions except the schema naming context (quotas cannot be associated with the schema naming context). By default, this container is hidden from view within tools such as Active Directory Users and Computers, but can be seen by selecting View → Advanced Features from the menu. The quota object container has an objectClass of msDS-QuotaContainer, and contains several attributes that define default quota behavior. Table 15-1 lists some of the important attributes of msDS-QuotaContainer objects.
Table 15-1 Attributes of msDS-QuotaContainer objects
Attribute
    Description
cn
    RDN of quota container objects. By default, this is equal to NTDS Quotas.
msDS-DefaultQuota
    The default quota applied to all security principals that do not have another quota specification applied. See Recipe 15.16 for more details.
msDS-QuotaEffective
    A constructed attribute that contains the effective quota of the security principal that is viewing the attribute. See Recipe 15.17 for more details.
msDS-QuotaUsed
    A constructed attribute that contains the quota usage of the security principal that is viewing the attribute. See Recipe 15.17 for more details.
msDS-TombstoneQuotaFactor
    Percentage that tombstone objects count against a quota. The default is 100, which means a tombstone object has equal weighting to a normal object. See Recipe 15.15 for more details.
msDS-TopQuotaUsage
    Multivalued attribute that contains information about the security principals with the top quota usage. See Recipe 15.17 for more details.
The Anatomy of a Quota Object
Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that relate to quotas. Table 15-2 contains these attributes and provides a description for each.
Table 15-2 Attributes of msDS-QuotaControl objects
Attribute
    Description
msDS-QuotaAmount
    Number of objects that can be created by the security principals that the quota applies to. See Recipe 15.13 for more information.
msDS-QuotaTrustee
    SID of the security principal that the quota applies to. This can be a user, group, or computer SID. See Recipe 15.13 for more information.
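The two tables above describe the container and its quota objects; the following PowerShell script is an added example (not from the book) that reads the container's defaults and enumerates the quota objects in one partition, resolving each msDS-QuotaTrustee SID to an account name. It assumes a domain partition DN of DC=corp,DC=example (a placeholder), a domain-joined machine with the .NET System.DirectoryServices classes available, and a Windows Server 2003 or later forest in which the NTDS Quotas container exists.

```powershell
# Added example, not from the book. Reads the NTDS Quotas container and lists
# the msDS-QuotaControl objects beneath it. The partition DN is a placeholder.
$PartitionDN = 'DC=corp,DC=example'
$ContainerDN = "CN=NTDS Quotas,$PartitionDN"

function Get-QuotaContainerDefaults {
    $container = [ADSI]"LDAP://$ContainerDN"
    # msDS-QuotaEffective and msDS-QuotaUsed are constructed attributes, so they
    # are only returned when requested explicitly; their values describe the
    # identity running this script, as Table 15-1 notes.
    $container.RefreshCache(@('msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor',
                              'msDS-QuotaEffective', 'msDS-QuotaUsed', 'msDS-TopQuotaUsage'))
    [pscustomobject]@{
        Container            = $ContainerDN
        DefaultQuota         = $container.Properties['msDS-DefaultQuota'].Value
        TombstoneQuotaFactor = $container.Properties['msDS-TombstoneQuotaFactor'].Value
        MyEffectiveQuota     = $container.Properties['msDS-QuotaEffective'].Value
        MyQuotaUsed          = $container.Properties['msDS-QuotaUsed'].Value
        TopUsage             = @($container.Properties['msDS-TopQuotaUsage'])
    }
}

function Get-QuotaObject {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ContainerDN"
    $searcher.Filter      = '(objectClass=msDS-QuotaControl)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'msDS-QuotaAmount', 'msDS-QuotaTrustee'))
    foreach ($result in $searcher.FindAll()) {
        # SearchResult property names are case-insensitive; lower-case is used here.
        # msDS-QuotaTrustee comes back as the binary form of the SID.
        $sidBytes = $result.Properties['msds-quotatrustee'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $trustee = '<unresolved>'   # e.g. a SID from a trusted domain that cannot be translated here
        try { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Name    = $result.Properties['cn'][0]
            Amount  = $result.Properties['msds-quotaamount'][0]
            Trustee = $trustee
            SID     = $sid.Value
        }
    }
}

# Usage
Get-QuotaContainerDefaults | Format-List
Get-QuotaObject | Format-Table -AutoSize
```

Because quotas apply per partition, run Get-QuotaObject once per naming context or application partition you care about; a principal's effective quota is the most generous quota that applies to it, which is why resolving the trustee SIDs to group names matters when you audit who is allowed to create how many objects.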
Recipe 15.1 Enabling Extended dcpromo Logging
15.1.1 Problem
You want to enable extended dcpromo logging. This can be useful if you are experiencing problems during the promotion or demotion process and the dcpromo log files are not providing enough information to indicate the problem.
15.1.2 Solution
These solutions are slightly different on Windows 2000. See the Discussion section for more information. To enable the maximum amount of logging, use 16711683 (FF0003 in hexadecimal) as the flag value. For a complete description of the possible bit values, see MS KB 221254.
15.1.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → Software → Microsoft → Windows → CurrentVersion → AdminDebug → dcpromoui.
3. If the LogFlags value does not exist, right-click on dcpromoui in the left pane and select New → DWORD Value. For the name, enter LogFlags.
4. In the right pane, double-click on the LogFlags value and enter the flag value you want to set.
5. Click OK.
15.1.2.2 Using a command-line interface
With the following command, <FlagValue> needs to be the decimal version (not hexadecimal) of the flag value:
> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui /v "LogFlags" /t REG_DWORD /d <FlagValue>
15.1.2.3 Using VBScript
' This code sets the dcpromoui logging flag (for Windows Server 2003 only).
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g. dc01
intFlag = <FlagValue> ' Flag value in decimal, e.g. 16711683
' - END CONFIGURATION -
const HKLM = &H80000002
strDcpromoReg = "Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strDcpromoReg, "LogFlags", intFlag
WScript.Echo "Dcpromoui flag set to " & intFlag
15.1.3 Discussion
As described in Recipe 3.5, the dcpromo wizard creates a couple of log files in %SystemRoot%\debug when it is executed, which can be useful in troubleshooting promotion or demotion problems. Typically, the default amount of logging that is done in the dcpromoui.log file is sufficient to identify most problems, but you can increase it as described in the Solution section.
The location of the log flags registry value changed from Windows 2000 to Windows Server 2003. In Windows 2000, the value is located here:
HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui
In Windows Server 2003, the value is located here (which was used in the Solution section):
HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui\LogFlags
15.1.4 See Also
Recipe 3.5 for more on troubleshooting dcpromo problems, and MS KB 221254 (Registry Settings for Event Detail in the Dcpromoui.log File)
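Recipe 14.18 (MaxPacketSize) and Recipe 15.1 (LogFlags) both come down to writing one REG_DWORD on a remote machine. The PowerShell function below is an added example (not from the book and not part of any Microsoft tool) that does this through the Remote Registry service and reads the value back to confirm the write took effect; the two calls under it apply it to both recipes. The computer names client01 and dc01 are placeholders, and the function assumes the Remote Registry service is running on the target and that you are a local administrator there.

```powershell
# Added example, not from the book. Sets a REG_DWORD under HKLM on a remote
# machine via the Remote Registry service and verifies it by reading it back.
function Set-RemoteDwordValue {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SubKey,      # path below HKLM, e.g. 'SYSTEM\...'
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][int]$Value
    )
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # CreateSubKey opens the key writable and creates it if it is missing,
        # the same thing the regedit "New > DWORD Value" step relies on.
        $key = $hive.CreateSubKey($SubKey)
        $before = $key.GetValue($ValueName)      # $null when the value does not exist yet
        $key.SetValue($ValueName, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after = $key.GetValue($ValueName)
        $key.Close()
    } finally {
        $hive.Close()
    }
    if ($after -ne $Value) {
        throw "Write to \\$ComputerName\HKLM\$SubKey\$ValueName did not stick (read back '$after')"
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Value        = "HKLM\$SubKey\$ValueName"
        Before       = $before
        After        = $after
    }
}

# Recipe 14.18: force Kerberos over TCP on a client (placeholder name client01).
Set-RemoteDwordValue -ComputerName 'client01' `
    -SubKey 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -ValueName 'MaxPacketSize' -Value 1

# Recipe 15.1: maximum dcpromoui logging on a Windows Server 2003 DC (placeholder
# name dc01). The flag is documented in hex (FF0003); converting it here avoids
# the decimal-only /d switch of reg add.
$flags = [Convert]::ToInt32('FF0003', 16)    # 16711683
Set-RemoteDwordValue -ComputerName 'dc01' `
    -SubKey 'Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui' `
    -ValueName 'LogFlags' -Value $flags
```

The Before/After pair in the output is the part worth keeping: it gives you a record of what the value was before you changed it, so the setting can be reverted once the troubleshooting is done, and it catches the case where a policy or a permissions problem silently prevents the change.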
Recipe 15.2 Enabling Diagnostics Logging
15.2.1 Problem
You want to enable diagnostics event logging because the current level of logging is not providing enough information to help pinpoint the problem you are troubleshooting.
15.2.2 Solution
15.2.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0-5) based on how much you want logged.
4. Click OK.
15.2.2.2 Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "<LoggingSetting>" /t REG_DWORD /d <0-5>
15.2.2.3 Using VBScript
' This code sets the specified diagnostics logging level.
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g. dc01
strLogSetting = "<LoggingSetting>" ' e.g. 1 Knowledge Consistency Checker
intFlag = <FlagValue> ' Logging level in decimal (0-5), e.g. 5
' - END CONFIGURATION -
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' The value name under the Diagnostics key is the logging setting itself
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
& " set to " & intFlag
15.2.3 Discussion
A useful way to troubleshoot specific problems you are encountering with Active Directory is to increase the diagnostics logging level. Diagnostics logging can be enabled by component. For example, if you determine the Knowledge Consistency Checker (KCC) is not completing every 15 minutes, you can enable diagnostics logging for the "1 Knowledge Consistency Checker" setting.
These settings are stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set to 0, which disables diagnostic logging, but you can increase it by setting it to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is a good practice to ease your way up to 5 because some diagnostics logging settings can generate a large number of events in the event log, which may make it difficult to read, along with increasing resource utilization on the domain controller.
Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that settings 20-24 are not available on Windows 2000-based domain controllers.
1 Knowledge Consistency Checker
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema
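The PowerShell script below is an added example (not from the book) that lists the current level of every setting under the Diagnostics key and raises one of them, refusing to jump by more than one level at a time in line with the advice above to ease your way up. It assumes it runs in an elevated prompt on the domain controller itself; the key path and the value names are the ones documented in this recipe.

```powershell
# Added example, not from the book. Reads and adjusts the NTDS diagnostics
# logging levels on the local domain controller.
$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticsLevel {
    # One object per component, ordered by the numeric prefix of the value name
    # ("1 Knowledge Consistency Checker", "2 Security Events", ...).
    $props = Get-ItemProperty -Path $DiagnosticsKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |
        ForEach-Object {
            [pscustomobject]@{ Component = $_.Name; Level = [int]$_.Value }
        } |
        Sort-Object { [int]($_.Component -split ' ')[0] }
}

function Set-NtdsDiagnosticsLevel {
    param(
        [Parameter(Mandatory)][string]$Component,                  # e.g. '1 Knowledge Consistency Checker'
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level     # 0 = off, 1 = minimum, 3 = medium, 5 = maximum
    )
    $current = [int](Get-ItemProperty -Path $DiagnosticsKey -Name $Component).$Component
    if ($Level -gt $current + 1) {
        # Large jumps flood the Directory Service event log and load the DC;
        # lowering a level (for example back to 0) is always allowed.
        throw "Refusing to jump '$Component' from $current to $Level; raise it one level at a time"
    }
    Set-ItemProperty -Path $DiagnosticsKey -Name $Component -Value $Level -Type DWord
    "$Component : $current -> $Level"
}

# Usage: review the current state, raise KCC logging one step, and lower it
# again once the problem has been reproduced and the event log captured.
Get-NtdsDiagnosticsLevel | Format-Table -AutoSize
Set-NtdsDiagnosticsLevel -Component '1 Knowledge Consistency Checker' -Level 1
Set-NtdsDiagnosticsLevel -Component '1 Knowledge Consistency Checker' -Level 0
```

Keep the output of Get-NtdsDiagnosticsLevel from before you start; a DC that is left at level 5 on several components after a troubleshooting session will keep paying the performance cost and will bury the events you actually care about.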
15.2.4 See Also
MS KB 220940 (How to Enable Diagnostic Event Logging for Active Directory Services)
Recipe 15.3 Enabling NetLogon Logging
15.3.1 Problem
You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.
15.3.2 Solution
15.3.2.1 Using a command-line interface
To enable Netlogon logging, use the following command:
> nltest /dbflag:0x2080ffff
To disable Netlogon logging, use the following command:
> nltest /dbflag:0x0
15.3.3 Discussion
The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2000ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.
The NetLogon logging level is stored in the following registry value:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
If you set that registry value manually, instead of using nltest, you'll need to restart the NetLogon service for it to take effect.
One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. A newer tool available for Windows XP and Windows Server 2003 called nlparse can filter the contents of the netlogon.log file so that you'll only see certain types of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web site (assuming the tools haven't moved):
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
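Below is an added PowerShell example (not from the book, and not nlparse itself) of the kind of filtering nlparse does: it parses netlogon.log lines, keeps only the entry categories you ask for, and tallies the NTSTATUS codes of failed logons per account, which is the first thing to look at in an account lockout investigation. The sample lines are constructed in the netlogon.log layout (date, time, bracketed category, optional bracketed thread id, message); the domain, account and host names in them are placeholders, and the status code names are the standard Windows NTSTATUS definitions.

```powershell
# Added example, not from the book. A small netlogon.log filter in the spirit
# of nlparse. $SampleLog is constructed sample data; on a DC you would feed it
# Get-Content "$env:SystemRoot\Debug\netlogon.log" instead.
$SampleLog = @'
06/07 10:15:23 [LOGON] [2108] CORP: SamLogon: Network logon of CORP\jdoe from WKS01 Entered
06/07 10:15:23 [LOGON] [2108] CORP: SamLogon: Network logon of CORP\jdoe from WKS01 Returns 0xC000006A
06/07 10:15:24 [LOGON] [2108] CORP: SamLogon: Network logon of CORP\jdoe from WKS01 Returns 0xC000006A
06/07 10:15:25 [LOGON] [2108] CORP: SamLogon: Network logon of CORP\jdoe from WKS01 Returns 0xC0000234
06/07 10:15:30 [MISC] [2108] DsGetDcName function called: client PID=1234, Dom:CORP Acct:(null) Flags: DS
06/07 10:15:31 [LOGON] [2108] CORP: SamLogon: Network logon of CORP\asmith from WKS02 Returns 0x0
06/07 10:16:02 [CRITICAL] [2108] CORP: NlSessionSetup: Session setup: cannot pick trusted DC
'@

# Friendly names for the NTSTATUS codes that matter most in lockout work.
$StatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
}

function ConvertFrom-NetlogonLine {
    # Parses one line into timestamp, category, account, client and return code.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # The thread id in square brackets after the category is optional
        # because older Netlogon builds do not write it.
        if (-not ($Line -match '^(\d\d/\d\d \d\d:\d\d:\d\d) \[([A-Z]+)\] (?:\[\d+\] )?(.*)$')) { return }
        $ts, $tag, $msg = $Matches[1], $Matches[2], $Matches[3]
        $account = $null; $client = $null; $status = $null
        if ($msg -match 'logon of (\S+) from (\S+)') { $account = $Matches[1]; $client = $Matches[2] }
        if ($msg -match 'Returns (0x[0-9A-Fa-f]+)\s*$') {
            # Normalise the hex digits so the lookup in $StatusNames is exact.
            $status = '0x' + $Matches[1].Substring(2).ToUpper()
        }
        [pscustomobject]@{
            Time    = $ts
            Tag     = $tag
            Account = $account
            Client  = $client
            Status  = $status
            Message = $msg
        }
    }
}

function Get-NetlogonFailures {
    # Keeps the requested categories and tallies non-success return codes.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Tag = @('LOGON', 'CRITICAL')
    )
    $Lines | ConvertFrom-NetlogonLine |
        Where-Object { $_.Tag -in $Tag -and $_.Status -and $_.Status -ne '0x0' } |
        Group-Object Status |
        ForEach-Object {
            [pscustomobject]@{
                Status   = $_.Name
                Meaning  = $StatusNames[$_.Name]
                Count    = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
                Clients  = ($_.Group.Client | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage
$lines = $SampleLog -split '\r?\n'
Get-NetlogonFailures -Lines $lines | Format-Table -AutoSize
```

With the sample data this reports the repeated wrong-password attempts for one account followed by the lockout, and the Clients column tells you which machine to look at for the stale credential; the success line and the MISC entry are filtered out because only failing return codes in the LOGON and CRITICAL categories are kept.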
15.3.4 See Also
MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)