Run the following command to list your current tickets:

    > klist tickets

Run the following command to purge your tickets:

    > klist purge

14.17.3 Discussion

Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued a ticket-granting ticket (TGT). The TGT identifies you as a particular principal in Active Directory and is the credential you use to obtain further tickets. When the client needs to talk to a Kerberized service, it presents the TGT to the KDC (specifically its ticket-granting service) and asks for a service ticket for that service; if the KDC accepts the TGT, it issues a service ticket that represents the client to that particular service. The client then presents the service ticket to the service itself; the service never sees the TGT. Tickets have a limited lifetime, which is why klist tickets shows start, end, and renewal times for each one; Recipe 14.19 covers the policy settings that control those lifetimes.

Kerberos is a fairly complicated system that cannot be done justice in a single paragraph. If you want more information on tickets and how the Kerberos authentication system works, see Kerberos: The Definitive Guide (O'Reilly).

14.17.4 See Also

RFC 1510 (The Kerberos Network Authentication Service V5; since superseded by RFC 4120), and MS KB 232179 (Kerberos Administration in Windows 2000)

Recipe 14.18 Forcing Kerberos to Use TCP

14.18.1 Problem

Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.

14.18.2 Solution

14.18.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.
3. Right-click on Parameters and select New → DWORD Value. Enter MaxPacketSize for the value name.
4. In the right pane, double-click on MaxPacketSize and enter 1.
5. Click OK.
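The same registry change as a PowerShell function, added here as an example that is not part of the original cookbook. It records the current MaxPacketSize, creates the Parameters key if it is missing, sets the value to 1 (the value is a byte threshold: requests larger than it go over TCP, so 1 sends everything over TCP), reads the value back to confirm the change, and lists recent Kerberos client events from the System log, which the Discussion below points at for authentication problems. The provider name used for the event query is the one Windows Vista and later write under; older systems log under the source "Kerberos". Note also that Vista and later already default to TCP, so this change matters for the Windows 2000/XP/2003 clients the recipe targets. Run it in an elevated session on the affected client.

```powershell
# Added example (not from the cookbook): force the Kerberos client to use TCP by
# setting MaxPacketSize=1, as Recipe 14.18 does with regedit/reg.exe, confirm the
# value, and look for recent Kerberos client events in the System log.
# Requires an elevated PowerShell session on the client being fixed.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the current MaxPacketSize, or $null when the value (or key) is absent,
    # which means the OS default applies.
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosTcpOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before = Get-KerberosMaxPacketSize
    $shown  = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Verbose "Current MaxPacketSize: $shown"

    if (-not (Test-Path $KerbParams)) {
        # The Parameters subkey is not present on every build; create it first.
        if ($PSCmdlet.ShouldProcess($KerbParams, 'Create registry key')) {
            New-Item -Path $KerbParams -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$KerbParams\MaxPacketSize", 'Set DWORD to 1 (TCP for every request)')) {
        # Requests larger than MaxPacketSize bytes are sent over TCP; 1 byte means all of them.
        Set-ItemProperty -Path $KerbParams -Name MaxPacketSize -Value 1 -Type DWord
        $after = Get-KerberosMaxPacketSize
        if ($after -ne 1) {
            throw "MaxPacketSize read back as '$after'; expected 1"
        }
    } else {
        $after = $before   # -WhatIf: nothing changed
    }

    [pscustomobject]@{ Before = $before; After = $after }
}

function Get-RecentKerberosClientEvents {
    # Kerberos client events from the System log. The provider name is the one used by
    # Windows Vista and later (assumption for older clients: the source is 'Kerberos').
    param([int]$Hours = 24, [int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage (illustrative):
#   Set-KerberosTcpOnly -Verbose -WhatIf      # show what would change
#   Set-KerberosTcpOnly -Verbose              # apply and verify
#   Get-RecentKerberosClientEvents -Hours 48  # what the client has been complaining about
```

Use -WhatIf first on a machine you care about; the function reports the previous value so you can restore it if TCP-only turns out not to be the fix.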
14.18.2.2 Using a command-line interface

    > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v[RETURN]
    "MaxPacketSize" /t REG_DWORD /d 1

14.18.2.3 Using VBScript

    ' This code forces Kerberos to use TCP
    ' SCRIPT CONFIGURATION
    strComputer = "<ComputerName>"   ' e.g. rallen-w2k3
    ' END CONFIGURATION
    const HKLM = &H80000002
    strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    set objReg = GetObject("winmgmts:\\" & strComputer & _
                           "\root\default:StdRegProv")
    objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1
    WScript.Echo "Kerberos forced to use TCP for " & strComputer

14.18.3 Discussion

If you have users who are experiencing extremely slow logon times (especially over VPN), or who are seeing the infamous "There are currently no logon servers available to service the logon request" message, they may be experiencing UDP fragmentation of Kerberos traffic. MaxPacketSize is a byte threshold: Kerberos requests larger than it are sent over TCP, so setting it to 1 sends every request over TCP and avoids fragmentation altogether. One way to help identify whether there is a problem with Kerberos is to have the users run the following command:

    > netdiag /test:kerberos

Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur. For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).

Recipe 14.19 Modifying Kerberos Settings

14.19.1 Problem

You want to modify the default Kerberos settings that define things such as maximum ticket lifetime.

14.19.2 Solution

14.19.2.1 Using a graphical user interface

1. Open the Domain Security Policy snap-in.
2. In the left pane, expand Account Policies → Kerberos Policy.
3. In the right pane, double-click on the setting you want to modify.
4. Enter the new value and click OK.

14.19.3 Discussion

There are several Kerberos-related settings you can customize. In most environments the default settings are sufficient, but the ones you can modify are listed in Table 14-1.
Change the default settings with caution; done incorrectly, it can cause operational problems and weaken security. Shorter ticket lifetimes limit how long a stolen ticket stays usable and a tighter clock-skew tolerance narrows the window in which a captured authenticator can be replayed, but setting either too low produces spurious authentication failures across the domain.

Table 14-1. Kerberos policy settings

    Setting                                                 Default value
    Enforce user logon restrictions                         Enabled
    Maximum lifetime for service ticket                     600 minutes
    Maximum lifetime for user ticket                        10 hours
    Maximum lifetime for user ticket renewal                7 days
    Maximum tolerance for computer clock synchronization    5 minutes

14.19.4 See Also

MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)

Chapter 15. Logging, Monitoring, and Quotas

Introduction
Recipe 15.1. Enabling Extended dcpromo Logging
Recipe 15.2. Enabling Diagnostics Logging
Recipe 15.3. Enabling NetLogon Logging
Recipe 15.4. Enabling GPO Client Logging
Recipe 15.5. Enabling Kerberos Logging
Recipe 15.6. Enabling DNS Server Debug Logging
Recipe 15.7. Viewing DNS Server Performance Statistics
Recipe 15.8. Enabling Inefficient and Expensive LDAP Query Logging
Recipe 15.9. Using the STATS Control to View LDAP Query Statistics
Recipe 15.10. Using Perfmon to Monitor AD
Recipe 15.11. Using Perfmon Trace Logs to Monitor AD
Recipe 15.12. Enabling Auditing of Directory Access
Recipe 15.13. Creating a Quota
Recipe 15.14. Finding the Quotas Assigned to a Security Principal
Recipe 15.15. Changing How Tombstone Objects Count Against Quota Usage
Recipe 15.16. Setting the Default Quota for All Security Principals in a Partition
Recipe 15.17. Finding the Quota Usage for a Security Principal

Introduction

This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, often the first place you look is the log files. With Active Directory there are several different log files, and each has a different way to increase or decrease the verbosity of the information that is logged.
Viewing log messages can be useful, but you may also want to look at performance metrics to determine if the system is being overutilized. I'll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro's (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).

I'll also cover a somewhat-related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000 where users that had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disk filled on the domain controllers. This kind of attack is not likely to happen in most environments, but the possibility should still be considered: any principal that has been delegated create rights in a partition is a candidate for a quota.

The Anatomy of a Quota Object Container

Quota objects are stored in the NTDS Quotas container in all Windows Server 2003-based naming contexts and application partitions except the schema naming context (quotas cannot be associated with the schema naming context). By default, this container is hidden from view within tools such as Active Directory Users and Computers, but it can be seen by selecting View → Advanced Features from the menu. The quota object container has an objectClass of msDS-QuotaContainer and contains several attributes that define default quota behavior. Table 15-1 lists some of the important attributes of msDS-QuotaContainer objects.

Table 15-1. Attributes of msDS-QuotaContainer objects

    Attribute                   Description
    cn                          RDN of the quota container object. By default, this is NTDS Quotas.
    msDS-DefaultQuota           The default quota applied to all security principals that do not have another quota specification applied. See Recipe 15.16 for more details.
    msDS-QuotaEffective         A constructed attribute that contains the effective quota of the security principal that is reading the attribute. See Recipe 15.17 for more details.
    msDS-QuotaUsed              A constructed attribute that contains the quota usage of the security principal that is reading the attribute. See Recipe 15.17 for more details.
    msDS-TombstoneQuotaFactor   Percentage that tombstone objects count against a quota. The default is 100, which means a tombstone object has the same weight as a normal object. See Recipe 15.15 for more details.
    msDS-TopQuotaUsage          Multivalued attribute that contains information about the security principals with the top quota usage. See Recipe 15.17 for more details.

The Anatomy of a Quota Object

Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that relate to quotas. Table 15-2 lists these attributes and provides a description of each.

Table 15-2. Attributes of msDS-QuotaControl objects

    Attribute           Description
    cn                  RDN of the quota object.
    msDS-QuotaAmount    Number of objects that can be created by the security principals that the quota applies to. See Recipe 15.13 for more information.
    msDS-QuotaTrustee   SID of the security principal that the quota applies to. This can be a user, group, or computer SID. See Recipe 15.13 for more information.

Recipe 15.1 Enabling Extended dcpromo Logging

15.1.1 Problem

You want to enable extended dcpromo logging. This can be useful if you are experiencing problems during the promotion or demotion process and the dcpromo log files are not providing enough information to indicate the problem.

15.1.2 Solution

These solutions are slightly different on Windows 2000. See the Discussion section for more information. To enable the maximum amount of logging, use 16711683 (0xFF0003 in hexadecimal) as the flag value.
For a complete description of the possible bit values, see MS KB 221254.

15.1.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → Software → Microsoft → Windows → CurrentVersion → AdminDebug → dcpromoui.
3. If the LogFlags value does not exist, right-click on dcpromoui in the left pane and select New → DWORD Value. For the name, enter LogFlags.
4. In the right pane, double-click on the LogFlags value and enter the flag value you want to set.
5. Click OK.

15.1.2.2 Using a command-line interface

In the following command, <FlagValue> needs to be the decimal version (not hexadecimal) of the flag value:

    > reg add HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui /v[RETURN]
    "LogFlags" /t REG_DWORD /d <FlagValue>

15.1.2.3 Using VBScript

    ' This code sets the dcpromoui logging flag (for Windows Server 2003 only)
    ' SCRIPT CONFIGURATION
    strDC = "<DomainControllerName>"   ' e.g. dc01
    intFlag = <FlagValue>              ' Flag value in decimal, e.g. 16711683
    ' END CONFIGURATION
    const HKLM = &H80000002
    strDcpromoReg = "Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
    set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
    objReg.SetDwordValue HKLM, strDcpromoReg, "LogFlags", intFlag
    WScript.Echo "Dcpromoui flag set to " & intFlag

15.1.3 Discussion

As described in Recipe 3.5, the dcpromo wizard creates a couple of log files in %SystemRoot%\debug when it is executed, which can be useful in troubleshooting promotion or demotion problems. Typically, the default amount of logging done in the dcpromoui.log file is sufficient to identify most problems, but you can increase it as described in the Solution section. The location of the log flags registry value changed from Windows 2000 to Windows Server 2003.
In Windows 2000, the flags are held in a value named dcpromoui directly under the AdminDebug key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui

In Windows Server 2003, dcpromoui is a subkey and the flags are held in its LogFlags value (this is the location used in the Solution section):

    HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui\LogFlags

15.1.4 See Also

Recipe 3.5 for more on troubleshooting dcpromo problems, and MS KB 221254 (Registry Settings for Event Detail in the Dcpromoui.log File)

Recipe 15.2 Enabling Diagnostics Logging

15.2.1 Problem

You want to enable diagnostics event logging because the current level of logging is not providing enough information to help pinpoint the problem you are troubleshooting.

15.2.2 Solution

15.2.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0-5) based on how much you want logged.
4. Click OK.

15.2.2.2 Using a command-line interface

    > reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v[RETURN]
    "<LoggingSetting>" /t REG_DWORD /d <0-5>

15.2.2.3 Using VBScript

    ' This code sets the specified diagnostics logging level
    ' SCRIPT CONFIGURATION
    strDC = "<DomainControllerName>"      ' e.g. dc01
    strLogSetting = "<LoggingSetting>"    ' e.g. 1 Knowledge Consistency Checker
    intFlag = <FlagValue>                 ' Logging level in decimal (0-5), e.g. 5
    ' END CONFIGURATION
    const HKLM = &H80000002
    strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
    set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
    ' The value to set is the logging setting itself (e.g. "1 Knowledge Consistency
    ' Checker"), not a value named LogFlags as in Recipe 15.1.
    objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
    WScript.Echo "Diagnostics logging for " & strLogSetting _
               & " set to " & intFlag

15.2.3 Discussion

A useful way to troubleshoot specific problems you are encountering with Active Directory is to increase the diagnostics logging level.
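The registry change from the Solution section as a PowerShell function, added here as an example that is not part of the original cookbook. It resolves a component by number, by name, or by the full value name (the 24 value names are the ones listed later in this Discussion), enforces the 0-5 range, warns before setting level 5, reads back the level, and pulls the Directory Service log entries written since the change so you can see what the new level produces. Run it in an elevated session on the domain controller; the usage lines at the end are illustrative.

```powershell
# Added example (not from the cookbook): set an NTDS diagnostics logging level by
# component name or number, keep the level inside 0-5, and show what the Directory
# Service log records afterwards. Requires an elevated session on the DC.

$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# The 24 value names exactly as they appear under the Diagnostics key
# (20-24 exist only on Windows Server 2003 and later).
$DiagSettings = @(
    '1 Knowledge Consistency Checker', '2 Security Events', '3 ExDS Interface Events',
    '4 MAPI Interface Events', '5 Replication Events', '6 Garbage Collection',
    '7 Internal Configuration', '8 Directory Access', '9 Internal Processing',
    '10 Performance Counters', '11 Initialization/Termination', '12 Service Control',
    '13 Name Resolution', '14 Backup', '15 Field Engineering', '16 LDAP Interface Events',
    '17 Setup', '18 Global Catalog', '19 Inter-site Messaging', '20 Group Caching',
    '21 Linked-Value Replication', '22 DS RPC Client', '23 DS RPC Server', '24 DS Schema'
)

function Resolve-DiagSetting {
    # Accept '5', 'Replication Events' or '5 Replication Events'; return the full value name.
    param([Parameter(Mandatory)][string]$Setting)
    $match = @($DiagSettings | Where-Object {
        $_ -eq $Setting -or
        ($_ -split ' ', 2)[0] -eq $Setting -or
        ($_ -split ' ', 2)[1] -eq $Setting
    })
    if ($match.Count -ne 1) { throw "Unknown or ambiguous diagnostics setting '$Setting'" }
    return $match[0]
}

function Get-NtdsDiagnosticsLevel {
    # Current level of every component (0 = off). A missing value is reported as 0.
    $props = Get-ItemProperty -Path $DiagKey
    foreach ($name in $DiagSettings) {
        $level = 0
        if ($null -ne $props.PSObject.Properties[$name]) { $level = [int]$props.$name }
        [pscustomobject]@{ Setting = $name; Level = $level }
    }
}

function Set-NtdsDiagnosticsLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Setting,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    $name = Resolve-DiagSetting $Setting
    if ($Level -eq 5) {
        Write-Warning "Level 5 on '$name' can flood the Directory Service log and load the DC; step up from 1 or 3 first."
    }
    if ($PSCmdlet.ShouldProcess("$DiagKey\$name", "Set logging level to $Level")) {
        Set-ItemProperty -Path $DiagKey -Name $name -Value $Level -Type DWord
    }
    Get-NtdsDiagnosticsLevel | Where-Object { $_.Setting -eq $name }
}

function Get-DirectoryServiceEventsSince {
    # Events written to the Directory Service log after a given time.
    param([Parameter(Mandatory)][datetime]$Since, [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $Since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# Usage (illustrative):
#   $t = Get-Date
#   Set-NtdsDiagnosticsLevel -Setting 'Knowledge Consistency Checker' -Level 3 -Verbose
#   Get-DirectoryServiceEventsSince -Since $t
#   Set-NtdsDiagnosticsLevel -Setting 1 -Level 0    # back to the default when finished
```

Get-NtdsDiagnosticsLevel with no arguments is also a quick audit: any component not at 0 on a production DC is either someone's unfinished troubleshooting or an unexplained change worth a question.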
Diagnostics logging can be enabled by component. For example, if you determine the Knowledge Consistency Checker (KCC) is not completing every 15 minutes, you can enable diagnostics logging for the "1 Knowledge Consistency Checker" setting. These settings are stored under:

    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

By default, all settings are set to 0, which disables diagnostics logging, but you can increase a setting to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is good practice to ease your way up to 5, because some diagnostics logging settings can generate a large number of events in the Directory Service event log, which makes it difficult to read and increases resource utilization on the domain controller. Set the level back to 0 when you have finished troubleshooting.

Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that settings 20-24 are not available on Windows 2000-based domain controllers.

    1  Knowledge Consistency Checker
    2  Security Events
    3  ExDS Interface Events
    4  MAPI Interface Events
    5  Replication Events
    6  Garbage Collection
    7  Internal Configuration
    8  Directory Access
    9  Internal Processing
    10 Performance Counters
    11 Initialization/Termination
    12 Service Control
    13 Name Resolution
    14 Backup
    15 Field Engineering
    16 LDAP Interface Events
    17 Setup
    18 Global Catalog
    19 Inter-site Messaging
    20 Group Caching
    21 Linked-Value Replication
    22 DS RPC Client
    23 DS RPC Server
    24 DS Schema

15.2.4 See Also

MS KB 220940 (How to Enable Diagnostic Event Logging for Active Directory Services)

Recipe 15.3 Enabling NetLogon Logging

15.3.1 Problem

You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.
15.3.2 Solution

15.3.2.1 Using a command-line interface

To enable NetLogon logging, use the following command:

    > nltest /dbflag:0x2080ffff

To disable NetLogon logging, use the following command:

    > nltest /dbflag:0x0

15.3.3 Discussion

The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2080ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.

The NetLogon logging level is stored in the following registry value:

    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

If you set that registry value manually instead of using nltest, you'll need to restart the NetLogon service for it to take effect.

One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. Because it records account names, source workstations, and failure codes for every logon attempt, treat the file as sensitive and turn logging back off (nltest /dbflag:0x0) when you have finished. A tool available for Windows XP and Windows Server 2003 called nlparse can filter the contents of the netlogon.log file so that you see only certain types of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web site (assuming the tools haven't moved):

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

15.3.4 See Also

MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)
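Because netlogon.log grows quickly and nlparse may no longer be where the link above says, here is a small nlparse-style filter in PowerShell, added as an example that is not part of the original cookbook. It extracts the SamLogon result lines, maps each NTSTATUS code to its name, and groups failures by account and source host, which is the view you need when tracing the workstation behind a lockout. The log lines embedded in the block are constructed to match the netlogon.log layout (the process-ID field and the "(via ...)" forwarder are treated as optional because not every build writes them); point the parser at %SystemRoot%\Debug\netlogon.log for real data.

```powershell
# Added example (not from the cookbook): a minimal nlparse-style filter for netlogon.log.
# Pulls the SamLogon "Returns" lines, names the NTSTATUS code, and summarises failures
# per account and source workstation. Sample lines are constructed, not from a real DC.

$NtStatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Layout assumed (matches the constructed sample below):
#   MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <kind> logon of DOMAIN\user from WKS (via FWD) Returns 0x...
# "[pid]" and "(via FWD)" are optional.
$SamLogonReturns = [regex]'^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\](?: \[\d+\])? (?<domain>\S+): SamLogon: (?<kind>.+?) logon of (?<acct>\S+) from (?<src>\S+?)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-NetlogonLog {
    # Turn raw netlogon.log lines into objects; lines that are not SamLogon results are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $m = $SamLogonReturns.Match($line)
        if (-not $m.Success) { continue }
        # Normalise the code (case, leading zeros) so it keys into the table above.
        $code = '0x' + ([Convert]::ToUInt32($m.Groups['status'].Value.Substring(2), 16)).ToString('X')
        $statusName = if ($NtStatusNames.ContainsKey($code)) { $NtStatusNames[$code] } else { 'UNKNOWN' }
        [pscustomobject]@{
            Time       = $m.Groups['ts'].Value
            Domain     = $m.Groups['domain'].Value
            Kind       = $m.Groups['kind'].Value
            Account    = $m.Groups['acct'].Value
            Source     = $m.Groups['src'].Value
            Via        = $m.Groups['via'].Value
            Status     = $code
            StatusName = $statusName
            Failed     = ($code -ne '0x0')
        }
    }
}

function Get-LogonFailureSummary {
    # Failures grouped by account, source host and reason, busiest first.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Failed } |
        Group-Object Account, Source, StatusName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account = $first.Account; Source = $first.Source
                Via     = $first.Via;     Status = $first.StatusName; Count = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample log (not captured from a real domain controller).
$SampleLog = @'
03/15 08:02:11 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Returns 0x0
03/15 08:02:40 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\svc-backup from FS01 (via APP03) Returns 0xC000006A
03/15 08:02:41 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\svc-backup from FS01 (via APP03) Returns 0xC000006A
03/15 08:02:42 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\svc-backup from FS01 (via APP03) Returns 0xC0000234
03/15 08:03:05 [LOGON] [1420] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-042 Returns 0xC0000072
03/15 08:03:09 [MISC] [1420] DsGetDcName function called: client PID=812, Dom:CONTOSO Acct:(null) Flags: DS
03/15 08:03:20 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\nobody from WKS-099 Returns 0xC0000064
'@ -split "`r?`n"

$events = ConvertFrom-NetlogonLog -Lines $SampleLog
Get-LogonFailureSummary -Events $events | Format-Table -AutoSize

# Against a live DC (after nltest /dbflag:0x2080ffff has been running for a while):
#   $events = ConvertFrom-NetlogonLog -Lines (Get-Content "$env:SystemRoot\Debug\netlogon.log")
#   Get-LogonFailureSummary -Events $events | Where-Object Status -eq 'STATUS_ACCOUNT_LOCKED_OUT'
```

The Via column is the host that forwarded the request (a member server or application host); when a service account keeps locking out, that host, not the Source workstation, is usually where the stale credential lives.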