Active Directory Cookbook for Windows Server 2003 - P46

Run the following command to list your current tickets:

> klist tickets

Run the following command to purge your tickets:

> klist purge

14.17.3 Discussion

Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued one or more tickets. These tickets identify you as a certain principal in Active Directory and can be used to authenticate you to other Kerberized services. This type of ticket is known as a ticket-granting ticket, or TGT. Once you've obtained a TGT, the client can pass that to a Kerberized service and, if the service accepts the ticket, it will issue a service ticket that represents the client for the particular service.

Kerberos is a fairly complicated system that cannot be done justice in a single paragraph. If you want more information on tickets and how the Kerberos authentication system works, see Kerberos: The Definitive Guide (O'Reilly).

14.17.4 See Also

RFC 1510 (The Kerberos Network Authentication Service V5), and MS KB 232179 (Kerberos Administration in Windows 2000).

Recipe 14.18 Forcing Kerberos to Use TCP

14.18.1 Problem

Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.

14.18.2 Solution

14.18.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

3. Right-click on Parameters and select New → DWORD Value. Enter MaxPacketSize for the value name.

4. In the right pane, double-click on MaxPacketSize and enter 1.

5. Click OK.

Trang 2

14.18.2.2 Using a command-line interface

> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1

14.18.2.3 Using VBScript

' This code forces Kerberos to use TCP.
' - SCRIPT CONFIGURATION -
strComputer = "<ComputerName>" ' e.g. rallen-w2k3
' - END CONFIGURATION -
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set objReg = GetObject("winmgmts:\\" & strComputer & _
                       "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1
WScript.Echo "Kerberos forced to use TCP for " & strComputer

14.18.3 Discussion

If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous "There are currently no logon servers available to service the logon request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help identify if there is a problem with Kerberos is to have the users run the following command:

> netdiag /test:kerberos

Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur.

For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).
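The same MaxPacketSize change written in PowerShell, as an added example that is not from the Cookbook. It reads the value back before and after the write so you can confirm what is actually configured; the function names are my own, the registry path is the one from the Solution, and the default of 1 is the recipe's value (Kerberos messages larger than MaxPacketSize bytes are sent over TCP, so 1 pushes everything onto TCP).

```powershell
# Added example (not from the Cookbook): read and set the Kerberos MaxPacketSize
# value from Recipe 14.18 with PowerShell. Run elevated on the client whose
# Kerberos traffic you want forced onto TCP. Function names are my own.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the value is absent (OS default applies).
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.MaxPacketSize
}

function Set-KerberosForceTcp {
    # Kerberos messages larger than MaxPacketSize bytes go over TCP, so the recipe's
    # value of 1 effectively forces every request onto TCP.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([uint32]$MaxPacketSize = 1)

    if (-not (Test-Path -Path $KerberosParams)) {
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($KerberosParams, "Set MaxPacketSize to $MaxPacketSize")) {
        New-ItemProperty -Path $KerberosParams -Name MaxPacketSize -PropertyType DWord -Value $MaxPacketSize -Force | Out-Null
    }
}

"Before: MaxPacketSize = $(Get-KerberosMaxPacketSize)"
Set-KerberosForceTcp            # add -WhatIf to preview the write without making it
"After:  MaxPacketSize = $(Get-KerberosMaxPacketSize)"
```

After the change, purge the client's cached tickets (klist purge, Recipe 14.17) and retry the logon so the next KDC exchange is a fresh one; then re-run netdiag /test:kerberos to confirm the fragmentation symptom is gone.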

Recipe 14.19 Modifying Kerberos Settings

14.19.1 Problem

You want to modify the default Kerberos settings that define things such as maximum ticket lifetime.

14.19.2 Solution

14.19.2.1 Using a graphical user interface

1. Open the Domain Security Policy snap-in.

2. In the left pane, expand Account Policies → Kerberos Policy.

3. In the right pane, double-click on the setting you want to modify.

4. Enter the new value and click OK.


14.19.3 Discussion

There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.

Change the default settings with caution, as it could cause operational problems and compromise security if done incorrectly.

Table 14-1. Kerberos policy settings

Maximum tolerance for computer clock synchronization
    Default: 5 minutes

14.19.4 See Also

MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000).


Chapter 15. Logging, Monitoring, and Quotas

Introduction

Recipe 15.1 Enabling Extended dcpromo Logging

Recipe 15.2 Enabling Diagnostics Logging

Recipe 15.3 Enabling NetLogon Logging

Recipe 15.4 Enabling GPO Client Logging

Recipe 15.5 Enabling Kerberos Logging

Recipe 15.6 Enabling DNS Server Debug Logging

Recipe 15.7 Viewing DNS Server Performance Statistics

Recipe 15.8 Enabling Inefficient and Expensive LDAP Query Logging

Recipe 15.9 Using the STATS Control to View LDAP Query Statistics

Recipe 15.10 Using Perfmon to Monitor AD

Recipe 15.11 Using Perfmon Trace Logs to Monitor AD

Recipe 15.12 Enabling Auditing of Directory Access

Recipe 15.13 Creating a Quota

Recipe 15.14 Finding the Quotas Assigned to a Security Principal

Recipe 15.15 Changing How Tombstone Objects Count Against Quota Usage

Recipe 15.16 Setting the Default Quota for All Security Principals in a Partition

Recipe 15.17 Finding the Quota Usage for a Security Principal


This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, often the first place you look is log files. With Active Directory, there are several different log files, and each has different ways to increase or decrease the verbosity of information that is logged. Viewing log messages can be useful, but you may also want to look at performance metrics to determine if the system is being over-utilized. I'll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro's (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).

I'll also cover a somewhat-related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000 where users that had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disk filled on the domain controllers. This kind of attack is not likely to happen in most environments, but the possibility should still be considered.

The Anatomy of a Quota Object Container

Quota objects are stored in the NTDS Quotas container in all Windows Server 2003-based naming contexts and application partitions except the schema naming context (quotas cannot be associated with the schema naming context). By default, this container is hidden from view within tools such as Active Directory Users and Computers, but can be seen by selecting View → Advanced Features from the menu. The quota object container has an objectClass of msDS-QuotaContainer, and contains several attributes that define default quota behavior. Table 15-1 lists some of the important attributes of msDS-QuotaContainer objects.

Table 15-1. Attributes of msDS-QuotaContainer objects

cn
    RDN of quota container objects. By default, this is equal to NTDS Quotas.

msDS-DefaultQuota
    The default quota applied to all security principals that do not have another quota specification applied. See Recipe 15.16 for more details.

msDS-QuotaEffective
    A constructed attribute that contains the effective quota of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-QuotaUsed
    A constructed attribute that contains the quota usage of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-TombstoneQuotaFactor
    Percentage that tombstone objects count against a quota. The default is 100, which means a tombstone object has equal weighting to a normal object. See Recipe 15.15 for more details.

msDS-TopQuotaUsage
    Multivalued attribute that contains information about the security principals with the top quota usage. See Recipe 15.17 for more details.

The Anatomy of a Quota Object

Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that relate to quotas. Table 15-2 contains these attributes and provides a description for each.

Table 15-2. Attributes of msDS-QuotaControl objects

msDS-QuotaAmount
    Number of objects that can be created by the security principals that the quota applies to. See Recipe 15.13 for more information.

msDS-QuotaTrustee
    SID of the security principal that the quota applies to. This can be a user, group, or computer SID. See Recipe 15.13 for more information.
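To make the two anatomies concrete (the quota container of Table 15-1 and the quota objects of Table 15-2, which together are the defence the chapter introduction describes against a principal filling the directory with objects), here is an added PowerShell/ADSI example that is not from the Cookbook. It reads the NTDS Quotas container of the domain partition, asks explicitly for the constructed attributes, and lists each quota object with its trustee SID resolved to an account name. Function names are my own; the attribute names are the ones in the tables. It assumes it runs as a domain user on a machine that can reach a Windows Server 2003 (or later) domain controller.

```powershell
# Added example (not from the Cookbook): inspect the NTDS Quotas container and its
# quota objects with PowerShell/ADSI. Attribute names come from Tables 15-1 and 15-2;
# the function names are my own.
function Get-FirstValue($Properties, [string]$Name, $Default = $null) {
    # First value of an LDAP attribute from a search result, or $Default when absent.
    # ResultPropertyCollection keys are lowercase regardless of the schema casing.
    if ($Properties.Contains($Name) -and $Properties[$Name].Count -gt 0) { return $Properties[$Name][0] }
    return $Default
}

function Get-AdQuotaContainer {
    param([string]$Partition = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext'))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=NTDS Quotas,$Partition")
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=msDS-QuotaContainer)'
    # Constructed attributes (msDS-QuotaEffective, msDS-QuotaUsed) are only returned
    # when requested by name, and they describe the caller, not some other principal.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor',
        'msDS-QuotaEffective', 'msDS-QuotaUsed', 'msDS-TopQuotaUsage'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No NTDS Quotas container found in $Partition" }
    $p = $result.Properties
    [pscustomobject]@{
        Partition            = $Partition
        DefaultQuota         = [int](Get-FirstValue $p 'msds-defaultquota' -Default -1)   # -1 = unlimited
        TombstoneQuotaFactor = [int](Get-FirstValue $p 'msds-tombstonequotafactor' -Default 100)
        MyEffectiveQuota     = [int](Get-FirstValue $p 'msds-quotaeffective' -Default -1)
        MyQuotaUsed          = [int](Get-FirstValue $p 'msds-quotaused' -Default 0)
        TopQuotaUsage        = @($p['msds-topquotausage'])   # XML fragments, one per principal
    }
}

function Get-AdQuota {
    # One object per msDS-QuotaControl under the container, trustee SID resolved.
    param([string]$Partition = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext'))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=NTDS Quotas,$Partition")
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msDS-QuotaControl)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'msDS-QuotaAmount', 'msDS-QuotaTrustee'))
    foreach ($q in $searcher.FindAll()) {
        $sidBytes = [byte[]](Get-FirstValue $q.Properties 'msds-quotatrustee')
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '(unresolved)' }   # trustee deleted: the quota no longer protects anything
        [pscustomobject]@{
            Name    = [string](Get-FirstValue $q.Properties 'cn')
            Amount  = [int](Get-FirstValue $q.Properties 'msds-quotaamount' -Default -1)
            Trustee = $account
            Sid     = $sid.Value
        }
    }
}

Get-AdQuotaContainer | Format-List
Get-AdQuota | Sort-Object Amount -Descending | Format-Table -AutoSize
```

Two things worth checking in the output: a DefaultQuota of -1 on a partition where ordinary users can create objects means the Windows 2000 hole the introduction describes is still open there, and an unresolved trustee means a quota is pointing at a principal that no longer exists.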

Recipe 15.1 Enabling Extended dcpromo Logging

15.1.1 Problem

You want to enable extended dcpromo logging. This can be useful if you are experiencing problems during the promotion or demotion process and the dcpromo log files are not providing enough information to indicate the problem.

15.1.2 Solution

These solutions are slightly different on Windows 2000. See the Discussion section for more information. To enable the maximum amount of logging, use 16711683 (FF0003 in hexadecimal) as the flag value. For a complete description of the possible bit values, see MS KB 221254.


15.1.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui.

3. If the LogFlags value does not exist, right-click on dcpromoui in the left pane and select New → DWORD Value. For the name, enter LogFlags.

4. In the right pane, double-click on the LogFlags value and enter the flag value you want to set.

5. Click OK.

15.1.2.2 Using a command-line interface

In the following command, <FlagValue> needs to be the decimal version (not hexadecimal) of the flag value:

> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui /v "LogFlags" /t REG_DWORD /d <FlagValue>

15.1.2.3 Using VBScript

' This code sets the dcpromoui logging flag (for Windows Server 2003 only).
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g. dc01
intFlag = <FlagValue> ' Flag value in decimal, e.g. 16711683
' - END CONFIGURATION -
const HKLM = &H80000002
strDcpromoReg = "Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strDcpromoReg, "LogFlags", intFlag
WScript.Echo "Dcpromoui flag set to " & intFlag

15.1.3 Discussion

As described in Recipe 3.5, the dcpromo wizard creates a couple of log files in %SystemRoot%\debug when it is executed, which can be useful in troubleshooting promotion or demotion problems. Typically, the default amount of logging that is done in the dcpromoui.log file is sufficient to identify most problems, but you can increase it as described in the Solution section.

The location of the log flags registry value changed from Windows 2000 to Windows Server 2003. In Windows 2000, the value is located here:

HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui

In Windows Server 2003, the value is located here (which was used in the Solution section):

HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui\LogFlags

15.1.4 See Also

Recipe 3.5 for more on troubleshooting dcpromo problems, and MS KB 221254 (Registry Settings for Event Detail in the Dcpromoui.log File).

Recipe 15.2 Enabling Diagnostics Logging

15.2.1 Problem

You want to enable diagnostics event logging because the current level of logging is not providing enough information to help pinpoint the problem you are troubleshooting.

15.2.2 Solution

15.2.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics.

3. In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0-5) based on how much you want logged.

4. Click OK.

15.2.2.2 Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "<LoggingSetting>" /t REG_DWORD /d <0-5>

15.2.2.3 Using VBScript

' This code sets the specified diagnostics logging level.
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g. dc01
strLogSetting = "<LoggingSetting>" ' e.g. 1 Knowledge Consistency Checker
intFlag = <FlagValue> ' Flag value in decimal, e.g. 5
' - END CONFIGURATION -
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' The registry value name is the diagnostics setting itself
' (e.g. "1 Knowledge Consistency Checker"), not a fixed name.
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
             & " set to " & intFlag

15.2.3 Discussion

A useful way to troubleshoot specific problems you are encountering with Active Directory is to increase the diagnostics logging level. Diagnostics logging can be enabled by component. For example, if you determine the Knowledge Consistency Checker (KCC) is not completing every 15 minutes, you can enable diagnostics logging for the "1 Knowledge Consistency Checker" setting.

These settings are stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set to 0, which disables diagnostic logging, but you can increase it by setting it to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is a good practice to ease your way up to 5 because some diagnostics logging settings can generate a bunch of events in the event log, which may make it difficult to read, along with increasing resource utilization on the domain controller.

Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that settings 20-24 are not available on Windows 2000-based domain controllers.

1 Knowledge Consistency Checker

2 Security Events

3 ExDS Interface Events

4 MAPI Interface Events

5 Replication Events

6 Garbage Collection

7 Internal Configuration

8 Directory Access

9 Internal Processing

10 Performance Counters

11 Initialization/Termination

12 Service Control

13 Name Resolution

14 Backup

15 Field Engineering

16 LDAP Interface Events

17 Setup

18 Global Catalog

19 Inter-site Messaging

20 Group Caching

21 Linked-Value Replication

22 DS RPC Client

23 DS RPC Server

24 DS Schema
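An added PowerShell example, not from the Cookbook, that wraps the Solution above: it sets one diagnostics setting to a level, rejects anything outside 0-5 or any value name not in the list, and can audit every setting on a DC so you can see what was left turned up after a troubleshooting session. It uses Invoke-Command, so the target DC must accept WinRM (the default on current Windows Server; the VBScript in the Solution uses WMI instead). Function names are my own; the key path and the 24 value names are the ones listed in this recipe.

```powershell
# Added example (not from the Cookbook): set and audit NTDS diagnostics logging
# levels (Recipe 15.2) on a local or remote domain controller. Function names are
# my own; the key path and value names come from the recipe.
$NtdsDiagnostics = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Value names exactly as they appear under the Diagnostics key (20-24 are 2003-only).
$DiagnosticsSettings = @(
    '1 Knowledge Consistency Checker', '2 Security Events', '3 ExDS Interface Events',
    '4 MAPI Interface Events', '5 Replication Events', '6 Garbage Collection',
    '7 Internal Configuration', '8 Directory Access', '9 Internal Processing',
    '10 Performance Counters', '11 Initialization/Termination', '12 Service Control',
    '13 Name Resolution', '14 Backup', '15 Field Engineering', '16 LDAP Interface Events',
    '17 Setup', '18 Global Catalog', '19 Inter-site Messaging', '20 Group Caching',
    '21 Linked-Value Replication', '22 DS RPC Client', '23 DS RPC Server', '24 DS Schema'
)

function Get-NtdsDiagnosticsLevel {
    # Every diagnostics setting on the DC with its current level (0 = off, absent = 0).
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $props = Get-ItemProperty -Path $using:NtdsDiagnostics
        foreach ($name in $using:DiagnosticsSettings) {
            [pscustomobject]@{ Setting = $name; Level = [int]$props.$name }
        }
    }
}

function Set-NtdsDiagnosticsLevel {
    # Sets one setting to a level 0-5. Per the Discussion, step up gradually: level 5
    # on a busy component floods the Directory Service log and costs CPU on the DC.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Setting,
        [Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($DiagnosticsSettings -notcontains $Setting) {
        throw "Unknown diagnostics setting '$Setting'; use one of the 24 names under $NtdsDiagnostics"
    }
    if ($PSCmdlet.ShouldProcess("$ComputerName : $Setting", "Set level $Level")) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Set-ItemProperty -Path $using:NtdsDiagnostics -Name $using:Setting -Value $using:Level -Type DWord
        }
    }
}

# Usage: raise KCC logging to medium, then list everything that is no longer at 0.
Set-NtdsDiagnosticsLevel -Setting '1 Knowledge Consistency Checker' -Level 3
Get-NtdsDiagnosticsLevel | Where-Object { $_.Level -gt 0 } | Format-Table -AutoSize
```

Running Get-NtdsDiagnosticsLevel across all DCs after an incident is a cheap way to catch the common mistake of leaving a component at 5, which is the resource-utilization problem the Discussion warns about.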

15.2.4 See Also

MS KB 220940 (How to Enable Diagnostic Event Logging for Active Directory Services)

Recipe 15.3 Enabling NetLogon Logging

15.3.1 Problem

You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.


15.3.2 Solution

15.3.2.1 Using a command-line interface

To enable Netlogon logging, use the following command:

> nltest /dbflag:0x2080ffff

To disable Netlogon logging, use the following command:

> nltest /dbflag:0x0

15.3.3 Discussion

The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2000ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.

The NetLogon logging level is stored in the following registry value:

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

If you set that registry value manually, instead of using nltest, you'll need to restart the NetLogon service for it to take effect.

One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. A new tool available for Windows XP and Windows Server 2003 called nlparse can filter the contents of the netlogon.log file so that you'll only see certain types of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web site (assuming the tools haven't moved):

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

15.3.4 See Also

MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)
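The filtering that nlparse does for you can also be done with a few lines of PowerShell; the following is an added example that is not from the Cookbook or from the Account Lockout tools. It extracts the SamLogon "Returns" entries that netlogon.log writes at the 0x2080ffff level, maps the NTSTATUS codes that matter for lockout work to their names, and groups failures by account and source workstation so the machine generating bad passwords stands out. The sample log lines are constructed for this example (the account names, hosts and times are invented, the line layout follows the SamLogon entries); the function names are my own.

```powershell
# Added example (not from the Cookbook): a netlogon.log filter in the spirit of
# nlparse (Recipe 15.3). The log lines below are constructed for this example.
$SampleNetlogonLog = @'
06/10 13:25:33 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC02) Entered
06/10 13:25:33 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC02) Returns 0xC000006A
06/10 13:25:41 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC02) Returns 0xC000006A
06/10 13:25:49 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS01 Returns 0xC0000234
06/10 13:26:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS07 Returns 0x0
06/10 13:26:10 [MISC] DsGetDcName function called: client PID=1234, Dom:CONTOSO Acct:(null) Flags: DS
'@

# NTSTATUS codes that matter when chasing a lockout (PowerShell hashtables are
# case-insensitive, so 0xc000006a matches too).
$NetlogonStatus = @{
    '0x0'        = 'Success'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function ConvertFrom-NetlogonLog {
    # Parses SamLogon "Returns" lines into objects; "Entered" and non-LOGON lines are skipped.
    param([Parameter(Mandatory = $true)][string[]]$Line)
    $pattern = '^(?<time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?<domain>\S+): SamLogon: ' +
               '(?<kind>.+?) logon of (?<account>\S+) from (?<source>\S+)(?: \(via (?<via>\S+)\))? ' +
               'Returns (?<status>0x[0-9A-Fa-f]+)$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $code = $Matches.status
            [pscustomobject]@{
                Time    = $Matches.time
                Account = $Matches.account
                Source  = $Matches.source
                Via     = $Matches.via        # $null when the DC handled the logon itself
                Status  = $code
                Meaning = if ($NetlogonStatus.ContainsKey($code)) { $NetlogonStatus[$code] } else { 'Unknown' }
            }
        }
    }
}

function Get-NetlogonFailureSummary {
    # Failed logons grouped by account and source workstation, busiest first.
    param([Parameter(Mandatory = $true)][string[]]$Line)
    ConvertFrom-NetlogonLog -Line $Line |
        Where-Object { $_.Status -ne '0x0' } |
        Group-Object Account, Source |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                Source   = $_.Group[0].Source
                Failures = $_.Count
                Statuses = ($_.Group.Meaning | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Failures -Descending
}

# Usage against the constructed sample. On a DC, feed it the real file instead:
#   Get-NetlogonFailureSummary -Line (Get-Content "$env:SystemRoot\Debug\netlogon.log")
Get-NetlogonFailureSummary -Line ($SampleNetlogonLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample this reports three failures for CONTOSO\jdoe from WKS01 (two wrong passwords followed by a lockout), which is exactly the question a lockout investigation starts with: which workstation is sending the stale credentials. Because the Source column comes from what the client reported, treat it as a lead to verify on that machine, not as proof.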

Posted: 05/07/2014, 08:20
