Archive for January, 2011

Fun with Exchange 2000 in a legacy domain

January 26, 2011

I had an issue where multiple users were unable to access Outlook; they were receiving a password prompt upon launching the application. I needed to find out which Global Catalog server the Exchange server was binding to, which you can do with the trusty old netstat command piped to findstr (which just isn’t a patch on grep, sorry Microsoft):

C:\>netstat -a | findstr ":3268"  
TCP    exch-srv01:1170          DC13.your.domain.com:3268  CLOSE_WAIT 
TCP    exch-srv01:1171          DC13.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1174          DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1175          DC05.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1186          DC05.your.domain.com:3268  CLOSE_WAIT  
TCP    exch-srv01:1187          DC05.your.domain.com:3268  CLOSE_WAIT  
TCP    exch-srv01:1189          DC05.your.domain.com:3268  CLOSE_WAIT  
TCP    exch-srv01:1221          DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1223          DC05.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1237          DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1238          DC05.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1429          DC05.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1431          DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1910          DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:1911          DC05.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:5452          DC04.your.domain.com:3268  CLOSE_WAIT  
TCP    exch-srv01:10412         DC04.your.domain.com:3268  ESTABLISHED  
TCP    exch-srv01:10414         DC05.your.domain.com:3268  ESTABLISHED

C:\>

The output of the netstat command was a little worrying, as the Exchange server was only supposed to be bound to DC04 & DC05; DC13 was due to be decommissioned because it was very sick.
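The same check scripted, as an added example that is not part of the original post: parse `netstat -a` output, keep only the rows to the GC port (3268), and report any GC with live sessions that is not on the intended DC04/DC05 list. The sample is abridged from the output above plus one constructed port-389 row to show the port filter.

```python
import re
from collections import Counter, defaultdict

# Abridged from the post's `netstat -a | findstr ":3268"` output on exch-srv01;
# the final port-389 row is constructed to show that non-GC sessions are ignored.
NETSTAT_SAMPLE = """\
TCP    exch-srv01:1170          DC13.your.domain.com:3268  CLOSE_WAIT
TCP    exch-srv01:1171          DC13.your.domain.com:3268  ESTABLISHED
TCP    exch-srv01:1174          DC04.your.domain.com:3268  ESTABLISHED
TCP    exch-srv01:1175          DC05.your.domain.com:3268  ESTABLISHED
TCP    exch-srv01:1186          DC05.your.domain.com:3268  CLOSE_WAIT
TCP    exch-srv01:1221          DC04.your.domain.com:3268  ESTABLISHED
TCP    exch-srv01:5452          DC04.your.domain.com:3268  CLOSE_WAIT
TCP    exch-srv01:1433          DC04.your.domain.com:389   ESTABLISHED
"""

# Proto, local host:port, remote host:port, state (as printed by Windows netstat -a)
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")


def gc_sessions(netstat_text, gc_port=3268):
    """Return {remote_host: Counter(state -> count)} for connections to the GC port only."""
    sessions = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(4)) == gc_port:
            sessions[m.group(3).lower()][m.group(5)] += 1
    return sessions


def unexpected_gcs(sessions, intended, live_states=("ESTABLISHED",)):
    """GC hosts with live sessions that are not in the intended list. Hosts that only
    show CLOSE_WAIT are skipped: the far end has already closed those sockets."""
    intended = {h.lower() for h in intended}
    return sorted(h for h, states in sessions.items()
                  if h not in intended and any(states[s] for s in live_states))


if __name__ == "__main__":
    found = gc_sessions(NETSTAT_SAMPLE)
    for host, states in sorted(found.items()):
        print(host, dict(states))
    print("unexpected:", unexpected_gcs(found, ["DC04.your.domain.com", "DC05.your.domain.com"]))
```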

The resolution was easy enough: in System Manager, open the Exchange server’s properties, go to the Directory Access tab, uncheck Automatically discover servers and remove all but one GC to force the server to bind to a specific DC. Once it works, add the other GC(s) back in and re-enable automatic discovery.

NB: This is an excellent troubleshooting method if you’re having authentication problems with Exchange & don’t know which DC is causing the problem: just connect to each one in turn until you find the culprit.

[Screenshot: Bind to specific GC]

Now comes the fun of removing the metadata for DC13, as it wasn’t cleanly removed (DCPROMO failed to demote it). :-/

Too Many Passwords? NPS/RADIUS on Windows Server 2008

January 24, 2011

I had a requirement to add Network Policy Services to allow Active Directory authentication on Cisco devices:

Network Policy Server Setup for AD:

  • Create an AD global security group in the domain (cisco.admin below).
  • Install NPS components from the Roles console in Windows Server 2008.
  • Install Network Policy Server.
  • Install Routing and Remote Access Service.
    • Install Remote Access Service component.
    • Install Routing component.
  • Launch NPS Console.
  • Add the Cisco device as a RADIUS client (RADIUS Clients and Servers > RADIUS Clients > New):
    • Friendly Name:  Router1
    • IP Address:  192.168.1.254
    • Shared Secret:  CiscoRocks
    • Advanced > Vendor:  Cisco
  • Add a network policy (Policies > Network Policies > New):
    • Name:  CiscoAuth
    • Access Permission:  Granted
    • Conditions: Add > Windows Groups > cisco.admin
    • Constraints: Authentication > Unencrypted Authentication (PAP, SPAP)
    • Idle Timeout:  10 minutes
    • Settings:
      • Service-Type = Login
      • Framed-Protocol = PPP

RADIUS Setup for Cisco Device:

  • Configure a local user (the "local" method below falls back to it if RADIUS is unreachable).
  • Configure SSH.
  • Configure a Loopback interface (used as the RADIUS source address).
  • Apply the AAA configuration:

aaa new-model
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key CiscoRocks
aaa authentication login AUTH group radius group ADRADIUS local
ip radius source-interface Loopback0
aaa group server radius ADRADIUS
 server 192.168.1.10
line vty 0 4
 login authentication AUTH

  • Allow 1723 & GRE in any ACLs between hosts.
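The network policy above allows PAP, which in RADIUS terms means the user’s AD password travels in the User-Password attribute hidden only by the shared secret (RFC 2865 section 5.2). As an added example that is not part of the original post, here are the hiding step the Cisco device performs and the reversal NPS performs on receipt, in Python, using the post’s secret CiscoRocks with a constructed request authenticator and a constructed password. Anyone holding the shared secret and the packet recovers the password, which is why the secret should be long and random and RADIUS traffic kept on a trusted management segment.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 s5.2 does: pad to 16-byte blocks, then
    c(i) = p(i) XOR MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # chaining: the next mask depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server (NPS) performs it on receipt.
    Trailing NUL padding is stripped, so passwords must not end in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(plain).rstrip(b"\x00")


# Constructed sample: the post's shared secret, a fixed 16-byte authenticator
# (a real client draws a fresh random one per request) and a made-up password.
SECRET = b"CiscoRocks"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"Winter2011!"

if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    print("NPS recovers:", reveal_user_password(hidden, SECRET, AUTHENTICATOR))
```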

Debug Commands:

debug aaa authentication
debug radius authentication
term mon

Windows: service management with sc.exe

January 23, 2011

In a previous post, I listed the net start and net stop commands for managing services. The main drawback to these is that, while they are on every Windows system, they only work on local services.

I’m all for utilities that reduce the time it takes to get work done (that’s one of the reasons I’m so fond of the CLI), and to that end this post is about the Service Control (sc) utility, which lets you query & control services on remote servers and so avoids the need to RDP onto multiple servers to manage their services locally.

If you want to know which services are currently running on a remote server, DC1.your.domain.com for example, the following command will output a long list of services and their status:

C:\>sc \\DC1.your.domain.com query

If you want more information on a specific service, such as the Windows DNS Server, sc makes it easy to gather the required data. To start with, you can get the service’s display name:

C:\>sc \\DC1.your.domain.com GetDisplayName dns
[SC] GetServiceDisplayName SUCCESS  Name = DNS Server

You can also get the service’s description like so:

C:\>sc \\DC1.your.domain.com qdescription dns
[SC] GetServiceConfig SUCCESS 
SERVICE_NAME: dns        
    DESCRIPTION              : Enables DNS clients to resolve DNS names by
answering DNS queries and dynamic DNS update requests. If this service is
stopped, DNS updates will not occur. If this service is disabled, any
services that explicitly depend on it will fail to start.

You can quickly list the service configuration too:

C:\>sc \\DC1.your.domain.com qc dns
[SC] GetServiceConfig SUCCESS 
SERVICE_NAME       : dns        
TYPE               : 10  
WIN32_OWN_PROCESS        
START_TYPE         : 2   AUTO_START        
ERROR_CONTROL      : 1   NORMAL        
BINARY_PATH_NAME   : C:\WINDOWS\System32\dns.exe        
LOAD_ORDER_GROUP   :        
TAG                : 0        
DISPLAY_NAME       : DNS Server        
DEPENDENCIES       : Tcpip                          
                   : Afd                          
                   : RpcSs        
SERVICE_START_NAME : LocalSystem

NB: If you want extended information you can use the queryex parameter.

Then you can check the status of the service:

C:\>sc \\DC1.your.domain.com query dns 
SERVICE_NAME: dns        
TYPE               : 10  
WIN32_OWN_PROCESS        
STATE              : 4  RUNNING                                
                        (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)        
WIN32_EXIT_CODE    : 0  (0x0)        
SERVICE_EXIT_CODE  : 0  (0x0)        
CHECKPOINT         : 0x0        
WAIT_HINT          : 0x0

Finally once you’ve gathered all the information you need, you can stop & start the service if you need to:

C:\>sc \\DC1.your.domain.com stop dns
SERVICE_NAME: dns        
    TYPE               : 10  WIN32_OWN_PROCESS        
    STATE              : 3  STOP_PENDING                                
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x1        
    WAIT_HINT          : 0x5265c00
C:\>sc \\DC1.your.domain.com query dns
SERVICE_NAME: dns        
    TYPE               : 10  WIN32_OWN_PROCESS        
    STATE              : 1  STOPPED        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x0
C:\>sc \\DC1.your.domain.com start dns
SERVICE_NAME: dns        
    TYPE               : 10  
    WIN32_OWN_PROCESS        
    STATE              : 2  START_PENDING                                
                            (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x7d0        
    PID                : 608        
    FLAGS              :
C:\>sc \\DC1.your.domain.com query dns
SERVICE_NAME: dns        
    TYPE               : 10  
    WIN32_OWN_PROCESS        
    STATE              : 4  RUNNING                                
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x0
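When you run these queries against many servers you end up wanting the output as data rather than text. As an added example that is not part of the original post, here is a Python parser for the `sc qc` / `sc query` listing shown above, handling the three ways sc wraps values (TYPE split over two lines, the extra ": value" rows under DEPENDENCIES, and the bracketed control flags under STATE). The samples are copied from the post’s output.

```python
import re

# Copied (abridged) from the post's `sc \\DC1.your.domain.com qc dns` output
SC_QC_SAMPLE = """\
[SC] GetServiceConfig SUCCESS
SERVICE_NAME       : dns
TYPE               : 10
WIN32_OWN_PROCESS
START_TYPE         : 2   AUTO_START
BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\dns.exe
LOAD_ORDER_GROUP   :
DISPLAY_NAME       : DNS Server
DEPENDENCIES       : Tcpip
                   : Afd
                   : RpcSs
SERVICE_START_NAME : LocalSystem
"""

# Copied (abridged) from the post's `sc \\DC1.your.domain.com query dns` output
SC_QUERY_SAMPLE = """\
SERVICE_NAME: dns
TYPE               : 10
WIN32_OWN_PROCESS
STATE              : 4  RUNNING
                        (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
"""

FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")  # KEY : value
CONT_RE = re.compile(r"^\s*:\s*(.*?)\s*$")                 # extra ": value" row


def parse_sc_output(text):
    """Turn sc.exe's KEY : VALUE listing into {KEY: [values]}; any line that is
    not a new KEY is appended to the most recent key (wrapped values, flags, deps)."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("[SC]"):
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            fields[key] = [value] if value else []
        elif key is not None:
            m = CONT_RE.match(line)
            fields[key].append(m.group(1) if m else line.strip())
    return fields


def service_state(fields):
    """(numeric state, name) from a parsed `sc query`, e.g. (4, 'RUNNING')."""
    m = re.match(r"(\d+)\s+(\w+)", fields["STATE"][0])
    return int(m.group(1)), m.group(2)
```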

A list of sc parameters is as follows:

C:\>sc
DESCRIPTION:        
    SC is a command line program used for communicating with the        
    NT Service Controller and services.
USAGE:        
    sc <server> [command] [service name] <option1> <option2>...         

    The option <server> has the form "\\ServerName"        
    Further help on commands can be obtained by typing: "sc [command]"        
    Commands:          
        query-----------Queries the status for a service, or                          
        enumerates the status for types of services.          
        queryex---------Queries the extended status for a service, or                          
                        enumerates the status for types of services.          
        start-----------Starts a service.          
        pause-----------Sends a PAUSE control request to a service.          
        interrogate-----Sends an INTERROGATE control request to a service.          
        continue--------Sends a CONTINUE control request to a service.          
        stop------------Sends a STOP request to a service.          
        config----------Changes the configuration of a service (persistant).          
        description-----Changes the description of a service.          
        failure---------Changes the actions taken by a service upon failure.          
        sidtype---------Changes the service SID type of a service.          
        qc--------------Queries the configuration information for a service.          
        qdescription----Queries the description for a service.          
        qfailure--------Queries the actions taken by a service upon failure.          
        qsidtype--------Queries the service SID type of a service.          
        delete----------Deletes a service (from the registry).          
        create----------Creates a service. (adds it to the registry).          
        control---------Sends a control to a service.          
        sdshow----------Displays a service's security descriptor.          
        sdset-----------Sets a service's security descriptor.          
        showsid---------Displays the service SID string corresponding to an
                        arbitrary name.          
        GetDisplayName--Gets the DisplayName for a service.          
        GetKeyName------Gets the ServiceKeyName for a service.          
        EnumDepend------Enumerates Service Dependencies.         

    The following commands don't require a service name:        
    sc <server> <command> <option>          
        boot------------(ok | bad) Indicates whether the last boot should                          
        be saved as the last-known-good boot configuration          
        Lock------------Locks the Service Database          
        QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:        
    sc start MyService 
Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]: n

No inter-VLAN comms? A classic example of KISS

January 22, 2011

So, here’s the problem (exhibit below):

  • You have 2 VLANs terminated on a firewall with discrete subnets (VLAN100 & VLAN200).
  • Both VLANs are configured identically.
  • VLAN100 has subnet 192.168.192.192/28.
  • VLAN200 has subnet 192.168.192.208/28.
  • The VLANs lead to two separate virtual servers on the same physical host (vServer1 & vServer2).
  • VLAN100 has full IP connectivity to other VLANs and to the Internet.
  • The virtual server on VLAN200 can PING the default gateway on the Firewall.
  • The firewall can PING the virtual server on VLAN200.
  • The virtual server on VLAN200 can’t reach any other IP-connected host or interface, including the virtual server on the same physical host.

What’s the solution?

[Diagram: VLAN Configuration]

Drum roll please…

The default gateway on vServer2 had been set to the network address of: 192.168.192.208 instead of the actual next hop of 192.168.192.209.
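A quick way to catch exactly this mistake before trawling through configs, added here as an example that is not part of the original post: given a host’s address/prefix and its configured gateway, flag a gateway that is the network address, the broadcast address, outside the subnet, or the host itself. The host addresses .194 and .210 are constructed; the subnets and gateways are the ones from the post.

```python
import ipaddress


def check_default_gateway(host_cidr, gateway):
    """Return the reasons `gateway` cannot serve as the default gateway for a host
    configured as `host_cidr` (e.g. '192.168.192.210/28'); [] means it is usable."""
    host = ipaddress.ip_interface(host_cidr)
    net = host.network
    gw = ipaddress.ip_address(gateway)
    if gw.version != host.ip.version:
        return [f"{gw} and {host.ip} are different IP versions"]
    problems = []
    if gw not in net:
        problems.append(f"{gw} is outside the host's subnet {net}")
    elif net.prefixlen <= net.max_prefixlen - 2:
        # /31 and /127 point-to-point links have no network/broadcast address (RFC 3021)
        if gw == net.network_address:
            problems.append(f"{gw} is the network address of {net}, not a host")
        elif gw == net.broadcast_address:
            problems.append(f"{gw} is the broadcast address of {net}, not a host")
    if gw == host.ip:
        problems.append(f"{gw} is the host's own address")
    return problems


def audit(vservers):
    """vservers: {name: (host_cidr, gateway)} -> {name: [problems]} for the bad ones only."""
    return {n: p for n, (cidr, gw) in vservers.items() if (p := check_default_gateway(cidr, gw))}


# Constructed from the post: vServer1 on VLAN100 is fine; vServer2 on VLAN200 points at
# the network address 192.168.192.208 instead of the firewall's 192.168.192.209.
VSERVERS = {
    "vServer1": ("192.168.192.194/28", "192.168.192.193"),
    "vServer2": ("192.168.192.210/28", "192.168.192.208"),
}

if __name__ == "__main__":
    for name, problems in audit(VSERVERS).items():
        print(name, "->", "; ".join(problems))
```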

Moral of the story: Always verify the obvious, in spite of assurances from Windows Admins and Keep It Simple Stupid!

Can’t believe I wasted 30 minutes trawling through configs for this! Grumble, grumble…

VBScript for Active Directory SID to Name Resolution

January 21, 2011

I had a requirement to resolve a SID from another domain after normal SID-to-name resolution failed:

' Bind to the other domain (not used further here; confirms the LDAP path is reachable)
Set objDomain = GetObject("LDAP://dc=corporate,dc=contoso,dc=com")

' Domain controller in the other domain whose WMI provider will do the lookup
strComputer = "DC1"

' Connect to WMI on that DC using credentials from the other domain.
' %USERNAME% and %PASSWORD% are placeholders to fill in; VBScript does not expand them.
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer _
    (strComputer, "root\cimv2", "CORPORATE\%USERNAME%", "%PASSWORD%")
objSWbemServices.Security_.ImpersonationLevel = 3   ' wbemImpersonationLevelImpersonate

' Ask the Win32_SID class on that DC to translate the SID into an account name
Set objAccount = objSWbemServices.Get _
    ("Win32_SID.SID='S-1-2-34-567891234-5678912345-678912345-67890'")
Wscript.Echo objAccount.AccountName

Set objDomain = Nothing
Set objSWbemLocator = Nothing
Set objSWbemServices = Nothing
Set objAccount = Nothing

If you want to go the other way and look up the SID for a given user name, just replace:

("Win32_SID.SID='S-1-2-34-567891234-5678912345-678912345-67890'")
Wscript.Echo objAccount.AccountName

with:

("Win32_UserAccount.Name='%USERNAME%',Domain='CORPORATE'")
Wscript.Echo objAccount.SID

VBScript to Bulk Update UPNs in Active Directory

January 20, 2011

I had a requirement to harvest all the users in a domain into an Excel spreadsheet, then update the ones with the wrong UPN after some faceless entity added the wrong UPN to a number of user accounts:

sDomain = "testlab"

' NameTranslate: 3 = ADS_NAME_INITTYPE_GC (bind to a global catalog)
Set oADconn = CreateObject("NameTranslate")
oADconn.Init 3, ""

' Open Excel and write the column headings
Set oExcel = WScript.CreateObject("Excel.Application")
With oExcel
    .Visible = True
    .Workbooks.Add
    .Range("A1:C1").Select
    .Selection.Font.Bold = True
    .Cells(1, 1).Value = "Display Name"
    .Cells(1, 2).Value = "sAMAccountName"
    .Cells(1, 3).Value = "UPN Suffix"
    .ActiveSheet.Range("A2").Activate
End With

' Enumerate every user account in the domain through the WinNT provider
Set objDomainUsers = GetObject("WinNT://" & sDomain & ",domain")
objDomainUsers.Filter = Array("User")
On Error Resume Next   ' skip accounts that fail to translate or bind rather than abort the run
For Each oUserAcct In objDomainUsers
    ' Translate DOMAIN\user (3 = ADS_NAME_TYPE_NT4) into a distinguished name (1 = ADS_NAME_TYPE_1779)
    oADconn.Set 3, sDomain & "\" & oUserAcct.Name
    sUserDN = oADconn.Get(1)
    Set oUser = GetObject("LDAP://" & sUserDN)
    sName = oUser.sAMAccountName
    sUPN = oUser.userPrincipalName
    x = InStr(sUPN, "@")
    sUPNSuffix = Mid(sUPN, x + 1)

    ' Write one row (display name, sAMAccountName, UPN), then move to column A of the next row
    oExcel.ActiveCell.Value = oUser.displayName
    oExcel.ActiveCell.Offset(0, 1).Activate
    oExcel.ActiveCell.Value = oUser.sAMAccountName
    oExcel.ActiveCell.Offset(0, 1).Activate
    oExcel.ActiveCell.Value = sUPN
    oExcel.ActiveCell.Offset(0, 1).Activate
    oExcel.ActiveCell.Offset(1, -3).Activate

    ' Correct the accounts that were given the wrong suffix
    If sUPNSuffix = "testlab.priv" Then
        oUser.userPrincipalName = sName & "@corporate.test.int"
        oUser.SetInfo
    End If
Next
oExcel.Application.Quit

Cross Forest User Lookup LDAP Query Script

January 19, 2011

I had a requirement to query users over an external trust between two AD forests, so here it is:

Const ADS_SCOPE_SUBTREE = 2
Set rootDSE = GetObject("LDAP://rootDSE")   ' local forest's rootDSE (not used below)

' ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Naming the trusted forest's DNS domain in the LDAP path is what sends the
' query across the trust instead of to the local forest.
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = "SELECT * FROM 'LDAP://corporate.contoso.com/" & _
    "dc=corporate,dc=contoso,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

' Execute already leaves the cursor on the first row; MoveFirst would fail on an empty result
Do Until objRecordSet.EOF
    Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
    strDistinguishedName = objType.distinguishedName
    WScript.Echo strDistinguishedName
    objRecordSet.MoveNext
Loop

Does exactly what it says on the tin.