Archive for January, 2011

Fun with Exchange 2000 in a legacy domain

January 26, 2011 Leave a comment

I had an issue where multiple users were unable to access Outlook.  They were receiving a password prompt upon launching the application.  I needed to find out which Global Catalog server the Exchange server was binding to, which you can do with the trusty old netstat command piped to findstr (which just isn’t a patch on grep, sorry Microsoft):

C:\>netstat -a | findstr ":3268"  
TCP    exch-srv01:1170  CLOSE_WAIT 
TCP    exch-srv01:1171  ESTABLISHED  
TCP    exch-srv01:1174  ESTABLISHED  
TCP    exch-srv01:1175  ESTABLISHED  
TCP    exch-srv01:1186  CLOSE_WAIT  
TCP    exch-srv01:1187  CLOSE_WAIT  
TCP    exch-srv01:1189  CLOSE_WAIT  
TCP    exch-srv01:1221  ESTABLISHED  
TCP    exch-srv01:1223  ESTABLISHED  
TCP    exch-srv01:1237  ESTABLISHED  
TCP    exch-srv01:1238  ESTABLISHED  
TCP    exch-srv01:1429  ESTABLISHED  
TCP    exch-srv01:1431  ESTABLISHED  
TCP    exch-srv01:1910  ESTABLISHED  
TCP    exch-srv01:1911  ESTABLISHED  
TCP    exch-srv01:5452  CLOSE_WAIT  
TCP    exch-srv01:10412  ESTABLISHED  
TCP    exch-srv01:10414  ESTABLISHED


The output of the netstat command was a little worrying as the Exchange server was only set to bind to DC04 & DC05 because DC13 was to be decommissioned as it was very sick.

The resolution was easy enough; you just need to uncheck Automatically discover servers and remove all but one GC in the Directory Access tab of the Exchange servers properties dialog in the System manager to force it to bind to a specific DC.  Once it works add the other GC(s) back in and enable automatically discover again.

NB: This is an excellent troubleshooting method if you’re having authentication problems with Exchange &  don’t know which DC is causing the problem; just connect to each one in turn until you find the culprit.

Bind to specific GC

Now comes the fun of removing the meta-data for DC13 as it wasn’t cleanly removed (DCPROMO failed to de-promote).  :-/

Too Many Passwords? NPS/RADIUS on Windows Server 2008

January 24, 2011 Leave a comment

I had a requirement to add Network Policy Services to allow Active Directory Authentication on Cisco devices:

Network Policy Server Setup for AD:

  • Create AD global security group in domain.
  • Install NPS components from the Roles console in Windows Server 2008.
  • Install Network Policy Server.
  • Install Routing and Remote Access Service.
    • Install Remote Access Service component.
    • Install Routing component.
  • Launch NPS Console.
  • Add Remote Access Clients (Radius Clients and Servers > Radius Clients > New):
    • Friendly Name:  Router1
    • IP Address:
    • Shared Secret:  CiscoRocks
    • Advanced > Vendor:  Cisco
    • Added remote access policy(Policies > Network Policies > New):
      • Name:  CiscoAuth
      • Access Permission:  Granted
      • Conditions: Add > Windows Groups > cisco.admin
      • Constraints: Authentication > Unencrypted Authentication PAP, SPAP
      • Idle Timeout:  10 minutes
      • Settings:
        • Service-Type = Login
        • Framed-Protocol = PPP

RADIUS Setup for Cisco Device:

  • Configure local user.
  • Configure SSH.
  • Configure Loopback
  • aaa new-model
  • radius-server host auth-port 1645 acct-port 1646 key CiscoRocks
  • aaa authentication login AUTH group radius group ADRADIUS local
  • ip radius source-interface Loopback0
  • aaa group server radius ADRADIUS
  • server
  • line vty 0 4
  • login authentication AUTH
  • Allow 1723 & GRE in any ACLs between hosts.

Debug Commands:

debug aaa authentication
debug radius authentication
term mon

Windows: service management with sc.exe

January 23, 2011 Leave a comment

In a previous post, I listed the net start and net stop commands for managing services.  The main drawback to these is that while they are on every Windows System, they only work on local services.

I’m all for utilities that reduce the amount of time it takes to get work done more efficiently (That’s one of the reasons I’m so fond of the CLI) and to that end, this post is about the Service Control (sc) utility that allows one to query & control services on remote servers, thus avoiding the need to RDP onto multiple servers and manage local services.

If you want to know which services are currently running on a remote server; for example, running the following command will output a long list of services and their status:

C:\>sc \\ query

If you want more information on a specific service, such as a Windows DNS Server sc makes it easy to gather the required data.  To start with you can get the services display name:

C:\>sc \\ GetDisplayName dns
[SC] GetServiceDisplayName SUCCESS  Name = DNS Server

You can also get the services description like so:

C:\>sc \\ qdescription dns
[SC] GetServiceConfig SUCCESS 
SERVICE_NAME: dns        
    DESCRIPTION              : Enables DNS clients to resolve DNS names by
answering DNS queries and dynamic DNS update requests. If this service is
stopped, DNS updates will not occur. If this service is disabled, any
services that explicitly depend on it will fail to start.

You can quickly list the service configuration too:

C:\>sc \\ qc dns
[SC] GetServiceConfig SUCCESS 
SERVICE_NAME       : dns        
TYPE               : 10  
START_TYPE         : 2   AUTO_START        
ERROR_CONTROL      : 1   NORMAL        
BINARY_PATH_NAME   : C:\WINDOWS\System32\dns.exe        
LOAD_ORDER_GROUP   :        
TAG                : 0        
DISPLAY_NAME       : DNS Server        
DEPENDENCIES       : Tcpip                          
                   : Afd                          
                   : RpcSs        

NB: If you want extended information you can use the queryex parameter.

Then you can check the status of the service:

C:\>sc \\ query dns 
SERVICE_NAME: dns        
TYPE               : 10  
STATE              : 4  RUNNING                                
WIN32_EXIT_CODE    : 0  (0x0)        
SERVICE_EXIT_CODE  : 0  (0x0)        
CHECKPOINT         : 0x0        
WAIT_HINT          : 0x0

Finally once you’ve gathered all the information you need, you can stop & start the service if you need to:

C:\>sc \\ stop dns
SERVICE_NAME: dns        
    TYPE               : 10  WIN32_OWN_PROCESS        
    STATE              : 3  STOP_PENDING                                
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x1        
    WAIT_HINT          : 0x5265c00
C:\>sc \\ query dns
SERVICE_NAME: dns        
    TYPE               : 10  WIN32_OWN_PROCESS        
    STATE              : 1  STOPPED        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x0
C:\>sc \\ start dns
SERVICE_NAME: dns        
    TYPE               : 10  
    STATE              : 2  START_PENDING                                
                            (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x7d0        
    PID                : 608        
    FLAGS              :
C:\>sc \\ query dns
SERVICE_NAME: dns        
    TYPE               : 10  
    STATE              : 4  RUNNING                                
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)        
    WIN32_EXIT_CODE    : 0  (0x0)        
    SERVICE_EXIT_CODE  : 0  (0x0)        
    CHECKPOINT         : 0x0        
    WAIT_HINT          : 0x0

A list of sc parameters is as follows:

    SC is a command line program used for communicating with the        
    NT Service Controller and services.
    sc <server> [command] [service name] <option1> <option2>...         

    The option <server> has the form "\\ServerName"        
    Further help on commands can be obtained by typing: "sc [command]"        
        query-----------Queries the status for a service, or                          
        enumerates the status for types of services.          
        queryex---------Queries the extended status for a service, or                          
                        enumerates the status for types of services.          
        start-----------Starts a service.          
        pause-----------Sends a PAUSE control request to a service.          
        interrogate-----Sends an INTERROGATE control request to a service.          
        continue--------Sends a CONTINUE control request to a service.          
        stop------------Sends a STOP request to a service.          
        config----------Changes the configuration of a service (persistant).          
        description-----Changes the description of a service.          
        failure---------Changes the actions taken by a service upon failure.          
        sidtype---------Changes the service SID type of a service.          
        qc--------------Queries the configuration information for a service.          
        qdescription----Queries the description for a service.          
        qfailure--------Queries the actions taken by a service upon failure.          
        qsidtype--------Queries the service SID type of a service.          
        delete----------Deletes a service (from the registry).          
        create----------Creates a service. (adds it to the registry).          
        control---------Sends a control to a service.          
        sdshow----------Displays a service's security descriptor.          
        sdset-----------Sets a service's security descriptor.          
        showsid---------Displays the service SID string corresponding to an
                        arbitrary name.          
        GetDisplayName--Gets the DisplayName for a service.          
        GetKeyName------Gets the ServiceKeyName for a service.          
        EnumDepend------Enumerates Service Dependencies.         

    The following commands don't require a service name:        
    sc <server> <command> <option>          
        boot------------(ok | bad) Indicates whether the last boot should                          
        be saved as the last-known-good boot configuration          
        Lock------------Locks the Service Database          
        QueryLock-------Queries the LockStatus for the SCManager Database
    sc start MyService 
Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]: n

No inter-VLAN comms? A classic example of KISS

January 22, 2011 Leave a comment

So, here’s the problem (exhibit below):

  • You have 2 VLANs terminated on a firewall with discrete subnets (VLAN100 & VLAN200).
  • Both VLANs are configured identically.
  • VLAN100 has subnet
  • VLAN200 has subnet
  • The VLANs lead to two separate virtual servers on the same physical host (vServer1 & vServer2).
  • VLAN100 has full IP connectivity to other VLANs and to the Internet.
  • The virtual server on VLAN200 can PING the default gateway on the Firewall.
  • The firewall can PING the virtual server on VLAN200.
  • The virtual server on VLAN200 can’t reach any other IP connected host or interface including the virtual server on the same physical host.

What’s the solution?

VLAN Configuration

Drum roll please…

The default gateway on vServer2 had been set to the network address of: instead of the actual next hop of

Moral of the story: Always verify the obvious, in spite of assurances from Windows Admins and Keep It Simple Stupid!

Can’t believe I wasted 30 minutes trawling through configs for this! Grumble, grumble…

VBScript for Active Directory SID to Name Resolution

January 21, 2011 Leave a comment

I had a requirement to query a SID from another domain after SID to name resolution failed:

Set objDomain = GetObject("LDAP://dc=corporate,dc=contoso,dc=com")
strComputer = "DC1"
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer _
(strComputer, "root\cimv2", "CORPORATE\%USERNAME%", "%PASSWORD%")
objSWbemServices.Security_.ImpersonationLevel = 3

Set objAccount = objSWbemServices.Get _
Wscript.Echo objAccount.AccountName

Set objDomain = Nothing
Set objSWbemLocator = Nothing
Set objSWbemServices = Nothing
Set objAccount = Nothing

If you want to query the user name for it’s associated SID, just replace:

Wscript.Echo objAccount.AccountName


Wscript.Echo objAccount.SID

VBScript to Bulk Update UPNs in Active Directory

January 20, 2011 Leave a comment

I had a requirement to harvest all the users in a domain into an Excel spreadsheet then update the ones with the wrong UPN after some faceless entity added the wrong UPN to a number of user accounts:


Set oADconn = CreateObject("NameTranslate")
oADconn.Init 3, ""

Set oExcel= WScript.CreateObject("excel.application")
With oExcel
 .Visible = True
 .Selection.Font.Bold = True
 .Cells(1,1).Value = "Display Name"
 .Cells(1,2).Value = "sAMAccountName"
 .Cells(1,3).Value = "UPN Suffix"
End With

Set objDomainUsers = GetObject("WinNT://" & sDomain & ",domain")
objDomainUsers.Filter = Array("User")
On Error Resume Next
For Each oUserAcct In objDomainUsers
 oADconn.Set 3, sDomain & "\" & oUserAcct.Name
 sUserDN = oADconn.Get(1)
 Set oUser = GetObject("LDAP://" & sUserDN)
 if supnsuffix="testlab.priv" then
 oUser.userprincipalname=sname & ""
 end if

Cross Forest User Lookup LDAP Query Script

January 19, 2011 Leave a comment

I had a requirement to query users over an external trust between two AD forests, so here it is:

Set rootDSE = GetObject("LDAP://rootDSE")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = "SELECT * FROM 'LDAP://" _
"dc=corporate,dc=contoso,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
strDistinguishedName = objType.distinguishedName
wscript.echo strDistinguishedName

Does exactly what it says on the tin.