Saturday, April 25, 2009

System Administrator Job Interview Questions – Part 3

How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type replmon

What is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

Why not make all DCs in a large forest as GCs?

There can be replication traffic issues. Also, in a single-domain forest there is no reason for multiple GCs; in a multiple-domain forest, a single GC and an infrastructure master (on separate servers) for each domain will do.

What are the Support Tools? Why do I need them?

You need them because you cannot properly manage an Active Directory network without them.

Here they are; it would do you well to familiarize yourself with all of them.

Acldiag.exe Adsiedit.msc Bitsadmin.exe Dcdiag.exe Dfsutil.exe
Dnslint.exe Dsacls.exe Iadstools.dll Ktpass.exe Ldp.exe
Netdiag.exe Netdom.exe Ntfrsutl.exe Portqry.exe Repadmin.exe
Replmon.exe Setspn.exe

What is LDP?

LDP (Ldp.exe) is the LDAP client tool in the Windows Server 2003 Support Tools; it is useful when migrating a directory from OpenLDAP to the Microsoft platform.


What is REPLMON?

Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.

Friday, April 24, 2009

System Administrator Job Interview Questions – Part 2

What is the SYSVOL folder?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.

You can go to the SYSVOL folder by typing: %systemroot%\sysvol

Name the AD NCs and replication issues for each NC

  • Schema NC
  • Configuration NC
  • Domain NC

Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.

Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.

Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest.
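The three NCs and the application partitions described above can be told apart from the crossRef objects in CN=Partitions of the Configuration NC. The following PowerShell script is an added example and not part of the original post; it assumes a domain-joined Windows machine and a domain user account, and reads the crossRef attributes nCName, systemFlags and msDS-NC-Replica-Locations (the last one lists the DCs that hold a replica of an application partition). The flag values are the documented FLAG_CR_NTDS_NC and FLAG_CR_NTDS_DOMAIN bits of systemFlags.

```powershell
# Added example (not from the original post): list the forest's naming contexts
# and classify each as Schema, Configuration, Domain or Application partition.
# Assumptions: run on a domain-joined Windows machine as a domain user.
$FLAG_CR_NTDS_NC     = 0x1   # crossRef points at an NC hosted by this forest
$FLAG_CR_NTDS_DOMAIN = 0x2   # the NC is a domain NC

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext

# All partitions of the forest are registered as crossRef objects here.
$partitions = [ADSI]("LDAP://CN=Partitions," + $configNc)
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter      = "(objectClass=crossRef)"
$searcher.SearchScope = "OneLevel"
[void]$searcher.PropertiesToLoad.AddRange(@("nCName", "systemFlags", "msDS-NC-Replica-Locations"))

foreach ($result in $searcher.FindAll()) {
    $props  = $result.Properties
    $ncName = [string]$props["ncname"][0]
    $flags  = 0
    if ($props["systemflags"].Count -gt 0) { $flags = [int]$props["systemflags"][0] }

    # External crossRefs refer to directories outside this forest; skip them.
    if (($flags -band $FLAG_CR_NTDS_NC) -eq 0) { continue }

    if ($ncName -eq $schemaNc) {
        $kind = "Schema NC (replicated to every DC in the forest)"
    } elseif ($ncName -eq $configNc) {
        $kind = "Configuration NC (replicated to every DC in the forest)"
    } elseif (($flags -band $FLAG_CR_NTDS_DOMAIN) -ne 0) {
        $kind = "Domain NC (replicated to the DCs of that domain)"
    } else {
        $kind = "Application partition (replicated only to the DCs listed below)"
    }
    Write-Output ("{0}`n    {1}" -f $ncName, $kind)

    # For application partitions, msDS-NC-Replica-Locations holds the DNs of the
    # NTDS Settings objects of the DCs that hold a replica; print the DC name.
    foreach ($dn in $props["msds-nc-replica-locations"]) {
        if ([string]$dn -match '^CN=NTDS Settings,CN=([^,]+),') {
            Write-Output ("    replica on DC: " + $Matches[1])
        }
    }
}
```

In a default forest the output shows the Schema and Configuration NCs, one Domain NC per domain, and the DomainDnsZones/ForestDnsZones application partitions with the DNS servers that hold them; an application partition with only one replica location is a single point of failure for that application's data.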

How do you create a new application partition?

When you create an application directory partition, you are creating the first instance of this partition. You can create an application directory partition by using the create nc option in the domain management menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a description.

To create or delete an application directory partition

  1. Open Command Prompt.
  2. Type: ntdsutil
  3. At the ntdsutil command prompt, type: domain management
  4. At the domain management command prompt, do one of the following:
     • To create an application directory partition, type:
       create ncApplicationDirectoryPartitionDomainCo...

References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.

System Administrator Job Interview Questions – Part 1

What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

What is LDAP?

LDAP is an Internet standard protocol used by applications to access information in a directory. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services (including directories used by SAP, Domino, etc).

Where is the AD database held? What other folders are related to AD?

The AD database is saved in %systemroot%\ntds. You can see other files in this folder as well. These are the main files controlling the AD structure:

  • ntds.dit
  • edb.log
  • res1.log
  • res2.log
  • edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files.

References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.

Sunday, April 19, 2009

Troubleshooting: “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials” when website is configured to use Anonymous Authentication in IIS 6.0 with default IUSR account.

Alright, I know what might have caused this. But how do I fix it?

In IIS 6.0, it is possible to use sub-authentication to manage passwords for anonymous accounts; to do so, your configuration must meet the following requirements:

  • For applications for which you grant anonymous access, the worker process must run as LocalSystem.
  • The sub-authentication component, Iissuba.dll, must be registered.
  • The AnonymousPasswordSync metabase property must be enabled (set to true).

This is something I hope most of us will never want to do, and we all know why, so I don't think I need to spell it out: the potential security risk. So what is the alternative? The preferred solution is to manually synchronize the username/password of the anonymous user principal in IIS with that of the real user principal. So let's see what we can do to get it fixed:

1. The first place to start troubleshooting this issue is the Security log in Event Viewer, and what we are looking for are logon failure events.

2. The failure event tells us why the authentication for the anonymous user principal (IUSR) is failing; it may list reasons such as the following:

  • Logon Failure: Reason: Unknown user name or bad password
  • Logon Failure: Reason: Account locked
  • Logon Failure: Reason: User not allowed to logon at this computer
  • Logon Failure: Reason: The user has not been granted the requested logon type at this machine
  • Logon Failure: Reason: Account logon time restriction violation

3. So now we know exactly what has caused it, and hence it is easy to fix:
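Steps 1 to 3 can be done in one pass from the Security log. The following PowerShell function is an added example and not part of the original post: it pulls the logon-failure audits that mention the IIS anonymous account, extracts the "Reason:" line from each event and maps it to the fix sections that follow. It assumes it is run on the IIS 6.0 server with rights to read the Security log and that the anonymous account is the default IUSR_<computername>; the function name Get-AnonymousLogonFailures is this example's own.

```powershell
# Added example (not from the original post): triage Security-log logon failures
# for the IIS anonymous account. Assumes local Security-log read access and the
# default IUSR_<computername> account; reason strings are the ones listed above.
function Get-AnonymousLogonFailures {
    param(
        [string]$Account = ("IUSR_" + $env:COMPUTERNAME),
        [int]$Newest = 5000
    )

    # Reason text as written in the Logon Failure audit -> fix section to apply.
    $fixFor = @{
        "Unknown user name or bad password" =
            "Fixing: Bad username or Unknown password (sync the metabase password)"
        "Account locked" =
            "Fixing: Account locked"
        "User not allowed to logon at this computer" =
            "Fixing: User not allowed to logon at this computer"
        "The user has not been granted the requested logon type at this machine" =
            "Fixing: The user has not been granted the requested logon type at this machine"
        "Account logon time restriction violation" =
            "Fixing: Account logon time restriction violation"
    }

    $pattern = [regex]::Escape($Account)
    $events  = Get-EventLog -LogName Security -EntryType FailureAudit -Newest $Newest |
        Where-Object { $_.Message -match $pattern }

    $summary = @{}
    foreach ($event in $events) {
        $reason = "(no reason recorded)"
        if ($event.Message -match 'Reason:\s*([^\r\n]+)') { $reason = $Matches[1].Trim() }

        if (-not $summary.ContainsKey($reason)) {
            $fix = $fixFor[$reason]
            if (-not $fix) { $fix = "(not one of the reasons listed above; see the other causes)" }
            $summary[$reason] = New-Object PSObject -Property @{
                Reason   = $reason
                Count    = 0
                LastSeen = $event.TimeGenerated
                Fix      = $fix
            }
        }
        $summary[$reason].Count++
        if ($event.TimeGenerated -gt $summary[$reason].LastSeen) {
            $summary[$reason].LastSeen = $event.TimeGenerated
        }
    }
    $summary.Values | Sort-Object Count -Descending
}

Get-AnonymousLogonFailures | Format-Table Reason, Count, LastSeen, Fix -AutoSize
```

If the function returns nothing although the site answers 401.1, check the last cause in the list further down the page (a full Security log), because no new failure audit can be written in that case.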

Fixing: Bad username or Unknown password

1. Find the locations (nodes) where the anonymoususerpass value is set:

a. Open command prompt (Click Start > Run > Type : cmd)
b. Navigate to the C:\inetpub\adminscripts directory.
c. Enter the following command:
cscript adsutil.vbs find anonymoususerpass
d. Press Enter. This returns a listing of all the nodes where anonymoususerpass appears in the metabase. Ideally it should display only the W3SVC node (it may also appear in the MSFTPSVC node if you are running FTP).

If it displays locations "under" W3SVC (e.g. W3SVC/1/root), then we should delete these entries.

Output example (non-ideal output):
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Property anonymoususerpass found at:
W3SVC
W3SVC/1/ROOT
W3SVC/5/ROOT

2. Remove the additional anonymoususerpass values if any are listed. To delete the extra entries, use the following syntax:

cscript adsutil.vbs delete <node/location>/anonymoususerpass

For example: if the response is as shown above, the following commands are to be executed.
cscript adsutil.vbs delete W3SVC/1/root/anonymoususerpass
cscript adsutil.vbs delete W3SVC/5/root/anonymoususerpass

Output Example:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
deleted property "anonymoususerpass"
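Steps 1 and 2 above can be wrapped so that the extra entries are reported first and only removed on request. The following PowerShell function is an added example and not part of the original post; it assumes IIS 6.0 with the admin scripts in C:\inetpub\adminscripts and an administrator prompt, and the function name Test-AnonymousPassNodes is this example's own.

```powershell
# Added example (not from the original post): report, and optionally remove,
# anonymoususerpass entries stored below the W3SVC or MSFTPSVC node (the
# "non-ideal" find output above). Assumes IIS 6.0 and an administrator prompt.
function Test-AnonymousPassNodes {
    param(
        [string]$AdminScripts = "C:\inetpub\adminscripts",
        [switch]$Remove
    )
    $adsutil = Join-Path $AdminScripts "adsutil.vbs"

    # adsutil prints one metabase path per line after the "found at:" header.
    $lines = @(& cscript //nologo $adsutil find anonymoususerpass | ForEach-Object { $_.Trim() })
    $nodes = @($lines | Where-Object { $_ -match '^(W3SVC|MSFTPSVC)(/|$)' })
    # The service node itself is expected; anything beneath it is an extra copy
    # that can hold a stale password of its own.
    $extra = @($nodes | Where-Object { $_ -match '^(W3SVC|MSFTPSVC)/' })

    foreach ($node in $nodes) {
        if ($extra -contains $node) { Write-Output ("extra copy : " + $node) }
        else                        { Write-Output ("expected   : " + $node) }
    }

    foreach ($node in $extra) {
        $target = $node + "/anonymoususerpass"
        if ($Remove) {
            & cscript //nologo $adsutil delete $target
        } else {
            Write-Output ("to remove  : cscript adsutil.vbs delete " + $target)
        }
    }
    return $extra
}

# Report only; run "Test-AnonymousPassNodes -Remove" to delete the extra entries.
Test-AnonymousPassNodes
```

Deleting the per-site copies makes every site inherit the single value at the service node, which is the state step 3 below relies on when it reads W3SVC/anonymoususerpass.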

Once it is ensured that the password is set only for a single location, next step is to “sync” the password with the one in the SAM database or AD database.

3. Retrieve the password for the anonymous user principal (IUSR) stored in the IIS metabase:

a. In Notepad, open Adsutil.vbs located in c:\Inetpub\adminscripts.
b. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
c. Change "IsSecureProperty = True" to "IsSecureProperty = False".
d. Save the changes to Adsutil.vbs, and then close Notepad.
e. Open command prompt (Click Start > Run > Type : cmd)
f. Navigate to the C:\inetpub\adminscripts directory. (Type CD c:\Inetpub\adminscripts and press enter)
g. Enter the following command: cscript adsutil.vbs get W3SVC/anonymoususerpass

Output example (the stored password is shown as a placeholder here):
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
anonymoususerpass               : (STRING) "<password stored in the metabase>"

4. Change the IUSR account's password to the one retrieved in the above steps, using Active Directory Users and Computers or Computer Management.

Fixing: Account locked

This video demonstrates how to unlock a locked Windows user account and how to configure the lockout policies.
Credit and copyright: Robert Walden

Reference: http://www.associatedcontent.com/video/10648/how_to_unlock_a_locked_out_windows.html?cat=15

Fixing: User not allowed to logon at this computer

Using the Active Directory Users and Computers Snap-in
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click the container that contains the user account that you want.
  3. In the right pane, right-click the user account, and then click Properties.
  4. Click the Account tab, and then click Log On to.
  5. Provide the appropriate Computer names.

Fixing: The user has not been granted the requested logon type at this machine

Verify permissions as per the following KB from Microsoft.

http://support.microsoft.com/kb/812614

The only caveat is that this article does not ask you to check the following policies, and does not say that the user principal in question must not be listed in them:

  1. Deny Logon as a Batch Job
  2. Deny Logon Locally
  3. Deny Access to this computer from Network

So please be careful and check the same.

Fixing: Account logon time restriction violation

Method 1: Using the Active Directory Users and Computers Snap-in
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click the container that contains the user account that you want.
  3. In the right pane, right-click the user account, and then click Properties.
  4. Click the Account tab, and then click Logon Hours.
  5. Click All to select all available times, and then click Logon Permitted.
Method 2: Using the Net User Command-line Statement
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. Type net user username /time:logon_times (where username is the name of the user account, and where logon_times are the days and times that you want to allow access to the domain), and then press ENTER.

Use the following information to help you use the /time switch:

  • Days can be spelled out (for example, Monday) or abbreviated (for example, M,T,W,Th,F,Sa,Su).
  • Hours can be in 12-hour notation (1PM or 1P.M.) or 24-hour notation (13:00).
  • A value of blank means that the user can never log on.
  • A value of all means that a user can always log on.
  • Use a hyphen (-) to mark a range of days or times. For example, to create a range from Monday through Friday, type either M-F, or monday-friday. To create a range of time from 8:00 A.M. to 5:00 P.M., type 8:00am-5:00pm, 8am-5pm, or 8:00-17:00.
  • Separate the day and time items with commas (for example, monday,8am-5pm).
  • Separate day and time units with semicolons (for example, monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
  • Do not use spaces between days or times.
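A /time value can be checked against the rules above before it is applied to an account. The following PowerShell function is an added example and not part of the original post or of net user itself: it parses a /time specification (day names or the abbreviations listed, 12-hour or 24-hour times, hyphen ranges, comma and semicolon separators, the special values blank and all) and expands it to the hours allowed on each day. The function name ConvertFrom-LogonTimeSpec and the Sunday-first, 0-23 hour representation are this example's own conventions.

```powershell
# Added example (not from the original post): parse a "net user /time:" value
# by the rules listed above and expand it to the allowed hours per day.
function ConvertFrom-LogonTimeSpec {
    param([string]$Spec)

    $days = @("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
    $abbr = @{ "Su" = 0; "M" = 1; "T" = 2; "W" = 3; "Th" = 4; "F" = 5; "Sa" = 6 }
    $allowed = @{}
    foreach ($d in $days) { $allowed[$d] = @() }

    if ($Spec -match '\s') { throw "Spaces are not allowed between days or times." }
    if ($Spec -eq "")      { return $allowed }                                   # blank: never
    if ($Spec -eq "all")   { foreach ($d in $days) { $allowed[$d] = 0..23 }; return $allowed }

    function DayIndex([string]$name) {
        if ($abbr.ContainsKey($name)) { return $abbr[$name] }
        for ($i = 0; $i -lt 7; $i++) { if ($days[$i] -eq $name) { return $i } }
        throw "Unknown day: $name"
    }

    function HourOf([string]$text, [bool]$isEnd) {
        # 8, 8:00, 8am, 8:00am, 1PM, 1P.M., 13:00 (only whole hours are accepted)
        $m = [regex]::Match($text, '^(\d{1,2})(?::(\d{2}))?(a\.?m\.?|p\.?m\.?)?$',
                            [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
        if (-not $m.Success) { throw "Bad time value: $text" }
        $h = [int]$m.Groups[1].Value
        if ($m.Groups[2].Success -and $m.Groups[2].Value -ne "00") { throw "Only whole hours are allowed: $text" }
        $ampm = ($m.Groups[3].Value -replace '\.', '').ToLower()
        if ($ampm -eq "") {
            if ($h -gt 24) { throw "Bad hour: $text" }
        } else {
            if ($h -lt 1 -or $h -gt 12) { throw "Bad 12-hour time: $text" }
            $h = $h % 12
            if ($ampm -eq "pm") { $h += 12 }
        }
        if ($isEnd -and $h -eq 0) { $h = 24 }   # midnight as the end of a range
        return $h
    }

    foreach ($item in $Spec.Split(";")) {
        $parts = $item.Split(",")
        if ($parts.Length -lt 2) { throw "Each item needs a day part and a time part: $item" }

        # Day or day range; ranges may wrap past Saturday (e.g. F-M).
        $dayRange = $parts[0].Split("-")
        $start = DayIndex $dayRange[0]
        $end   = if ($dayRange.Length -gt 1) { DayIndex $dayRange[1] } else { $start }
        $dayList = @()
        $i = $start
        while ($true) { $dayList += $i; if ($i -eq $end) { break }; $i = ($i + 1) % 7 }

        # One or more hour ranges; each contributes the hours [from, to).
        $hours = @()
        foreach ($range in $parts[1..($parts.Length - 1)]) {
            $ends = $range.Split("-")
            if ($ends.Length -ne 2) { throw "Time ranges need a start and an end: $range" }
            $from = HourOf $ends[0] $false
            $to   = HourOf $ends[1] $true
            if ($to -le $from) { throw "End must be after start: $range" }
            $hours += ($from..($to - 1))
        }
        foreach ($d in $dayList) {
            $allowed[$days[$d]] = @($allowed[$days[$d]] + $hours | Sort-Object -Unique)
        }
    }
    return $allowed
}

# Usage: the KB's own example, expanded per day.
$table = ConvertFrom-LogonTimeSpec "monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm"
foreach ($day in "Monday", "Tuesday", "Wednesday") {
    "{0}: {1}" -f $day, ($table[$day] -join ",")
}
```

A spec that throws here would be rejected or misapplied by net user as well; a spec that parses but leaves a day with no hours is the "never" case for that day, which is the state that produces the logon time restriction violation above.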

Reference: http://support.microsoft.com/kb/816666

Why do I get “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials” when the website is configured to use Anonymous Authentication in IIS 6.0 with the default IUSR account?

I feel that at some point each and every administrator who has managed IIS has encountered this error. It's not the first time someone is talking about this error, nor is the resolution unavailable; it's there, but I feel this information is scattered across different places, so this blog post is an attempt to present the whole picture in one place. Enough talking, let's begin working.

First and Foremost: What is Anonymous Authentication in IIS 6.0?

As per Microsoft “Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.”

Ok, So why do I get this error in first place?

From a blog written by David Wang:

A common misconception by users “If I enabled anonymous access in IIS, everything should work and I should never see Access Denied”

As David Wang has written: “As for enabling anonymous authentication in IIS - this merely tells IIS to automatically log in with a pre-configured user identity to execute the request, regardless of authentication attempted. There is no special Windows account that magically passes access checks and has access to everything. In fact, the user identity used for anonymous access can be the target of allow/deny ACLs, just like any other Windows user, so it is still possible to see "Access Denied" when you have anonymous authentication enabled.”

So, the most common cause of HTTP 401.1 with Anonymous Authentication is that the anonymous user credentials stored in the IIS metabase configuration file hold a different password from the user principal's real credentials (i.e. a mismatched password). This happens because, by default, the sub-authentication component, Iissuba.dll, is not enabled in IIS 6.0. In earlier versions, Iissuba.dll allowed IIS to manage passwords on anonymous accounts, which created a potential security risk.

Besides the above, there are some other reasons that I am aware of, as follows:

  • The anonymous user principal in IIS doesn't have logon rights to the system.
  • The anonymous user principal in IIS is configured to be denied access to the system during specific hours.
  • The anonymous user principal in IIS is locked out.
  • The Security event log is full.

Looking for a solution to the above? Please look at my blog post “Troubleshooting: “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials” when website is configured to use Anonymous Authentication in IIS 6.0 with default IUSR account.”