How to delegate basic server administration to Junior Admins

 

Here is a complete list of articles for delegating controls to admins:

 

You can delegate permissions to junior Admins using MMC Taskpads.

How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/?kbid=314978

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

HOW TO: Create and Edit a Taskpad View in a Saved MMC Console in Windows 2000
http://support.microsoft.com/?kbid=321143

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873

Administrative Tool Menu Is Sensitive to User’s Permissions
http://support.microsoft.com/?kbid=214739

In a Server 2003 domain, you can ignore the part about editing dssec.dat:

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

A must read for Domain Administrators:

Design Considerations for Delegation of Administration in Active Directory

*Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units*
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

Using scripts you can set delegation on properties if you want:

Part 1
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

Part 2
http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx

You can find security attributes for each object in Chapter -6 of *Inside Active Directory-Second Edition*
Here it is: An online version of this book.

http://www.readol.net/books/computer/Windows/Inside.Active.Directory.A.System.Administrators.Guide.Second.Edition/0321228480/ch04lev1sec3.html

Inter-Site Topology Generator Invalid

Scenario:

ISTG has invalid on all Domain Controller on the network after you demote a DC and trasfer roles and then rebuild it.

If demoted Domain Controller is the first DC in site – If yes then this DC holds the role – ISTG Server.

Initially the first server in the site becomes the ISTG owner and this this role is communicated by normal AD replication.

Moreover, this role is not changed automatically. Server holding ISTG role notifies other domain controllers about its presence by writing the *InterSiteTopologyGenerator* attribute in Configuration Naming Context at a specified interval.

Another fact is that another DC as an ISTG server doesn’t take over unless it knows that DC hold ISTG server has failed.

To correct this issue:

You can edit the following registry value to modify this behaviour:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Value Name: KCC site generator renewal interval (minutes)
Value Data: Number of minutes between updates to Active Directory

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: KCC site generator fail-over (minutes)
Value Data: Time that must elapse before a new ISTG is selected, in minutes.

When it is safe to remove DNS Server (Active Directory Integrated)

 

Not necessarily all points only No. 2 applies to Primary Server.

I have posted basic guidelines for removing DNS server from the network.

Here is a list of points for your review:

You can safely remove any DNS server running in your network BUT you should not if the following conditions are true:

1. If this DNS server is authoritative for a Active Directory domain or DNS Domain Zone.

If you remove any DNS server that is authoritative for any domain zone configured in your network. It will remove the SRV records from zone and connectivity to domain controllers through DNS server.

2. If this is the primary DNS Server and you have configured rest of DNS servers on other DCs to work as secondary DNS Servers then you should not remove this DNS server. Doing so will cause replication failures. Secondary servers will be inoperable.

3. If any domain is delegated under this DNS server.

4. If this DNS server contains the SOA records for other authoritative DNS Server for zone.

5. Your clients are configured to use this DNS server. Removing this DNS server from operation will cause problems,

clients won’t be able to log on to network or find domain controllers.

The above are the basic guidelines to consider while removing a DNS server from your network.

Windows 2000/2003/XP computers may not load raoming profiles from a trusted domain.

You may face this issue. Sometimes member computers running Windows XP/2000/2003 may not load roaming profile from a trusted domain.

They should be able to log as long as the following conditions are true:

1. DNS settings are incorrect as suggested on some of your client computers.

2. Workstation service is not running on client computer.

3. Server service is not running on server.

4. Roaming Profile Share is not shared on server.

5. Permissions are not shared properly.

6. All Users and Default Users folders in Documents and Settings are missing if this is the first time user is logging on to this computer.

7. IPC$ share is missing on Client computer or Server.

 

You can find the exact cause by enabling the User Profile Debugging:

Enable User Profile Logging. You will know the problem.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Moving FSMO roles, DNS and DHCP from one Domain Controller to another Domain Controller machine.

Sometimes you may need to move your DNS, DHCP and AD to another machine. You can follow the steps outlined below to make this happen:

Scenario: You want to move everything on DC3.

If your DNS zone is AD-Integrated:

1. On DC3 install DNS > make it AD-Intergrated > wait for Active Directory replication or force replication from AD sites snap-in so that all DNS records and SRVs are replicated to this DNS server (DC3).

2. Next transfer FSMO Roles.

The reason why you need to transfer FSMO roles in second step is: All AD Tools, clients and Windows built-in Services that rely on FQDN will always query authoritative DNS server for this zone (domain_name.com) to find FSMO roles or domain controllers.

3. Finally install DHCP on DC3 > and follow the article given below to transfer DHCP database. DHCP is not an issue with DNS+ADS.

Make sure you follow the basic guidelines on DC3 for DNS Setup:

1. On DC3 for DNS server: Make sure DNS server is pointing to server IP address in TCP/IP Property so that it can register its SRV and A records.

2. Client machines must use this IP address (As a Primary DNS server) to locate domain controllers and receive Group Policy settings.

3. Configure Forwarders on DNS server to forward DNS query requests to other DNS servers such as ISP DNS Server or any other DNS server in your domain or forest. Do not put ISP DNS Server in TCP/IP Property. You need to delete root zone (“.”) to configure forwarders.

4. Make sure Dynamic or Secure Dynamic update is enabled on authoritative Zone.

5. Make sure SOA record in DNS zone is pointing to correct DNS server IP Address.

6. Issue Ipconfig /registerdns from command prompt to register A records of server in zone.

7. If there are two LAN cards make sure Internal NIC of the server is listed first in Binding Order.

Moving DHCP Database:

How to move DHCP database from one server to another:
http://support.microsoft.com/default.aspx?scid=kb;en-us;130642

Trust Relationship between Domain and Member

When you log on to domain you may receive the following error:

 The trust relationship between this workstation and the primary domain failed.

This may happen because of the following reasons:

1. Machine account for the member computer wasn’t updated with PDC within 30 days or maximumpasswordage registry entry was set too low and that time PDC wasn’t available.

2. Member computer account is not known by domain and has lost its GUID.

This is absloutely a Netlogon Secure channel issue.

To recover from this:

1. Start Windows 2000 Server.

2. Let the login screen come up. (Do not try to get in). TCP/IP stack is loaded properly here.

3. Next use *Netdom* utility (remotely) to reset computer account for this workstation. You can do so from a member computer or PDC itself.

Or

You can run this command remotely on a computer that interacts with desktop using PSEXEC from www.sysinternals.com

Netdom utility is part of Support Tools.

Sometimes you may get above error if Netlogon service is stopped for no reason. You can start this service using MMC console from a member computer.

Copy Group Policy Settings.

 

Scenario:

You need more than one Group Policy Objects and few settings are similar and few are not but the amount of configuration is time consuming. You can avail this by copying the Group Policy settings from SYSVOL folder to destination GPO.

You will see policy contents of GPO created in SYSVOL folder in Policies sub-folder and then copy them to the newly created GPO.

This is how you do it:

A. First note down the GUID of Old GPO you want to copy:

1. Open ADUC
2. Right click on OU > Property
3. Switch to Group Policy tab
4. Click GPO > Property > note down the GUID of this GPO.

B. Next create the new GPO and find out the GUID in the same manner.

C. Follow the steps outlined below to copy contents of old GPO to new GPO you created in step B.

1. Finally goto SYSVOL\domain_name.com\policies\GUID of old GPO
2. Copy the contents of this GPO.
3. Next goto SYSVOL\domain_name.com\policies\GUID of new GPO
4. Paste the contents here or overwrite.

D. Finally make whatever changes you want to make to the copied policy.

Active Directory Naming information for domain couldn’t be found

 

Sometimes when you open one of the Active Directory tools you get error message “Naming information couldn’t be contacted“:

Active Directory Users and Computers

Active Directory Trusts and Domains

Active Directory Sites and Services

Domain Security Policy

Domain Controller Security Policy

Schema Admin

This happens because of the following reasons:

1. SRV records for Active directory domains are not registered in DNS Domain Zone.

2. DNS Server couldn’t be contacted for some reason.

3. AA Host records for Domain Controller is missing in DNS Zone.

4. Netlogon service on Domain Controller has been stopped.

5. Domain Controller is pointing to a wrong DNS Server.

6. Domain Controller is pointing to a DNS Server which is far away from DC.

7. DNS Server can’t be contacted because of network congessions.

8. Heavy use of Domain Controller when DNS Client sends a request to DNS Server to find out domain information.  For example: If an application is running which is using a service account that is sending DNS Query to DNS Server frequently.

Your DNS zone should look like below for SRV Records:

DNS
   |–ServerName
   |—–Forward Lookup Zones
   |———-domain_name.local
   |             |   _sites
   |             |     |    |
   |             |     |   Default-First-Site-Name
   |             |     |         |
   |             |     |       _tcp————— _ldap [SRV]: 0:100:389: server_name.domain_name.com.
   |             |     |                                  _gc [SRV]: 0:100:3268: server_name.domain_name.com
   |             |     |                                  _kerberos [SRV]: 0:100:88: server_name.domain_name.com
   |             |     |      
   |             |    _tcp———————- _ldap [SRV]: 0:100:389: server_name.domain_name.com.
   |             |     |                                 _gc [SRV]: 0:100:3268: server_name.domain_name.com
   |             |     |                                 _kerberos [SRV]: 0:100:88: server_name.domain_name.com
   |             |     |                                 _kpasswd [SRV]: 0:100:464: server_name.domain_name.com
   |             |     |        
   |             |    _udp——————–  _kpasswd [SRV]: 0:100:464: server_name.domain_name.com.
   |             |     |                                _kerberos [SRV]: 0:100:88: server_name.domain_name.com.

You must have the above SRVs registerd in DNS zone so that AD Tools can get the list of domain controllers available in domain by executing DcGetDcName API call.

These are the basic guidelines for DNS and TCP/IP Configuration on a server:

1. On DC or DNS server: Make sure DNS server is pointing to server IP address.

2. Make sure Dynamic or Secure Dynamic update is enabled on authoritative Zone.

3. Make sure SOA record in DNS zone is pointing to correct DNS server IP Address.

4. Issue Ipconfig /registerdns from command prompt to register A records of server in zone.

7. If there are two LAN cards make sure Internal NIC of the server is listed first in Binding Order.

Securing your network using Microsoft Windows DHCP

 

This article explains how you can secure a network running DHCP Service.

Microsoft has developed or added some security to DHCP Server by means of CLASS ID. You can use Class ID to secure a network for client who is part of the network or laptop users who recieve their IP Address from this DHCP Server on the network.

In DHCP Server you can configure the Class ID. When you configure Class ID you need to use the Same ID on all client machines so any DHCP Packet sent by the client can be understood by the DHCP server of that class. You set Class ID on client machines using *Ipconfig /setclassid* command.

Prevent computers gaining IP Address from DHCP Server if they are not authorized

A computer is authorized to obtain an IP Address on network only when it is configured with DHCP Class ID where you have implemented MS DHCP Server. This Class ID mechanism can be understood by MS DHCP Servers only.

We have secured our DHCP Network using *MS Class Options* (You can find this mechanism only in MS DHCP Implementation).

 
Client machines can’t get IP Address from any DHCP server available on the network  *IF* you have configured Class ID on client machines using *Ipconfig /setclassid* command. A DHCP packet will be dropped by DHCP server if *same Class ID* scope is not found on the network or MS DHCP server.

This is what happen when you implement Class ID on your network:

1. A computer plugs in your network.

2. DHCP client service starts and shouts on network to get an IP address (I assume this is a new computer and configured with Class ID).

3. DHCP Server goes throught its database or scopes check to see if it belongs to any Class ID scope, a simple scope or superscope if request is coming from different network id:

        a. If DHCP packet from client machine contains Class ID information, DHCP  
           Server goes through the Class ID Scopes. If it doesn’t find same class ID in
           its database, the DHCP packet is dropped off. Exit Loop. Next, if DHCP server
           finds the Class ID Scope, it leases out the IP address to client machine and
           Exit Loop.

        b. DHCP server goes to next condiation available that is *DHCP Scope for
           same subnet*. HERE DHCP server can lease out IP address from any scope
           if you haven’t configured client machine with Class ID. This is where DHCP
           Security is failing
. If DHCP server finds no other scope, DHCP packet is
           dropped off. Exit Loop.

        c. Next available condition is to check in *DHCP Superscope for same or other
            subnet* or if client doesn’t belong to same subnet. B condition applies  in this case.

3. After checking above conditions, DHCP Server finally decides to drop off packets therefore client obtains IP Address using APIPA (169.254.x.x). This makes client out of network or it can’t participate in network.

Restrict IPs to known MAC addresses (both static or DHCP) when the unauthorized machine has physical access to a NAM on the network.

 

1. Create a class on your network

2. Define a scope for these MAC systems only.

3. Create a unqiue Class ID for this scope.

4. Configure client machines using *Ipconfig /setclassid*. Set the Class ID which you have configured at DHCP Server.

Now when a DHCP server receive a packet from a client machine configuerd for the same Class ID, it will go through it’s scopes to check whether they belong to any Scope Class you have configured at DHCP server.
If DHCP Server finds Class Scope with same Class ID then this will lease IP address *ONLY* from this class regardless of the subnet clinet machines belong to. Condition No. A applies in this scenario.

NOTE:

1. This way you can secure your DHCP Server.

2. This only applies when client machines has configured to obtain IP address automatically from a DHCP Server. If client machine has configured with Static IP address then you can’t. You need to disable DHCP client service on client machine or unregister a DLL from their system or set permissions on registry on client machine so they can’t save informations.

3. You shouldn’t have any other Scope configured in your DHCP server without Class ID. If you do so DHCP server can lease out IP addresses from this scope if client request is coming without Class ID information or DHCP Packet from a client doesn’t contain Class ID. Either you can use scopes or Class ID but you can’t use both to implement this securtiy stuff. Check option A.B.C. described earliear in this article.

More here:  –
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/111527dc-1e28-4c25-ba20-67daeffa5d1b.mspx

DHCP Security: –

The following articles only address how you secure or detect rouge DHCP servers running in a network. It’s worth reading.

Part 1
http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
Part 2: –
http://www.windowsecurity.com/articles/DHCP-Security-Part2.html

If your DHCP clients are all Windows 2000 or newer, then this will work pretty well for you.  If you have non-Windows 2000 or newer clients that need to use DHCP, this won’t work.

Class ID won’t work for:

Windows 9x/NT clients
PXE boot clients/other boot clients (Altiris Bootworks)
Non-Windows clients (Linux and Mac are most common)

Driver issue – Server not booting in Normal Mode

 

If you face any issue with Windows driver or third party driver, you can replace Safe Mode registry with Normal Mode to get things working properly. If you can boot into Safe Mode and then there are some chances to restore your computer using the Safe Mode registry data because pre-defined drivers and services in registry key for these modes are not changed when you install any application.

This is how you do it:

  1. Go to Safe Mode.
  1. Start Registry editor > navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

  1. Save/Export this key to SafeBoot.reg file
  1. Next navigate to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

  1. Save/Export this to Services.reg.
  1. Now edit SafeBoot.reg in notepad or wordpad (make sure you disable word wrapping) > next

Find all the entries with:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

and replace all with the following:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

  1. After replacing all entries save SafeBoot.reg file and double click on it.
  1. Now restart your computer in Normal Mode. It should boot.