Wednesday, January 14, 2009
Better than reading RFC 1510 page 84, I found this web page.
I then decided to reformat and post here for my own easy reference.
Failure code (decimal) | Hex | Kerberos RFC description | Notes on common failure codes
1 | 0x1 | Client's entry in database has expired |
2 | 0x2 | Server's entry in database has expired |
3 | 0x3 | Requested protocol version # not supported |
4 | 0x4 | Client's key encrypted in old master key |
5 | 0x5 | Server's key encrypted in old master key |
6 | 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet
7 | 0x7 | Server not found in Kerberos database | New computer account has not replicated yet, or computer is pre-W2K
8 | 0x8 | Multiple principal entries in database |
9 | 0x9 | The client or server has a null key | Administrator should reset the password on the account
10 | 0xA | Ticket not eligible for postdating |
11 | 0xB | Requested start time is later than end time |
12 | 0xC | KDC policy rejects request | Workstation/logon time restriction
13 | 0xD | KDC cannot accommodate requested option |
14 | 0xE | KDC has no support for encryption type |
15 | 0xF | KDC has no support for checksum type |
16 | 0x10 | KDC has no support for padata type |
17 | 0x11 | KDC has no support for transited type |
18 | 0x12 | Client's credentials have been revoked | Account disabled, expired, or locked out
19 | 0x13 | Credentials for server have been revoked |
20 | 0x14 | TGT has been revoked |
21 | 0x15 | Client not yet valid - try again later |
22 | 0x16 | Server not yet valid - try again later |
23 | 0x17 | Password has expired | The user's password has expired
24 | 0x18 | Pre-authentication information was invalid | Usually means bad password
25 | 0x19 | Additional pre-authentication required* |
31 | 0x1F | Integrity check on decrypted field failed |
32 | 0x20 | Ticket expired | Frequently logged by computer accounts
33 | 0x21 | Ticket not yet valid |
34 | 0x22 | Request is a replay |
35 | 0x23 | The ticket isn't for us |
36 | 0x24 | Ticket and authenticator don't match |
37 | 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's
38 | 0x26 | Incorrect net address | IP address change?
39 | 0x27 | Protocol version mismatch |
40 | 0x28 | Invalid msg type |
41 | 0x29 | Message stream modified |
42 | 0x2A | Message out of order |
44 | 0x2C | Specified version of key is not available |
45 | 0x2D | Service key not available |
46 | 0x2E | Mutual authentication failed | May be a memory allocation failure
47 | 0x2F | Incorrect message direction |
48 | 0x30 | Alternative authentication method required* |
49 | 0x31 | Incorrect sequence number in message |
50 | 0x32 | Inappropriate type of checksum in message |
60 | 0x3C | Generic error (description in e-text) |
61 | 0x3D | Field is too long for this implementation |
Thursday, January 08, 2009
So I'm doing a report about our AD infrastructure and some specific servers. The report needs to show which subnets are covered by a specific site. Easy, eh? Just open up ADSS (AD Sites and Services), go to the site you need the information about, and simply copy the subnets.
Hah! Why would Microsoft make it that easy? Well, they wouldn't. Sorry, no copy, no pastey.
So here is a script that will list all the subnets for a site in CIDR format. I like it. You will too.
Just enter the name of the site as you see it in ADSS as the argument. No need to enter the distinguished name or any other kind of mumbo jumbo.
Oh, make sure you run this with cscript, not wscript.
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript " & WScript.ScriptName & " <site name>"
    WScript.Quit 1
End If
varSiteName = LCase(WScript.Arguments(0)) 'the regular name that you see in ADSS, not the DN
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomainCNC = objRootDSE.Get("configurationNamingContext") 'working with the configuration container
Set objSites = GetObject("LDAP://CN=Sites," & strDomainCNC) 'grabbing all sites
For Each i In objSites 'for each object under CN=Sites (the sites, plus the Subnets and Inter-Site Transports containers)
    If LCase(i.cn) = varSiteName Then 'if the name is the same as the argument
        'siteObjectBL is the list of DNs of all the subnets for that site.
        'GetEx always returns an array, even when the site has a single subnet (plain i.siteObjectBL would not).
        On Error Resume Next 'GetEx raises an error when the site has no subnets at all
        arySubnets = i.GetEx("siteObjectBL")
        On Error GoTo 0
        If IsArray(arySubnets) Then
            For Each x In arySubnets
                aryx = Split(x, ",CN=") 'keep just the leading "CN=<subnet>" piece
                WScript.Echo Mid(aryx(0), 4) 'strip the "CN=" prefix, leaving the CIDR subnet
            Next
        End If
    End If
Next
Tuesday, December 02, 2008
I've seen a few scripts out there on bulk-enabling ACS for just one group of servers in SCOM (OpsMgr 2007), but nothing seemed to work.
So, I decided to learn PowerShell so that I could write a better script to do this. Here is what I came up with. About a third of the script is comments that should help you understand
exactly what the script is doing. That way you can have a bit of confidence when running it. Also, if you read the script and the comments a few times, hopefully things will start to click
in your mind and you will start to get a better understanding of PowerShell and SCOM.
To use the script, type the script name followed by the FQDN of the RMS, the FQDN of the ACS collector, and the display name of the group you want to affect.
Example: acsGroupEnable.ps1 RMS1.yourdomain.int ACS1.yourdomain.int 'your group name' - yes, single quotes. Maybe double quotes work too, but I'm too scared to try. ;-)
Here's the script:
param ($rmsServerName, $collectorServerName, $groupName)
#To list all groups by displayName, connect to the root of the management server
#via PowerShell and run: get-childitem | format-list -property displayname
#Connect to the RMS using its FQDN
#add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client" #Use this if you aren't in the SCOM PowerShell console.
set-location "OperationsManagerMonitoring::"
new-managementGroupConnection -ConnectionString:$rmsServerName;
set-location $rmsServerName
#Get the Health Service class for later use.
$healthServiceClass = get-monitoringclass -name:Microsoft.SystemCenter.HealthService
#Get the task that enables ACS when invoked
$enableAcsTask = get-task -path \ | where {$_.Name -eq 'Microsoft.SystemCenter.EnableAuditCollectionService'}
#Create the override that tells the agent which ACS collector to forward to
$overrides = new-object Hashtable
$overrides.Add("CollectorServer", $collectorServerName)
#Use credentials only if you need to. Otherwise leave commented out.
#$credentials = Get-Credential #use this if you are not logged in with the correct OpsMgr account.
#Get all computer objects from the group you want to affect and put them into a collection
$colServers = Get-ChildItem (get-childItem | where {$_.displayName -eq $groupName}).PathName;
#For each computer in the collection, get that computer's health service object
foreach ($varServer in $colServers)
{
    $healthServices = $varServer.GetRelatedMonitoringObjects($healthServiceClass)
    foreach ($hs in $healthServices) #for each health service related to that computer (normally just the one on that server)
    {
        if ($hs.isAvailable -eq $true) #if the server is currently talking to OpsMgr
        {
            "Enabling Audit Collection for " + $hs.DisplayName;
            #Enable ACS on the computer
            Start-Task -task:$enableAcsTask -TargetMonitoringObject:$hs -overrides:$overrides #-credential:$credentials #uncomment the credentials if you need to use alternate credentials.
        }
        else
        {
            "Skipping: " + $hs.DisplayName + ". This computer is disconnected from OpsMgr."
        }
    }
}
Monday, November 24, 2008
Beating a dead horse won’t get you much.
But beating a dead (Blue screened) server will sometimes get it to boot up again.
I know sometimes we get frustrated with our jobs. I know that we also have to deal with funky hardware.
Here are some steps that have been developed over my career to deal with both issues. These steps are time tested.
These steps are called Computer Punching Repair (CPR).
It’s kind of like regular CPR, but for servers.
Here is what you do:
1. Pull server mostly out of rack.
2. Position yourself above the server.
3. Raise your fist.
4. Beat the Holy crud out of the thing, releasing all that built up frustration… Sigh…
5. Press the power button and see if it boots up.
6. Repeat steps 3 through 5 until you feel better or the server boots up.
I hope some of you can make use of these steps.
Friday, October 31, 2008
Did you know there is a tool called dsquery????? DID YOU???
OH MY GOSH!!! This is the best tool EVER! (for AD queries.)
Why didn't I know about this tool before? This tool can do all SORTS of stuff! And you can combine it with some other tools like DSMOD, etc...
It can also do LDAP queries, although the output, selected with the -o option, is limited to just four things. Basically it is for getting back account names, not specific attributes, so VBScript will still be useful in that case.
I just looked this up and it is part of the "Directory Service Command-line Tools" suite. Here is a list of the tools:
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
Also, here is a primer from MS:
http://support.microsoft.com/kb/322684
Wednesday, October 29, 2008
Those of you out there with relatively large domains can understand what a pain it is to search through AD Sites and Services to find which site a domain controller belongs to.
Being that I am very impatient I decided enough was enough and figured out how to use a tool called nltest. It can do all sorts of things, but for now check this out:
nltest /server:<servername> /dsgetsite
Not only can you run this against a DC, you can run it against any computer in your domain to find which site it belongs to.
Wanna know the schema version of your Active Directory?
One simple way is to log on to a domain controller, go to HKLM\System\CurrentControlSet\Services\NTDS\Parameters and look at the data portion of
the "System Schema Version" entry, which, in some situations I'm not aware of but have heard about on the street, is called the "Schema Version" entry instead.
Then check it against the following:
13 = 2000
30 = 2003
31 = 2003 R2
44 = 2008
?? = 2008 R2
Is there a pattern that I'm just not seeing?
--UPDATE--
You can look in ADSIEdit too. Just look at the objectVersion in the properties of CN=Schema,CN=Configuration,DC=your,DC=domain,DC=com.
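Since the post gives two places to read the version from, here is an added example (not from the original post) that reads both and checks they agree: objectVersion on the schema container via ADSI, and the NTDS registry value, trying both entry names the post mentions. The registry half assumes you run it on a domain controller; the version-to-OS table is the post's list above.

```powershell
# Added example: read the schema version from both places the post mentions and check they agree.
# Registry half only works when run on a domain controller; the ADSI half works from any domain member.
function Get-AdSchemaVersion {
    # Versions listed in the post; anything else (e.g. 2008 R2) comes back as unknown
    $known = @{ 13 = '2000'; 30 = '2003'; 31 = '2003 R2'; 44 = '2008' }

    # Source 1: objectVersion on CN=Schema,CN=Configuration,... (what ADSIEdit shows)
    $schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext.Value
    $fromAdsi = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value

    # Source 2: the NTDS registry value on this machine (present only on a DC)
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regItem = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $fromReg = $null
    if ($regItem) {
        # The post says some boxes call this "Schema Version" instead, so try both names
        foreach ($name in 'System Schema Version', 'Schema Version') {
            if ($regItem.PSObject.Properties[$name]) { $fromReg = [int]$regItem.$name; break }
        }
    }

    if ($known.ContainsKey($fromAdsi)) { $meaning = $known[$fromAdsi] } else { $meaning = 'unknown (not in the list above)' }
    if ($fromReg -eq $null) { $agree = 'n/a (not a DC)' } else { $agree = ($fromReg -eq $fromAdsi) }

    New-Object PSObject -Property @{
        ObjectVersion   = $fromAdsi
        RegistryVersion = $fromReg
        SourcesAgree    = $agree
        Meaning         = $meaning
    }
}

Get-AdSchemaVersion | Format-List ObjectVersion, RegistryVersion, SourcesAgree, Meaning
```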
Friday, October 17, 2008
This was a fun one. I was asked to find all user accounts in a specific OU that were created on or after August 1st, 2008.
Sweet, except that I didn't know how to convert the createTimeStamp attribute to a number to compare it to 08/01/2008, which I would also have to convert to a number.
You see, the createTimeStamp attribute on every user account looks something like this: 08/01/2008 8:22:48 AM.
My quick and dirty solution was simply to split the attribute into two elements of an array. See the little space between the date and the time? Bingo!
So now I have just the date. Now what? Split THAT on the slash "/" into another array, and now I have an array where the first element is the month, the second is the day, and the third is the year.
From there I just compared numbers. Sometimes quick and dirty works great.
Here's the script:
ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 500
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomainNCDN = objRootDSE.Get("DefaultNamingContext")
strOU = "" 'Place the OU you want to search into here, include a comma at the end, or just leave blank to search all of AD.
'ADO LDAP dialect is <base>;(filter);attributes;scope - note the semicolon after the base DN
objCommand.CommandText = "<LDAP://" & strOU & strDomainNCDN & ">;(&(objectClass=user)(objectCategory=person));name,createTimeStamp;subtree"
Set objRecordSet = objCommand.Execute
If objRecordSet.EOF Then
    WScript.Echo "No user accounts found."
Else
    While Not objRecordSet.EOF
        'createTimeStamp comes back like "08/01/2008 8:22:48 AM"; the space separates date from time
        varCreateTimeStamp = CStr(objRecordSet.Fields("createTimeStamp").Value)
        aryCreateTimeStamp = Split(varCreateTimeStamp, " ")
        varCreateDate = aryCreateTimeStamp(0)
        aryCreateDate = Split(varCreateDate, "/") 'element 0 = month, 1 = day, 2 = year (US date format)
        'CInt so we compare numbers, not strings
        If CInt(aryCreateDate(2)) = 2008 And CInt(aryCreateDate(0)) > 7 Then
            WScript.Echo objRecordSet.Fields("name").Value & " Date Created: " & varCreateDate
        End If
        objRecordSet.MoveNext
    Wend
End If
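The less quick-and-dirty way to do the same search is to let the domain controller do the date comparison. This is an added example, not the original post's script: it uses System.DirectoryServices instead of ADO, filters on whenCreated (the stored attribute that createTimeStamp reflects; createTimeStamp itself is constructed and can't be used in an LDAP filter), and the OU DN is a placeholder.

```powershell
# Added example: find user accounts created on or after 1 Aug 2008, filtered server-side.
# Uses System.DirectoryServices only, so it runs from a plain PowerShell prompt on a domain member.
function Get-UsersCreatedSince {
    param (
        [datetime] $Since,
        [string]   $SearchBase   # DN of the OU to search; leave empty for the whole domain
    )
    if (-not $SearchBase) {
        $SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
    }
    # LDAP generalized time: yyyyMMddHHmmss.0Z, expressed in UTC
    $ldapTime = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
    # whenCreated is the stored attribute; createTimeStamp is constructed and cannot be filtered on
    $filter = "(&(objectClass=user)(objectCategory=person)(whenCreated>=$ldapTime))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # paged results, same idea as the ADO "Page Size" in the script above
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')

    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name    = $result.Properties['name'][0]
            Created = [datetime]$result.Properties['whencreated'][0]
        }
    }
}

# Placeholder OU; replace with the real DN, or drop -SearchBase to search the whole domain
Get-UsersCreatedSince -Since '2008-08-01' -SearchBase 'OU=Sales,DC=your,DC=domain,DC=com' |
    Sort-Object Created | Format-Table Name, Created -AutoSize
```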
Monday, February 25, 2008
Here is a list that matches some of the operatingSystemVersion attributes with their meaning. I like checking against operatingSystemVersion better than operatingSystem. I like numbers better I guess.
5.0 (2195) = Windows 2000 Professional
5.1 (2600) = Windows XP Professional
6.0 (6000) = Windows Vista
5.0 (2195) = Windows 2000 Server
5.2 (3790) = Windows Server 2003