Why this happens:
The Kerberos client depends on a “salt” from the KDC in order to create the AES keys on the client side. These AES keys are used to hash the password that the user enters on the client, and protect it in transit over the wire so that it can’t be intercepted and decrypted. The “salt” refers to information that is fed into the algorithm used to generate the keys, so that the KDC is able to verify the password hash and issue tickets to the user.
When a Windows 2012 R2 DC is promoted in an environment where Windows 2003 DCs are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 DCs do not support AES and Windows Server 2012 R2 DCs don’t support DES for salting.
You might be wondering why these encryption types matter. As computer hardware gets more powerful, older encryption methods become easier and easier to break. Thus, we are constantly incorporating newer, more powerful encryption into Windows and Kerberos in order to help protect your user passwords (and your data and your network).
Jul 24 2014
Authentication Problems in an Environment with Windows Server 2003 and Windows Server 2012 R2 Domain Controllers
Jul 23 2014
PowerShell: Get all Active Directory Sites based on Domain
Get all Active Directory Sites based on Domain.
$DomainADSites | select name | ft -auto
Jul 21 2014
Microsoft DirectAccess
Microsoft DirectAcess has made great strides in Windows Server 2012.
Key Points:
- First available with Windows Server 2008 R2.
- Built-in client support for Windows 7 and newer.
- Provides always-connected connection to corporate network (connects before the user logs on).
- Leverages IPV6 and 6to4 tunneling (additional configuration required when using Windows Server 2008 R2 as the DirectAccess server).
- Windows Server 2012 simplifies the deployment process.
- Client authentication can leverage Kerberos or certificates. PKI is not required when the DirectAccess server is running Windows Server 2012.
- DirectAccess clients can be managed regardless of where they are as long as they have network connectivity (outside of the corporate network, internet connectivity is required).
- DirectAccess connections are IPSec encrypted.
- The DirectAccess server and clients must be domain-joined.
- The Windows Firewall needs to be enabled on the server and clients.
- DirectAccess is not VPN.
- “When you use Windows 7 clients with DirectAccess in Server 2012 or Server 2008 R2, you need to install a separate DirectAccess Connectivity Assistant (DCA), which gives a system tray icon that shows the DirectAccess connection state.”
Great article describing DirectAccess as well as 2008R2 and 2012 differences and improvements:
http://windowsitpro.com/windows-server-2012/directaccess-windows-server-2012
Jul 16 2014
PowerShell: Determine PowerShell Version
$PSVersionTable.PSVersion
If the variable doesn’t exist, then the system is running version 1.0.
Jul 11 2014
Real-Time World Hack Map
This is an incredible map of the world that shows real-time network attacks. The animation makes it look like something out of the movie, “WarGames.”
Most impressive.
http://map.ipviking.com/?_ga=
Jul 02 2014
PowerShell: Get the Dates When the Active Directory Schema Was Updated
The Microsoft Scripting Guys blog has a great article on determining when schema updates were performed along with some information about the schema changes – at least enough to see if it was an Exchange update.
###########################
# Get Schema Update Dates #
###########################
# Code from: http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/05/how-to-find-active-directory-schema-update-history-by-using-powershell.aspx
write-output "Reading all schema data... " `r
import-module activedirectory
$schema = Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) `
-SearchScope OneLevel -Filter * -Property objectClass, name, whenChanged,`
whenCreated | Select-Object objectClass, name, whenCreated, whenChanged, `
@{name="event";expression={($_.whenCreated).Date.ToShortDateString()}} | `
Sort-Object whenCreated
#"`nDetails of schema objects changed by date:"
#$schema | Format-Table objectClass, name, whenCreated, whenChanged `
#-GroupBy event -AutoSize
write-output "`nCount of schema objects changed by date:" `r
Write-output "This displays the approximate date each each schema update was performed." `r
$schema | Group-Object event | Format-Table Count,Name,Group –AutoSize
Jul 01 2014
LSASS Crashing, CNF Objects May Be the Cause
What Happens and How Do I Know if I’m Affected?
When CNF mangled NTDS settings objects are created, the Lsass.exe process may crash and unexpectedly reboot one or more domain controllers. So there is a pretty good chance you’ll know about it. You may not know the root cause of the crash. More specifically though you’ll see the following events in the Application Log which you can look for.
Log Name: Application
Source: Application Error
Date: DateTime
Event ID: 1000
Task Category: Application Crashing Events
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description:
Faulting application name: lsass.exe, version: 6.1.7601.17725, time stamp: 0x4ec483fc
Faulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: 0x51fb164a
Exception code: 0xc0000374
Fault offset: 0x00000000000c4102
Faulting process id: 0x1f4
Faulting application start time: 0x01ceb94c671de3dd
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 80a2cd04-2540-11e3-99e2-441ea1d316a4
Faulting package full name: %14
Faulting package-relative application ID: %15And
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: DateTime
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted.
Read more of the blog post:
Jun 26 2014
PowerShell: Get Active Directory Instantiation Date
The Scripting Guys blog posted a very useful script on how to determine when the Active Directory Forest was stood up.
#############################
# Get AD Instantiation Date #
#############################
# Code from: http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/05/how-to-find-active-directory-schema-update-history-by-using-powershell.aspx
write-output "Checking Active Directory Creation Date... " `r
write-output "Displaying AD partition creation information " `r
Import-Module ActiveDirectory
Get-ADObject -SearchBase (Get-ADForest).PartitionsContainer `
-LDAPFilter "(&(objectClass=crossRef)(systemFlags=3))" `
-Property dnsRoot,nETBIOSName,whenCreated | Sort-Object whenCreated | Format-Table dnsRoot,nETBIOSName,whenCreated -AutoSize
Jun 24 2014
PowerShell: Using a HashTable to Identify Active Directory Schema & Exchange Version
It’s easy to get the Active Directory schema version as well as the installed Exchange (schema) version by using the Active Directory PowerShell cmdlet, Get-ADObject. This script leverages a built-out HashTable to perform a lookup against the version numbers.
###################################
# Create Schema Version Hashtable # 20140606-14
###################################
Write-Verbose "Create Schema Version HashTable `r "
$SchemaVersionTable =
@{
"13" = "Windows 2000 Active Directory Schema" ;
"30" = "Windows 2003 Active Directory Schema";
"31" = "Windows 2003 R2 Active Directory Schema" ;
"44" = "Windows 2008 Active Directory Schema" ;
"47" = "Windows 2008 R2 Active Directory Schema" ;
"51" = "Windows Server 8 BETA Active Directory Schema" ;
"56" = "Windows 2012 Active Directory Schema" ;
"69" = "Windows 2012 R2 Active Directory Schema " ;
"4397" = "Exchange 2000 RTM Schema" ;
"4406" = "Exchange 2000 SP3 Schema" ;
"6870" = "Exchange 2003 RTM Schema" ;
"6936" = "Exchange 2003 SP3 Schema" ;
"10637" = "Exchange 2007 RTM Schema" ;
"11116" = "Exchange 2007 RTM Schema" ;
"14622" = "Exchange 2007 SP2 & Exchange 2010 RTM Schema" ;
"14625" = "Exchange 2007 SP3" ;
"14726" = "Exchange 2010 SP1 Schema" ;
"14732" = "Exchange 2010 SP2 Schema" ;
"14734" = "Exchange 2010 SP3 Schema" ;
"15137" = "Exchange 2013 RTM Schema" ;
"15254" = "Exchange 2013 CU1 Schema" ;
"15281" = "Exchange 2013 CU2 Schema" ;
"15283" = "Exchange 2013 CU3 Schema" ;
"15292" = "Exchange 2013 SP1 Schema" ;
"15300" = "Exchange 2013 CU5 Schema"
}
################################
# Get AD Schema Version Number # 20111029-14
################################
Import-Module ActiveDirectory
Write-Output “Checking Schema version on the PDC Emulator ($ADDomainPDCEmulator) `r ”
$ADSchemaConfigurationDistinguishedName = (Get-ADRootDSE).schemaNamingContext
$ADSchemaVersion = (Get-ADObject $ADSchemaConfigurationDistinguishedName -Property objectVersion).objectVersion
$ADSchemaVersionName = $SchemaVersionTable.Get_Item(“$ADSchemaVersion”)
Write-Output “The current AD Schema Version is $ADSchemaVersion which is $ADSchemaVersionName `r ”
######################################
# Get Exchange Schema Version Number #
######################################
Write-Output “Checking Exchange Schema version `r ”
$ExchangeSchemaConfigurationDistinguishedName = ‘cn=ms-exch-schema-version-pt,’ + $ADSchemaConfigurationDistinguishedName
$ExchangeSchemaVersion = (Get-ADObject $ExchangeSchemaConfigurationDistinguishedName -Property rangeUpper).rangeUpper
$ExchangeSchemaVersionName = $SchemaVersionTable.Get_Item(“$ExchangeSchemaVersion”)
Write-Output “The current Exchange Schema Version is $ExchangeSchemaVersion which is $ExchangeSchemaVersionName `r “
Recent Comments