Posts/worklog

Event data mining with PowerShell

Posted on by Geoff / 2 Comments

On Server 2008 and 2008 R2, if your Domain Controllers aren’t configured to require LDAP signing and disallow simple LDAP binds in plaintext, Active Directory Domain Services logs a warning event on startup, and summary events every 24 hours.

A couple weeks ago, I followed the recommendation to enable logging of unsigned and plaintext LDAP authentication requests. Setting the LDAP Interface Events value to 2 generates a Directory Services event 2889 for each connection.

Now I want to do some analysis of the collected events. The event structure puts the important details, namely the client name and IP address, in the big description text field. It looks like this:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11/3/2010 11:46:38 AM
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: CDC01.campus.ad.uvm.edu
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
132.198.124.202:53298
Identity the client attempted to authenticate as:
CAMPUS\myhost0256BB4$

Previously, I’ve exported the logs to CSV format, then used Excel and some text-mangling functions to pull out the important details. But I noted that the two important values were nicely separated in the XML representation of the event:

Event Xml: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
  <System> 
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" /> 
    <EventID Qualifiers="16384">2889</EventID>
    <Version>0</Version> 
    <Level>4</Level> 
    <Task>16</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8080000000000000</Keywords> 
    <TimeCreated SystemTime="2010-11-03T15:46:38.219250600Z" /> 
    <EventRecordID>122013</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="512" ThreadID="3396" /> 
    <Channel>Directory Service</Channel> 
    <Computer>CDC01.campus.ad.uvm.edu</Computer> 
    <Security UserID="S-1-5-7" /> 
  </System> 
  <EventData> 
    <Data>132.198.124.202:53298</Data> 
    <Data>CAMPUS\myhost0256BB4$</Data> 
  </EventData> 
</Event>

Continue reading →

Posts

Compiling OpenSSL for Win x64

Posted on by Geoff / 1 Comment

I’m upgrading the components of the user provisioning system I built. Previously, I used ActiveState Perl and the UWinnipeg PPM repository to get the Net::LDAPS stack working.

This time, though, I decided I wanted to use the native architecture of my Server 2008 R2 systems. I am using the Perl64 install from ActiveState, but I have to build my own SSL libraries (and maybe roll up PPMs for the needed perl mods).

I just compiled OpenSSL for x64 (amd64), mostly following the instructions in the INSTALL.W64 and INSTALL.W32 documents. I’m blogging the step for my future reference:

  1. Open a VS x64 Win64 Command Prompt and navigate to the source directory
  2. perl Configure VC-WIN64A –prefix=c:\local\openssl
  3. ms\do_win64a.bat
  4. nmake -f ms\ntdll.mak
  5. nmake -f ms\ntdll.mak test (all tests passed)
  6. nmake -f ms\ntdll.mak install

Running the openssl command succeeds:

C:\local\openssl\bin>openssl version 
  
OpenSSL 1.0.0a 1 Jun 2010
Posts

Network Policy Service error – eventid 4402

Posted on by Geoff / 0 Comment

I’ve been working on deploying a load-balanced Remote Desktop Gateway service. I deployed the first farm member, then cloned it to create a second member. The second member was throwing Error events, which has the description "There is no domain controller available for domain CAMPUS."

Now, I know that the domain controllers are up and available. I remembered having fixed this at some point with the Terminal Services Gateway box I set up originally.

Google pointed be to a technet blog entry describing the solution(s).

nps-error-fix

When I selected Register server in Active Directory, I received an error because the account I was using didn’t have rights to modify the the AD objects. And that explains why this system as having the problem: when I joined the cloned system to the domain, I was not using a domain admin account.

I logged back in as a domain admin and reran the registration step. Done, and blogged for my future reference.

Posts

Server 2008 R2 DNS client issues

Posted on by Geoff / 0 Comment

We use BIND for our DNS, and allow certain systems to perform dynamic DNS registration. This arrangement has worked well for years. When I started deploying Server 2008 R2, I noticed that they weren’t registering PTR records.

At the same time, I noticed a bunch of errors that seemed to indicate that Dynamic DNS wasn’t working at all. It turns out this is a false error, due to the differently formatted, but still correct, success message returned by the BIND DNS. (see KB977158 for details)

After spending lots of time doing packet captures (thanks for your help, Sam!), I opened an issue with Microsoft. After collecting a few traces to analyze, they determined that the same differently formatted success message was responsible.

I installed the KB977158 hotfix, and now my Server 2008 R2 hosts are successfully registering their PTR records.

Posts

PowerShell – find a free IP

Posted on by Geoff / 0 Comment

Since we don’t use DHCP in our server subnets, I frequently have to locate free IP addresses when deploying a server. I remembered reading a TechNet Magazine article by Don Jones that used the PowerShell PROCESS block and the Win32_PingStatus WMI class in a sample script.

I took that and rewrote the function a little:

function Ping-Address {
  PROCESS {
    $ping = 'unreachable'
    $formatstring = "{0,-15}  {1,-12} {2}"
    $queryString  = "SELECT * FROM Win32_PingStatus"
    $queryString += " WHERE Address = '$_' AND"
    $queryString += " ResolveAddressNames = $true"
    $results = Get-WmiObject -query $queryString
    
    foreach ($result in $results) {
      if ($results.StatusCode -eq 0) {
        $ping = 'ping!'
      }
    }
    $formatstring -f $_,$ping,$results.ProtocolAddressResolved
   }
}

I can then use this function like so:

PS Z:\> (14..20) | %{ '132.198.59.'+ $_.ToString()} | Ping-Address
132.198.59.14    ping!        132.198.59.14
132.198.59.15    ping!        132.198.59.15
132.198.59.16    ping!        xxxxxxx.campus.ad.uvm.edu
132.198.59.17    ping!        xxxxxxx.uvm.edu
132.198.59.18    unreachable
132.198.59.19    ping!        xxxx.uvm.edu
132.198.59.20    unreachable

I’ve already used it a bunch of times. I think I will probably grow this into a real script, taking the IP address range info as parameters. Another day.

Posts

2008 R2 DCDIAG errors with NIC teaming

Posted on by Geoff / 1 Comment

I’m in the process of deploying a couple new Server 2008 R2 domain controllers. I’m using two IBM blades, each having a pair of Broadcom NICs that I configured in fault-tolerance teams.

In trying to verify the configuration of one of the DCs, I used the command:

dcdiag /test:dns

The output surprised me:

Starting test: Connectivity 
    Message 0x621 not found. 
    Got error while checking LDAP and RPC connectivity. Please check your firewall settings. 
    ......................... CDC01 failed test Connectivity

I ran the command from a Server 2008 Sp2 (not R2) host:

dcdiag /s:cdc01 /test:dns

The test passed without error. Strange. I verified firewall and DNS. Then turned to the hivemind. This post shows similar behavior. This post on the TechNet forums identified the NIC Team as a probable source, and a contributor referenced a hotfix KB978387 for a bug in dcdiag on Server 2008 R2 on systems with NIC Teams.

Installed and now the test passes:

Starting test: Connectivity
   ......................... CDC01 passed test Connectivity

I spent much of my day working on this, and on tracking the connections to AD by clients using unsigned SASL binds or LDAP simple binds without an encrypted connection.

Posts

Capture Windows VM memory dump in ESX

Posted on by Geoff / 0 Comment

I’m working with Microsoft to identify a problem I’m seeing with LSASS, possibly related to the VSS snapshot created by our backup software. At this point, I need to be able to capture the memory state on the system, even if I can’t log into the box.

There are several ways to trigger a crash in order to collect a memory dump, but this system is a guest running in VMWare VSphere (ESX4). I asked VMWare support, and they pointed me to KB article 1009187, Generating a Windows core dump from an ESX virtual machine.

I configured my test system guest to crash and collect a memory dump on an NMI event, then used the vmdumper command to send the NMI to the guest.

It worked like a champ:

vm-crash-nmi

I verified the integrity of the dump file with dumpchk. It looks good. I’m setting the same thing up on my production guest.

Posts

NERCOMP WordPress University 2010

Posted on by Geoff / 0 Comment

Yesterday, I attended the NERCOMP WordPress University SIG, a showcase of what some folks are doing with WordPress.

wpuni2010

First session: Jay Colier, Web Communications Manager, Bates College

http://next.batesweb.net/

Described reworking Bates College’s web presence to identify and streamline paths that guide people through different stages of connection to the institution. Traditionally, each stage (e.g., applicant, student, alumnus, etc.) was a separate silo. Lots of good, high-level analysis. WordPress allowed Jay to implement a redesigned site with minimal resources, but a robust result. Easy content development for contributing departments.

Continue reading →

Posts

Microsoft Courier

Posted on by Geoff / 0 Comment

Engadget has posted a video and review of the new Microsoft Courier interface demo. The device appears to comprise two screens, hinged in the middle like a book. The example user interactions are quite impressive.

I find this form-factor more compelling that the iPad and other current slate-style tablet devices. Although the engadget review suggest that the device may be targeted at creative workers, I can see something with this flexibility working really well for students, too.