
Client Interactions

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com


Presentation Transcript


  1. Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Client Interactions

  2. Active Directory Troubleshooting: Client Interactions

  3. Client Applications
     • Kerberos and NTLM authentication
     • Secure Channel
       • password changes, NTLM pass-through, Kerberos PAC validation
     • Group Policy client
     • DFS client
     • Certificate Autoenrollment client

  4. Client Applications
     • NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway)
       • group membership, Dial-In tab
     • RD Host (Terminal Server)
       • Remote Control tab etc., Licensing servers
     • DHCP Server
       • authorization
     • IIS
       • account and group membership for SSL certificate authentication
     • WDS
       • computer MAC addresses or GUIDs

  5. Site Design Scenarios [diagram: one Central site with nine Branch sites]

  6. Site Design Scenarios [diagram: three Office sites]

  7. Site Design Scenarios [diagram: one Central site with six Branch sites]

  8. Network Interactions Recap (DC Location) [diagram: Client 2000+ → DNS "SRV: Any DC List" → Any DC 2000+ "LDAP UDP Get My Site" → DNS "SRV: My Site DC" → My Site DC 2000+]

  9. Network Interactions Recap (2008/Vista+ DC Location) [diagram: Client Vista+ → DNS "SRV: Any DC List" → Any DC 2008+ "LDAP UDP Get My Site" (returns My Site and Next Closest Site) → DNS "SRV: My Site DC" → My Site DC 2000+; DNS "SRV: Close Site" → Close Site DC 2000+]

  10. Network Interactions (Network Logon) [diagram: App Traffic between Client 2000+ and Server 2000+ (Kerberos, SMB, D/COM, in-band TGS: Server, NTLM); Client to DC 2000+: TGT: User, TGS: Server; Server to DC 2000+: NTLM pass-through and occasional PAC validation over D/COM dynamic TCP]

  11. Connection Properties
     • Bandwidth (Mbps)
       • forget about this
     • Latency (ms)
       • round-trip-time (RTT)
       • SMB, D/COM, SQL
     • Packet Loss (per sec., per Mb)
       • packet loss rate (PLR)
       • VPN such as PPTP, SSTP, IP-HTTPS

  12. Timeouts
     • DNS
       • primary DNS = 1 sec.
       • secondary DNSs = 2 sec.
       • ... 1 2 2 4 8 ...
     • ARP
       • ... 600 ms 1000 ms
     • LDAP UDP Site Location
       • 600 ms
     • TCP
       • SYN = 21 sec. (3x retransmission)
       • PSH/ACK = 93 sec. (5x retransmission)
       • ... 3 6 12 24 48 ...
     • Kerberos (TCP, 3 attempts, KdcSendRetries)
       • 63 sec.

  13. Basic DC Location
     • Know the DNS name of the domain
     • Query general DNS DC SRV records
       • _ldap._tcp.dc._msdcs.idtt.local
     • Ping DC
       • Windows 2003-
     • LDAP UDP (ping) DC
       • to get the client's site/close site

  14. Site DC Location
     • Site unaware lookup
       • NSLOOKUP
       • SET Q=SRV
       • _ldap._tcp.dc._msdcs.idtt.local
     • Site specific lookup
       • NSLOOKUP
       • SET Q=SRV
       • _ldap._tcp.Paris._sites.dc._msdcs.idtt.local

  15. Lab: Finding DCs Manually
     • Use NSLOOKUP to query for the generic DC list
       • NSLOOKUP
       • SET q=SRV
       • _ldap._tcp.dc._msdcs.idtt.local

  16. Site Example – Single Site [diagram: site London 10.10.x.x with DC1–DC5 and the Client]

  17. Site Example – Multihomed DC (DNS Bitmask Ordering OK) [diagram: sites Paris 10.20.x.x and London 10.10.x.x; DC1–DC5; Client]

  18. Site Example – Multihomed DC (DNS Bitmask Ordering Error) [diagram: sites Paris 10.20.x.x, London 10.10.x.x and Roma 10.30.x.x; DC1–DC5; Client]

  19. DNS Record Priority and Weight

  20. Site Awareness [diagram: sites Paris 10.20.x.x (DC4), Roma 10.30.x.x (DC6), London 10.10.x.x (DC1, DC2, DC3), Berlin 10.50.x.x (DC5); the Client sends an anonymous LDAP UDP query "where am I?"]

  21. General Operation
     • Use DNS to find generic DC list
     • Ping selected DC
       • Windows 2003-
     • Anonymous LDAP (UDP) to determine site
       • DC defines site from the request source IP address (NAT?)
     • Use DNS to find close DC in site
     • Ping or LDAP UDP to determine availability
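The locator sequence above, replayed by hand as an added example (not from the deck): the site-unaware SRV lookup, the site-specific lookup, record ordering by priority and weight, and an availability check. It assumes the deck's domain idtt.local and site Paris, and a Windows 8 / Server 2012 or newer client (Resolve-DnsName, Test-NetConnection).

```powershell
# Added example, not from the original deck: replay the DC Locator's DNS steps by hand.
# Assumes a Windows 8 / Server 2012 or newer client (Resolve-DnsName, Test-NetConnection)
# and the deck's domain idtt.local with a site named Paris.
param(
    [string]$Domain = 'idtt.local',
    [string]$Site   = 'Paris'
)

function Get-DcSrvRecords {
    param([string]$SrvName)
    # Returns SRV records sorted the way a client prefers them:
    # lowest Priority first, then highest Weight within the same priority.
    Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

# Step 1: site-unaware lookup, the generic DC list (_ldap._tcp.dc._msdcs.<domain>)
$generic = @(Get-DcSrvRecords "_ldap._tcp.dc._msdcs.$Domain")
"Generic DC list for $Domain ($($generic.Count) records):"
$generic | Format-Table -AutoSize | Out-String

# Step 2: site-specific lookup (_ldap._tcp.<site>._sites.dc._msdcs.<domain>)
$siteDcs = @(Get-DcSrvRecords "_ldap._tcp.$Site._sites.dc._msdcs.$Domain")
if ($siteDcs.Count -eq 0) {
    # An empty site: no DC has registered itself for it (see Automatic Site Coverage)
    "No DC registered for site $Site; clients there fall back to the generic list."
    return
}
"DCs registered for site $Site ($($siteDcs.Count) records):"
$siteDcs | Format-Table -AutoSize | Out-String

# Step 3: availability. The real locator pings / LDAP-pings the DC over UDP;
# a TCP connect to the LDAP port stands in for that here.
foreach ($dc in $siteDcs) {
    $up = Test-NetConnection -ComputerName $dc.NameTarget -Port $dc.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-30} priority={1} weight={2} ldap_tcp_reachable={3}' -f `
        $dc.NameTarget, $dc.Priority, $dc.Weight, $up
}
```

Run it from a client in the site being diagnosed; a DC that is listed in the generic record set but missing from the site-specific one is the multihomed or empty-site case the following slides walk through.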

  22. DC Locator
     • NetLogon Service
     • nltest /sc_query:idtt
       • no network access
     • nltest /sc_verify:idtt
       • tries to authenticate with the DC
     • nltest /sc_reset:idtt
       • always performs new DNS lookup
     • nltest /dsgetsite
       • anonymous query against selected DC

  23. Lab: Check NLTEST Usage
     • Use NLTEST to query, verify and reset the secure channel from Seven2 to its London DCs

  24. Limit UDP Site Location to a Central Site? [diagram: sites Paris 10.20.x.x (DC4), Roma 10.30.x.x (DC6), London 10.10.x.x (DC1, DC2, DC3), Berlin 10.50.x.x (DC5); the Client sends the anonymous LDAP UDP query "where am I?"]

  25. Limiting Generic DC List
     • Limit creation of generic DC DNS records
       • GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records
       • DC Locator DNS Records not Registered
       • Dc Kdc

  26. Limiting Generic DC List (Wise?) [diagram: one Central site with nine Branch sites]

  27. Limiting Generic DC List (Wise?) [diagram: three Office sites]

  28. DFS Client (MUP)
     • Multiple UNC provider (MUP) driver
     • Determines its own DFS server referrals
       • obtains the list of DFS root servers from AD using the default DC from Netlogon
       • SYSVOL may be accessed from a different DC
     • DFSUTIL /PKTINFO
       • Windows Server 2003/Windows XP
     • DFSUTIL CACHE REFERRAL
       • Windows Server 2008/Windows Vista

  29. DFS Context Menu

  30. Site Example – Empty Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7, with DC4 and DC5 appearing twice; Client]

  31. Site Example – Empty Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7, with DC1–DC5 appearing twice; Client]

  32. Site Example – Empty Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7, with DC1–DC3 appearing twice; site link costs 50 and 100; Client]

  33. Automatic Site Coverage
     • Each DC registers itself for its neighboring empty sites
       • HKLM\System\CurrentControlSet\Services\Netlogon
       • AutoSiteCoverage = DWORD = 1/0
     • GPO: Sites Covered by the DC Locator DNS SRV Records

  34. Active Directory Troubleshooting: Misplaced or Confused Clients

  35. Site Example – Out of Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7; Client at 10.100.0.7, outside every site's subnets]

  36. Super-netting or Sub-netting

  37. Out-of-site Clients

  38. Out-of-site Clients

  39. Limiting Generic DC List [diagram: sites Paris 10.20.x.x, London 10.10.x.x (DC1, DC2, DC3), Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; Client at 10.100.0.7]

  40. DC Stickiness
     • Once a close DC is selected, the client sticks to it
       • even when moved into a different site
       • must reset secure channel
     • Force rediscovery interval GPO
       • Vista+
       • hotfix for Windows XP
       • also registry value ForceRediscoveryInterval

  41. Site Example – Until Restart/24 hours [diagram: site London 10.10.x.x with DC1, DC2, DC3 and nine Clients]

  42. Site Example – Moving Client [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7, with DC4 and DC5 appearing twice; Client, previously in Paris]

  43. Lab: Moving the Client
     • On Seven2 verify the current DC in use
       • NLTEST /sc_query:idtt
     • Move the client into Paris and update group policy
       • GPUPDATE
     • Verify the current DC in use again
       • the client should still use the same DC although it is in a remote site (stickiness)
     • Reset the secure channel several times and determine the result
       • NLTEST /sc_reset:idtt
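A check for the stickiness this lab demonstrates, as an added example (not from the deck): it reads the cached secure channel DC with nltest /sc_query, asks the DC for the client's site with nltest /dsgetsite, and compares the DC against the site-specific SRV record set. It assumes the deck's domain (NetBIOS name idtt, DNS name idtt.local) and a Windows 8 / Server 2012 or newer client for Resolve-DnsName.

```powershell
# Added example, not from the original deck: after moving a client to another site,
# tell whether it is still stuck to its old DC. Assumes the deck's domain (NetBIOS
# name idtt, DNS name idtt.local) and a Windows 8 / Server 2012 or newer client.
param(
    [string]$NetbiosDomain = 'idtt',
    [string]$DnsDomain     = 'idtt.local'
)

function Get-SecureChannelDc {
    # "nltest /sc_query" reads the cached secure channel, no network access needed;
    # it prints a line like:  Trusted DC Name \\DC1.idtt.local
    $out = nltest "/sc_query:$NetbiosDomain" 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    throw "No secure channel to ${NetbiosDomain}: $($out -join ' ')"
}

function Get-ClientSite {
    # "nltest /dsgetsite" asks the selected DC which site the client's IP maps to;
    # the site name is the first output line.
    $out = @(nltest /dsgetsite 2>&1)
    if ("$($out[0])" -match 'failed') { throw "Site lookup failed: $($out -join ' ')" }
    return "$($out[0])".Trim()
}

function Get-SiteDcs {
    param([string]$Site)
    # DCs that registered the site-specific record _ldap._tcp.<site>._sites.dc._msdcs.<domain>
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
}

$dc      = Get-SecureChannelDc
$site    = Get-ClientSite
$siteDcs = @(Get-SiteDcs -Site $site)

"Secure channel DC : $dc"
"Client site       : $site"
"DCs in that site  : $($siteDcs -join ', ')"

if ($siteDcs -contains $dc.TrimEnd('.').ToLower()) {
    'OK: the client uses a DC from its own site.'
} else {
    "STUCK: $dc is not registered for site $site; run nltest /sc_reset:$NetbiosDomain to rediscover."
}
```

Run it on Seven2 before and after the move: the secure channel DC stays the same while the reported site changes to Paris, which is exactly the stuck state the lab asks you to observe before resetting.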

  44. Active Directory Troubleshooting: Client Failover

  45. Site Example – Failed DC [diagram: sites Paris 10.20.x.x, Roma 10.30.x.x, London 10.10.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x; DC1–DC7; Client]

  46. Lab: Client Failover
     • Move the client into Cyprus
     • Reset the secure channel and verify it has been connected to DC5
     • Unplug DC5 from the network
     • Update group policy
       • GPUPDATE
     • Verify the resulting DC in use
       • NLTEST /sc_query:idtt

  47. Non-close Site DC
     • Close site
       • client's site
       • next closest site if enabled
     • If there is no DC available in the close site, rediscovery every 15 minutes
       • HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
       • CloseSiteTimeout = REG_DWORD = x seconds

  48. Site Example – Next Close Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7; Client]

  49. Site Example – Close Site [diagram: sites Paris 10.20.x.x, London 10.10.x.x, Berlin 10.50.x.x, Roma 10.30.x.x and Cyprus 10.40.x.x; DC1–DC7; site link costs 50 and 100; Client]

  50. Site Example – Close Site [diagram: same sites and DCs as slide 49 with the site link costs swapped, 100 and 50; Client]
