Kerberos Error KDC_ERR_POLICY while trying to access a resource in the Trusted forest (Forest Trust)

Symptoms: Forest1 = 2003dom.local; Forest2 = 2008dom.local. A 2-way Forest Trust is created between them, with forest-level authentication. A user from Forest2 accesses a server in the trusted Forest1, i.e. \\2003-dc1.2003dom.local. Here is what I see in the network capture on the source machine in Forest2: 2008-dc1.2008dom.local -> 2003-dc1.2003dom.local, KerberosV5: TGS Request, Realm: 2003DOM.LOCAL, Sname: cifs/2003-dc1.2003dom.local; 2003-dc1.2003dom.local -> 2008-dc1.2008dom.local, KerberosV5: KRB_ERROR…


Tracing down user and computer account deletion in Active Directory

In order to find out about user and computer account deletion, you must have “Account Management” auditing enabled beforehand. Account Management auditing needs to be enabled as follows: at the Domain Controllers OU level, edit the “Default Domain Controller” policy to enable auditing: Computer configuration > Windows settings > Security settings > Local…

Netmon’s view of Kerberos communication when accessing resources across domains in the same forest.

Domain setup: Both Child1 and Child2 are in the same forest, with the same parent domain R2dom.local. The administrator of the child domain CHILD1 logs on to a member server (CH1-Mem) in the CHILD1 domain. After logging on, the user tries to access \\r2dom-ch2-Mem1. R2dom-ch2-Mem1 is a member server in the Child2 domain. …

Should IIS be installed on Domain Controller

I have come across various scenarios where system administrators have installed IIS on domain controllers. They do it to make effective use of the server hardware, to cut costs by avoiding the need for another server for IIS, because some application that must be installed on the DC requires IIS, etc. Microsoft does NOT recommend IIS…

Error: "The parameter is incorrect" when connecting to a server using WMI.

You test WMI connectivity remotely using WBEMTEST and get the error “The parameter is incorrect”. Analysis: A network trace taken during the issue shows that communication happens on TCP port 135, but after that the secondary connection for the other DCOM/WMI interfaces does not happen on the dynamic RPC ports (above 1024). All ports between the client and the target server…

Troubleshooting the error "Not enough storage is available to complete this operation"

I have come across a few issues where I have seen the above error. Below are two scenarios of the issue and the symptoms that I’ve noticed during that time.
· Domain workstations going into a state where they are unable to access resources over the network.
· Member servers unable to access network resources…

Troubleshooting the “RPC server is unavailable” error reported in a failing AD replication scenario.

In this scenario we are troubleshooting AD replication between 2 DCs separated by a firewall. To ensure that the well-known ports required in a domain environment are open on the firewall between these DCs, use the PortqryUI tool. PortqryUI: http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&displaylang=en Run this tool on both DCs…

Windows 7 – Applocker

Windows AppLocker, a new feature in Windows 7 and Windows Server 2008 R2, is an alternative to the Software Restriction Policies feature.
New with AppLocker
==================
· Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules…


Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

Preventing unwanted/accidental deletions. Windows 2003: Use delegation to restrict deletion activity to only selected admins.
· Create a group containing the users who should NOT have delete permission on a set of objects in AD.
· Deny that group the Delete and Delete Subtree permissions on specific organizational units (OUs)…
