Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ

Consider the following scenario: a NAP solution with a remediation zone (aka noncompliant network) for incoming clients; an RODC in the remediation zone subnet has been assigned to an AD site called ‘RemediationSite’; the remediation subnet has been assigned to the RODC in the ‘RemediationSite’ site; firewall rules prevent the incoming clients in the RemediationSite site from talking to…

Troubleshooting RODC’s: Troubleshooting domain joins against RODC’s

So, the first question… do you need to deploy the RODC compatibility pack on your XP/2003 clients if you want to deploy RODC’s? For domain joins (and password changes) against an RODC the answer is most definitely yes. One of the most important changes implemented in the compack is how the client calls the DsGetDCName function…

Troubleshooting account lockout the PSS way

I’ve been thinking for some time about pulling together the typical approaches we use when troubleshooting account lockout issues. So… here is the CSS/PSS approach to troubleshooting Account Lockouts. #1 – Look at the Account Lockout Threshold policy that is defined for the Domain. Applications commonly do several retries of logons if the first logon…

The Windows Filtering Platform has blocked a bind to a local port

You may notice event 5159 being logged on your Windows 2008 Server(s) indicating a connection has been blocked/dropped, etc. The Process ID will indicate which application was blocked (tasklist /SVC can be used to get details on running PID’s) and which protocol was involved. The actual enforcement of the firewall rules is done by WFP through…

Can’t find script engine "VBScript" for script after installing MS10-020

Summer is here and support volumes trickle down to a minimum as people jump into their SUV’s and drive off into the wild blue yonder. Having said that, I encountered the following interesting issue: We installed the fix from KB 981332 on a Windows 2008 R2 server and after that we’re not able to run any VBS script. When…

Considerations for implementing Credential Roaming

Credential Roaming is the replacement or alternative to using Roaming Profiles (or RUP – Roaming User Profiles). The biggest drawback to using RUP has always been that the profile tends to grow bigger as time goes by (raise your hand if you’ve ever saved a file on your desktop). One of the primary reasons for…

What happens in a Journal Wrap?

FRS is a multi-master replication system that takes care of replicating the contents of Sysvol between all DC’s in the domain (it can also replicate normal data but we’re primarily interested in Sysvol replication in this blog entry). With proper care and maintenance, Post-SP2 FRS on W2k3 is pretty stable and happily hums along as long…

QFE vs GDR/LDR hotfixes

I sometimes get the following question from customers: I’ve located KB ABC which is an exact match for our problem, but the build number of the files in it are from an older version than hotfix XYZ which we already have installed on our systems. Why isn’t my problem resolved by hotfix XYZ if it contains…

The magical 2 minute logon delay mystery

Some time ago I had an interesting escalation where the problem description was as follows: I’m running a Citrix MetaFrame Presentation Server farm with around 20 servers in it, after about 2 days my users start getting a logon delay of *exactly* 2 minutes. If I reboot the server everything returns back to normal but the…

Deconstructing the Smartcard Removal Policy Service

Windows Vista and Windows Server 2008 introduced a new service that is dedicated to monitoring the removal of smartcards on the system and handling of the event as defined by the Smartcard Removal Policy service (ScRemoveOption) that is configured for the system. This service (ScPolicySvc) is hosted in one of the svchost.exe processes on the…