Join and Authentication Issues
Source: http://technet.microsoft.com/en-us/library/cc961817(d=printer).aspx (Windows 2000 Server Resource Kit, Distributed Systems Guide; printed 3/18/2014)
If you can't join a computer to an Active Directory domain, or if a computer can't communicate with any other computer in the network, the situation might be the result of join and authentication problems.
This section discusses diagnostic tools and gives examples of possible authentication problems, along with suggested solutions. The first step toward identifying and diagnosing Active Directory join and authentication problems is to review how a Windows 2000-based computer joins a domain, what permissions are required by a user, and how a secure channel is established.
Joining a Computer to a Domain
To review, when you join either a Windows NT 4.0-based or a Windows 2000-based client to a domain, the following occurs:
The domain name is validated.
A domain controller in the domain is located through a call to DsGetDcName.
A session is established with the domain controller under the security context of the passed-in credentials that are supplied in the Network Identification tab under System Properties in Control Panel.
The computer account is enabled. If the flags are so specified (NETSETUP_ACCT_CREATE), the APIs create the computer account on the domain controller.
The local password for this account is created in the Local Security Authority (LSA).
The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the domain SID.
Note
For a Windows 2000-based client only, the LSA policy consists of the domain name, domain SID, DNS domain name, DNS forest name, and domain GUID.
The DNS name assigned to the local computer is updated.
The local group membership is changed to add members of the Domain Admins group to the local Administrators group.
The Net Logon trusted domain cache is initialized to the trusted domains' domain list.
For Windows 2000-based clients only, the Windows Time Service is enabled and started.
The Net Logon service is started.
Changes Occurring on Domain Controllers in the Domain That the Client Is Joining
When a client joins a domain, the following changes occur on Windows NT 4.0-based and Windows 2000-based domain controllers:
A computer object is created. The name of this object is generated by appending a dollar sign ($) to the name (uppercase letters) of the client.
On Windows 2000-based domain controllers only, the Net Logon service creates Service Principal Names (SPNs) on the computer object.
Identifying Whether You Have a Problem Authenticating
You can identify whether you have a problem authenticating (or joining) a computer to a domain by verifying that the local workstation is working. Do this by running the Netdiag tool. Read the output from the top, and look for the words "ERROR" or "FATAL." (Many failures are not relevant to the domain itself, but you should follow up on them because they involve network connectivity issues.) If you don't find these words in the output, continue as follows:
Run netdiag /v (verbose mode). Do you receive any specific error messages or FATAL errors?
If the answer to the preceding question is "No," run netdiag /debug. Do you receive any specific error messages or FATAL errors?
If Netdiag displays an error or failure with the domain itself, check the %SystemRoot%\debug\netsetup.log file for join errors.
Note
If the local workstation is functional, examine the Netsetup.log file that is located in the %SystemRoot%\debug folder. (This is where the join process is logged.) Are any specific error messages logged?
Format of Netsetup.log File
A typical line in Netsetup.log is formatted as follows:
<time-stamp> <function-name>: <description of operation>: <status code in hexadecimal>
An example is the following:
08/11 14:08:29 NetpJoinDomain: status of connecting to dc '\\DC9': 0x0
The description of the join operation is usually self-explanatory. The status code is a NET_API_STATUS or Win32 error code. A "0x0" code indicates success; any other code indicates an error.
Specific Join Issues
You might encounter problems when you join your computer to a domain. Even though these problems are reported as join problems, some of the most frequently reported ones are not related to the join process. Looking at the Netsetup.log is sufficient to quickly spot such cases.
The following are some of the most common errors that relate to join issues:
Failure to find or to connect to a domain controller.
Transient network conditions or having specified an incorrect domain name.
Failure to create a computer account.
The error code shown in Table 10.6 comes under this category.
Table 10.6 "Failure to find a domain controller" Error Code
Description | Actual Error | Error Code
Failure to find or connect to a domain controller. | ERROR_NO_SUCH_DOMAIN | 1355
The following is an example of this error:
07/20 16:51:10 NetpDsGetDcName: trying to find DC in domain 'verylongdomain1', flags: 0x1020
07/20 16:51:11 NetpDsGetDcName: failed to find a DC having account 'A-USHAS2-80C$': 0x525
07/20 16:51:11 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
07/20 16:51:11 NetpDoDomainJoin: status: 0x54b
The join process usually tries to find a domain controller that already has a computer account for the computer that is currently being joined to the domain. If such a domain controller is not found, it tries to find another domain controller. The preceding example shows that the join domain operation failed because a domain controller was not located for the specified domain.
To investigate further, run nltest /dsgetdc:<domain-name> and examine the output. If you still receive errors, either the domain really does not exist or there is a transient network error that is preventing domain controller discovery. By running Netdiag.exe and examining the output, you usually can determine the cause. A "Failure to connect to a domain controller" message usually means that transient network errors or insufficient credentials are the cause. Table 10.7 shows some error codes that come under this category.
Table 10.7 "Failure to connect to a domain controller" Error Codes
Description | Actual Error | Error Code
Bad credentials. | ERROR_LOGON_FAILURE | 1326
Time skew that can cause failure of Kerberos authentication. | ERROR_TIME_SKEW | 1398
Failure to connect to a domain controller. | ERROR_ACCESS_DENIED | 5
No domain controller found. | ERROR_NO_LOGON_SERVERS | 1311
The following is an example of this type of error code:
07/20 14:47:34 NetpDsGetDcName: trying to find DC in domain 'reskit', flags: 0x1020
07/20 14:47:50 NetpDsGetDcName: failed to find a DC having account 'TO_A$': 0x525
07/20 14:47:50 NetpDsGetDcName: found DC '\\reskit' in the specified domain
07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
07/20 14:47:50 NetpJoinDomain: status of connecting to dc '\\reskit: 0x52e
07/20 14:47:50 NetpDoDomainJoin: status: 0x52e
The previous example shows a failed attempt to find a domain controller having the account 'TO_A$'. This is not a fatal error because the code then tries to find any domain controller in the specified domain. After a domain controller is found, an attempt is made to connect to it by using the credentials that are supplied. This attempt failed with error 0x52e (ERROR_LOGON_FAILURE), the same value 1326 that NetUseAdd returned on the line before it. This indicates that the domain controller rejected the supplied credentials (bad user name or password), so no session could be established.
To confirm the preceding analysis, run an equivalent command from the command prompt:
net use \\dcname\ipc$ /u:<domain\user> <password>
Note
You need to perform the net use if you failed to connect to the domain controller. If you failed to find the domain controller, you should perform nltest /dsgetdc:<domain-name> to try to locate the domain controller.
If this fails with the same error, a Network Monitor sniffer trace of the join operation would be helpful in diagnosing the failure.
If you receive the error "Failure to create a computer account," it usually means that either the account already exists or that there are insufficient access rights available to the user who is trying to join. Table 10.8 shows the error codes that come under this category.
Table 10.8 "Failure to create a computer account" Error Codes
Description | Actual Error | Error Code
The computer account usually exists already, and security on that account does not allow you to join, usually because the computer was joined previously by using different credentials. | ERROR_ACCESS_DENIED | 5
The user has joined so many computers that he has exceeded the default per-user computer quota (by default, 10). | ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED | 8557
The specified user already exists. | ERROR_USER_EXISTS | 2224
The following example indicates an access denied error.
08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x5
The following example indicates there is no error.
08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x8b0
08/11 14:08:30 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC9' for 'A-ERINCO-TBCB$': 0x0
This is not an error because the NetUserAdd operation fails with 0x8b0 (NERR_UserExists), which indicates that the computer account already exists on that domain controller; the join then proceeds to set a new password on the existing account (status 0x0 on the next line).
Note
Failure usually occurs when the account already exists. Error 5 occurs if the user does not have access to the existing account; if the user does have access, the attempt to set a new password on the account succeeds and the join continues.
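As an added example (not part of the Resource Kit), the following Python parses Netsetup.log lines in the format described under "Format of Netsetup.log File" and sorts a join attempt into the three failure categories of Tables 10.6 through 10.8. It treats the recoverable non-zero statuses discussed above as benign: 0x525 from NetpDsGetDcName (the join falls back to any domain controller), 0x8b0 from NetUserAdd (the account exists and its password is reset), and 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) from NetpLsaOpenSecret, which appears in the successful join log later in this section. The sample logs are the excerpts quoted on this page; the account-exists sample has one constructed final NetpDoDomainJoin line appended, and the code-to-name table covers only the codes this section lists.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Status codes from Tables 10.6 through 10.8 and the excerpts above (NET_API_STATUS / Win32).
STATUS_NAMES = {
    0x0: "NERR_Success",
    0x5: "ERROR_ACCESS_DENIED",
    0x51f: "ERROR_NO_LOGON_SERVERS",        # 1311
    0x525: "ERROR_NO_SUCH_USER",            # 1317: no DC holds this computer's account yet
    0x52e: "ERROR_LOGON_FAILURE",           # 1326: bad credentials
    0x54b: "ERROR_NO_SUCH_DOMAIN",          # 1355
    0x576: "ERROR_TIME_SKEW",               # 1398
    0x8b0: "NERR_UserExists",               # 2224: ERROR_USER_EXISTS
    0x216d: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED",  # 8557
}

# Non-zero statuses the join code recovers from by itself, as the text explains.
BENIGN = {
    ("NetpDsGetDcName", 0x525),                  # falls back to any DC in the domain
    ("NetpManageMachineAccountWithSid", 0x8b0),  # account exists; its password is reset instead
    ("NetpLsaOpenSecret", 0xc0000034),           # STATUS_OBJECT_NAME_NOT_FOUND: no old secret
}

@dataclass
class Entry:
    timestamp: str
    function: str
    description: str
    status: Optional[int]       # None when the line carries no status code

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (\w+)(.*)$")
HEX_TAIL = re.compile(r"^(.*?):?\s*(0x[0-9a-fA-F]+)$")
DEC_TAIL = re.compile(r"^(.*\breturned)\s+(\d+)$")    # 'NetUseAdd ... returned 1326'

def parse_line(line: str) -> Optional[Entry]:
    """Split '<time-stamp> <function-name>: <description>: <status>' into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    timestamp, func, rest = m.group(1), m.group(2), m.group(3).lstrip(": ")
    status = None
    hex_m, dec_m = HEX_TAIL.match(rest), DEC_TAIL.match(rest)
    # Only Net*/Netp* functions log a result; 'Options: 0x40001' and '..., flags: 0x1020'
    # are parameters and must not be read as statuses.
    if func.startswith("Net") and hex_m and not hex_m.group(1).rstrip().endswith("flags"):
        rest, status = hex_m.group(1).rstrip(": "), int(hex_m.group(2), 16)
    elif func.startswith("Net") and dec_m:
        rest, status = dec_m.group(1), int(dec_m.group(2))
    return Entry(timestamp, func, rest, status)

def categorize(e: Entry) -> str:
    """Map a failing entry onto the three failure categories of this section."""
    if e.function == "NetpDsGetDcName" or e.status in (0x54b, 0x51f):
        return "failure to find a domain controller"
    if "NetUserAdd" in e.description or e.status in (0x8b0, 0x216d):
        return "failure to create a computer account"
    if e.function == "NetUseAdd" or "connecting" in e.description or e.status in (0x52e, 0x576, 0x5):
        return "failure to connect to a domain controller"
    return "other"

def diagnose(log_text: str) -> dict:
    """Report the first non-benign failure of a join attempt, or success."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = [e for e in entries
                if e.status not in (None, 0) and (e.function, e.status) not in BENIGN]
    final = next((e for e in reversed(entries)
                  if e.function == "NetpDoDomainJoin" and e.status is not None), None)
    if not failures and final is not None and final.status == 0:
        return {"ok": True, "status": 0, "name": STATUS_NAMES[0], "category": None, "line": None}
    culprit = failures[0] if failures else final
    if culprit is None:
        return {"ok": False, "status": None, "name": "incomplete log", "category": None, "line": None}
    return {"ok": False, "status": culprit.status,
            "name": STATUS_NAMES.get(culprit.status, f"0x{culprit.status:x}"),
            "category": categorize(culprit),
            "line": f"{culprit.function}: {culprit.description}"}

# Sample logs: the excerpts quoted on this page (raw strings keep the UNC backslashes).
NO_DOMAIN = r"""07/20 16:51:10 NetpDsGetDcName: trying to find DC in domain 'verylongdomain1', flags: 0x1020
07/20 16:51:11 NetpDsGetDcName: failed to find a DC having account 'A-USHAS2-80C$': 0x525
07/20 16:51:11 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
07/20 16:51:11 NetpDoDomainJoin: status: 0x54b"""

BAD_CREDENTIALS = r"""07/20 14:47:34 NetpDsGetDcName: trying to find DC in domain 'reskit', flags: 0x1020
07/20 14:47:50 NetpDsGetDcName: failed to find a DC having account 'TO_A$': 0x525
07/20 14:47:50 NetpDsGetDcName: found DC '\\reskit' in the specified domain
07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
07/20 14:47:50 NetpJoinDomain: status of connecting to dc '\\reskit: 0x52e
07/20 14:47:50 NetpDoDomainJoin: status: 0x52e"""

ACCESS_DENIED = r"""08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x5"""

# The account-exists case, with a constructed final status line appended for completeness.
ACCOUNT_EXISTS = r"""08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x8b0
08/11 14:08:30 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC9' for 'A-ERINCO-TBCB$': 0x0
08/11 14:08:31 NetpDoDomainJoin: status: 0x0"""

if __name__ == "__main__":
    for name, sample in [("NO_DOMAIN", NO_DOMAIN), ("BAD_CREDENTIALS", BAD_CREDENTIALS),
                         ("ACCESS_DENIED", ACCESS_DENIED), ("ACCOUNT_EXISTS", ACCOUNT_EXISTS)]:
        print(name, diagnose(sample))
```

Run it directly to print a verdict for each sample; on a real machine, pass the contents of %SystemRoot%\debug\netsetup.log to diagnose(). Lines whose function name does not start with Net (Options:, Machine:, OS Version:) are parsed but never read as status lines, which is what keeps a parameter such as Options: 0x40001 out of the failure list.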
To investigate further, you have to acquire the security descriptor and view the permissions on the computer account object. You can use either the Active Directory Users and Computers MMC console or the Ldp tool.
For more information about how to view permissions and access control entries on specific objects with the Active Directory Users and Computers console, see Windows 2000 Server Help. For more information about access control entries and security descriptors, see "Access Control" in this book.
To investigate further, connect to the domain controller by using the Ldp tool. Acquire the security descriptor on the computer account and determine whether the user trying to join has sufficient permissions to gain access to the computer account.
To use Ldp to acquire the security descriptor
1. From the Start menu, click Run, and then type the following:
ldp
2. Connect and bind to a domain controller in the domain whose security descriptor you are searching for.
To connect, on the Connection menu, click Connect, and then type a server name.
To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.
3. On the Browse menu, point to Security, and click Security Descriptor.
4. Provide the distinguished name of the computer object whose security descriptor you are looking for.
Here is a sample output:
Revision: 1
Sbz1: 0
Control: (0x8c04)
SE_DACL_PRESENT
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
Owner:
S-1-0x000005--0x20-0x220
BUILTIN\Administrators
Group:
S-1-0x000005--0x20-0x220
BUILTIN\Administrators
Dacl:
Revision: 4
Sbz1: 0
Size: 972
No of Aces: 24
Sbz2: 0
Ace[0]:
Type: (0)
ACCESS_ALLOWED_ACE_TYPE
AceSize: 0x24
AceFlags: (0x0)
Mask: 0x000f01ff
Sid:
S-1-0x000005--0x15-0x3bdcf4dc-0x64495118-0x500cebdb-0x200
DDS\Domain Admins
Ace[1]:
Type: (5)
ACCESS_ALLOWED_OBJECT_ACE_TYPE
AceSize: 0x28
AceFlags: (0x0)
Mask: 0x00000010
Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Type:
(in HEX)(59ba2f42-79a2-11d0-90-20-00-c0-4f-c2-d3-cf)
GUID_PS_GENERAL_INFO
Sid:
S-1-0x000005--0xb
NT AUTHORITY\Authenticated Users
For more information about interpreting the mask, ACE types, and flags, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to ntsam.h.
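To show how the fields of that dump are read, here is an added Python example (not Resource Kit code). It converts Ldp's hexadecimal SID notation into the usual S-1-5-... form, names the bits of an access mask using the ADS_RIGHT_* and standard-rights values from the Platform SDK, and walks a DACL in order the way the system access check does: the owner implicitly holds READ_CONTROL and WRITE_DAC, a deny ACE that overlaps a still-wanted bit ends the check, an allow ACE removes the bits it grants, and an object ACE restricted to one property set satisfies only a request for that GUID. Ace[0] and Ace[1] are the two entries from the dump above; the deny ACE placed before them and the user SID ending in -1105 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access-mask bits for directory-service objects (ADS_RIGHT_* and standard rights, Platform SDK).
ADS_RIGHT_DS_CREATE_CHILD = 0x00000001
ADS_RIGHT_DS_DELETE_CHILD = 0x00000002
ADS_RIGHT_ACTRL_DS_LIST = 0x00000004
ADS_RIGHT_DS_SELF = 0x00000008
ADS_RIGHT_DS_READ_PROP = 0x00000010
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_DS_DELETE_TREE = 0x00000040
ADS_RIGHT_DS_LIST_OBJECT = 0x00000080
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
FULL_CONTROL = 0x000F01FF   # the Mask on Ace[0] above: all thirteen bits

MASK_NAMES = [
    (ADS_RIGHT_DS_CREATE_CHILD, "CREATE_CHILD"), (ADS_RIGHT_DS_DELETE_CHILD, "DELETE_CHILD"),
    (ADS_RIGHT_ACTRL_DS_LIST, "LIST_CHILDREN"), (ADS_RIGHT_DS_SELF, "SELF_WRITE"),
    (ADS_RIGHT_DS_READ_PROP, "READ_PROP"), (ADS_RIGHT_DS_WRITE_PROP, "WRITE_PROP"),
    (ADS_RIGHT_DS_DELETE_TREE, "DELETE_TREE"), (ADS_RIGHT_DS_LIST_OBJECT, "LIST_OBJECT"),
    (ADS_RIGHT_DS_CONTROL_ACCESS, "CONTROL_ACCESS"), (DELETE, "DELETE"),
    (READ_CONTROL, "READ_CONTROL"), (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
]

def describe_mask(mask: int) -> List[str]:
    """Names of the rights set in an access mask, in bit order."""
    return [name for bit, name in MASK_NAMES if mask & bit]

ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5
ACCESS_DENIED_OBJECT_ACE_TYPE = 6
INHERIT_ONLY_ACE = 0x08   # a template for child objects; does not apply to this object

def ldp_sid_to_string(ldp_sid: str) -> str:
    """'S-1-0x000005--0x20-0x220' (Ldp's rendering) -> 'S-1-5-32-544'."""
    parts = ldp_sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError(f"not a SID: {ldp_sid}")
    authority = int(parts[2], 16)
    sub_authorities = [int(p, 16) for p in parts[3:] if p]   # skip the empty field from '--'
    return "S-1-" + "-".join(str(x) for x in [authority, *sub_authorities])

@dataclass(frozen=True)
class Ace:
    ace_type: int
    mask: int
    sid: str
    object_type: Optional[str] = None   # property set / extended right GUID for object ACEs
    ace_flags: int = 0

def access_check(dacl: Iterable[Ace], token_sids: Iterable[str], owner_sid: str,
                 desired: int, object_type: Optional[str] = None) -> bool:
    """Evaluate a DACL in order: the first deny that overlaps a still-wanted bit loses,
    allow ACEs subtract the bits they grant, and access is granted when nothing remains."""
    token = set(token_sids)
    remaining = desired
    if owner_sid in token:                      # the owner implicitly holds these two rights
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:
        if remaining == 0:
            break
        if ace.ace_flags & INHERIT_ONLY_ACE or ace.sid not in token:
            continue
        # An object ACE scoped to one GUID only applies to a request for that same GUID.
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        if ace.ace_type in (ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            if remaining & ace.mask:
                return False
        elif ace.ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE):
            remaining &= ~ace.mask
    return remaining == 0

GUID_PS_GENERAL_INFO = "59ba2f42-79a2-11d0-9020-00c04fc2d3cf"   # Object Type on Ace[1] above
BUILTIN_ADMINISTRATORS = ldp_sid_to_string("S-1-0x000005--0x20-0x220")   # Owner in the dump
DOMAIN_ADMINS = ldp_sid_to_string("S-1-0x000005--0x15-0x3bdcf4dc-0x64495118-0x500cebdb-0x200")
AUTHENTICATED_USERS = ldp_sid_to_string("S-1-0x000005--0xb")
JOINING_USER = "S-1-5-21-1004336348-1682526488-1343024091-1105"   # constructed: ordinary user

# Ace[0] and Ace[1] from the dump, preceded by a constructed deny ACE (canonical order puts
# explicit denies before explicit allows).
SAMPLE_DACL = [
    Ace(ACCESS_DENIED_ACE_TYPE, WRITE_DAC | DELETE, JOINING_USER),
    Ace(ACCESS_ALLOWED_ACE_TYPE, FULL_CONTROL, DOMAIN_ADMINS),
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_READ_PROP, AUTHENTICATED_USERS,
        GUID_PS_GENERAL_INFO),
]
```

For the "access denied on an existing computer account" case in Table 10.8, put the joining user's SIDs (the user, Authenticated Users, and every group) in token_sids and ask for the rights the join needs; a False result points at the ACE to look for in the Ldp output. Ace[1] grants Read Property on one property set only, so a whole-object read request is not satisfied by it.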
The following example shows a successful attempt to join a computer to a domain in the Netsetup.log file:
NETSETUP.log file
07/30 13:58:35 NetpDoDomainJoin
07/30 13:58:35 NetpMachineValidToJoin: 'USER1'
07/30 13:58:35 NetpGetLsaPrimaryDomain: status: 0x0
07/30 13:58:35 NetpMachineValidToJoin: status: 0x0
07/30 13:58:35 NetpJoinDomain
07/30 13:58:35 Machine: USER1
07/30 13:58:35 Domain: RESKIT
07/30 13:58:35 MachineAccountOU: (NULL)
07/30 13:58:35 Account: RESKIT\reskit
07/30 13:58:35 Options: 0x40001
07/30 13:58:35 OS Version: 5.0
07/30 13:58:35 Build number: 2089
07/30 13:58:35 NetpCheckDomainNameIsValid [ Exists ] for 'RESKIT' returned 0x0
07/30 13:58:35 NetpValidateName: name 'RESKIT' is valid for type 3
07/30 13:58:35 NetpDsGetDcName: trying to find DC in domain 'RESKIT', flags: 0x1020
07/30 13:58:50 NetpDsGetDcName: failed to find a DC having account 'USER1$': 0x525
07/30 13:58:50 NetpDsGetDcName: found DC '\\RESKIT-DC-08' in the specified domain
07/30 13:58:51 NetpJoinDomain: status of connecting to dc '\\RESKIT-DC-08': 0x0
07/30 13:58:51 NetpGetLsaPrimaryDomain: status: 0x0
07/30 13:58:51 NetpLsaOpenSecret: status: 0xc0000034
07/30 13:58:52 NetpJoinDomain: status of setting machine password: 0x0
07/30 13:58:52 NetpJoinDomain: status of setting netlogon cache: 0x0
07/30 13:58:52 NetpGetLsaPrimaryDomain: status: 0x0
07/30 13:58:52 NetpSetLsaPrimaryDomain: for 'RESKIT' status: 0x0
07/30 13:58:52 NetpJoinDomain: status of setting LSA pri. domain: 0x0
07/30 13:58:53 NetpJoinDomain: status of managing local groups: 0x0
07/30 13:58:54 NetpJoinDomain: status of starting Netlogon: 0x0
07/30 20:58:55 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain 'reskit.reskit.com': 0x0
07/30 20:58:55 NetpDsSetSPN: Setting DnsHostName 'USER1.reskit.reskit.com' on 'CN=USER1,CN=Computers,DC=reskit,DC=microsoft,DC=com'
07/30 20:58:55 NetpDsSetSPN: Setting SPN 'HOST/USER1.reskit.reskit.com' on 'CN=USER1,CN=Computers,DC=reskit,DC=microsoft,DC=com'
07/30 20:58:55 NetpJoinDomain: status of disconnecting from '\\RESKIT-DC-08': 0x0
07/30 20:58:55 NetpDoDomainJoin: status: 0x0
Permissions on Computer Account Objects
This section describes the security on domain computer accounts before and after an upgrade to Windows 2000 Server. This information can be used in troubleshooting permissions on computer account objects in Active Directory and in determining which user created the computer account before the upgrade.
The discretionary ACL (DACL) contains access control entries (ACEs) that define permissions on a specific object. In Windows NT 4.0, when a computer account is created, the Domain Administrators local group becomes the owner of the computer account. The user who created the computer account is stored as part of its data, and the DACL on the computer account includes limited rights for the user (such as deleting the account).
When you upgrade a Windows NT 4.0-based domain controller to Windows 2000 Server, the following changes occur on each computer account:
A computer account object is created in the default Computers container. The original owner (for example, administrator) of the computer account remains the same. The privileges that the original owner had on the computer object in Windows NT 4.0 are retained as part of the upgrade.
The DACL on the computer account is reset to the default that is defined for objects of the computer class in the schema. This DACL includes an entry for Creator Owner and, when viewed with ACL Editor, displays the name of the appropriate user.
Note
Other ACEs can be present if users or groups are added or if permissions are changed on parent containers in Active Directory, which results in additional inherited permissions.
The following default DACLs apply to new computer accounts:
Self:
    Create All Child Objects
    Delete All Child Objects
Authenticated Users:
    Read
    Read Public Information
System:
    (Full Control)
Creator Owner:
    (Full Control)
Domain Administrators:
    (Full Control)
Cert Publishers:
    (no permissions)
Enterprise Administrators (inherited permissions):
    Read
    Write
    Create All Child Objects
    Change Password
    Receive As
    Reset Password
    Send As
    Read Public Information
    Write Public Information
Account Operators:
    (Full Control)
Print Operators:
    (no permissions)
Everyone:
    Change Password
Note
If the account is created by using the privilege Add workstations to the domain, then the rights of the Creator Owner are limited. Specifically, the Creator Owner is not allowed to change the DACL nor to delete the account. In addition, a quota check limits the number of objects that can be created by the person who is using the quota.
For more information about default DACLs, see "Access Control" in this book.
Secure Channel Issues
For each Windows 2000-based client or server that is a member of a domain, there is a discrete communication channel, known as the secure channel. This secure channel is used by the Net Logon service on the client and on the domain controller to communicate with each other. The Netdom tool is used to reset the secure channel. If the computer account's password and the local password are not synchronized, the Net Logon service logs one or both of the following error messages:
The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security
database is DOMAINMEMBER$.
The following error occurred: Access is denied.
NETLOGON Event ID 3210:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
The Net Logon service on the domain controller logs the following error message when the password is not synchronized:
NETLOGON Event 5722:
The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3
Resetting Secure Channels and Computer Accounts
The following tools are available to reset the secure channel and the computer account:
Resource Kit tools:
    Netdom.exe
    Nltest.exe
Active Directory Users and Computers console
Using Netdom to Reset the Secure Channel
By using the Netdom.exe command-line tool, which is provided in the Windows 2000 Resource Kit, you can reset the secure channel between the domain's member workstation and the domain controller. For example, suppose you have a domain member named DOMAINMEMBER. You can reset the member's secure channel by running the following command:
netdom reset member /domain:domain
You can run this command on the member DOMAINMEMBER. To run this command on any other member or domain controller in the domain, you must provide an account that has administrator access to DOMAINMEMBER.
For example:
netdom reset member /domain:domain /usero:member-admin /passwordo:member-pw
Adding a Workstation or Member Server to a Domain
To add a workstation or member server to a domain, do the following:
1. Add the workstation Work1 to the Windows NT 4.0 domain Domain1:
netdom add work1 /d:domain1 /ud:domain1\admin /pd:password
2. Add the workstation Work1 to the Windows 2000 domain reskit.com in the organizational unit my-computers, as shown here:
netdom add work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com
Note
The /OU parameter requires a complete distinguished name as specified by RFC 1779. If the /OU parameter is not specified, the computer account is created in the Computers container.
Joining a Workstation or Member Server to a Domain
To join a workstation or member server to a domain, you can use the Netdom tool. For example, to join a workstation called Work1 to the reskit.com domain in the my-computers organizational unit, carry out the following:
netdom join work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com /reboot:120
In addition to adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join procedure. If the join procedure can be completed, the /reboot switch causes the computer to be automatically shut down and restarted after giving the user two minutes to save work in progress.
Using Nltest to Reset the Computer Secure Channel
By using the Nltest.exe command-line tool, you can reset secure channels that computers have with domain controllers in their domains. Nltest.exe can be used to test the trust relationship between a computer that is running Windows 2000 and is a member of a domain and a domain controller on which its computer account resides, as shown in the following example:
C:\Ntreskit\Nltest.exe
Usage: nltest [/OPTIONS]
/SC_QUERY:<DomainName> - Query secure channel for <domain> on
<ServerName>
/SERVER:<ServerName>
/SC_RESET:<DomainName> - Renegotiates the secure channel in the specified domain for a local or remote workstation, server,
or domain controller
An example to reset the secure channel:
nltest /sc_query:reskit /server:Server22
Flags: 30
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\Server1.reskit.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
nltest /sc_reset:reskit /server:Server2
Flags: 30
Connection Status = 0 0x0 NERR_Success
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server.reskit.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Using the Active Directory Users and Computers Console to Reset Computer Account Passwords
By using Windows 2000, you can also reset the computer account password in the Active Directory Users and Computers console. Right-click the computer object in the Computers folder or other appropriate container, and then click Reset Account. The Reset Account context menu resets the computer account password back to a starting password. This is used only if the computer has been taken offline and been completely reinstalled. Resetting the account password allows the (rebuilt) computer to rejoin the domain using the same name. If this command is carried out when the computer has not been reinstalled, the computer cannot authenticate in the domain.
Note
Resetting the password for domain controllers by using this method is not allowed.
Using Nltest to View Trusted Domains
Different data about the trust relationship is kept in several key attributes of each trustedDomain object. The following are the key attributes:
flatName. Contains the NetBIOS name of the domain for this trust relationship.
trustDirection. Contains the direction of the established trust relationship:
    0 = Disabled
    1 = Inbound (trusting domain)
    2 = Outbound (trusted domain)
    3 = Both (trusted and trusting domains)
trustPartner. Contains a string that represents the DNS-style name of the domain if it is a Windows 2000 domain, or the NetBIOS name of the domain if it is a trust relationship between a Windows 2000 domain and a non-Windows 2000 domain.
trustType. Contains the type of trust relationship that has been established to the domain:
    1 = A trust relationship between a Windows 2000 domain and a Windows NT 4.0 or earlier domain.
    2 = A Windows 2000 trust relationship.
    3 = A trust relationship between a Windows 2000 domain and a non-Windows Kerberos realm.
By using the Nltest command-line tool, you can display the current list of trusted domains known by a specified server. Nltest.exe is available with Windows 2000 Server Support Tools. (To use Nltest, install the tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using Nltest, see Windows 2000 Support Tools Help.)
Use the /domain_trusts option to list the domains that have trust relationships with the current domain. For each domain listed in the results, the following data is displayed:
Trust Index (a number that identifies an entry in the enumerated list of trusts).
NetBIOS domain name of the trusted domain (for example, reskit).
DNS domain name of the trusted domain (for example, reskit.com).
Trust type: NT 4 (for a trust relationship with a Windows NT domain), NT 5 (for a trust relationship with a Windows 2000 domain), or MIT (for a trust relationship with a non-Windows Kerberos realm). For more information about types of trust relationships, see "Active Directory Logical Structure" in this book.
In addition, the following values are reported where applicable:
Forest Tree Root: Identifies the forest root domain.
Forest Trust Index: Indicates the domain that is the forest root.
Primary Domain: Identifies the domain in which the contacted server is located.
Direct Outbound: Identifies the domain as being directly trusted by the primary domain.
Direct Inbound: Identifies the domain as directly trusting the primary domain.
Attr: Returns the bits specifying the value in the trustAttributes attribute on the trustedDomain object. This value determines, for example, whether the trust relationship is transitive or nontransitive.
Native: Identifies a primary domain that is running in native mode. Where no value is displayed for the primary domain, the primary domain is running in mixed mode.
For example, the following Nltest command, executed on a computer that is a member of the noam.reskit.com domain, returns:
D:\>nltest /domain_trusts
List of domain trusts:
0: RESKIT reskit.com (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: 0x400000 )
1: AVIONICS avionics.reskit.com (NT 5) (Forest: 0)
2: EUROPE europe.reskit.com (NT 5) (Forest: 0)
3: NOAM noam.reskit.com (NT 5) (Forest: 0) (Primary Domain) (Native)
The command completed successfully
This output indicates the following:
Reskit.com is the forest root domain.
All of the domains are in the same forest as reskit.com (identified by the index number 0).
All of the trust relationships are Windows 2000 trust relationships (indicated by "NT 5").
Noam.reskit.com is the domain of the server that is running Nltest.
Noam.reskit.com, which is a primary domain, is running in native mode.
To run a query on a specific server, type nltest /server:<servername> /domain_trusts. For example, the "domain that is trusted" list might be displayed if a query is run on a domain controller in the root domain of the forest. (This example shows root.com as the root domain.)
0: TESTDOMAIN testdomain.root.com (NT 5) (Forest: 3) (Direct Outbound)
1: CHILD child.root.com (NT 5) (Forest: 3) (Direct Outbound)
2: GRANDCHILD grandchild.child.root.com (NT 5) (Forest: 1)
3: ROOT root.com (NT 5) (Forest Tree Root) (Primary Domain)
4: NT4DOMAIN (NT 4) (Direct Outbound)
5: NEWROOT newroot.com (NT 5) (Forest Tree Root) (Direct Outbound) ( Attr: 0x800000 )
Note
Nltest shows trusted domains with transitive trust relationships as Windows 2000 trust relationships without the Direct Outbound tag.
Another way to view domains and trust relationships is by using ADSI Edit.
To view trusted domains and trust relationship properties by using ADSI Edit
1. In ADSI Edit, expand the domain directory partition node and navigate to the System container.
2. In the console details pane, use the Class column to identify all objects with the type trustedDomain.
3. To view properties, right-click the trustedDomain object, and then click Properties.
4. In the Select which properties to view box, click Both to view both optional and mandatory attributes.
5. In the Select a property to view box, select a property. Its value is displayed in the Value(s) box.
Checking Trust Relationships Authenticated by the Kerberos v5 Protocol
Use the Netdom tool to verify the Kerberos v5 authentication protocol between a client and a target domain. The Netdom trust verification option (/Verify) with the /Kerberos switch allows you to obtain a session ticket from the Kerberos authentication service in the target domain. If successful, the conclusion is that Kerberos operations, such as Key Distribution Center (KDC) referrals, are operating correctly between the workstation and the target domain. Upon failure, the list of referral tickets currently cached is displayed. If you do not receive the session ticket, the cause of failure can be determined by tracing the list of referral tickets from the KDCs located on the path toward the target domain.
To verify the Kerberos authentication protocol, issue the following command:
NETDOM TRUST <trusting_domain_name> /d:<name of the trusted domain> /Verify /Kerberos /UserO:<user account for making the connection with the trusting domain named first> /PasswordO:<password of the user account specified by /UserO> /UserD:<user account used to make the connection with the domain specified by the /d argument> /PasswordD:<trusted_domain_user_password>
Note
Both users must be specified because the command will attempt a Kerberos v5 authentication of those users.
The above command will verify the following:
The trust passwords are correct (for example, determine if the passwords match).
The users can be located in Active Directory.
The users can be authenticated through the issuance of Kerberos v5 tickets.
For more information on the Netdom tool, see Windows 2000 Support Tools Help. For more information on Kerberos v5 authentication, see "Authentication" in this book.
Failed Logons in the Absence of Global Catalog Servers
For Windows 2000 in native mode, a Global Catalog is required for the logon process. If the domain controller cannot contact a Global Catalog server, the user is not able to log on. An exception is made only for the administrator account in the domain (RID 0x1F4, decimal 500). This account is allowed to log on even without a Global Catalog, so that in an emergency situation a Global Catalog can be configured.
Specifically, group expansion during token creation when the user is logging on to a workstation is as follows:
1. Add the user's SID to the token.
2. Add the global groups that the user is a member of to the token.
3. Add the universal groups to which the user's SID and the global groups belong to the token. Universal group membership is held in the Global Catalog, which is why this step requires one.
4. Add the domain local groups to which the preceding accounts belong to the token. This step is performed at a domain controller for the domain to which the workstation belongs. Domain local groups are not added to the token if this domain is in mixed mode.
5. Add the local and built-in local group memberships on the workstation for the set computed in steps 1 through 4. If the user is connecting to or logging on to a domain controller, this step addresses only the built-in local groups, if the domain local groups were evaluated in step 4.
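The five steps above, as an added Python example (not Resource Kit code) over a constructed, hypothetical reskit.com directory: global groups and domain local groups live on the domain, universal group membership is looked up in the Global Catalog, and the workstation contributes its own local and built-in groups. Membership is resolved transitively so that nesting (a domain local group containing a universal group, a local group containing a domain local group) is followed. The SIDs, group names and mode settings are all assumptions made for the example.

```python
from typing import Dict, Optional, Set

ADMINISTRATOR_RID = 0x1F4   # 500: the one account that may log on without a Global Catalog

class LogonFailure(Exception):
    """The DC cannot expand universal groups because no Global Catalog is reachable."""

def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def groups_containing(seed: Set[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Every group that (transitively) contains a principal already in the set."""
    found: Set[str] = set()
    frontier = set(seed)
    while frontier:
        newly = {g for g, members in groups.items() if g not in found and members & frontier}
        found |= newly
        frontier = newly
    return found

def build_token(user_sid: str, domain: dict, global_catalog: Optional[dict],
                machine: dict, logging_on_to_dc: bool = False) -> Set[str]:
    """Group expansion for a logon token, following steps 1 through 5 above."""
    token = {user_sid}                                            # step 1
    token |= groups_containing(token, domain["global_groups"])    # step 2
    if global_catalog is None:                                    # step 3 needs a GC ...
        if rid(user_sid) != ADMINISTRATOR_RID:                    # ... except for RID 500
            raise LogonFailure("no Global Catalog available to expand universal groups")
    else:
        token |= groups_containing(token, global_catalog["universal_groups"])
    if domain["mode"] == "native":                                # step 4: skipped in mixed mode
        token |= groups_containing(token, domain["domain_local_groups"])
    local = machine["local_groups"]
    if logging_on_to_dc:                                          # step 5: only built-ins on a DC
        local = {g: m for g, m in local.items() if g.startswith("BUILTIN\\")}
    token |= groups_containing(token, local)
    return token

def logon_allowed(user_sid: str, domain: dict, global_catalog: Optional[dict], machine: dict) -> bool:
    """True when a token can be built; False when the missing Global Catalog blocks the logon."""
    try:
        build_token(user_sid, domain, global_catalog, machine)
        return True
    except LogonFailure:
        return False

# Constructed directory data for a hypothetical reskit.com domain (not from the page).
DOMAIN_SID = "S-1-5-21-1004336348-1682526488-1343024091"
ALICE = DOMAIN_SID + "-1105"
ADMINISTRATOR = DOMAIN_SID + "-500"

RESKIT_NATIVE = {
    "mode": "native",
    "global_groups": {
        "RESKIT\\Domain Users": {ALICE, ADMINISTRATOR},
        "RESKIT\\Engineers": {ALICE},
        "RESKIT\\Domain Admins": {ADMINISTRATOR},
    },
    "domain_local_groups": {
        "RESKIT\\Build-Server-Access": {"RESKIT\\All-Engineers"},   # nests a universal group
    },
}
RESKIT_MIXED = dict(RESKIT_NATIVE, mode="mixed")
GLOBAL_CATALOG = {"universal_groups": {"RESKIT\\All-Engineers": {"RESKIT\\Engineers"}}}
WORKSTATION = {
    "local_groups": {
        "BUILTIN\\Administrators": {"RESKIT\\Domain Admins"},
        "BUILTIN\\Users": {"RESKIT\\Domain Users"},
        "WORK1\\Lab-Operators": {"RESKIT\\Build-Server-Access"},  # nests a domain local group
    },
}

if __name__ == "__main__":
    print(sorted(build_token(ALICE, RESKIT_NATIVE, GLOBAL_CATALOG, WORKSTATION)))
    print(sorted(build_token(ALICE, RESKIT_MIXED, GLOBAL_CATALOG, WORKSTATION)))
    print(logon_allowed(ALICE, RESKIT_NATIVE, None, WORKSTATION),
          logon_allowed(ADMINISTRATOR, RESKIT_NATIVE, None, WORKSTATION))
```

Switching the domain to mixed mode drops the domain local group and, with it, the workstation group that nests it; removing the Global Catalog turns the ordinary user's logon into a LogonFailure while the RID 500 account still gets a token.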