Filename: Sniffer Trace File Analysis for Active Directory Authentication Problem v1-5.doc
Overview
Servers DB1 & DB2 are configured with clustering (DB1 is active and DB2 is
backup). The PDC (server NT9) is connected to a different subnet, which is
separated by two firewalls. The DB server clustering services depend on Active
Directory Authentication. When the servers cannot authenticate, the clustering
service cannot start. To initially start the clustering services on the DB servers,
the work-around is to connect to the DB server via terminal services and to
manually map a network drive from the DB server to the PDC server using a
domain USERID. Once the drive is mapped, the clustering service can be
successfully started and then the network drive map can be disconnected. Once
the cluster service is up and running it continues to work fine even if the Active
Directory authentication fails (until the clustering service has to be restarted
again).
Observations
- Switches and firewalls are not logging any drops between NT9 and the DB servers.
- Both DB servers are logging NETLOGON system authentication errors because they do not receive the responses to their RPC NETLOGON request packets submitted to TCP port 1026 on NT9 (NETLOGON UUID = 12345678-1234-abcd-ef00-01234567cffb).
- The NETLOGON request packets seen in the LAB appear identical to those sent on the production network.
- DB1 can successfully communicate with the Directory Replication Interface via the same port 1026 on NT9 (NTDS UUID = e3514235-4b06-11d1-ab04-00c04fc2dcd2).
- The NETLOGON response packets are being intercepted and RESET by utilfw2.
- utilfw2 runs Firewall-1 software on a Nokia platform.
NOTE: Other successful TCP connections are seen on NT09 port 1026 for another UUID:
No. Time SRC DST Proto Info
800 2003-03-31 16:25:57 DB1 NT09 TCP 3927 > 1026 [SYN] Seq=1126453154 Ack=0 Win=16384 Len=0
804 2003-03-31 16:25:57 NT09 DB1 TCP 1026 > 3927 [SYN, ACK] Seq=3006786322 Ack=1126453155 Win=17520 Len=0
805 2003-03-31 16:25:57 DB1 NT09 TCP 3927 > 1026 [ACK] Seq=1126453155 Ack=3006786323 Win=17520 Len=0
812 2003-03-31 16:25:57 DB1 NT09 DCERPC Bind: call_id: 1 UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 ver 4.0
813 2003-03-31 16:25:57 DB1 NT09 TCP 3927 > 1026 [PSH, ACK] Seq=1126454615 Ack=3006786323 Win=17520 Len=1156
814 2003-03-31 16:25:57 NT09 DB1 TCP 1026 > 3927 [ACK] Seq=3006786323 Ack=1126455771 Win=17520 Len=0
815 2003-03-31 16:25:57 NT09 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
816 2003-03-31 16:25:57 DB1 NT09 DCERPC Alter_context: call_id: 1 UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 ver 4.0
817 2003-03-31 16:25:57 NT09 DB1 DCERPC Alter_context_resp: call_id: 1 accept max_xmit: 5840 max_recv: 5840
818 2003-03-31 16:25:57 DB1 NT09 DCERPC Request: call_id: 1 opnum: 0 ctx_id: 0
819 2003-03-31 16:25:57 NT09 DB1 DCERPC Response: call_id: 1 ctx_id: 0
820 2003-03-31 16:25:57 DB1 NT09 DCERPC Request: call_id: 2 opnum: 12 ctx_id: 0
821 2003-03-31 16:25:57 NT09 DB1 DCERPC Response: call_id: 2 ctx_id: 0
822 2003-03-31 16:25:57 DB1 NT09 DCERPC Request: call_id: 3 opnum: 12 ctx_id: 0
823 2003-03-31 16:25:57 NT09 DB1 DCERPC Response: call_id: 3 ctx_id: 0
824 2003-03-31 16:25:57 DB1 NT09 DCERPC Request: call_id: 4 opnum: 1 ctx_id: 0
825 2003-03-31 16:25:57 NT09 DB1 DCERPC Response: call_id: 4 ctx_id: 0
826 2003-03-31 16:25:57 DB1 NT09 TCP 3927 > 1026 [FIN, ACK] Seq=1126456608 Ack=3006787506 Win=16337 Len=0
827 2003-03-31 16:25:57 NT09 DB1 TCP 1026 > 3927 [ACK] Seq=3006787506 Ack=1126456609 Win=16683 Len=0
828 2003-03-31 16:25:57 NT09 DB1 TCP 1026 > 3927 [FIN, ACK] Seq=3006787506 Ack=1126456609 Win=16683 Len=0
829 2003-03-31 16:25:57 DB1 NT09 TCP 3927 > 1026 [ACK] Seq=1126456609 Ack=3006787507 Win=16337 Len=0
Trace file shows NETLOGON request from DB1 is reaching NT9 and NT9 is acknowledging!!!
No. Time SRC DST Proto Info
7901 2003-04-02 14:17:54 DB1 NT9 TCP 1280 > 1026 [SYN] Seq=2306675940 Ack=0 Win=16384 Len=0
7902 2003-04-02 14:17:54 NT9 DB1 TCP 1026 > 1280 [SYN, ACK] Seq=1956349167 Ack=2306675941 Win=17520 Len=0
7904 2003-04-02 14:17:54 DB1 NT9 TCP 1280 > 1026 [ACK] Seq=2306675941 Ack=1956349168 Win=17520 Len=0
7905 2003-04-02 14:17:54 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
7906 2003-04-02 14:17:54 NT9 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
7907 2003-04-02 14:17:54 DB1 NT9 TCP 1280 > 1026 [RST] Seq=2306676013 Ack=0 Win=0 Len=0
7912 2003-04-02 14:17:58 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
7913 2003-04-02 14:17:58 NT9 DB1 TCP 1026 > 1280 [RST] Seq=1956349168 Ack=1956349168 Win=0 Len=0
Where are these packets dropped and who is sending the RST on behalf of the DB servers??? -> obtain trace file from the segment between the two firewalls:
No. Time SRC DST Proto Info
3 2003-04-03 00:45:00 DB1 NT9 TCP 4447 > 1026 [ACK] Seq=3797945960 Ack=2862503321 Win=17520 Len=0
4 2003-04-03 00:45:00 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
5 2003-04-03 00:45:03 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
6 2003-04-03 00:45:03 NT9 DB1 TCP 1026 > 4447 [RST] Seq=2862503321 Ack=2862503321 Win=0 Len=0
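As an added example (not part of the original analysis), the reasoning applied to the traces above, written as a small Python script over the page's own frame summaries: it groups frames per host pair, checks whether each DCE/RPC bind was accepted and answered, and flags RSTs whose sequence fields do not look like a host's own reset. The function names analyse and verdict and the dictionary layout are my own.

```python
import re
from collections import defaultdict

# Frame summaries copied from the page's own traces (not constructed): the NTDS bind
# that works (frames 812-819) and the RPC_NETLOGON bind that is reset (7905-7913).
TRACE = """\
812 2003-03-31 16:25:57 DB1 NT09 DCERPC Bind: call_id: 1 UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 ver 4.0
815 2003-03-31 16:25:57 NT09 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
819 2003-03-31 16:25:57 NT09 DB1 DCERPC Response: call_id: 1 ctx_id: 0
7905 2003-04-02 14:17:54 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
7906 2003-04-02 14:17:54 NT9 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
7907 2003-04-02 14:17:54 DB1 NT9 TCP 1280 > 1026 [RST] Seq=2306676013 Ack=0 Win=0 Len=0
7912 2003-04-02 14:17:58 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON
7913 2003-04-02 14:17:58 NT9 DB1 TCP 1026 > 1280 [RST] Seq=1956349168 Ack=1956349168 Win=0 Len=0
"""

FRAME = re.compile(r"^\d+ \S+ \S+ (\S+) (\S+) (\S+) (.*)$")   # no. date time src dst proto info
RST = re.compile(r"\[RST[^\]]*\] Seq=(\d+) Ack=(\d+)")

def analyse(trace):
    """Per host pair: interfaces bound, Bind_acks seen, RPC responses seen, RSTs with sender."""
    conv = defaultdict(lambda: {"binds": [], "bind_acks": 0, "responses": 0, "rsts": []})
    for line in trace.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        c = conv[frozenset((src, dst))]
        if proto == "DCERPC" and info.startswith("Bind:"):
            c["binds"].append(info.split("UUID: ")[1].split()[0])
        elif proto == "DCERPC" and info.startswith("Bind_ack:"):
            c["bind_acks"] += 1
        elif proto == "DCERPC" and info.startswith("Response:"):
            c["responses"] += 1
        elif proto == "TCP" and (r := RST.search(info)):
            seq, ack = int(r.group(1)), int(r.group(2))
            # A host resetting an established connection acks the peer's next sequence number;
            # an RST whose Ack equals its own Seq (frame 7913) or is 0 (frame 7907) does not fit,
            # so it is flagged for comparison with a capture from the far side of the firewall.
            c["rsts"].append({"from": src, "suspicious": ack in (0, seq)})
    return conv

def verdict(c):
    """One-line diagnosis of a conversation recorded by analyse()."""
    if c["responses"] and not c["rsts"]:
        return "ok"
    if c["bind_acks"] and c["rsts"]:
        who = ", ".join(r["from"] + ("?" if r["suspicious"] else "") for r in c["rsts"])
        return "server accepted bind, no RPC response, reset by: " + who
    return "bind unanswered"
```

Run over the page's frames, the NTDS conversation comes back "ok" while the RPC_NETLOGON one reports a bind the PDC accepted that was then reset by segments attributed to both DB1 and NT9, each with the odd Ack field that pointed the author at the firewall.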
Questions
2. Is there any way to determine why NT09 does not even acknowledge these NETLOGON requests at the TCP layer?
ANSWER: YES! NT09 DOES acknowledge the packets. The firewall is intercepting and dropping the response, which includes the TCP ACK!!!
Suggestions
1. Fix Firewall
2. Fix Kerberos problem (Windows patch???)
Conclusion
Once we were able to identify the failed NETLOGON requests in the trace files (corresponding to
the NETLOGON errors on the DB servers), we then moved the Sniffer next to the PDC server
and confirmed that the NETLOGON requests were indeed being answered. Additional traces
from the firewalls allowed us to determine that the NETLOGON responses from the PDC were
being blocked by the utilfw2 firewall. Upon reception of the NETLOGON response packet from
NT9, utilfw2 would immediately send back a TCP RST to NT9. A support call was made to the
firewall vendor (Check Point), who confirmed that they did not support Microsoft Active Directory
on this version of the Firewall-1 software (version 4.x). Their recommendation was to upgrade the
firewall software to a more recent version.
Lessons Learned
- How Windows 2000 Active Directory Authentication works.
- What Windows 2000 Active Directory Authentication looks like "on-the-wire".