Notes on IT (mainly Microsoft)

Archive for April 2010

Windows Server 2003 ADAM to Windows Server 2008 AD LDS replication fails when using NTLM (negotiate)


AD LDS can use “negotiated” as the replication security level within a configuration set
(http://technet.microsoft.com/en-us/library/cc770465(WS.10).aspx). With that setting, replication
falls back from Kerberos to NTLM on domain-joined AD LDS servers when there is a problem with
Kerberos (e.g. a service principal name issue), and always uses NTLM for ADAM or AD LDS instances
that are only members of a workgroup.

There is a known issue with mixed configuration sets, that is, configuration sets containing
both Windows Server 2003 ADAM instances and Windows Server 2008 AD LDS instances: when the
replication security level is Negotiate, replication may fail to complete while the
configuration set is being formed.

The signature of the problem is seen when using repadmin to try to force a replication
of a naming context hosted on the (originating) Windows Server 2003 ADAM instance, so e.g.
for a naming context “dc=mycompany,dc=com”

repadmin /syncall w2k3server.mycompany.com:389 "dc=mycompany,dc=com"

results in the following errors

From: W2k3server.mycompany.com:389
To : W2K8Server.mycompany.com:389
Error issuing replication: -2146893008 (0x80090330):
The specified data could not be decrypted.

If the servers are domain-joined then the thing to do is diagnose why Kerberos is not being
used for replication security; fixing that will circumvent this issue. In pure
workgroup configurations there is currently no workaround for this problem.

Update 12 August 2010:

Microsoft have now released a fix for this problem:

(http://support.microsoft.com/kb/973678)

As ever, test this in a non-production environment, and note that in existing configuration sets of ADAM instances on Windows Server 2003, replication will fail between instances that are mixed (where some do and some do not have the patch applied).
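A check for the situation described above, as an added example that is not code from the original post: it reads the replication security level of the configuration set and reports whether the host is domain-joined, so you can tell whether you are looking at a Kerberos/SPN problem or at the workgroup case the KB fix addresses. It assumes the instance listens on the given server and port, that the caller can read the configuration partition, and that it runs on the instance's own host (the domain-membership check is local).

```powershell
# Added example, not from the original post. Reads msDS-ReplAuthenticationMode
# from the Directory Service object of an ADAM / AD LDS configuration set.
# Assumptions: $Server:$Port is the instance, the caller can read the configuration
# partition, and the script runs on the instance's host (WMI check is local).
function Get-AdLdsReplAuthMode {
    param([string]$Server = 'localhost', [int]$Port = 389)

    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:${Port}")
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    $base = [System.DirectoryServices.Protocols.SearchScope]::Base

    # RootDSE tells us which configuration partition this instance belongs to.
    $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)', $base, [string[]]@('configurationNamingContext'))
    $configNC = $conn.SendRequest($rootReq).Entries[0].Attributes['configurationNamingContext'].GetValues([string])[0]

    # Replication security level: 0 = Negotiate pass-through, 1 = Negotiate,
    # 2 = Mutual authentication with Kerberos. Absent means the default applies.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $dsDn, '(objectClass=*)', $base, [string[]]@('msDS-ReplAuthenticationMode'))
    $attrs = $conn.SendRequest($req).Entries[0].Attributes
    $mode = $null
    if ($attrs.Contains('msDS-ReplAuthenticationMode')) {
        $mode = [int]$attrs['msDS-ReplAuthenticationMode'].GetValues([string])[0]
    }
    $names = @{ 0 = 'Negotiate pass-through'; 1 = 'Negotiate'; 2 = 'Mutual authentication with Kerberos' }
    $domainJoined = [bool](Get-WmiObject Win32_ComputerSystem).PartOfDomain

    # Advice follows the post: domain-joined + Negotiate means check Kerberos/SPNs;
    # workgroup + Negotiate is the case that needs KB 973678 on every member.
    if ($mode -eq 2) { $advice = 'Kerberos required; not affected by the NTLM issue' }
    elseif ($domainJoined) { $advice = 'Negotiate: verify Kerberos/SPNs so replication does not fall back to NTLM' }
    else { $advice = 'Workgroup on Negotiate: apply KB 973678 to all members of the configuration set' }

    New-Object PSObject -Property @{
        ConfigurationNC  = $configNC
        ReplAuthMode     = $mode
        ReplAuthModeName = if ($mode -ne $null) { $names[$mode] } else { 'not set (default)' }
        DomainJoined     = $domainJoined
        Advice           = $advice
    }
}

Get-AdLdsReplAuthMode -Server 'localhost' -Port 389 | Format-List
```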


Written by adamsync

April 2, 2010 at 01:06

Posted in AD LDS, ADAM, adam-lds, Microsoft


Mountable snapshots with AD LDS in Windows 7


Does snapshot database mounting work in AD LDS for Windows 7?

Use dsdbutil to take a snapshot of an AD LDS instance (“instance1”)
(user input in [] below)

==
dsdbutil: [Activate Instance instance1]
Active instance set to "instance1".

dsdbutil: [snapshot]
snapshot: [create]
Creating snapshot...
Snapshot set {4c2113e1-c6aa-45b8-b4c3-c5a01568d648} generated successfully.

snapshot: [mount {4c2113e1-c6aa-45b8-b4c3-c5a01568d648}]
Snapshot {7352a291-6c27-44e3-9008-c04923274daa} mounted as C:\$SNAP_201004012133_VOLUMEC$\

==

Try to mount the DIT file directly from the mounted snapshot volume:

==
C:\> dsamain -dbpath "C:\$SNAP_201004012133_VOLUMEC$\Program Files\Microsoft ADAM\instance\data\adamntds.dit" -adlds -ldapport 50000

EVENTLOG (Error): ADAM [DSAMAIN] Database / Service Control : 2526
This instance of the directory server does not support placing data files
(database and log files) on multiple disk volumes. As a result, the directory
server will not start.

User Action:

To start this directory server, place all data files (database and log files)
on the same disk volume.

EVENTLOG (Error): ADAM [DSAMAIN] General / Internal Processing : 1168
Internal error: An Active Directory Lightweight Directory Services error has occurred.

Additional Data

Error value (decimal):
87

Error value (hex):
57

Internal ID:
2020b5c
==

However, if we copy the DIT file from the snapshot to a folder on a physical partition:

==
C:\>copy "C:\$SNAP_201004012133_VOLUMEC$\Program Files\Microsoft ADAM\instance1\data\adamntds.dit" c:\local\temp
1 file(s) copied.

C:\>dsamain -dbpath "C:\local\temp\adamntds.dit" -adlds -ldapport 50000
EVENTLOG (Informational): ADAM [DSAMAIN] General / Service Control : 1000
Microsoft Active Directory Lightweight Directory Services startup complete, version 6.1.7600.16521

==

the mount succeeds.

Creating an install from media (IFM) backup of the AD LDS instance works too:

==

dsdbutil: [Activate Instance instance1]
Active instance set to "instance1".
dsdbutil: [IFM]

ifm: [Create Full c:\local\temp]

Creating snapshot...
Snapshot set {d6ae77f3-d31d-4975-8a7d-c4ae567821b3} generated successfully.
Snapshot {7278807a-e22e-4a3b-ad46-426f5afe0688} mounted as C:\$SNAP_201004012151_VOLUMEC$\
Initiating DEFRAGMENTATION mode...
Source Database: C:\$SNAP_201004012151_VOLUMEC$\Program Files\Microsoft ADAM\instance1\data\adamntds.dit
Target Database: c:\local\temp\adamntds.dit

Defragmentation Status (% complete)

0    10   20   30   40   50   60   70   80   90  100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Snapshot {7278807a-e22e-4a3b-ad46-426f5afe0688} unmounted.
IFM media created successfully in c:\local\temp
ifm:
==

and then mounting the DIT file as above:

==

C:\> dsamain -dbpath "C:\local\temp\adamntds.dit" -adlds -ldapport 50000
EVENTLOG (Informational): ADAM [DSAMAIN] General / Service Control : 1000
Microsoft Active Directory Lightweight Directory Services startup complete, version 6.1.7600.16521

==

So if you need a snapshot of your AD LDS instance, using IFM is the way to go; it also provides
you with a supported way to back up (http://technet.microsoft.com/en-us/library/cc816727(WS.10).aspx)
and restore (http://technet.microsoft.com/en-us/library/cc770886(WS.10).aspx) your AD LDS instances.

Written by adamsync

April 1, 2010 at 22:07

Posted in AD LDS, adam-lds, Microsoft, Windows 7


ADAM AD LDS enhancements timeline


ADAM has seen a number of enhancements since the initial release; these are listed below, as gleaned from KB articles and TechNet.

ADAM SP1 (KB902838):

  • Let ADAM users bind to an ADAM instance by using Digest authentication.
  • Enables password chaining to Active Directory users through ADAM proxy objects.
  • Updated LDP utility: Includes a graphical user interface (GUI) that lets you grant access to directory objects by manipulating access control lists.
  • ADSchemaAnalyzer: Active Directory Schema Analyzer tool.
  • ADAMSync: Active Directory to ADAM Synchronizer tool.
  • Lets you create users in the configuration partition. ADAM users can now be ADAM administrators.

AD LDS Server Role for Windows Server 2008

http://technet.microsoft.com/en-gb/library/cc754361(WS.10).aspx

  • A supported role for Server Core installations
  • Install from Media (IFM) option. Allows a one-step Ntdsutil or Dsdbutil process to create installation media for subsequent AD LDS installations; the result is a DIT that can be mounted using dsamain (see below).
  • Auditing for AD LDS changes http://go.microsoft.com/fwlink/?LinkId=94846 and http://blogs.technet.com/askds/archive/2009/04/02/one-stop-audit-shop-for-adam-and-adlds.aspx
  • Database Mounting Tool (Dsamain.exe). Improves recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This feature eliminates the need to restore multiple backups to compare the AD LDS data that they contain. (http://go.microsoft.com/fwlink/?LinkId=94847).
  • Support for Active Directory Sites and Services. The Active Directory Sites and Services snap-in can be used to manage replication among AD LDS instances.
  • A dynamic list of LDAP Data Interchange Format (LDIF) files during instance setup. Custom LDIF files are available during AD LDS setup—in addition to the default LDIF files that are provided with AD LDS—by adding the files to the %systemroot%\ADAM directory.
  • Recursive linked-attribute queries: A single LDAP query can follow nested attribute links, which can be very useful in determining group membership and ancestry. For more information, see Microsoft Knowledge Base Article 914828.

AD LDS Server Role for Windows Server 2008 R2

  • Active Directory Recycle Bin: Enhances your ability to preserve and recover accidentally deleted Active Directory objects. For more information, see What’s New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392).
  • Active Directory PowerShell: Provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. For more information, see What’s New in AD DS: Active Directory PowerShell (http://technet.microsoft.com/en-us/library/dd378783.aspx).
  • Active Directory Web Services: Provides a Web service interface to Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances. For more information, see What’s New in AD DS: Active Directory Web Services (http://technet.microsoft.com/en-us/library/dd391908.aspx).

Written by adamsync

April 1, 2010 at 20:39

Posted in AD LDS, ADAM, adam-lds, Microsoft


ADAM AD LDS Platforms and Installation


In Windows Server 2008 ADAM was rebranded as AD LDS. Platform, package and installation method:

Windows XP SP1 (or later)
  Package: ADAM SP1 (refresh)
  Installation: Windows installer package

Windows Server 2003
  Package: ADAM SP1 (refresh)
  Installation: Windows installer package [1]

Windows Server 2003 R2
  Package: ADAM SP1
  Installation: optional feature
    [UI]: Add/Remove Programs | Add/Remove Windows Components | Active Directory Service (Details) | Active Directory Application Mode (ADAM)
    [CLI]: Sysocmgr [2]

Windows Server 2008 Core
  Package: AD LDS Server role
  Installation: start /w ocsetup DirectoryServices-ADAM-ServerCore

Windows Server 2008
  Package: AD LDS Server role
  Installation:
    [UI]: ServerManager | Roles | Add Roles | Active Directory Lightweight Directory Services
    [CLI]: ServerManagerCmd -i ADLDS

Windows Server 2008 R2 Core
  Package: AD LDS Server role
  Installation:
    [CLI]: Dism /online /enable-feature /featurename:DirectoryServices-ADAM-ServerCore
    [PSH]: Import-Module ServerManager; Add-WindowsFeature ADLDS

Windows Server 2008 R2
  Package: AD LDS Server role
  Installation:
    [UI]: ServerManager | Roles | Add Roles | Active Directory Lightweight Directory Services
    [CLI (deprecated; use PSH)]: ServerManagerCmd -i ADLDS
    [PSH]: Import-Module ServerManager; Add-WindowsFeature ADLDS

Windows 7
  Package: AD LDS
  Installation: Windows installer [3]

[1]  http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

[2] http://technet.microsoft.com/en-us/library/cc784575(WS.10).aspx

[3] http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a45059af-47a8-4c96-afe3-93dab7b5b658

Written by adamsync

April 1, 2010 at 18:44

Posted in AD LDS, ADAM, adam-lds, Microsoft
