Apr 6, 2013

Don't rejoin to fix the trust relationship between this

Copied from here: http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx

If you Google "the trust relationship between this workstation and the primary domain failed", you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That's not always possible.


The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined. The machine's private secret is not set to the same value stored in the domain controller. You can think of this secret as a password, but really it's some bits of cryptographic data called a Kerberos keytab stored in the local security authority. When you try to access this machine using a domain account, it fails to verify the Kerberos ticket you receive from Active Directory against the private secret that it stores locally. I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller. This solution also fixes that problem.

This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.



Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.

Microsoft support article on the topic: http://support.microsoft.com/kb/162797

I'm not a fan of any of these options. They seem heavy-handed, and sometimes they aren't even possible.

Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.


Just change your computer password using netdom.exe! 

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password

Here are the full steps:

  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing, ".\Administrator" in the logon window. I hope you remember the password. If you’re creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user’s cached credential has the same problem as the machine’s private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you're running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven’t done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17657
    3. Post change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center Service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select "run as Administrator".
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.
Here is more information on netdom.exe: http://support.microsoft.com/kb/325850
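The same repair without netdom.exe, as an added example that is not part of the original article: the built-in PowerShell cmdlets Test-ComputerSecureChannel and Reset-ComputerMachinePassword do what `netdom.exe resetpwd` does (set a new machine password locally and on the DC, no rejoin). It assumes PowerShell 3.0 or later, an elevated prompt on the broken member (logged on as the local Administrator, as in step 1), that $Server is a domain controller in the joined domain, and that the credential you enter has rights to reset the computer account password. The time check at the top covers the clock-skew case the article mentions.

```powershell
# Added example, not from the original article: secure-channel repair with the
# built-in cmdlets instead of netdom.exe. Run elevated on the broken member.
param(
    [Parameter(Mandatory = $true)][string]$Server,   # a DC in the joined domain
    [Parameter(Mandatory = $true)][string]$User      # DOMAIN\User with rights to reset the computer password
)

$cred = Get-Credential -UserName $User -Message 'Account allowed to reset the computer password'

# Time first: Kerberos tolerates only a few minutes of skew, so a machine
# restored from an old snapshot can fail for this reason alone.
# w32tm /stripchart /dataonly prints one "+/-NN.NNNNNNNs" offset per sample.
$stripchart = w32tm /stripchart /computer:$Server /samples:1 /dataonly 2>&1
$match = $stripchart | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($match) {
    $offset = [double]$match.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt 300) {
        Write-Warning "Clock differs from $Server by ${offset}s; resync time (w32tm /resync) before trusting the result."
    }
} else {
    Write-Warning "Could not read a time offset from $Server; check that it is reachable."
}

# $false here means the local machine secret no longer matches what the DC
# holds, which is exactly the condition behind the login error.
if (Test-ComputerSecureChannel -Server $Server -Verbose) {
    "Secure channel to $Server is healthy; nothing to reset."
    return
}

# Equivalent of: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
Reset-ComputerMachinePassword -Server $Server -Credential $cred

if (Test-ComputerSecureChannel -Server $Server) {
    "Machine password reset against $Server; reboot to finish (step 5)."
} else {
    throw "Secure channel still broken after the reset; check DNS, time, and that $Server is a DC of the joined domain."
}
```

Run it as `.\Repair-SecureChannel.ps1 -Server dc01 -User 'DOMAIN\User'` (the file name and the DC name are placeholders). On a domain controller the extra KDC steps from step 3 still apply; the script only replaces the netdom.exe step.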


I hope this is helpful. This problem comes up every few months for me, so I wanted to document it for my own use. It is difficult to find when you just search for the error you get in the login window.

Jan 6, 2012

IIS7: Moving the INETPUB directory to a different drive

Great article on what is involved in moving the IIS root folder in Server 2008 and newer OSs.

Having your content on a different partition than your operating system is a good security practice. In previous IIS versions it was possible to do this at setup time in an unattend file. Due to changes in Vista and Windows Server 2008 setup, however, that is no longer possible: after setup the IIS7 INETPUB directory will be on the same partition as Windows, so moving it to a different drive has to be done after setup completes. Below is a table of configuration entries that use the INETPUB directory on a default install. Each entry shows how to move the setting to a different drive using the APPCMD command-line tool. Once all the settings are moved, the only step left is to copy the INETPUB directory via XCOPY. Here is a link to a batch file (packaged up in MOVEIIS7ROOT.ZIP) that moves the INETPUB directory to a drive of your choice.

For each directory: what the setting is, where it lives, and an example of how to move it to a different drive (these examples use the F:\ drive).

LOGS\FREBLOGS
Failed Request Event Buffering (FREB) is a new IIS7 feature that logs failed requests. The default path for FREB logs is %systemdrive%\inetpub\logs\FailedReqLogfiles.
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:"F:\inetpub\logs\FailedReqLogFiles"

LOGS\LOGFILES
The default path for IIS7 log files is %systemdrive%\inetpub\logs\logfiles.
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"F:\inetpub\logs\logfiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"F:\inetpub\logs\logfiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"F:\inetpub\logs\logfiles"

TEMP\APPPOOLS
AppPool isolation is a new feature in IIS7. A dedicated AppPool configuration file gets automatically created before a new Application Pool is started. The default location of these files is %systemdrive%\inetpub\temp\appPools.
    reg add HKLM\System\CurrentControlSet\Services\WAS\Parameters /v ConfigIsolationPath /t REG_SZ /d f:\inetpub\temp\appPools

HISTORY
Configuration history ensures that changes can be rolled back. The default location for configuration history is %systemdrive%\inetpub\history.
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationhost/configHistory -path:f:\inetpub\history

TEMP\ASP COMPILED TEMPLATES
Classic ASP stores compiled ASP code on disk if more than 250 compiled templates are in memory. The default disk cache location is "%systemdrive%\inetpub\temp\ASP Compiled Templates".
    %windir%\system32\inetsrv\appcmd set config -section:system.webServer/asp -cache.disktemplateCacheDirectory:"f:\inetpub\temp\ASP Compiled Templates"

TEMP\IIS TEMPORARY COMPRESSED FILES
IIS7 will cache compressed responses on disk if necessary. The default location for the compression cache is "%systemdrive%\inetpub\temp\IIS Temporary Compressed Files".
    %windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"f:\inetpub\temp\IIS Temporary Compressed Files"

WWWROOT
IIS7 comes with a Default Web Site which points to %systemdrive%\inetpub\wwwroot.
    %windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:f:\inetpub\wwwroot

CUSTERR
IIS7 stores Custom Error Pages in %systemdrive%\inetpub\custerr.
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='401'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='403'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='404'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='405'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='406'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='412'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='500'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='501'].prefixLanguageFilePath:f:\inetpub\custerr
    %windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='502'].prefixLanguageFilePath:f:\inetpub\custerr

WWWROOT and FTPROOT Locations
Service Packs and other installers need to know where your WWWROOT and FTPROOT directories are. That's why the location is also specified in the registry.
    reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d f:\inetpub\wwwroot
    reg add HKLM\Software\Microsoft\inetstp /v PathFTPRoot /t REG_SZ /d f:\inetpub\ftproot


MOVING THE CONTENT:

Once the configuration is changed you have to copy all content from your root drive to your new drive including ACLs and empty directories:

Example:

    xcopy c:\inetpub f:\inetpub /E /O /I

/E copies all directories even if they are empty
/O copies all security settings, i.e. Access Control Lists on files and directories
/I assumes the destination is a directory

PLEASE BE AWARE OF THE FOLLOWING:
WINDOWS SERVICING EVENTS (I.E. HOTFIXES AND SERVICE PACKS) WOULD STILL REPLACE FILES IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE
TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES IS NOT POSSIBLE.
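The whole move as one script, added here as an example; it is not the MOVEIIS7ROOT.ZIP batch file linked above, just a PowerShell version of the same table and XCOPY step. It assumes an elevated PowerShell prompt on the IIS7 server, a drive letter passed as $Drive, and, per the warning above, it never deletes the original %systemdrive%\inetpub.

```powershell
# Added example (not the article's MOVEIIS7ROOT.ZIP): apply every entry from the
# table above and copy the content, for one chosen drive. Run elevated on the IIS7 box.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$Drive                                 # e.g. F
)

$root   = "${Drive}:\inetpub"
$source = Join-Path $env:SystemDrive 'inetpub'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

if (-not (Test-Path $appcmd))      { throw 'appcmd.exe not found; is IIS7 installed?' }
if (-not (Test-Path "${Drive}:\")) { throw "Drive ${Drive}: does not exist." }

# Run one external command and stop at the first failure, so the
# configuration is never left half-moved.
function Invoke-Step {
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "Failed (exit $LASTEXITCODE): $Exe $($ArgList -join ' ')" }
}

# 1. Copy content first (ACLs and empty directories included) so every
#    directory IIS is about to be pointed at already exists.
Invoke-Step 'xcopy' @($source, $root, '/E', '/O', '/I', '/Y')

# 2. Configuration entries, in the order of the table above.
$sites = '-section:system.applicationHost/sites'
$log   = '-section:system.applicationHost/log'
Invoke-Step $appcmd @('set', 'config', $sites, "-siteDefaults.traceFailedRequestsLogging.directory:$root\logs\FailedReqLogFiles")
Invoke-Step $appcmd @('set', 'config', $sites, "-siteDefaults.logfile.directory:$root\logs\logfiles")
Invoke-Step $appcmd @('set', 'config', $log,   "-centralBinaryLogFile.directory:$root\logs\logfiles")
Invoke-Step $appcmd @('set', 'config', $log,   "-centralW3CLogFile.directory:$root\logs\logfiles")
Invoke-Step 'reg' @('add', 'HKLM\System\CurrentControlSet\Services\WAS\Parameters',
                    '/v', 'ConfigIsolationPath', '/t', 'REG_SZ', '/d', "$root\temp\appPools", '/f')
Invoke-Step $appcmd @('set', 'config', '-section:system.applicationhost/configHistory', "-path:$root\history")
Invoke-Step $appcmd @('set', 'config', '-section:system.webServer/asp',
                      "-cache.disktemplateCacheDirectory:$root\temp\ASP Compiled Templates")
Invoke-Step $appcmd @('set', 'config', '-section:system.webServer/httpCompression',
                      "-directory:$root\temp\IIS Temporary Compressed Files")
Invoke-Step $appcmd @('set', 'vdir', 'Default Web Site/', "-physicalPath:$root\wwwroot")
foreach ($code in 401, 403, 404, 405, 406, 412, 500, 501, 502) {
    Invoke-Step $appcmd @('set', 'config', '-section:httpErrors',
                          "/[statusCode='$code'].prefixLanguageFilePath:$root\custerr")
}
Invoke-Step 'reg' @('add', 'HKLM\Software\Microsoft\inetstp', '/v', 'PathWWWRoot', '/t', 'REG_SZ', '/d', "$root\wwwroot", '/f')
Invoke-Step 'reg' @('add', 'HKLM\Software\Microsoft\inetstp', '/v', 'PathFTPRoot', '/t', 'REG_SZ', '/d', "$root\ftproot", '/f')

"INETPUB settings now point at $root. Leave $source in place: servicing may still write to it."
```

PowerShell quotes any argument that contains a space when it hands it to appcmd, so the paths with spaces (ASP Compiled Templates, IIS Temporary Compressed Files) arrive as single arguments just as the quoted forms in the table do. The content is copied before the configuration is switched so that a failure part-way through leaves IIS pointing at directories that exist.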

Local copy of download

moveiis7root.zip (1.66 kb)

Nov 22, 2011

Connection via Cisco VPN Client stops local DNS resolution

Reprint from here...
If you use the Cisco VPN Client with Windows XP, you may have noticed that all of your DNS requests go via the VPN, rather than the local network. You can test which DNS server you are using through the use of the NSLOOKUP command. The Cisco VPN Client creates a disabled Local Area Connection, to which it assigns null values until connected. When you connect using the client this connection profile becomes enabled and is set with the appropriate DNS, WINS, gateway and IP address from the other end of the VPN, usually by a DHCP server. By default when you install the client the priority of the Cisco VPN connection is higher than the default local connection assigned to your Ethernet NIC or wireless card, and it is this that causes two major problems for users:
  1. You cannot connect to local named servers, but you can access them by IP. The only common workaround suggested for this (see Google Groups) is to manually add them to your HOSTS file. This is not a solution that you could widely roll out to a network of users, and is a dirty hack.
  2. Your DNS resolution is SLOW. This is because your request has to go to the DNS server at the other end of the VPN before the answer is returned to you locally, after which you go out over your local LAN to the internet as normal via your broadband router.
To test which DNS server you are using by default when connected normally, first disconnect from the VPN client and pop open a command window:
  • Start -> Run -> type "cmd"
  • type "nslookup".
You'll see something along the lines of:
C:\Documents and Settings\Administrator>nslookup
Default Server: 192.168.0.1
Address: 192.168.0.1

>
Type "exit" and then open up your Cisco VPN Client, connect via VPN, and repeat the NSLOOKUP command. You'll see the change to your default DNS server:
C:\Documents and Settings\Administrator>nslookup
Default Server: core.office.junto.co.uk
Address: 172.30.2.1

>
Now all DNS requests will go through the VPN, and not your local router. Slow and pointless (security caveats aside). Why does the Cisco VPN Client change this, and can we alter it at the client level? We don't really want to bother our overworked Cisco technician back in the office, and often he's an expensive contract resource anyway.

Most importantly why does the Cisco VPN Client connection always seem to have a higher priority than the standard local ethernet connection or wireless connection under Windows XP? My initial thought was that Cisco designed it to be this way, and there was no way to change it, but now I believe that the simple answer is one of installation order. Hence, as the connections are installed, the last one to be installed seems to be given the highest priority. Someone more knowledgeable with XP networking might be able to clarify this.
Whether or not this is true, the fix is to change the priority of the connections. A bit of digging around gives you some advanced settings for network connections:
  • Start -> Control Panel -> Network Connections
  • Then under the menu option Advanced -> Advanced Settings
  • Change the priority of your default local connection to be above that of the Cisco VPN Client. The Cisco VPN Client often installs for most people as "Local Area Connection 2".
Now try the NSLOOKUP command again. You'll see something along the lines of:
C:\Documents and Settings\Administrator>nslookup
Default Server: 192.168.0.1
Address: 192.168.0.1

>
You're back to using your local DNS server, but still connected to the VPN. Problem solved. Nice! You should now be able to see your local servers inside your LAN by name, plus general browsing should be faster.
Some caveats:
  1. There may be security considerations to allowing DNS requests via the local LAN rather than the VPN. DNS works so that it rolls down the list of DNS servers, so the local LAN will ask the world for an internal DNS name first. That could give information away in terms of your local private LAN set up.
  2. I'm using an up-to-date-patched version of Windows XP Professional SP2
  3. I'm using the Cisco Client 4.0.4. Newer versions have given me grief.
  4. In the properties of the VPN profile in question (Cisco VPN Client -> Connection Entry -> Modify) the Transport tab has the option "Allow Local LAN Access" checked.
  5. This may also be a solution for other VPN clients, but I haven't tried it.
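The NSLOOKUP test above, done for every interface at once, as an added example that is not part of the original post. It goes beyond the XP-era setup the post describes: it assumes Windows 8 / Server 2012 or later (the NetTCPIP and DnsClient modules), lists each connected IPv4 interface with its metric (lower wins, which is what the Advanced Settings dialog orders) and its DNS servers, then asks each server for a name you supply so you can see which one answers and which one times out. The $Name parameter is yours to fill in with an internal host name.

```powershell
# Added example, not from the original post: show which DNS server each
# interface would use and whether it resolves a given name. Win8+/2012+.
param([string]$Name = 'localhost')   # placeholder: pass an internal server name

function Get-DnsPathReport {
    param([string]$TargetName)
    $report = @()
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
              Where-Object { $_.ConnectionState -eq 'Connected' } |
              Sort-Object InterfaceMetric          # lowest metric is consulted first
    foreach ($if in $ifaces) {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        foreach ($server in $servers) {
            try {
                # -DnsOnly skips the hosts file and cache so the server really is asked.
                $answer = Resolve-DnsName -Name $TargetName -Server $server -Type A `
                          -DnsOnly -ErrorAction Stop
                $result = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
            } catch {
                $result = "no answer ($($_.Exception.Message))"
            }
            $report += [pscustomobject]@{
                Interface = $if.InterfaceAlias
                Metric    = $if.InterfaceMetric
                DnsServer = $server
                Answer    = $result
            }
        }
    }
    return $report
}

Get-DnsPathReport -TargetName $Name | Format-Table -AutoSize
```

The first row is the path Windows tries first; if it is the VPN adapter, that is the slow or failing resolution the post describes. On these newer Windows versions the equivalent of the Advanced Settings change is `Set-NetIPInterface -InterfaceIndex <index> -InterfaceMetric <value>` on the local adapter, giving it a lower metric than the VPN adapter.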
Nov 9, 2011

Sudo for Windows

With the existence of UAC in the Windows world, I find myself looking for easier ways to run a command as administrator (usually via the command line) without needing to turn off UAC.

Here are some useful links that helped me solve this very issue.

Elevation Power Toys

http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx (note: you also need the Sysinternals Suite installed in "%ProgramFiles%\Sysinternal Suite")

Elevate Utility

http://code.kliu.org/misc/elevate/

Sudo for windows

http://sourceforge.net/projects/sudowin/
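A minimal sudo-style function for PowerShell, added here as an example; it is not code from any of the three tools linked above. It raises the normal UAC consent prompt for one command (via Start-Process -Verb RunAs) instead of turning UAC off, and runs the command in-process when the shell is already elevated. It assumes Windows Vista or later with PowerShell 2.0+.

```powershell
# Added example, not from the linked tools: run one command elevated through
# the UAC prompt, keeping UAC on. Drop it in your profile to get a "sudo" verb.
function sudo {
    param(
        [Parameter(Mandatory = $true, Position = 0)][string]$Command,
        [Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin) {
        # Already elevated: no prompt needed, run it right here.
        & $Command @Arguments
        return
    }

    # Quote each argument so spaces survive the hop into the new process.
    $quoted = @($Arguments | ForEach-Object { '"' + ($_ -replace '"', '\"') + '"' })
    $inner  = "& '$Command' $($quoted -join ' ')"

    # -Verb RunAs is what triggers the UAC consent dialog; -Wait blocks this
    # prompt until the elevated command has finished. -NoExit keeps the
    # elevated window open so you can read the command's output.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait -ArgumentList @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass', '-NoExit', '-Command', $inner)
}

# usage: sudo ipconfig /flushdns
#        sudo netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
```

Because the elevated command runs in a second process, its output appears in the new window rather than in the calling prompt; remove -NoExit once you no longer need to read it.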

May 9, 2011

A couple of useful free tools

FreeCommander is an easy-to-use alternative to the standard Windows file manager. The program helps you with daily work in Windows. Here you can find all the necessary functions to manage your data stock. You can take FreeCommander anywhere - just copy the installation directory to a CD or USB stick - and you can even work with this program on a foreign computer.

FuturixImager is a compact and customizable image viewer. It is capable of opening more than 40 file types, including all the most popular ones (GIF, JPEG, PNG, TIFF, JPEG2000, raw, DNG).

Texter saves you countless keystrokes by replacing abbreviations with commonly used phrases you define. Unlike software-specific text replacement features, Texter runs in the Windows system tray and works in any application you're typing in. Texter can also set return-to markers for your cursor and insert clipboard contents into your replacement text, in addition to more advanced keyboard macros.

Stickies is a PC utility that was written to try to cut down on the number of yellow notes I was leaving stuck to my monitor. It is a computerised version of those notes. The design goal behind Stickies is that the program is small and simple. Stickies will not mess with your system files, or write to the registry. Stickies stores information in a single text-based ini file.

ShellRunAs: the command-line tool Runas is handy for launching programs under different accounts, but it's not convenient if you're a heavy Explorer user. ShellRunas provides functionality similar to that of Runas to launch programs as a different user via a convenient shell context-menu entry. Read more..

Command Prompt Here tool

Jan 5, 2011

100 Fantastic Backgrounds

http://iniwoo.net/inspiration/100-creative-desktop-backgrounds/

Dec 23, 2010

Great low cost backup tool (online and offline)

http://b4.crashplan.com/consumer/index.html

Truly dependable backup means backing up to multiple locations - not just online - which until now could be complicated. CrashPlan automatically backs up to multiple destinations for FREE!

CrashPlan's groundbreaking social backup concept makes it easy to back up to computers belonging to your network of friends or family for offsite backup, in addition to using your own computers and external drives for onsite backup. CrashPlan works on all your computers, so you don't have to worry about compatibility either.

CrashPlan is true backup; uncomplicated, reliable and even a little fun.

Dec 23, 2010

How to display hidden NIC card drivers in Windows Server

http://support.microsoft.com/kb/269155

  1. Click Start, click Run, type cmd.exe, and then press ENTER.
  2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
  3. Type Start DEVMGMT.MSC, and then press ENTER.
  4. Click View, and then click Show Hidden Devices.
  5. Expand the Network Adapters tree.
  6. Right-click the dimmed network adapter, and then click Uninstall.
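The same inventory from PowerShell, added as an example that is not part of the KB article: it lists the non-present ("ghost") network adapters without toggling the Device Manager view, and a second function opens Device Manager with the devmgr_show_nonpresent_devices variable set, as steps 2 and 3 above do. It assumes Windows 8.1 / Server 2012 R2 or later for Get-PnpDevice; the removal itself stays with step 6 (Uninstall in Device Manager).

```powershell
# Added example, not from the KB article: find non-present network adapters
# from PowerShell (Win 8.1 / 2012 R2 or later for the PnpDevice module).
function Get-GhostNetAdapter {
    # Get-PnpDevice returns devices that are not currently plugged in or bound
    # unless -PresentOnly is used; the Present property separates the two.
    Get-PnpDevice -Class Net |
        Where-Object { -not $_.Present } |
        Select-Object FriendlyName, InstanceId, Status
}

function Show-HiddenDevicesInDeviceManager {
    # Device Manager inherits this variable from the launching process, which is
    # why the article has you set it in the same cmd window before starting it.
    $env:devmgr_show_nonpresent_devices = '1'
    Start-Process -FilePath 'mmc.exe' -ArgumentList 'devmgmt.msc'
}

# Dimmed adapters in Device Manager are the ones reported here.
Get-GhostNetAdapter | Format-Table -AutoSize
```

Run Get-GhostNetAdapter before and after the uninstall to confirm the dimmed adapter is gone; a ghost adapter that still holds an IP address is the usual reason a new NIC cannot be given the same address.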