| Author | Messages | |
miallen
Posts:19
 | | 07/18/2008 2:06 PM |
| How does one determine which specific domain controller a client is getting tickets from?
Is there some kind of ipconfig /all type of output that will tell me the FQDN hostname or IP? I realize the DC isn't set indefinitely but I believe it does have "sticky" behavior.
I have some code that depends on the Kerberos ticket containing groups but we're seeing certain groups being left out even though they're Global groups and checking these groups on the DC shows the user is definitely a member of them. I want to rule out any kind of replication issues by making sure everyone's using the same DC.
Mike
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| michael1
Posts:426
 | | 07/18/2008 2:14 PM |
| C:\>nltest /sc_query:essential
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\win2003-dc.essential.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>
Lots of fun arguments that might help you out.
Regards,
Michael B. Smith MCITP:SA,EMA/MCSE/Exchange MVP http://TheEssentialExchange.com
| | | |
| darren
Posts:386
 | | 07/18/2008 2:14 PM |
| You can use klist.exe or kerbtray (gui app) from the Reskit Tools to get this info.
Darren
| | | |
| MThommes
Posts:106
 | | 07/18/2008 2:34 PM |
| Is there any reason why the DC returned here would be any different from "set logonserver"?
Mike Thommes
| | | |
| irishbug
Posts:55
 | | 07/18/2008 2:47 PM |
| Depending on how many resources you touch, you can have tickets from many different domain controllers in many different domains. klist and kerbtray will tell you every current ticket from each source.
| | | |
| michael1
Posts:426
 | | 07/18/2008 2:49 PM |
| I'm no AD guru, but there is at least one trivial reason: the LOGONSERVER has gone offline and the workstation has had to spin up a secure channel to another DC.
Regards,
Michael B. Smith MCITP:SA,EMA/MCSE/Exchange MVP http://TheEssentialExchange.com
| | | |
| listmail
Posts:821
 | | 07/18/2008 2:57 PM |
| I don't think klist or kerbtray tells you what DC you got the ticket from, do they? Possibly they have been upgraded from the last time I looked, but I just don't recall that data in there.
RE: LOGONSERVER.... what is actually used can change from that server for a variety of reasons. It isn't maintained; it is set once at logon and stays that way until you log off and log on again.
Best option, I think, for determining where your tickets are coming from for the machine's domain would be to do an nltest /sc_query:domain command. Now if you are worried about other domains then you would have to chase the trust path with nltest /sc_query, I expect.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| matheesha
Posts:34
 | | 07/18/2008 3:13 PM |
| I think it's worth investigating the groups that the user belongs to. Perhaps they've exceeded the Kerberos ticket size? You can use ntdsutil and find out if this is the case. http://support.microsoft.com/kb/934185
| | | |
| darren
Posts:386
 | | 07/18/2008 4:04 PM |
| This is an example of the klist tickets command on my test domain. It seems to be telling me which server is granting me a ticket for a given service.
Cached Tickets: (11)
Server: krbtgt/CPANDL.COM@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30
Server: krbtgt/CPANDL.COM@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30
Server: HOST/sdm2.cpandl.com@CPANDL.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30
Server: GC/sdm2.cpandl.com/cpandl.com@CPANDL.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30
Server: LDAP/sdm1.cpandl.com/CPANDL@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30
| | | |
| listmail
Posts:821
 | | 07/18/2008 4:38 PM |
| Those are the resources the tickets are for, not where they came from.
For example, say I try to connect to the c$ share of a Windows XP workstation (which obviously isn't running a MSFT KDC) named sfmxp32. For that, I see a ticket like
Server: cifs/sfmxp32@TEST.LOC
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/19/2008 2:29:43
Renew Time: 7/25/2008 16:29:43
I know for a fact that the ticket came from a domain controller called test-dc1.test.loc because it was the only DC turned on in the forest when I made the connection.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
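An added example, not code from any poster in this thread: PowerShell that puts the three "which DC" answers the thread distinguishes side by side (LOGONSERVER, the secure channel DC from nltest /sc_query, and the DC locator result from nltest /dsgetdc, a switch not shown above) and then lists what klist actually records, the target service principal of each ticket rather than the issuing KDC. It assumes Windows PowerShell 3.0 or later with nltest.exe and klist.exe on PATH; the function names are my own.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+ with
# nltest.exe and klist.exe on PATH (klist is inbox on Vista/2008 and later; on
# older clients it is the Resource Kit tool the thread refers to).

function Get-DcHostLabel {
    # "\\DC01" (LOGONSERVER, NetBIOS) and "\\dc01.contoso.com" (nltest, FQDN)
    # name the same host, so compare on the upper-cased first label only.
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    return $Name.TrimStart('\').Split('.')[0].ToUpperInvariant()
}

function Get-FirstCapture {
    # Return capture group 1 of the first line in $Lines matching $Pattern, else $null.
    param([string[]]$Lines, [string]$Pattern)
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return $null
}

function Get-DomainControllerView {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # 1. LOGONSERVER: set once at logon and never refreshed, so it can be stale
    #    (joe's point above).
    $logonServer = $env:LOGONSERVER

    # 2. Secure channel DC: the DC the workstation is talking to right now.
    #    The line of interest looks like "Trusted DC Name \\win2003-dc.essential.local".
    $sc = @(nltest "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" })
    $scDc     = Get-FirstCapture $sc 'Trusted DC Name\s+(\S+)'
    $scStatus = Get-FirstCapture $sc 'Status\s*=\s*(.+)$'

    # 3. DC locator: the DC a fresh locator call would hand out at this moment.
    #    nltest /dsgetdc prints a line like "DC: \\dc01.contoso.com".
    $loc = @(nltest "/dsgetdc:$Domain" 2>&1 | ForEach-Object { "$_" })
    $locDc = Get-FirstCapture $loc '^\s*DC:\s+(\S+)'

    # Collapse the three answers to distinct host labels; more than one label
    # means the sources disagree (e.g. LOGONSERVER went offline and the machine
    # spun up a secure channel to another DC, as Michael B. Smith describes).
    $labels = @($logonServer, $scDc, $locDc |
        ForEach-Object { Get-DcHostLabel $_ } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Domain              = $Domain
        LogonServer         = $logonServer
        SecureChannelDC     = $scDc
        SecureChannelStatus = $scStatus
        LocatorDC           = $locDc
        AllSourcesAgree     = ($labels.Count -le 1)
    }
}

function Get-TicketCacheServers {
    # Each "Server:" line in klist output is the service principal the ticket is
    # FOR (its target SPN), not the KDC that issued it; klist does not record the
    # issuer, which is joe's correction to reading the list as "who granted this".
    $out = @(klist tickets 2>&1 | ForEach-Object { "$_" })
    $out | Select-String -Pattern '^\s*Server:\s*(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

Get-DomainControllerView | Format-List

"Target service principals in the ticket cache (not issuing KDCs):"
Get-TicketCacheServers | ForEach-Object { "  $_" }
```

If AllSourcesAgree is $false on several clients, the group-membership discrepancy in the original question cannot yet be blamed on one DC; compare SecureChannelDC across the affected machines first, since that is the DC the machine's Kerberos traffic is actually going to.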
| darren
Posts:386
 | | 07/18/2008 6:36 PM |
| Ah, thanks joe. Makes sense.
| | | |