Location: List Archives

List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Forums >ActiveDir Mail List Archive >List Archives
Subject: RE: [ActiveDir] Determining Which DC a Client is Getting Tickets From?
Prev Next
You are not authorized to post a reply.

AuthorMessages
ASteeleUser is Offline

Posts:22

07/18/2008 4:14 PM  
I agree, you are seeing which server is granting you resource tickets, what you don't see is which server granted you your TGT. I think this would be the verifier of which server you asked for and which server logged you on.

/aaron

Aaron Steele
PointBridge | Consultant
M: 773.580.8099
EM/IM: asteele@pointbridge.com<mailto:asteele@pointbridge.com>

Do you have Office Communicator? Federate<http://technet.microsoft.com/en-us/magazine/cc137801.aspx> with PointBridge and Securely Instant Message<sip:asteele@pointbridge.com> or Call Me<tel:asteele@pointbridge.com>.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Friday, July 18, 2008 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining Which DC a Client is Getting Tickets From?

This is an example of klist tickets command on my test domain. Seems to be telling me which server is granting me a ticket for a given service.


Cached Tickets: (11)

Server: krbtgt/CPANDL.COM@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30


Server: krbtgt/CPANDL.COM@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30


Server: HOST/sdm2.cpandl.com@CPANDL.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30


Server: GC/sdm2.cpandl.com/cpandl.com@CPANDL.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30


Server: LDAP/sdm1.cpandl.com/CPANDL@xxxx.yyy
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2008 16:45:30
Renew Time: 7/25/2008 6:45:30

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Friday, July 18, 2008 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining Which DC a Client is Getting Tickets From?

I don't think klist nor kerbtray tells you what DC you got the ticket from do they? Possibly they have been upgraded from the last time I looked but I just don't recall that data in there.

RE: LOGONSERVER.... what is actually used can change from that server for a variety of reasons. It isn't maintained, it is set once at logon and stays that way until you log off and log on again.

Best option, I think, for determining where your tickets are coming from for the machine's domain would be to do a nltest /sc_query:domain command. Now if you are worried about other domains then you would have chase the trust path with nltest /sc_query I expect.


joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve K
Sent: Friday, July 18, 2008 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Determining Which DC a Client is Getting Tickets From?
Depending on how many resources you touch, you can have tickets from many differnt domain controllers in many different domains. klist and kerbtray will tell you every current ticket from each source.
On Fri, Jul 18, 2008 at 2:32 PM, Thommes, Michael M. <MThommes@anl.gov<mailto:MThommes@anl.gov>> wrote:
Is there any reason why the DC returned here would be any different from
"set logonserver"?

Mike Thommes

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>
[mailto:ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>] On Behalf Of Michael B.
Smith
Sent: Friday, July 18, 2008 1:10 PM
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Determining Which DC a Client is Getting
Tickets From?

C:\>nltest /sc_query:essential
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\win2003-dc.essential.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>

Lots of fun arguments that might help you out.

Regards,

Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>
[mailto:ActiveDir-owner@mail.activedir.org<mailto:ActiveDir-owner@mail.activedir.org>] On Behalf Of Michael B Allen
Sent: Friday, July 18, 2008 2:05 PM
To: activedir@activedir.org<mailto:activedir@activedir.org>
Subject: [ActiveDir] Determining Which DC a Client is Getting Tickets
From?

How does one determine which specific domain controller a client is
getting tickets from?

Is there some kind of ipconfig /all type of output that will tell me
the FQDN hostname or IP? I realize the DC isn't set indefinitely but I
believe it does have "sticky" behavior.

I have some code that depends on the Keberos ticket containing groups
but we're seeing certain groups being left out even though they're
Global groups and checking these groups on the DC shows the user is
definitely a member of them. I want to rule out any kind of
replication issues by making sure everyone's using the same DC.

Mike

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


You are not authorized to post a reply.
Forums >ActiveDir Mail List Archive >List Archives > RE: [ActiveDir] Determining Which DC a Client is Getting Tickets From?



ActiveForums 3.7
Friends

Friends

Button
Members

Members

MembershipMembership:
Latest New UserLatest:shams
New TodayNew Today:4
New YesterdayNew Yesterday:2
User CountOverall:4698
People OnlinePeople Online:
VisitorsVisitors:61
MembersMembers:2
TotalTotal:63
Online NowOnline Now:
01: alpeshshinde25
02: shams

Ads

Copyright 2009 ActiveDir.org
Terms Of Use