Wednesday, 15 February 2012

How RPC Works



Hello Guys, today I will share some ideas about how RPC works.

An RPC service registers itself in the registry with a universally unique identifier (UUID). UUIDs are well-known identifiers, unique for each service and common across all platforms. When an RPC service starts, it obtains a free high port and registers that port against its UUID. Some services use random high ports; others try to use the same high ports every time (if they are available).

Below is the diagram that shows how RPC works.






When a client wants to communicate with a particular RPC service, it cannot determine in advance which port the service is running on. It establishes a connection to the server's portmapper service (on TCP port 135) and requests the service it wants by using the service's UUID. The portmapper returns the corresponding port number to the client and closes the connection. Finally, the client makes a new connection to the server by using the port number it received from the portmapper. Because it is impossible to know in advance which port an RPC service will use, the firewall must permit all high ports through.
 
When a program tries to connect to an RPC service, it requests a free port from the system. The system picks the port number at random from the dynamic range and hands it to the program requesting the port. The default dynamic range is 1024-65535, and the system can give out any available port from this range.
  • KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
  • Entry Name: TCPWindowSize
  • Type: DWORD
  • Value: 65535

Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows, which used a default port range of 1025 through 5000.
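To see this on a real server, here is an added PowerShell example (not from the original post) that prints the current TCP dynamic port range, lists every process listening on a high port (the endpoints a firewall would have to admit), and reports whether the RPC port restriction from the KB "How to configure RPC dynamic port allocation to work with firewalls" has been applied. The registry values Ports, PortsInternalOnly and UseInternetPorts under HKLM\SOFTWARE\Microsoft\Rpc\Internet are the ones that KB documents; the script assumes an elevated prompt on Windows Vista/2008 or later (netstat and netsh are used rather than newer cmdlets so it runs on the versions the post discusses).

```powershell
# Added example (not from the original post): show the dynamic port range, who is
# listening on high ports, and whether RPC has been restricted to a fixed range.
# Assumes an elevated prompt; run on the server whose firewall you are designing.

function Get-DynamicPortRange {
    # netsh prints lines like "Start Port      : 49152" and "Number of Ports : 16384"
    $text  = netsh int ipv4 show dynamicport tcp
    $start = [int](($text | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($text | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    New-Object PSObject -Property @{ Start = $start; End = ($start + $count - 1); Count = $count }
}

function Get-HighPortListeners {
    param([int]$Floor = 1024)
    # netstat line: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  820"; port is after the last colon
    netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $f    = $_.Trim() -split '\s+'
        $port = [int]($f[1] -replace '^.*:', '')
        if ($port -ge $Floor) {
            $procId = [int]$f[4]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            New-Object PSObject -Property @{ LocalAddress = $f[1]; Port = $port; Pid = $procId; Process = $name }
        }
    } | Sort-Object Port
}

function Get-RpcPortRestriction {
    # Absent key = RPC hands out ports from the whole dynamic range (the post's
    # "firewall must permit all high ports" situation).
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { return 'not restricted (Rpc\Internet key absent)' }
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternalOnly, UseInternetPorts
}

$range = Get-DynamicPortRange
"Dynamic TCP range: $($range.Start)-$($range.End) ($($range.Count) ports)"
"RPC restriction  : $(Get-RpcPortRestriction | Out-String)"
'Listeners above port 1023 (the endpoint mapper itself is on 135):'
Get-HighPortListeners | Select-Object Port, LocalAddress, Pid, Process | Format-Table -AutoSize
```

Comparing the listener list against the dynamic range is the quickest way to spot a service that ignored the range (a static high port) before you write firewall rules around it.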

Below are some KB articles with more details about RPC configuration in different scenarios.

How to configure RPC dynamic port allocation to work with firewalls

If you want to specify static ports for known services on a DC, such as Netlogon, NTDS and FRS, then follow the articles below.

Restricting Active Directory replication traffic to a specific port

How to restrict FRS replication traffic to a specific static port



Thursday, 2 February 2012

Windows Server 2008 R2 Offline Domain Join


Hello Again,

Today I will share a nice feature of Windows Server 2008 R2: offline domain join. With the help of this new feature you can join any system to the domain without contacting the domain controller, which means that even if the client is not in contact with the DC, it can still be added to Active Directory.

Offline domain join is a new process that computers running Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to the corporate network.

Requirements

You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2. 


By default, Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, we can also use the optional /downlevel parameter if we have to target a DC that is running an older version than 2008 R2.

Two steps


There are basically two steps necessary to offline domain join a computer. First, you have to create the computer account in Active Directory. This process is called "provisioning." The easiest way to do that is on an R2 domain controller. Djoin creates base64-encoded metadata and saves it as a text file. This file then has to be used to offline domain join the Windows 7 machine.

Provisioning


The command to provision the computer account on an R2 domain controller looks like this:

C:\Users\Administrator\Desktop>djoin /provision /domain dc1.com /machine client1 /savefile domain_join.txt


This command adds a computer account named client1 to the AD database, which you can see in the AD console.

NOTE: If you don't have a Windows Server 2008 R2 domain controller, you can run djoin.exe with the /downlevel parameter on a Windows 7 machine that is already a domain member.

 
Offline domain join


Then you have to copy that text file to the computer that has to be joined to the domain and launch this command:

C:\Users\Administrator\Desktop>djoin /requestODJ /loadfile domain_join.txt /windowspath %SystemRoot% /localos

 

Note: Issuing the above command on a domain controller will result in a broken Active Directory domain controller, with demote/promote as the only option left.


After issuing the above command you need to reboot the system, and the system will then be in the domain.
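The two steps above, wrapped in a PowerShell script as an added example (not part of the original post), with the checks an administrator wants around them: the provisioning step verifies that the account really exists and locks down the blob file (the blob carries the machine account password, so it should be handled like a credential), and the join step refuses to run on a domain controller, which is the situation the note above warns about. It assumes the post's domain dc1.com, computer name client1 and file domain_join.txt, and the ActiveDirectory PowerShell module on the provisioning machine.

```powershell
# Added example (not part of the original post): wraps the post's two djoin.exe
# commands with verification and safety checks. Assumes dc1.com / client1 /
# domain_join.txt from the post and the ActiveDirectory module for Get-ADComputer.

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Invoke-OdjProvision {
    param(
        [string]$Domain   = 'dc1.com',
        [string]$Machine  = 'client1',
        [string]$BlobFile = 'domain_join.txt',
        [switch]$Downlevel          # use when no 2008 R2 DC is available (see the NOTE above)
    )
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $BlobFile)
    if ($Downlevel) { $djoinArgs += '/downlevel' }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # Confirm the computer account exists before the blob leaves this machine.
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Identity $Machine -Server $Domain
    "Provisioned $($acct.DistinguishedName)"

    # The blob contains the machine account password: keep it readable only by
    # the account doing the provisioning until the client has consumed it.
    $acl = Get-Acl -Path $BlobFile
    $acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $BlobFile -AclObject $acl
}

function Invoke-OdjRequest {
    param([string]$BlobFile = 'domain_join.txt')
    if (Test-IsDomainController) {
        throw 'Refusing to run /requestODJ on a domain controller (this breaks the DC; see the note above).'
    }
    & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $BlobFile -Force     # the secret is no longer needed on disk
    'Offline join staged; reboot to complete it.'
}

# On the provisioning machine:   Invoke-OdjProvision
# On the client to be joined:    Invoke-OdjRequest
```

Deleting the blob after the join matters because anyone who can read it later can stand up a machine with that computer account's identity.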


You can get more parameters from the djoin help:

C:\Users\Administrator\Desktop>djoin //
Usage: djoin.exe [/OPTIONS]

  /PROVISION  - Provision a computer account in the domain
      /DOMAIN <Name> - <Name> of the domain to join
      /MACHINE <Name> - <Name> of the computer joining the domain
      /MACHINEOU <OU> - Optional <OU> where the account is created
      /DCNAME <DC> - Optional <DC> to target for account creation
      /REUSE - Reuse any existing account (password will be reset)
      /SAVEFILE <FilePath> - Save provisioning data to a file at <FilePath>
      /NOSEARCH - Skip account conflict detection, requires DCNAME (faster)
      /DOWNLEVEL - Support using a Windows Server 2008 DC or earlier
      /PRINTBLOB - Return base64 encoded metadata blob for an answer file
      /DEFPWD - Use default machine account password (not recommended)

  /REQUESTODJ  - Request offline domain join at next boot
      /LOADFILE <FilePath> - <FilePath> specified previously via /SAVEFILE
      /WINDOWSPATH <Path> - <Path> to the Windows directory in an offline image
      /LOCALOS - Allows /WINDOWSPATH to specify the locally running OS.
                 This command must be run as a local Administrator.
                 This option requires a reboot for changes to be applied.







Monday, 30 January 2012

Some Hidden facts and Questions

NTDS.dit file location:

Most of us know that the Ntds.dit file is located at %SystemRoot%\NTDS\Ntds.dit, but we can also find a copy of Ntds.dit at %SystemRoot%\System32\Ntds.dit. Whenever we promote a server to a DC, the file from %SystemRoot%\System32\Ntds.dit is used, so we don't need any installation media to run dcpromo.

Wednesday, 4 January 2012

How to recover deleted object from Active directory using LDP.exe


Hi Guys,

Today I am going to share how to recover deleted objects from Active Directory using the LDP.exe tool.

In my scenario my domain is cluster.com and it has the user Vijay Sharma.

Now you need to download the LDP.exe tool. You can download it from here.

Now I have deleted the object vijay from Active Directory.



To recover the object vijay, open the LDP.exe tool and perform the following:

Step 1: Click on the Connection menu, choose Connect, and enter the name of your domain.
Step 2: Bind the connection by going to the Connection menu, clicking Bind, and providing the administrator credentials.

Step 4: Now go to the Options menu and click on Controls.

Step 5: In the box under Load Predefined, select "Return deleted objects" and click OK.

Step 6: Click on View, select Tree, and enter DC=cluster,DC=com.

Step 7: Select the tree on the left side, expand it, and expand the Deleted Objects container (CN=Deleted Objects,DC=Cluster,DC=com).

Step 8: Select the deleted user you want to recover (Vijay Sharma).

Step 9: Right-click the selected user and click Modify.
Step 10: In the Modify box, enter "isDeleted" in the Attribute box, select the "Delete" operation, and click "Enter".
NOTE: Do not click "Run" in this step.

Step 11: Now enter "distinguishedName" in the Attribute box, select the "Replace" operation, and click "Enter". Check the Synchronous and Extended check boxes and click Run.

Step 12: The user is now recovered in the same container, but it will be in disabled mode.

Step 13: Enable the user account.

NOTE: The main limitation of using LDP.exe is that you cannot restore the attributes of the objects. In my case the user was a member of many groups, but after recovery it lost the group membership.
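The same reanimation done over LDAP from PowerShell, as an added example that is not part of the original post, so the steps can be scripted and logged instead of clicked through in LDP. It uses the .NET System.DirectoryServices.Protocols classes: the "Return deleted objects" control that step 5 loads is the LDAP control with OID 1.2.840.113556.1.4.417, and steps 10 and 11 become a single modify request that removes isDeleted and replaces distinguishedName (the directory only accepts the two changes together). The example assumes the post's domain cluster.com, the deleted user "Vijay Sharma", and that the account originally lived in CN=Users (adjust $TargetDn otherwise); it must run as a domain administrator on a domain-joined machine. As the note above says, group memberships are not kept on the tombstone, so they still have to be re-added afterwards.

```powershell
# Added example (not part of the original post): reanimate a tombstoned user over
# LDAP, mirroring the LDP.exe steps above. Assumes cluster.com, user "Vijay Sharma"
# and CN=Users as the original container; run as a domain administrator.

Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$Domain         = 'cluster.com'
$DeletedObjects = 'CN=Deleted Objects,DC=cluster,DC=com'
$UserName       = 'Vijay Sharma'
$TargetDn       = "CN=$UserName,CN=Users,DC=cluster,DC=com"   # assumed original container

# The same control LDP loads as "Return deleted objects" (step 5).
$ShowDeleted = New-Object "$P.DirectoryControl" ('1.2.840.113556.1.4.417', $null, $true, $true)
$ModOp       = "$P.DirectoryAttributeOperation" -as [type]

$conn = New-Object "$P.LdapConnection" ($Domain)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # binds as the current user (steps 1 and 2)

function Find-Tombstone {
    # A tombstone's RDN is "<cn>\0ADEL:<guid>"; \0A is the LDAP-escaped newline.
    $filter = "(&(isDeleted=TRUE)(objectClass=user)(cn=$UserName\0ADEL:*))"
    $req = New-Object "$P.SearchRequest" ($DeletedObjects, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, @('cn', 'lastKnownParent'))
    $req.Controls.Add($ShowDeleted) | Out-Null
    $res = $conn.SendRequest($req)
    if ($res.Entries.Count -ne 1) { throw "Expected one tombstone for '$UserName', found $($res.Entries.Count)" }
    return $res.Entries[0]
}

function New-Modification([string]$Name, $Operation, [string]$Value) {
    $m = New-Object "$P.DirectoryAttributeModification"
    $m.Name = $Name
    $m.Operation = $Operation
    if ($Value -ne $null) { $m.Add($Value) | Out-Null }
    return $m
}

function Restore-Tombstone([string]$TombstoneDn) {
    # Steps 10 + 11 in one LDAP modify: delete isDeleted, replace distinguishedName.
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@(
        (New-Modification 'isDeleted'         $ModOp::Delete  $null),
        (New-Modification 'distinguishedName' $ModOp::Replace $TargetDn)
    )
    $mod = New-Object "$P.ModifyRequest" ($TombstoneDn, $mods)
    $mod.Controls.Add($ShowDeleted) | Out-Null
    $conn.SendRequest($mod) | Out-Null
}

function Enable-RestoredUser {
    # Reanimated users come back disabled (step 12): clear ACCOUNTDISABLE (0x2).
    $req = New-Object "$P.SearchRequest" ($TargetDn, '(objectClass=user)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, @('userAccountControl'))
    $uac = [int]$conn.SendRequest($req).Entries[0].Attributes['userAccountControl'][0]
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@(
        (New-Modification 'userAccountControl' $ModOp::Replace ([string]($uac -band (-bnot 0x2))))
    )
    $conn.SendRequest((New-Object "$P.ModifyRequest" ($TargetDn, $mods))) | Out-Null
}

$tomb = Find-Tombstone
"Found $($tomb.DistinguishedName) (lastKnownParent: $($tomb.Attributes['lastKnownParent'][0]))"
Restore-Tombstone $tomb.DistinguishedName
Enable-RestoredUser
"Restored and enabled $TargetDn. Group memberships were stripped on deletion and must be re-added."
```

lastKnownParent is printed so you can confirm the container before restoring; if it differs from CN=Users, set $TargetDn to that container instead of guessing.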

Sunday, 18 December 2011

How to Analyze Windows Memory Dump





Welcome back guys :)

Today I am going to explain how to analyze the memory dump.
In my previous post I described how to create a memory dump and where you can find the dump file.
Let's say you have configured a memory dump on a server and the server went down unexpectedly with a BSOD.

Now you need to go to the default location, %SystemRoot%\Memory.dmp, for the memory dump file.
You can find the memory.dmp as below.











This memory.dmp file is the dump file for a complete dump. Now you need to analyze it ;)
There are a bundle of tools on the market for this, some free of cost and some licensed.
Microsoft has a tool for analyzing memory dumps on Microsoft platforms called Windows Debugger (dbg_x86_6.11.1.404). You can download it from here.

After downloading the debugger you need to do a little configuration before analyzing the dump.










Now you need to configure the symbol path for it. Before doing that, do the following:
  1. Create a folder named "symbols" (without quotes) in the root drive.
  2. Open WinDbg and go to File-->Symbol File Path.
  3. Set the path to SRV*c:\symbols*http://msdl.microsoft.com/download/symbols (without quotes).
Symbol Path: Symbol files provide a footprint of the functions that are contained in executable files and dynamic-link libraries (DLLs). Additionally, symbol files can present a roadmap of the function calls that lead to the point of failure.
Now the configuration is done, and you need to open the dump file in the debugger.

To open the dump file, go to File-->Open Crash Dump.


















After you open the Memory.dmp, it will perform some calculations and load the symbols as below.




























Now you need to run the command "!analyze -v" to get the details.

After this command you will get the details about the reason behind the crash :)

The reason for the crash was the fltmgr.sys file.

As you are all System Admins, you must have good Google search skills, so just google it and find the reason for the same.
I found the reason, and there is a hotfix from Microsoft for this error.

http://support.microsoft.com/kb/955087

This is how we can analyze the dump. Please comment if you need any other help from my side.
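The same analysis can be driven from the command line with kd.exe, which ships in the same Debugging Tools package as WinDbg; this is useful when you have several dumps to triage or want the result in a ticket. The following PowerShell script is an added example (not from the original post): it runs the post's !analyze -v command non-interactively using the same symbol path, and pulls out the fields that name the culprit (BUGCHECK_STR, MODULE_NAME, IMAGE_NAME, PROCESS_NAME, FAILURE_BUCKET_ID), so a crash caused by fltmgr.sys shows up as Image = fltmgr.sys. The install path in $KdPath is an assumption; change it to wherever the debugger was installed.

```powershell
# Added example (not from the original post): run "!analyze -v" against a dump
# with kd.exe and summarize the result. Assumes Debugging Tools for Windows is
# installed at $KdPath (adjust) and the post's symbol path.

function Invoke-DumpTriage {
    param(
        [string]$DumpFile   = "$env:SystemRoot\Memory.dmp",
        [string]$KdPath     = 'C:\Program Files\Debugging Tools for Windows (x86)\kd.exe',   # assumed path
        [string]$SymbolPath = 'SRV*c:\symbols*http://msdl.microsoft.com/download/symbols'
    )
    if (-not (Test-Path $DumpFile)) { throw "Dump file not found: $DumpFile" }
    if (-not (Test-Path $KdPath))   { throw "kd.exe not found at $KdPath" }

    # -z dump file, -y symbol path, -c commands to execute (analyze, then quit)
    $output = & $KdPath -z $DumpFile -y $SymbolPath -c '!analyze -v; q' 2>&1

    # !analyze -v prints "NAME:  value" lines; keep the ones that name the culprit.
    $fields = @{}
    foreach ($name in 'BUGCHECK_STR', 'MODULE_NAME', 'IMAGE_NAME', 'PROCESS_NAME', 'FAILURE_BUCKET_ID') {
        $hit = $output | Select-String -Pattern "^\s*$name\s*:\s*(.+)$" | Select-Object -First 1
        if ($hit) { $fields[$name] = $hit.Matches[0].Groups[1].Value.Trim() }
    }

    New-Object PSObject -Property @{
        Dump      = $DumpFile
        BugCheck  = $fields['BUGCHECK_STR']
        Module    = $fields['MODULE_NAME']
        Image     = $fields['IMAGE_NAME']
        Process   = $fields['PROCESS_NAME']
        Bucket    = $fields['FAILURE_BUCKET_ID']
        RawReport = ($output -join "`n")
    }
}

$result = Invoke-DumpTriage
$result | Select-Object Dump, BugCheck, Image, Module, Process, Bucket | Format-List
# Keep the full report for the ticket and for searching the bucket id / image name.
$result.RawReport | Set-Content -Path "$env:TEMP\memory_dmp_analyze.txt"
```

When the dump directory holds several files, wrap the call in Get-ChildItem *.dmp | ForEach-Object { Invoke-DumpTriage -DumpFile $_.FullName } and compare the Bucket column: identical bucket ids across machines point to the same driver fault.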

Saturday, 10 December 2011

Windows Memory Dump


Hello Techies,

It is very common to see the blue screen on Microsoft-based operating systems. This blue screen is known as the Blue Screen Of Death (BSOD).





I have asked the question "what is BSOD" of many candidates during interviews, but usually they reply that it happens due to RAM or HDD failure, and that they would simply replace either the RAM or the HDD to fix the issue on the server.

So today I will give an idea about the BSOD and how to analyze this issue on the Windows platform.

->What is BSOD?
->The Blue Screen of Death is displayed by the Microsoft Windows family of operating systems upon encountering a critical error of a non-recoverable nature that causes the system to crash. Stop errors are hardware or driver related, causing the computer to stop responding in order to prevent damage to the hardware or data.

->Types of memory dump?
->There are three types of dumps created:

1. Complete Memory Dump
2. Kernel Memory Dump
3. Small Memory Dump

1. Complete Memory Dump: A Complete Memory Dump is the largest kernel-mode dump file. This file contains all the physical and virtual memory for the machine at the time of the fault. If you select the complete memory dump option, you must have a paging file on the boot volume. The Complete Memory Dump file is written to %SystemRoot%\Memory.dmp by default. The Complete memory dump option is not available (by default) on computers that are running a 32-bit operating system and have 2 gigabytes (GB) or more of RAM.

2. Kernel Memory Dump: A Kernel Memory Dump contains all the memory in use by the kernel at the time of the crash. The dump file will be around one-third the size of the physical memory on the system. This dump does not include unallocated memory or any memory allocated to applications; it only includes memory allocated to the Windows kernel. The Kernel Memory Dump file is written to %SystemRoot%\Memory.dmp by default.

3. Small Memory Dump: A Small Memory Dump is much smaller than the other two crash dump files. It is exactly 64 KB in size (128 KB on 64-bit systems). This kind of dump file can be useful when space is greatly limited. However, it contains very little information about the reason for the crash.

                              How to enable memory dump on a windows server

Here I am going to configure the memory dump on Windows 7 / Server 2008.

1. Right-click on My Computer and click Properties.
2. Click the Advanced system settings option on the left side.
3. Click the Advanced tab.
4. Click Settings under Startup and Recovery. Below are the screenshots.






You can configure the same from the registry as well, at the location mentioned below:

HKLM\System\CurrentControlSet\Control\CrashControl
Everything that you can configure via the GUI can be configured via the registry as well.

  • Write an event to the System Log checkbox = LogEvent
  • Automatically Restart checkbox = AutoReboot
  • Write Debugging Information drop-down = CrashDumpEnabled
  • Dump File text box = DumpFile
  • Overwrite any existing file checkbox = Overwrite 


                              How to Crash the server manually using keyboard

Now that you have configured the memory dump on the server, you can also check whether it is actually creating the memory dump file. Also, when you need to create a memory dump file manually after a crash, do the following to configure the same.

Using a PS/2 keyboard:


1. Start Registry Editor.
2. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

3. On the Edit menu, click Add Value, and then add the following registry entry:

Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1


4. Exit Registry Editor, and then restart the computer.


Using a USB keyboard:

1. Start Registry Editor.
2. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

3. Make sure that the following registry entry is enabled:

Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1


4. Exit Registry Editor.

You can then generate a system memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key twice (Ctrl+Scroll Lock twice).

Note: Pressing the left CTRL key does not generate the system memory dump.
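Both of the registry procedures above (the CrashControl values that mirror the GUI, and the CrashOnCtrlScroll entries for PS/2 and USB keyboards) can be applied and verified in one PowerShell script. The following is an added example, not from the original post: it reads the current crash dump settings, sets a kernel memory dump with the GUI-equivalent values listed above, and enables the keyboard trigger under both the i8042prt and kbdhid keys. The CrashDumpEnabled codes (0 = none, 1 = complete, 2 = kernel, 3 = small) are the standard values for that entry; run the script elevated, and reboot afterwards as the post says.

```powershell
# Added example (not from the original post): configure crash dumps and the
# Ctrl+Scroll Lock crash trigger through the registry keys named in the post.
# Run from an elevated prompt; a reboot is still required for the changes to apply.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small
$DumpTypeName = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }
$DumpTypeCode = @{ None = 0; Complete = 1; Kernel = 2; Small = 3 }

function Get-CrashDumpConfig {
    $p = Get-ItemProperty -Path $CrashControl
    New-Object PSObject -Property @{
        DumpType   = $DumpTypeName[[int]$p.CrashDumpEnabled]
        DumpFile   = $p.DumpFile
        Overwrite  = [bool]$p.Overwrite
        AutoReboot = [bool]$p.AutoReboot
        LogEvent   = [bool]$p.LogEvent
    }
}

function Set-CrashDumpConfig {
    param(
        [ValidateSet('None', 'Complete', 'Kernel', 'Small')][string]$DumpType = 'Kernel',
        [string]$DumpFile = '%SystemRoot%\MEMORY.DMP',
        [bool]$Overwrite  = $true,
        [bool]$AutoReboot = $true,
        [bool]$LogEvent   = $true
    )
    # Same mapping as the post: checkbox/drop-down on the left, registry value on the right.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpTypeCode[$DumpType] -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile         -Value $DumpFile          -Type ExpandString
    Set-ItemProperty -Path $CrashControl -Name Overwrite        -Value ([int]$Overwrite)  -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot       -Value ([int]$AutoReboot) -Type DWord
    Set-ItemProperty -Path $CrashControl -Name LogEvent         -Value ([int]$LogEvent)   -Type DWord
}

function Set-CrashOnCtrlScroll {
    param([bool]$Enabled = $true)
    # i8042prt covers PS/2 keyboards, kbdhid covers USB keyboards (both keys from the post).
    foreach ($svc in 'i8042prt', 'kbdhid') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name CrashOnCtrlScroll -Value ([int]$Enabled) -Type DWord
    }
}

'Before:'; Get-CrashDumpConfig | Format-List DumpType, DumpFile, Overwrite, AutoReboot, LogEvent
Set-CrashDumpConfig -DumpType Kernel
Set-CrashOnCtrlScroll -Enabled $true
'After:';  Get-CrashDumpConfig | Format-List DumpType, DumpFile, Overwrite, AutoReboot, LogEvent
'Reboot the server for the dump settings and the PS/2 crash trigger to take effect.'
```

Leave CrashOnCtrlScroll disabled on production servers once testing is done: anyone with physical or console access could otherwise bring the machine down with two keystrokes.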



I will come back shortly with a new blog post on how to analyze the memory dump... ;)









Sunday, 4 December 2011

Offline Hardware Diagnostic Test on HP Servers

Performing Offline Diagnostic test using HP SmartStart CD

Guys, this is a very useful article that I just wanted to share with you.

The HP Insight Diagnostics utility is a hardware diagnostic tool available on HP SmartStart CDs. You can launch this tool by booting from the HP SmartStart CD. HP Insight Diagnostics is helpful when you are troubleshooting hardware on a server.

HP Insight Diagnostics (using the SmartStart CD) is also used to check whether all the hardware devices installed in your server are recognized by the server and functioning properly.

Offline Hardware test using SmartStart CD:

1. Boot the server using the SmartStart CD (it might take some time, be patient!).
   [Screenshot: SmartStart CD boot]
2. Now you will be at the Language and Keyboard Selection page.
3. Select the language as English (US) and the keyboard layout as US English, then click Next.
   [Screenshot: SmartStart CD Language Selection]
4. Accept the HP EULA by clicking the Agree button (you have no choice here lol :D).
   [Screenshot: SmartStart CD EULA]
5. Now you are at the Home page of the SmartStart CD (check the screenshot below).
6. Click on the Maintenance button.
   [Screenshot: SmartStart CD Home]
7. Now you are at the Maintenance Options window (check the screenshot below).
8. Select HP Insight Diagnostics.
   [Screenshot: SmartStart CD Maintenance window]
9. The HP Insight Diagnostics window will load and generate a hardware report in a moment.
   [Screenshot: SmartStart CD Insight Diagnostics]
10. Now you will be at the System Survey main page.
    [Screenshot: SmartStart CD Survey window]
11. Click on the Test tab. You will be at the screen shown below.
12. Click on the Complete Test tab.
    [Screenshot: SmartStart CD Hardware Offline test]
13. Select the Test mode as Unattended.
14. Ensure that the option Stop on first error is unchecked.
15. Set the Number of loops to 15 (set 7 as a minimum).
    Note: The above step is the main step (1 loop takes approx. 1.5-2 hrs depending on your hardware).
    [Screenshot: SmartStart CD Hardware Offline Complete test tab]
16. Select All Devices in the list of devices.
17. Click on the Begin Testing button.
    [Screenshot: HP SmartStart CD Offline Start the test]
18. Now the test will run on all hardware. This process might take hours to complete.
    To save the logs you will need an external drive.
    [Screenshot: HP SmartStart CD Offline test completed]
19. Click on the Logs tab.
20. Click on the Diagnosis Log sub-tab.
21. Click Save to save the report.
    [Screenshot: HP SmartStart CD Diagnosis logs]
22. Click on the Test Log sub-tab.
23. Click Save to save the report.
    [Screenshot: HP SmartStart CD Test log]
24. Click on the Error Log sub-tab.
25. Click Save to save the report.
    [Screenshot: HP SmartStart CD Error logs]
26. Also save the Integrated Management Log.
27. To save the report, click on the Save button at the bottom of the page.
    [Screenshot: SmartStart CD IML logs]
28. Success!! You have generated all the offline diagnostics logs!
29. Click on the Exit Diagnostics button.
30. Reboot/restart your server.