In this more or less weekly series of posts I summarize noteworthy problems I encountered during my work week and how I solved them.
This week one Windows 2003 Domain Controller crashed badly and left behind a struggling network. So I came up with some optimizations.
Install additional domain controllers as VMware Virtual Machine
The affected location had only one dedicated domain controller, so I chose to set up another one. Since virtualization is cool, I did it using VMware Server. Windows installed flawlessly and everything went right until I started DCPROMO.EXE to get the beast into the domain. All I got was:
Active Directory Installation Wizard The wizard cannot gain access to the list of domains in the forest. This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171 The error is: The RPC server is unavailable.
I found the solution (not the reason) here (German). I had to reinstall the VMware Tools and deselect the Shared Folders component. That's it. The component can be reinstalled after the server has become a DC. Alternatively, installation of the VMware Tools can be delayed until the DC setup is finished.
Use more than one LDAP server with Apache httpd mod_authnz_ldap
Since I had two domain controllers now, I wanted to use both of them. For historical reasons I authenticate web services against the domain controller via LDAP instead of NTLM. Until the crash there was only one LDAP server in the Apache config. I tried to add the new server by entering the host names without the domain (e.g. dc1 dc2) into the AuthLDAPURL directive.
Unfortunately this didn't work: Apache complained that the LDAP URL failed format validation. So I went back and entered the FQDNs of the domain controllers instead, as in:
AuthLDAPURL "ldap://dc1.domain.local dc2.domain.local/dc=domain,dc=local?sAMAccountName?sub" NONE
That's it. By the way, here is my full config in case you are interested:
AuthType Basic
AuthName "Enter your Windows credentials"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.domain.local dc2.domain.local/dc=domain,dc=local?sAMAccountName?sub" NONE
AuthLDAPBindDN apache@domain.local
AuthLDAPBindPassword secret
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthzLDAPAuthoritative On
That's it.
Scheduled task running a batch script as a non-administrative domain user
Not really related to the crash, but noteworthy. I tried to talk Windows 2003 Server into running a scheduled task, a .bat file, as a domain user without administrative privileges.
Sounds simple, doesn't it? Windows showed itself very unruly: all I got when I ran the task was "Not started". Here is the solution:
First, c:\Windows\System32\cmd.exe, which interprets batch scripts, may only be run by administrators and an ominous group named INTERACTIVE. This group is applied to any user who is logged on to the system either locally or via Terminal Services, but not to a user running as a scheduled task.
So what I did was to add a group BATCHSERVICES to my domain, add the user in question to that group, and change the security settings of cmd.exe to allow members of BATCHSERVICES to read and execute cmd.exe.
Unfortunately that's not enough. To allow non-admin users to run scheduled tasks, they need the right to log on to the system as a batch process. So add the user to the local security policy "Log on as batch job". That's it.
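As an added example (not part of the original post), here is a PowerShell script that checks both prerequisites described above on a given server: the Read & Execute entry for the group on cmd.exe and the "Log on as batch job" right for the task's account. The domain, group and user names are placeholders, and the secedit export needs an elevated prompt.

```powershell
# Added example, not from the original post. Checks the two settings the post
# describes for a non-admin scheduled task that runs a .bat file.
# Placeholders: DOMAIN\BATCHSERVICES (group) and DOMAIN\batchuser (run-as account).
param(
    [string]$Group = 'DOMAIN\BATCHSERVICES',
    [string]$User  = 'DOMAIN\batchuser'
)

# 1. Does the group have an Allow entry with at least Read & Execute on cmd.exe?
$cmd = Join-Path $env:SystemRoot 'System32\cmd.exe'
$acl = Get-Acl -Path $cmd
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$hasRx = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Group -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
if ($hasRx) { "OK: $Group may read and execute $cmd" }
else        { "MISSING: $Group has no Read & Execute entry on $cmd" }

# 2. Is the user or the group granted SeBatchLogonRight ("Log on as batch job")?
# secedit exports the local policy as an INI file; the right is listed as SIDs
# prefixed with '*'. Only direct grants are checked, not nested group membership.
$tmp = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$line = Get-Content $tmp | Where-Object { $_ -like 'SeBatchLogonRight*' }
Remove-Item $tmp -ErrorAction SilentlyContinue

$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Resolve the placeholders to SIDs so they compare with the exported entries.
$sids = @($User, $Group) | ForEach-Object {
    (New-Object System.Security.Principal.NTAccount($_)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
if ($sids | Where-Object { $granted -contains $_ }) {
    "OK: 'Log on as batch job' is granted to $User or $Group"
} else {
    "MISSING: grant 'Log on as batch job' to $User (or $Group) in the local security policy"
}
```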
Now it's the weekend.