Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: New MS patches crashed my 2k3 SP1 PDC

from [Derick Anderson] Network Security [Permanent Link]
Subject: RE: New MS patches crashed my 2k3 SP1 PDC
Date: Mon, 22 Aug 2005 13:10:24 -0400 
First off, what is the stop code?  Without that, we might as 
well blame sunspots for the BSOD.  What kind of system?  What 
other roles does the server hold?  What was your friend's stop code?


If it's related to the LOGON subsystem things might not be salvagable. I
had a Windows 2003 DC (the "PDC", which I'll get to later) go down after
a Windows update at the end of June. It would make it to right before
the logon screen and then throw a STOP error about the LOGON subsystem
or something along those lines. Safe mode, Directory Restore mode, none
of them would boot it. Since our previous sys admin decided not to back
up the entire system drive I wasn't able to restore either. Our
"secondary domain controller" was having replication issues and was of
no assistance so I had to rebuild the whole domain.

The most amusing part was when I ran dcpromo (without /force) on the
second DC and told it that it was the last domain controller so please
just hose the domain. It gave me an error that it was "unwilling to
process the request" since the DNS records still indicated another
domain controller (which couldn't be found since it was gone...).
Needless to say I changed a few things around the place regarding
backups and learned a few things about domain controllers, which leads
me to the "PDC" bit...
 

And let's get some more clarification on what you mean by 
"2k3 SP1 PDC." 
Win2k3 (and Win2k) domain controllers all have read-write AD 
databases that 
are synchronized-- there is no such thing as a "PDC" in 
Win2k3.   There is, 
of course, the "PDC Emulator" role that a DC can assume for 
legacy client support, but that's a different issue.


There are actually five roles (FSMO) that only one domain controller can
have (http://support.microsoft.com/kb/255504):
Schema master
Domain naming master
RID master
PDC master
Infrastructure master

So technically there aren't "PDCs" but there are. You lose a DC with all
five of those roles and you can be seriously screwed if one of your
other DCs is unable to seize those roles (if they have "replication
issues" they probably won't).


Are you saying that only DC's that 
serve the "PDC Emulator" role are affected?   Has this been 
verified using 
ntdsutil? Have you tried to restore the last known good 
config?  Any luck with Safe mode?  Did it ever properly load 
after the patches were applied? 
How did you apply the patches?

There are lots of people on this list that are willing to 
help, but we need something to work with.

t




This probably isn't so helpful to the current situation, but after I
lost a whole domain thanks to Windows Update (and some not so bright
backup policies) I've come up with the following steps to safe patching:

1. Run dcdiag on all DCs involved with patching. If dcdiag reports no
errors (other than the occasional log error), you're good to go.
Otherwise fix them first before moving on.

2. Find out which of your DCs holds what FSMO roles. If they are spread
out, put them all on one DC, which you will not patch for the time
being. The KB article I linked to earlier tells you how to do this.

3. If you moved any of the roles, run dcdiag again on your domain
controllers to make sure they are still playing nicely. You might want
to make a user and see that it shows up in Active Directory on all the
other domain controllers or something of that nature.

4. Patch one of the secondary domain controllers, restart, and run
dcdiag on it and verify things are still working. Do some other tests
(like adding and removing a user or messing with group policy) if you
are really paranoid.

5. Do #4 to all remaining non-FSMO domain controllers.

6. When you are satisfied that Microsoft hasn't hosed one of your DCs
with a new wallpaper update, transfer all the FSMO roles off the one
remaining DC and patch it too.

I do this any time I have to restart a domain controller, whether it is
patch related or not. It's pretty heavy-handed but I work for a 24/7 app
service provider whose software runs as a domain account (sigh). Thus,
Active Directory has to be continuously available.

Derick Anderson

---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IEEE 802.1x & dynamic vlan assignment, Devanathan . Balaji
Next by Date:  RE: Latest patches: restart issues?, Evan Mann
Previous by Thread:  RE: New MS patches crashed my 2k3 SP1 PDC, Matthew Mucker
Next by Thread:  RE: New MS patches crashed my 2k3 SP1 PDC, Benjamin D. Goldman
Indexes:  [Date] [Thread] [Top] [All Lists]