Tuesday, January 27, 2015

Domain User Login Process


Many of us who work as Windows Server engineers know how to create a domain, how to join a PC to a domain and how to troubleshoot a slow logon. But very few of us know, or think about, what exactly runs in the background when a user logs on to a domain. The logon takes only a few seconds, but in those few seconds a lot of processing happens. Let us try to see and understand what exactly happens in the background when a user logs on.

When a user logs on to a workstation, the following steps take place:-

When a user enters his password and presses the Enter key, the Kerberos client on his workstation converts the password into an encryption key. Kerberos is based on the concept of symmetric encryption keys, meaning the same key is used to encrypt and decrypt a message. This is also referred to as a shared private (secret) key.

After the Kerberos client has converted the user's password into an encryption key, it saves the key in the workstation's credential cache. The workstation then sends an authentication request to the DC, which acts as the KDC (Key Distribution Center). The authentication request identifies the user, names the service the user is requesting access to, and carries pre-authentication data that proves the user knows the password.
The first portion of the authentication request identifies the user and asks for access to the TGS (Ticket Granting Service). The TGS is the service on the KDC that issues tickets for access to other services. All services within the Kerberos domain trust the TGS, so if a ticket was issued by the TGS they know the user has successfully authenticated and really is who he or she claims to be. The second part of the authentication request contains the pre-authentication data: a timestamp encrypted with the user's long-term key.

When the KDC receives the authentication request, it looks up the user's password (the long-term key) in the local AD database, decrypts the pre-authentication data sent in the request and, if the timestamp is within the permissible clock skew, sends the user a TGT (Ticket Granting Ticket) with which the user will access the TGS from now on. When the user's workstation receives the reply from the KDC, it decrypts the session key in the reply with the key derived from the user's password and stores it in the credential cache. This is the authentication information the workstation will use to communicate with the KDC from now on. The next time the user logs on, the session key will be completely different, because the KDC does not reuse session keys. The workstation also extracts the TGT, which remains encrypted with the KDC's long-term key, so the workstation cannot read or alter it.
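As an added example (not code from the original post), here is a small Python simulation of the exchange described above: the workstation derives a key from the password, seals a timestamp as pre-authentication data, and the KDC checks that timestamp against its clock-skew window before returning a fresh session key and a TGT the workstation cannot read. The key derivation and the cipher are stand-ins (PBKDF2 and an HMAC-based toy cipher), not the algorithms Windows Kerberos uses; the realm, user name and 300-second skew window are assumed values.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # permissible clock skew in seconds (assumption: 5 minutes)

def string_to_key(password, realm, user):
    # Stand-in for the Kerberos string-to-key step: password -> long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 4096)

def _stream(key, nonce, n):  # keystream for the toy cipher below
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, data):
    # Toy authenticated encryption (HMAC keystream + HMAC tag); stands in for AES.
    pt, nonce = json.dumps(data).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")  # a wrong password ends here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, realm, users):  # users: {name: password}, the "AD database"
        self.realm, self.clock = realm, None  # clock=None means use the real time
        self.keys = {u: string_to_key(p, realm, u) for u, p in users.items()}
        self.tgs_key = os.urandom(32)  # krbtgt long-term key; never leaves the KDC

    def as_exchange(self, user, preauth):
        now = self.clock or time.time()
        if user not in self.keys:
            raise PermissionError("unknown principal")
        ts = unseal(self.keys[user], preauth)["timestamp"]  # proves knowledge of the password
        if abs(now - ts) > SKEW:
            raise PermissionError("clock skew too great")
        session_key = os.urandom(32).hex()  # fresh per logon, never reused
        tgt = seal(self.tgs_key, {"client": user, "session_key": session_key,
                                  "expires": now + 36000})
        return seal(self.keys[user], {"session_key": session_key}), tgt

def workstation_logon(kdc, user, password):
    key = string_to_key(password, kdc.realm, user)       # derived from the typed password
    preauth = seal(key, {"timestamp": time.time()})       # pre-authentication data
    enc_part, tgt = kdc.as_exchange(user, preauth)
    # Credential cache: the session key is readable, the TGT stays opaque to the client.
    return {"session_key": unseal(key, enc_part)["session_key"], "tgt": tgt}
```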

This is the process that runs in the background when the user presses Enter after typing the username and password.

Wednesday, January 14, 2015

Offline Domain Join


Offline domain join is a new process for computers running Windows 7 and Windows Server 2008 R2 that can be used to join a domain without contacting a domain controller. This makes it possible for computers to join a domain in locations where there is no connectivity to the corporate network.

A domain join establishes a trust relationship between a computer running the Windows operating system and an Active Directory domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. In the past, joining a computer to a domain required that the computer be connected to the network and able to contact a domain controller. Offline domain join separates these two sets of changes:

# The Active Directory state changes are completed without any network traffic to the computer.

# The computer state changes are completed without any network traffic to a domain controller.

# Each set of changes can be completed at a different time.

To perform an offline domain join, use the new tool Djoin.exe. Run Djoin.exe to provision the computer account data in AD DS. You also need to insert the computer account data into the Windows directory of the destination computer (the computer you want to join to the domain). The offline domain join does not have to be completed within a specific period of time: the provisioned computer account can remain in AD DS until an administrator intervenes.

Operating System:-

Note: You can run Djoin.exe only on a computer running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2. By default the Djoin.exe command targets a domain controller running Windows Server 2008 R2. If you want to target a domain controller running a version of Windows Server earlier than Windows Server 2008 R2, you need to specify the optional /downlevel parameter.


To perform an offline domain join, you must have the rights required to join a workstation to the domain. Members of the Domain Admins group have these rights by default.

You can use the Group Policy Management Console (GPMC) to modify the domain policy, or to create a new policy, with the settings that grant a user the right to join a PC to the domain.

Steps to assign a user the right to join a workstation to the domain:-

1. Click Start, click Administrative Tools and then click Group Policy Management.

2. Double-click the name of the forest, then double-click the name of the domain to which you want to join the computer. Right-click Default Domain Policy and click Edit.

3. Double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies and then double-click User Rights Assignment.

4. In the details pane, double-click Add workstations to domain.

5. Select the Define these policy settings check box and click Add User or Group.

6. Type the name of the account to which you want to grant the right to add workstations to the domain, and click OK twice.

Steps to perform an offline domain join:-

1. Run the Djoin.exe /provision command to create the computer account metadata for the destination computer (the computer you want to join to the domain). You must specify the name of the domain you want the computer to join as part of this command.

2. Run the Djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.

3. When you start the destination computer after installing the OS, the computer will be joined to the domain you specified.

Friday, January 9, 2015

FTP Server in Windows Server 2012


Installation of the FTP Server role service in Windows Server 2012

1. Open the Server Manager dashboard, click Manage and then click Add Roles and Features.

2. The next step is the installation type. Select Role-based or feature-based installation and click Next.

3. The next step is to select the server or virtual hard disk on which to install the roles and features. Here we select a server from the server pool, choosing the local server, and click Next.

4. The next step is to select the roles to install. Select the Web Server (IIS) role and click Next.

5. The next step is to select any additional features you want to install; then click Next.

6. Click Next again.

7. Select FTP Server as part of the IIS (Web Server) role services and click Next.

8. After you click Next, you are asked to confirm that the server may restart automatically once the installation of the features is complete. Click Yes.