Friday, October 24, 2008

Token Bloat

A colleague called having issues administering his domain.

DCDiag reported:
DsBindWithSpnEx() failed with error 14,
Not enough storage is available to complete this operation.
Warning: is the Schema Owner, but is not responding to DS RPC Bind.
Warning: is the Domain Owner, but is not responding to DS RPC Bind.
Warning: is the PDC Owner, but is not responding to DS RPC Bind.
Warning: is the Rid Owner, but is not responding to DS RPC Bind.
Warning: is the Infrastructure Update Owner, but is not responding to DS RPC Bind.

Additionally, the following Kerberos warnings were being logged.

Event Type: Warning
Event Source: Kerberos
Event ID: 6
The kerberos SSPI package generated an output token of size 6F43 bytes, which was too large to fit in the 6F42 buffer provided by process id 0. If the condition persists, please contact your system administrator.

The following questions were asked:
1. Do your colleagues who are "Domain Admins" also see these errors?
2. Using your account, can you run "whoami /groups" and send the results?

It looked like we were seeing Kerberos failures caused by the size of the account's access token, like those discussed in

The first things to do are:
1. Determine whether it is just your account that has the problem.
2. Has your group membership changed recently? Have you accidentally become a member of a large number of groups through nesting? This occasionally happens.
3. If your account is a member of a large number of groups and they are all needed, we will have to look at raising MaxTokenSize.
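The checks above in script form, as an added example that is not part of the original post. It estimates the Kerberos token size from the group list that "whoami /groups" reports, using the sizing formula from Microsoft KB 327825, and shows how MaxTokenSize is raised if the groups really are all needed. The sample whoami output, its group names and its SIDs are constructed; counting every "Alias" entry as a domain local group and every "Group" entry as a global group is an approximation, because whoami does not distinguish universal groups.

```powershell
# Added example (not from the original post): estimate the Kerberos token size for the
# groups reported by "whoami /groups" and decide whether MaxTokenSize needs raising.
# Sizing formula from Microsoft KB 327825: TokenSize = 1200 + 40*d + 8*s, where
#   d = domain local groups (plus universal groups from other domains)
#   s = global groups and universal groups from the account's own domain (plus SIDHistory)
# Approximation: whoami reports domain local groups as "Alias" and both global and
# universal groups as "Group", so Alias is counted as d and Group as s.

function Get-TokenSizeEstimate {
    param(
        # Lines of "whoami /groups /fo csv" output, header line included
        [Parameter(Mandatory = $true)] [string[]] $WhoamiCsv
    )
    $groups = $WhoamiCsv | ConvertFrom-Csv
    $d = @($groups | Where-Object { $_.Type -eq 'Alias' }).Count
    $s = @($groups | Where-Object { $_.Type -eq 'Group' }).Count
    $estimate = 1200 + 40 * $d + 8 * $s
    New-Object PSObject -Property @{
        DomainLocalGroups = $d
        GlobalGroups      = $s
        EstimatedBytes    = $estimate
        DefaultLimitBytes = 12000          # default MaxTokenSize on Windows 2000/2003/2008
        ExceedsDefault    = ($estimate -gt 12000)
    }
}

function Set-MaxTokenSize {
    # Raises MaxTokenSize on the local machine. Requires administrative rights and a reboot,
    # and must be applied on the DCs and on every machine the affected accounts authenticate
    # to (in practice: via Group Policy). 48000 is the value later Windows versions default to;
    # the hard ceiling is 65535.
    param([int] $Bytes = 48000)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
}

# Constructed sample standing in for real "whoami /groups /fo csv" output.
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"CONTOSO\Domain Users","Group","S-1-5-21-1004336348-1177238915-682003330-513","Mandatory group, Enabled by default, Enabled group"
"CONTOSO\Domain Admins","Group","S-1-5-21-1004336348-1177238915-682003330-512","Mandatory group, Enabled by default, Enabled group"
"CONTOSO\App-Servers-Local","Alias","S-1-5-21-1004336348-1177238915-682003330-1105","Mandatory group, Enabled by default, Enabled group"
'@ -split "`r?`n"

Get-TokenSizeEstimate -WhoamiCsv $sample | Format-List

# Live check of the account you are logged on with:
#   Get-TokenSizeEstimate -WhoamiCsv (whoami /groups /fo csv)
# Only if the groups are genuinely required:
#   Set-MaxTokenSize -Bytes 48000
```

Run the live check from the account that sees the errors and from a colleague's account; if only one estimate is near or over the default limit, the fix is to unpick the group nesting, as it was in this case, rather than to raise the limit everywhere.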

The upshot was that they remembered some recent group changes had taken place. These were reviewed and modified, and after doing so all was well with the world.

Thursday, September 25, 2008

UK Active Directory User Group - Inaugural Meeting

There was a post on the mailing list regarding the UK Active Directory User Group's Inaugural Meeting.

I'm very much looking forward to it. It looks like it will be an interesting evening and will be an opportunity to meet some of the names that regularly appear on the ActiveDir list.

For details see the home page at

Tuesday, September 23, 2008


Following an issue with time synchronisation, caused by a customer accidentally moving the clock forward by 3 months on a production Domain Controller, the following events were still being logged even after the time had been correctly synchronised across all domains in the forest.

Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
The Security System detected an authentication error for the server DNS/DC.domainname.rootdomainname.local. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount."

These authentication errors were being logged as a side effect of attempts to register records in DNS, update group policy and so on; Kerberos rejects a ticket request when the client's clock and the DC's clock differ by more than the permitted skew (5 minutes by default). The error could be reproduced on demand with an ipconfig /registerdns or a gpupdate /force.

A DC in the root domain had an atomic clock attached to it but was NOT the PDC emulator for the root domain.

Time synchronisation had been configured so that every DC in the forest obtained its time directly from the DC with the atomic clock.

This is not the configuration Microsoft recommends, in which the forest-root PDC emulator is the authoritative time source for the forest and every other DC and member synchronises from the domain hierarchy. We therefore rearranged things to bring them into line with that, using the default hierarchy.

While the servers' time was in sync, the following steps eventually resolved the errors:
w32tm /config /update
w32tm /resync

Restart the machine.

If the issue persists, verify the time zone settings on the client and the domain controller.

Finally run the following command on the client:

net time \\ /set /yes

A combination of one or more of the above finally resolved these errors.
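To check the offset of each DC and to put the hierarchy back to the default, the following is an added example and not part of the original post. It parses the per-sample offsets that "w32tm /stripchart /dataonly" prints, flags anything outside the default 5-minute Kerberos skew, and lists the w32tm commands for the PDC emulator and for the other DCs. The computer names, the sample stripchart lines and the NTP peer name are constructed placeholders.

```powershell
# Added example (not from the original post): measure each DC's clock offset against a
# reference machine and flag offsets outside the Kerberos skew tolerance, then the w32tm
# commands that restore the default hierarchy (forest-root PDCe takes time from the
# external/hardware source, everything else follows the domain hierarchy).

$KerberosMaxSkewSeconds = 300   # default Kerberos policy: 5 minutes

function ConvertFrom-StripchartOutput {
    # Parses lines such as "10:15:31, +00.0041231s" from
    # "w32tm /stripchart /computer:<host> /samples:<n> /dataonly" and returns offsets in seconds.
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double] $matches[1]
        }
    }
}

function Test-DcClockOffset {
    param([string] $Computer, [int] $Samples = 3)
    $raw = w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
    $offsets = @(ConvertFrom-StripchartOutput $raw)
    if ($offsets.Count -eq 0) { throw "No samples returned from $Computer (firewall, NTP disabled, or name wrong?)" }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    New-Object PSObject -Property @{
        Computer     = $Computer
        Samples      = $offsets.Count
        WorstOffsetS = $worst
        WithinSkew   = ($worst -lt $KerberosMaxSkewSeconds)
    }
}

# Constructed sample of "w32tm /stripchart ... /dataonly" output, so the parser can be
# exercised without a network.
$sampleLines = @(
    'Tracking dc01.corp.example.local [10.0.0.1:123].',
    'The current time is 23/09/2008 10:15:30.',
    '10:15:31, +00.0041231s',
    '10:15:33, -00.0018774s',
    '10:15:35, +00.0027452s'
)
ConvertFrom-StripchartOutput $sampleLines        # 0.0041231, -0.0018774, 0.0027452

# Live: check every DC in the forest against the root PDC emulator (placeholder names).
#   'dc01.corp.example.local','dc02.child.corp.example.local' |
#       ForEach-Object { Test-DcClockOffset -Computer $_ } | Format-Table -AutoSize

# Restoring the default hierarchy.
# On the forest-root PDC emulator (the atomic clock or upstream NTP source belongs here;
# "ntp.example.local" is a placeholder):
#   w32tm /config /manualpeerlist:"ntp.example.local" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
# On every other DC, and on members that had been pointed directly at the clock DC:
#   w32tm /config /syncfromflags:domhier /update
#   w32tm /resync
# Then confirm the chain: "w32tm /monitor" on 2003, or "w32tm /query /source" on 2008 and later.
```

The thing to look for in the live output is not only the offset but where each DC is taking time from: a DC that is in sync with a non-PDCe clock source can still fall out of tolerance with the PDCe that its clients trust.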

Keywords : LSASRV SPNEGO EventID 40960 time synchronization synchronisation

Monday, August 18, 2008

Cannot re-create cluster disk resource

A cluster in User Acceptance Testing was required to test Windows 2003 Service Pack 2 and driver updates. For one reason or another some of the disk resources had been deleted but were still required.

When attempting to recreate the disk resources, the Disk drop-down on the Disk Parameters page at the end of the New Resource wizard was empty, so the resource could not be recreated.

This drop down dialog is populated from :

In this case, the disk was still listed under the "signatures" key.

To confirm the disk signature:
1. Locate the disk number in Device Manager: open the disk's Properties, go to the Volumes tab and click Populate.

2. Use diskpart:
select disk <number>
detail disk

The resource can then be added manually from the command line using cluster.exe.

e.g. for disk signature 0xA00AB325 assigned the drive letter K:
cluster . res "Disk K:" /create /group:"Disk Group" /type:"Physical Disk"
cluster . res "Disk K:" /priv Signature=0xA00AB325

The disk could then be brought online successfully.
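As an added example, not code from the original post: the same disk-number-to-signature lookup done with WMI instead of diskpart, and a small helper that builds the cluster.exe commands for a given signature so that the hex value is validated before it is typed. The resource name, group name and signature are the placeholders from the post; Win32_DiskDrive reports no signature for GPT disks, which show as blank.

```powershell
# Added example (not from the original post): list the MBR signature of every disk Windows
# sees, and generate the cluster.exe commands that re-create a Physical Disk resource.

function Get-DiskSignatureTable {
    Get-WmiObject Win32_DiskDrive |
        Sort-Object Index |
        ForEach-Object {
            New-Object PSObject -Property @{
                Index     = $_.Index                       # matches the diskpart "Disk N" number
                Model     = $_.Model
                SizeGB    = [math]::Round($_.Size / 1GB, 1)
                Signature = if ($_.Signature) { '0x{0:X8}' -f [uint32] $_.Signature } else { '' }
            }
        }
}

function New-ClusterDiskCommands {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceName,   # e.g. "Disk K:"
        [Parameter(Mandatory = $true)] [string] $Signature,      # e.g. 0xA00AB325
        [string] $Group   = 'Disk Group',
        [string] $Cluster = '.'                                  # "." = the local node
    )
    if ($Signature -notmatch '^0x[0-9A-Fa-f]{8}$') {
        throw "Signature must be '0x' followed by 8 hex digits, got '$Signature'"
    }
    @(
        "cluster $Cluster res `"$ResourceName`" /create /group:`"$Group`" /type:`"Physical Disk`""
        "cluster $Cluster res `"$ResourceName`" /priv Signature=$Signature"
        "cluster $Cluster res `"$ResourceName`" /online"
    )
}

Get-DiskSignatureTable | Format-Table Index, Signature, SizeGB, Model -AutoSize
New-ClusterDiskCommands -ResourceName 'Disk K:' -Signature '0xA00AB325'
```

Compare the signature the helper prints with the value under the cluster's "signatures" key before running the generated commands; a mismatch means the resource will be created but will fail to come online.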

Sunday, August 10, 2008

The DHCP Bad Address Saga.

For some time now we've been working on an issue that resulted in "Bad Address" being reported in the DHCP console.

The client was getting an address successfully, but the lease was not being recorded in the database and hence did not appear in the MMC. When the next client came along it was assigned an address already in use. Conflict detection was enabled, and so BAD_ADDRESS was recorded.

When a Bad Address is recorded, the column that should contain the MAC address contains something different: the IP address in hex with the octets reversed. Example:

After lots of troubleshooting it was found that there were two machines with something wrong with their cables. Since removing these two cables from the subnet, the issue has gone away.

With hindsight, we could have got an idea that the issue was a rogue machine earlier. The network covered 3 class C subnets. If we'd split them, we'd have seen that the issue was on just one of them. This was one of those suspicions that crossed our minds but that we didn't follow up.
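Decoding those BAD_ADDRESS entries, as an added example that is not part of the original post. The unique ID is treated exactly as the post describes, as the four octets of the conflicting IP address in hex and in reverse order, so the function below turns it back into a dotted address (and the inverse turns an address into the ID you would expect to see). The IDs in the sample are constructed.

```powershell
# Added example (not from the original post): decode the unique ID that the DHCP console
# shows for a BAD_ADDRESS lease. It is not a MAC address but the conflicting IP address
# in hex with the octets reversed (i.e. the address as a little-endian DWORD).

function ConvertFrom-BadAddressId {
    param([Parameter(Mandatory = $true)] [string] $UniqueId)
    # The console may show "0a01a8c0" or "0a-01-a8-c0"; keep only hex digits.
    $hex = $UniqueId -replace '[^0-9a-fA-F]', ''
    if ($hex.Length -ne 8) { throw "Expected 8 hex digits, got '$UniqueId'" }
    # Read the byte pairs from the end backwards to undo the reversal.
    $octets = @(6, 4, 2, 0 | ForEach-Object { [convert]::ToInt32($hex.Substring($_, 2), 16) })
    $octets -join '.'
}

function ConvertTo-BadAddressId {
    param([Parameter(Mandatory = $true)] [ipaddress] $Address)
    $bytes = $Address.GetAddressBytes()
    [array]::Reverse($bytes)
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Constructed sample IDs as they would appear in the Unique ID column.
'0a01a8c0', '0b-01-a8-c0', 'fe02a8c0' | ForEach-Object {
    New-Object PSObject -Property @{ UniqueId = $_; Address = (ConvertFrom-BadAddressId $_) }
} | Format-Table -AutoSize
# 0a01a8c0 -> 192.168.1.10, 0b-01-a8-c0 -> 192.168.1.11, fe02a8c0 -> 192.168.2.254

ConvertTo-BadAddressId '192.168.1.10'      # 0a01a8c0
```

Decoding the IDs for every BAD_ADDRESS in a scope shows at a glance whether the conflicts are spread across the range or clustered in one subnet, which is the split-the-subnets observation from the post done without re-cabling anything. The leases can be dumped from the command line with "netsh dhcp server scope <subnet> show clients 1".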

Tuesday, June 24, 2008


...not the one from Casualty but the other one. Can I just say how much I'm enjoying Rockferry:

DWL-G520 hangs Windows 2008 on startup

So my home-grown Windows 2008 machine is fast and cheap but not exactly on the HCL! The D-Link DWL-G520 wireless adapter appears as an "Atheros Wireless Network Adapter".

It works fine apart from one annoying feature: it prevents the machine from starting! With it disabled, the machine comes up OK and the adapter can then be started OK; I just need to disable it every time before shutting down.

Anyone else getting this?

Update to Virtual Server 2005 R2 SP1 for Vista

Still in the process of getting my new Vista SP1 machine right... I was having issues (could not install the additions, could not shut down the guest, the Virtual Server service could not be managed) when running an XP SP3 guest on the Vista SP1 host.

The following update made things much better:

Update for Virtual Server 2005 R2 SP1 Available
This update qualifies support for the following additional Guest and Host Operating Systems: Windows Vista SP1 (Business, Enterprise, Ultimate), Windows XP SP3, Windows Server 2008 (Standard, Enterprise, Datacenter, Web).

Generate a memory dump using a keyboard without the right Ctrl key

We quite often make use of the CrashOnCtrlScroll feature described in the Microsoft article "Windows feature lets you generate a memory dump file by using the keyboard".

However, many of the keyboards in our racks do not have a right-hand Ctrl key. Previously we had to plug in a full-sized keyboard, but functionality has since been added that allows the keys to be changed. I was slightly confused by the article, so to save anyone else some head scratching:

To configure Left CTRL and SPACE BAR you would set:

Dump1Keys = 0x20 (hex)

Dump2Key = 0x3D (hex)

Or to use Left CTRL and D:

Dump1Keys = 0x20 (hex)

Dump2Key = 0x21 (hex)

The value for Dump1Keys being:







and Dump2Key being one of the following, converted to hex:


Day 1

My first post on!

So I've tried My Space, Facebook, Livespaces, the overhead of doing my own site was too much, so here I am. Let's see how things progress...

You may know me as Ali or Alastair, or you may not know me at all; hopefully you'll find something here interesting or funny. Let me know if you do!