Blog - Title

June, 2009

  • New Directory Services KB Articles/Blogs 6/21-6/27

    KB Articles

    972852

    Promoting a Windows Server 2008 RODC with a pre-created computer account fails with error "c00002e2 Directory Services could not start...."

    973049

    The logon screen on a portable computer may not be resized correctly after you remove an external monitor, and then you wake the Windows XP based computer from sleep or hibernation

    959085

    When you run the "Ipconfig /displaydns" command in Windows XP, the results are incomplete

    960890

    Some tabs are not available in the properties of a user account in the Active Directory Users and Computers MMC snap-in after you install Remote Server Administration Tools (RSAT) on a computer that is running Windows Vista

    971259

    Some security events are not logged into the security event log on a computer that is running Windows Server 2008 or Windows Vista after you restart the computer

    970146

    The Group Policy setting is not displayed in the GPMC after you configure either the "Change the time zone" or the "Create symbolic links" Group Policy setting on a computer that is running Windows Server 2008 or Windows Vista

    969874

    When you use the Active Directory Lookup feature for Microsoft Services for NFS the ownership information of the files and folders in an NFS share is missing after several minutes

    971404

    You encounter poor performance after thousands of IP addresses are bound to a network adapter on a computer that is running Windows Server 2008 or Windows Vista

    949538

    A smart card logon to a terminal session stops responding on a terminal server that is running Windows Server 2008

    968292

    Cached passwords for computer accounts are reset when you remove a RODC that is running Windows Server 2008 from an Active Directory after you clear the check box that resets cached passwords for computer accounts


    Blogs

    · Internet Explorer behaviors with Kerberos Authentication

    · Recovering from Unsupported One-Way Replication in DFSR Windows Server 2003 R2 and Windows Server 2008.

    · Implementing an OCSP responder Part 1 (Part 2, Part 3)

    · RSAT and ADUC for Vista - Update to add tabs for Terminal Services Profile, Environment, Sessions, and Remote Control

    · Debunking the Vista Remote Differential Compression Myth

    · Deploying DFSR Clustering in Windows Server 2008 R2

    · How many DFS-N namespace servers do you need?

    · Active Directory Enhancements - Windows Server 2008 R2 Demo Screencast 4 of 4

    · Detection logic for PowerShell installation

    · Discovery options with R2 AD Cmdlets

    · Active Directory Port Requirements

    · Use Active Directory Powershell to manage Windows 2003/2008 DCs

  • Implementing an OCSP responder: Part IV - Configuring OCSP for use with Standalone CAs

    Chris here again. In Part I of this series we covered the basics of how OCSP works and the underlying reasons for deploying an OCSP Responder. In Part II we covered configuring the Certificate Authorities for which the OCSP Responder will check revocation status on behalf of clients. In Part III we covered configuring an OCSP Responder to support Enterprise CAs. You may use Standalone CAs in your environment; in this blog post I will cover deploying a Revocation Configuration to support a Standalone CA.

    Enterprise CAs are very tightly integrated with Active Directory. As such, the certificates for the Root CA and for intermediate CAs are published to Active Directory, and these certificates are automatically placed in the appropriate certificate stores on the clients. If you publish the Root CA certificate that the issuing CA chains up to in Active Directory, clients will have that Root CA certificate placed in the Trusted Root Certification Authorities container of the user and machine stores. If you have not deployed, or do not plan to deploy, the Root CA certificate through Active Directory and Group Policy, you will need to manually publish the Root Certificate in the Trusted Root Certification Authorities store.

    Installing OCSP Responder Role

    The first step is to install the OCSP Responder Role.

    To install the OCSP Responder, open a command prompt and type: servermanagercmd.exe -install ADCS-Online-Cert

    Requesting and Installing the OCSP Responder Signing Certificate

    The next step is to request the OCSP Response Signing Certificate from the Standalone CA. Since a Standalone CA does not have certificate templates, we must manually specify the attributes we would like in the certificate. To do this we use a utility called certreq.exe. More information on certreq is available here: http://technet.microsoft.com/en-us/library/cc736326.aspx.

    To use certreq we must first generate a configuration file. Figure 1 shows a sample configuration file. The key items that must be included are the OCSP Signing OID and the OCSP No Revocation Check extension, otherwise known as the id-pkix-ocsp-nocheck extension.

    image (Figure 1: sample certreq configuration file)

    Let us take a look at this configuration file.

    · First we have [NewRequest] which is a required section indicating that this is for a new certificate request.

    · Then we have the Subject in X.500 format. You can also use the LDAP format, which is derived from X.500, for example CN=FCOCSP01,DC=Fourthcoffe,DC=Com. Alternatively, you could use just the common name, such as CN=FCOCSP01.

    · PrivateKeyArchive=False since we will not be archiving the private key.

    · Exportable=True which gives us the option to export the private key if so desired.

    · UserProtected=False which disables strong key protection.

    · MachineKeySet=True indicates that the resulting certificate will be stored in the machine store.

    · ProviderName="Microsoft Enhanced Cryptographic Provider v1.0" specifies the Cryptographic Service Provider (CSP) that will be used.

    · UseExistingKeySet=False indicates that this request is for a new certificate with a new key pair.

    · RequestType=CMC tells certreq to generate the request in CMC format.

    · Then we specify the new section [EnhancedKeyUsageExtension], which lists the usages to be placed in the EKU extension of the certificate. Under that section we specify that this certificate can be used for OCSP Signing by giving the OCSP Signing OID (OID="1.3.6.1.5.5.7.3.9").

    · We then start a new section called [Extensions] and specify that the id-pkix-ocsp-nocheck extension should be included in the certificate.

    Below are the steps for generating the request and installing the signing certificate:

    1. First we use certreq to generate the request file. We specify the configuration file and the output request file. The key pair for this certificate is generated at the same time the request file is created by Certreq.

    image

    2. Next, we must submit the request to the CA. Copy the request file over to the Standalone CA. From the Certification Authority MMC, right click on the CA Name, and select All Tasks from the context menu, and then Submit New Request.

    image

    3. Browse to the request file, and select Open.

    4. The request will then show up in Pending Requests. Right click on the request, and select All Tasks from the context menu, then select Issue.

    image

    5. You will now find the requested Certificate under Issued Certificates. Double click on the certificate to view its properties.

    image

    6. Verify the certificate. Key things to look for here are the presence of the OCSP No Revocation Checking extension and that OCSP Signing is specified in the Enhanced Key Usage (EKU) extension.

    image

    Exporting the Certificate from the CA

    1. First select Copy to File from the Details Tab of the Certificate Properties. This will open the Certificate Export Wizard.

    2. Click Next at the Welcome Screen.

    3. Select DER encoded binary X.509 (.CER), and click Next.

    4. Browse to the location where you wish to save the resulting certificate, give the certificate a name, and click Save.

    5. Click Finish at the Completing the Certificate Export Wizard screen.

    6. You will be prompted that The export was successful. Click OK.

    Installing the OCSP Response Signing Certificate

    Copy the resulting certificate to the OCSP Server. Open up a command prompt, navigate to the location where you saved the certificate file, and run certreq -accept <Certificate Name> to complete the installation of the certificate.

    image

    Configuring Private Key Permissions

    The Online Responder Service runs under the Network Service account. By default the Network Service account does not have access to private keys of certificates located in the Local Computer Personal store. To give the Network Service access, perform the following steps:

    1. Open up the Certificates MMC targeted for the Local Computer.

    2. Right click on the certificate, then select “All Tasks” from the context menu, and then select Manage Private Keys….

    image

    3. Click Add on the Permissions dialog box.

    image

    4. Type Network Service, and then click Check Names to resolve the name. Then click OK.

    image

    5. The Network Service only needs read permissions to the Private Key, so deselect the Allow privilege for Full Control, and verify the Allow privilege is granted for Read, and click OK.

    image
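    The request, install and private-key permission steps above, scripted end to end. This is an added example, not code from the original post or from Microsoft. The INF text is reconstructed from the bulleted description (Figure 1 itself is not reproduced); the subject name, the file paths, the KeyLength line and the "= Empty" INF syntax for the nocheck extension are assumptions.

```powershell
# Added example (not from the original post): client-side steps for an OCSP
# Response Signing certificate issued by a Standalone CA. Run on the OCSP
# server as an administrator. Paths and the subject name are assumptions.

$RequestInf  = 'C:\OCSP\ocspsign.inf'   # assumed path
$RequestFile = 'C:\OCSP\ocspsign.req'   # assumed path
$IssuedCert  = 'C:\OCSP\ocspsign.cer'   # DER file exported from the CA (assumed path)
$SubjectCn   = 'FCOCSP01'               # common name from the post's sample subject

# Step 1: write the configuration file described in the bullet list above.
function New-OcspSigningRequestInf {
    param([string]$Path, [string]$Cn)
    $inf = @"
[NewRequest]
Subject = "CN=$Cn,DC=Fourthcoffe,DC=Com"
PrivateKeyArchive = False
Exportable = True
UserProtected = False
MachineKeySet = True
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
UseExistingKeySet = False
RequestType = CMC
; KeyLength is not in the post's list; added here so the CSP default is not used
KeyLength = 2048

[EnhancedKeyUsageExtension]
; OCSP Signing
OID = 1.3.6.1.5.5.7.3.9

[Extensions]
; id-pkix-ocsp-nocheck, an empty-valued extension (assumed INF syntax)
1.3.6.1.5.5.7.48.1.5 = Empty
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

# Step 2: generate the key pair and the CMC request file (certreq -new).
function New-OcspSigningRequest {
    certreq.exe -new $RequestInf $RequestFile
    # Now copy $RequestFile to the Standalone CA, submit and issue it in the
    # Certification Authority MMC, export the issued certificate as DER and
    # copy it back to this server (steps 2-6 and the export steps above).
}

# Step 3: install the issued certificate into LocalMachine\My (certreq -accept).
function Install-OcspSigningCertificate {
    certreq.exe -accept $IssuedCert
}

# Step 4: confirm the OCSP Signing EKU and the nocheck extension are present,
# then grant Network Service Read (not Full Control) on the private key file.
function Set-OcspSigningKeyPermission {
    param([string]$Cn)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $cert = $store.Certificates |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match "^CN=$([regex]::Escape($Cn))(,|\z)" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with a private key for CN=$Cn in LocalMachine\My" }

    $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $nocheck = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.48.1.5' }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.9' }))) {
        throw 'Certificate does not carry the OCSP Signing EKU (1.3.6.1.5.5.7.3.9)'
    }
    if (-not $nocheck) { throw 'Certificate does not carry id-pkix-ocsp-nocheck' }

    # CSP machine keys are files under MachineKeys named by the unique container name.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    icacls.exe $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)'
}

# Run in order, with the CA-side work done between steps 2 and 3:
# New-OcspSigningRequestInf -Path $RequestInf -Cn $SubjectCn
# New-OcspSigningRequest
# Install-OcspSigningCertificate
# Set-OcspSigningKeyPermission -Cn $SubjectCn
```

    The permission step resolves the key container file from the certificate object rather than guessing at file names, and grants only Read, which is all the Online Responder service needs to sign responses.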


    Now that we have installed the OCSP Response Signing certificate and configured the private key permissions, we must configure the Revocation Configuration for the CA on the OCSP Responder. Open the OCSP Management Console and follow these steps to configure the Revocation Configuration:

    1. Right click on Revocation Configuration, and select Add Revocation Configuration from the context menu.

    image

    2. This will start the Add Revocation Configuration wizard. Click Next, when presented with the Getting started with adding a revocation configuration screen.

    image

    3. On the Name the Revocation Configuration screen, give a name to the configuration, and click Next. Note: It is a good idea to name the configuration for the CA server, in case this Responder will be used for multiple CAs.

    image

    4. On the Select CA Certificate Location screen, Select a certificate from the Local certificate store, and click Next.

    image

    5. On the Choose CA Certificate screen, click Browse.

    image

    6. Select the CA certificate, for the CA you are configuring on the OCSP Responder, and click OK.

    image

    7. You will then be returned to the Choose CA Certificate screen. The CA that you selected will be displayed. Click Next to continue.

    image

    8. You will now need to select a signing certificate, on the Select Signing Certificate screen. Select Manually select a signing certificate, and click Next.

    image

    9. You will then be returned to the Revocation Provider screen, click Finish to complete the wizard.

    Assigning the Signing Certificate

    After completing the wizard, you will notice under the “Revocation Configuration Status” portion of the “Online Responder Configuration” page that the OCSP configuration you just added has an error indicating “Bad Signing certificate on Array controller”. No need to panic at this point: this error is generated because we have not assigned the OCSP Response Signing certificate yet.

    image

    Now let us go ahead and assign the Signing certificate.

    1. In the OCSP MMC, expand Array Configuration, and click on the name of the OCSP Server. Then in the center pane of the console, select the appropriate Revocation Configuration, right click on it, and select Assign Signing Certificate from the context menu.

    image

    2. You will then be prompted to select the Signing certificate. Select the appropriate Signing certificate, and click OK.

    image

    At this point you will now see some warnings. If you look under the Revocation Configuration Status for the Revocation Configuration you are configuring, you will notice this error:

    image

    Also, on the Online Responder Configuration page you will notice this error:

    image

    This is due to the fact that the Revocation Provider has not yet been verified. To verify the Revocation Provider, right click on Array Configuration, and select Refresh Revocation Data.

    image

    Once the Revocation Provider has been verified, you should see this under Revocation Configuration Status for the Revocation Configuration you are configuring.

    image

    And that OCSP Signing is specified in the Enhanced Key Usage (EKU) Extension.

    image

    Verify OCSP Configuration

    To verify your OCSP configuration, please follow the Verify OCSP Configuration section in Part III of this series.

    Conclusion

    This concludes Part IV of this Series. I hope you enjoyed the first four parts of the series and find them useful. I plan to cover other PKI topics in the near future.

    Implementing an OCSP responder: Part I Introducing OCSP
    Implementing an OCSP responder: Part II Preparing Certificate Authorities
    Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
    Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs 
    Implementing an OCSP Responder: Part V High Availability
    Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

    - Chris Delay

  • Deploying DFSR Clustering in Windows Server 2008 R2

    Ned here again. The DFSR development team has posted a new series for anyone wanting to learn more about the new DFSR clustering capabilities in Windows Server 2008 R2. It's pretty in-depth and walks you through the entire process.

    1. Deploying DFS Replication on a Windows Failover Cluster – Part I: Explains how to create a new Windows Server 2008 R2 failover cluster.
    2. Deploying DFS Replication on a Windows Failover Cluster – Part II: Explains how to configure DFS Replication service for high availability on the failover cluster.
    3. Deploying DFS Replication on a Windows Failover Cluster – Part III: Explains how to add the failover cluster as a member server in a DFS replication group.

    Nice stuff, Mahesh!

    - Ned Pyle

  • Implementing an OCSP responder: Part III - Configuring OCSP for use with Enterprise CAs

    Chris here again. As promised, I will be covering configuring an OCSP Responder to support an Enterprise CA. I will also be covering validating your OCSP configuration.

    Installing OCSP Responder Role

    The first step is to install the OCSP Responder Role.

    To install the OCSP Responder, open a command prompt and type: servermanagercmd.exe -install ADCS-Online-Cert.

    Configuring the OCSP Responder

    First we will add a Revocation Configuration to the OCSP Responder.

    Right click on the Revocation Configuration and select Add Revocation Configuration from the context menu.

    image

    The Add Revocation Configuration wizard opens. Click Next to continue.

    image

    Give a Friendly Name to the Revocation Configuration, and click Next. It is a good idea to include the name of the CA for which you are setting up this Revocation Configuration, especially if this OCSP Responder will handle requests for multiple CAs.

    image

    On the Select CA Certificate page, you will need to select a CA certificate. This is where you determine the CA for which you will be providing revocation information.

    Select a certificate for an Existing enterprise CA, and click Next.

    image

    Select Browse CA certificates published in Active Directory, and click Browse.

    image

    Select the appropriate CA, and click OK.

    image

    Next you will need to select a certificate that will be used for signing OCSP responses. For a particular Revocation Configuration, the OCSP Signing certificate must be issued by the CA for which the OCSP Responder will answer revocation status requests.

    Select Automatically select a signing certificate. If you wish to automatically enroll for the OCSP Response Signing Certificate, make sure the Auto-Enroll for an OCSP signing certificate is checked. Select the certificate template that you configured for use with the OCSP Responder, then click Next.

    image

    On the Revocation Provider page, you can click Provider to select revocation providers. The Windows Server 2008 OCSP Responder can only use CRLs for revocation information. If you have the CDP Extension available in the signing certificate, the Revocation Providers will be populated from the information in the CDP Extension from the OCSP Response Signing Certificate.

    image

    You can add the repository locations for your CRLs and Delta CRLs if appropriate. By default these will be populated from information included in the CDP extension of the Signing certificate. After you have reviewed the configuration or made any changes, click OK.

    image

    That completes the initial Configuration of the OCSP Responder. If you would like to modify the configuration of the OCSP Responder, you can right click on the Revocation Configuration and select Properties from the context menu.

    image

    The Local CRL tab allows you to configure a Local CRL. You can add revocation information for certificates which you wish to consider revoked. It is recommended that you do not use this option, as it adds unnecessary complexity to the revocation configuration.

    image

    The Revocation Provider tab allows you to modify the location of the CRLs and Delta CRLs that will be used for providing revocation information.

    image

    Signing Tab

    In the signing tab you can:

    • Modify the hash algorithm used to sign responses.
    • Do not prompt for credentials for cryptographic operations. This setting may need to be disabled if you are using an HSM to protect the private key of the OCSP Signing certificate. Disabling this setting allows you to be prompted for the password that is associated with the operator card on the HSM.
    • Use renewed certificates for signing certificates. This option is enabled by default, when you use the OCSP Responder with an Enterprise CA and automatically renew certificates. If you use OCSP Responder with a standalone CA, the OCSP responder will use renewed signing certificates even if this setting is not enabled.
    • Enable NONCE extension support allows the Responder to echo the nonce sent in the request back in the OCSP response. If this setting is used, you will not be able to utilize cached responses.
    • Use any valid OCSP signing certificate. Not recommended if the OCSP Responder is supporting Vista clients, since they do not support this option. This allows the OCSP Responder to use any certificate that has OCSP Signing configured in the Extended Key Usage extension. Vista clients will only accept OCSP responses that are signed by the same CA for which the OCSP Responder is providing revocation information.
    • All responses will include the following Online Responder identifier: This setting determines whether a Key Hash or Subject Name will be included in the response. RFC 2560 specifies the structure of the response; section 4.2.1 of the RFC specifies that the ResponderID field can be populated with either a Name or a Key hash, and this setting determines which is included. The Key hash is a hash of the OCSP Responder’s public key. The Name is the distinguished name of the subject of the OCSP signing certificate.

    image

    Verify OCSP Configuration

    After configuring the OCSP Responder, you will want to verify that the OCSP responder is functioning properly. The easiest way to verify that the OCSP is functioning is to use the Certutil URL Retrieval tool.

    First request a certificate from the CA. Place a copy of that certificate on the file system and run the following command: certutil -URL <Certificate Name>. This will open the URL Retrieval Tool.

    image

    Select OCSP, and click on the Retrieve button.

    image

    If the certificate is valid you will get the following response.

    image

    If the certificate is revoked, you will get the following response.

    image

    And if it fails, the status will be listed as Failed.

    image
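    The same Valid / Revoked / Failed check from a script rather than the URL Retrieval dialog, as an added example that is not part of the original post. It builds the certificate chain with online revocation checking through the .NET X509Chain class (the same CryptoAPI path certutil drives) and lists the URLs from the certificate's AIA extension so you can see which responder was consulted. The certificate path is an assumption.

```powershell
# Added example (not from the original post): chain-build a test certificate
# with online revocation checking and classify the result. The file path in
# the usage line is an assumption.
function Test-CertificateRevocation {
    param([string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'              # fetch OCSP/CRL, not cache only
    $chain.ChainPolicy.RevocationFlag      = 'EndCertificateOnly'  # the leaf, like the URL tool
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # URLs published in the Authority Information Access extension (OCSP and CA Issuers).
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $urls = @()
    if ($aia) {
        $urls = @([regex]::Matches($aia.Format($true), 'https?://\S+') | ForEach-Object { $_.Value })
    }

    # Map the chain status onto the three outcomes the URL Retrieval Tool shows.
    $result = if ($built) { 'Valid' }
              elseif ($status -contains 'Revoked') { 'Revoked' }
              elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
                  'Failed'   # responder or CRL could not be reached or gave no usable answer
              }
              else { 'Failed (chain error)' }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Result      = $result
        ChainStatus = $status
        AiaUrls     = $urls
    }
}

# Test-CertificateRevocation -CertPath 'C:\OCSP\testcert.cer'   # assumed path
```

    A Failed result with RevocationStatusUnknown or OfflineRevocation in ChainStatus is the scripted equivalent of the Failed status in the dialog; the chain object does not say whether OCSP or a CRL answered, so when you need that detail, use certutil -verify -urlfetch on the same file, which prints each URL it retrieves and the result.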

    You can also use the PKIView tool to verify the configurations of the OCSP Responder.

    image

    Conclusion

    This concludes configuring an OCSP Responder to support an Enterprise CA. If you follow the steps listed here, you now have your OCSP Responder configured to support your Windows Server 2003 or Windows Server 2008 CA. In the next part of this series, I will be configuring an OCSP Responder to support a Standalone CA.

    Implementing an OCSP responder: Part I Introducing OCSP
    Implementing an OCSP responder: Part II Preparing Certificate Authorities
    Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
    Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs 
    Implementing an OCSP Responder: Part V High Availability
    Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

    - Chris Delay

  • Debunking the Vista Remote Differential Compression Myth

    Ned here again. Have you ever visited Snopes.com? It’s a terrific urban legend reference where they research folklore. Snopes is the place you go to find out if eating Thanksgiving turkey makes you sleepy (it doesn’t), if Coca Cola can dissolve a tooth overnight (it can’t), or if a man really did live in a Paris airport for 8 years (he did!).

    Today I’m going to talk about another urban legend – that removing the Remote Differential Compression feature from Windows Vista will make your file copying faster over the network.

    Background on RDC

    Remote Differential Compression (RDC) is a Microsoft algorithm that was originally created for DFSR five years ago. RDC divides a file’s data into chunks by using signatures. When a file exists on two computers and the file is modified, only the differing chunks need to be sent to the other computer.

    image

    An application needs to be specifically written to support RDC. Windows Vista and Windows 7 include MSRDC.DLL to allow apps like Windows Live Messenger to use that functionality.

    image

    The feature can be turned on and off within the Control Panel “Program and Features” applet.

    image

    When turned on, the MSRDC.DLL will exist in the %SYSTEMROOT%\System32 directory. When it’s turned off, this DLL is removed.

    image

    The Myth

    Unfortunately, the Internet is full of people telling you that RDC will somehow make your network communication slower. I have no idea how this got started, but this nonsense has been reprinted on thousands of websites by people unfamiliar with the Scientific Method. Folks have actually convinced themselves that turning this feature on or off has some effect on file transfer speeds. While there are a variety of things you can do to speed up Vista file copy performance, this isn’t one of them.

    The Method

    So after hearing this baloney for the umpteenth time, I set out to debunk it once and for all:

    • I set up a Windows Server 2008 SP2 file server and a Windows Vista SP2 client as virtual guests inside a Hyper-V host.
    • Each guest got 1GB of RAM and a virtual gigabit NIC.
    • I dropped a 3GB ISO file onto a share on the file server.
    • I used robocopy.exe (which automatically reports bytes per second and megabytes per minute) to copy that ISO file five times with MSRDC.DLL installed, then five more times with MSRDC.DLL removed.
    • In between every copy, I rebooted both the client and server to ensure that there was no caching of the file that might artificially improve my results.

    The Results

    Here is what I found after the ten total passes, with and without RDC installed:

    Pass        With MSRDC.DLL (MB/min)    Without MSRDC.DLL (MB/min)
    1st pass    1237.939                   1210.479
    2nd pass    1186.415                   1330.882
    3rd pass    1192.068                   1175.328
    4th pass    1111.13                    1170.281
    5th pass    1320.867                   1153.863

    image

    Hmmm… What if I sort my data points highest to lowest?

    image

    Interesting. Let’s look at the actual averages:

    With MSRDC.DLL installed: 1209.6838 MB/min

    With MSRDC.DLL removed: 1208.1666 MB/min

    Wait – so removing RDC actually made it slower? Not really – the variance there is well within any respectable margin of error. These results mean that the two sets of copies were 99.87% identical. Removing RDC did nothing at all. There are going to be various performance differences when copying a file, depending on what else happens on the network, what the computers are doing, and I think when people claim RDC removal made things ‘faster’, it’s because they are not testing repeatedly over time to see variance.
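    A repeatable version of the measurement above, as an added example that is not part of the original post: it runs robocopy several times, pulls the MegaBytes/min figure from each summary, and reports the mean and the spread, so that a single "faster" run can be judged against the variance. The ten figures from the table are fed through the same summary at the end. Source and destination paths are assumptions, the parser assumes English robocopy output, and the author's reboots between copies (to defeat caching) are not scripted here.

```powershell
# Added example (not from the original post): repeat a robocopy transfer and
# summarise the reported throughput. Paths are assumptions.
function Measure-CopyThroughput {
    param(
        [string]$SourceDir,   # e.g. \\FILESERVER\share (assumed)
        [string]$FileName,    # e.g. big.iso (assumed)
        [string]$DestDir,     # local scratch directory (assumed)
        [int]$Passes = 5
    )
    $rates = @()
    for ($i = 1; $i -le $Passes; $i++) {
        # Remove the previous copy so robocopy actually transfers the file again.
        Remove-Item (Join-Path $DestDir $FileName) -ErrorAction SilentlyContinue
        # /NP suppresses the progress counter; the job summary (with the Speed lines) stays.
        $out = robocopy.exe $SourceDir $DestDir $FileName /R:0 /W:0 /NP | Out-String
        if ($out -match 'Speed\s*:\s*([\d.]+)\s+MegaBytes/min') {
            $rates += [double]$Matches[1]
        } else {
            throw "Pass ${i}: no MegaBytes/min line found in robocopy output"
        }
    }
    Get-ThroughputSummary $rates
}

# Mean, sample standard deviation, minimum and maximum of a set of MB/min figures.
function Get-ThroughputSummary {
    param([double[]]$Rates)
    $n    = $Rates.Count
    $mean = ($Rates | Measure-Object -Average).Average
    $sumSq = 0.0
    foreach ($r in $Rates) { $sumSq += ($r - $mean) * ($r - $mean) }
    $sd = if ($n -gt 1) { [math]::Sqrt($sumSq / ($n - 1)) } else { 0.0 }
    New-Object PSObject -Property @{
        Passes         = $n
        MeanMBPerMin   = [math]::Round($mean, 4)
        StdDevMBPerMin = [math]::Round($sd, 2)
        MinMBPerMin    = ($Rates | Measure-Object -Minimum).Minimum
        MaxMBPerMin    = ($Rates | Measure-Object -Maximum).Maximum
    }
}

# The ten figures from the table above. The means differ by about 1.5 MB/min,
# while each set's standard deviation is in the tens of MB/min: the difference
# is noise, which is the post's point.
$with    = Get-ThroughputSummary 1237.939, 1186.415, 1192.068, 1111.13, 1320.867
$without = Get-ThroughputSummary 1210.479, 1330.882, 1175.328, 1170.281, 1153.863
$with, $without | Format-Table Passes, MeanMBPerMin, StdDevMBPerMin, MinMBPerMin, MaxMBPerMin -AutoSize
```

    Comparing the gap between the two means with the standard deviation inside each set is the check the post is asking for: a difference that is smaller than the run-to-run scatter is not evidence of anything.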

    Maybe you want more proof? Alright, let’s go to the debugger.

    • I installed Notmyfault on my Vista client and configured the computer for a complete memory dump
    • I started yet another file copy, then I listed out the process and service information with TASKLIST.EXE and TASKLIST.EXE /SVC
    • After a few seconds, I intentionally crash dumped (the so-called “Blue Screen of Death”) the Vista computer. I then cracked open the MEMORY.DMP file in the Windows debugger

    First, I listed loaded modules - all libraries and drivers loaded in the kernel memory space:

    kd> lm
    start             end                 module name
    00000000`75f50000 00000000`75f88000   odbcint    (deferred)            
    00000000`77aa0000 00000000`77b6d000   USER32     (deferred)            
    00000000`77b70000 00000000`77c9d000   kernel32   (deferred)            
    00000000`77ca0000 00000000`77e26000   ntdll      (export symbols)       ntdll.dll
    00000000`77e50000 00000000`77e54000   Normaliz   (deferred)            
    00000000`ffec0000 00000000`fff41000   Robocopy   (deferred)            
    000007fe`f4be0000 000007fe`f4d30000   MFC42u     (deferred)            
    000007fe`f9200000 000007fe`f9271000   ODBC32     (deferred)            
    000007fe`fbd90000 000007fe`fbe30000   COMCTL32   (deferred)            
    000007fe`fcc80000 000007fe`fce79000   comctl32_7fefcc80000   (deferred)            
    000007fe`fe420000 000007fe`fe4ac000   COMDLG32   (deferred)            
    000007fe`fe620000 000007fe`fe64d000   IMM32      (deferred)            
    000007fe`fe6f0000 000007fe`fe8c8000   ole32      (deferred)            
    000007fe`fe8d0000 000007fe`fe92f000   iertutil   (deferred)            
    000007fe`fe930000 000007fe`fe937000   NSI        (deferred)            
    000007fe`feb80000 000007fe`fecc3000   RPCRT4     (deferred)            
    000007fe`fecd0000 000007fe`fed6a000   USP10      (deferred)            
    000007fe`fed70000 000007fe`fedb4000   WS2_32     (deferred)            
    000007fe`fedc0000 000007fe`fee33000   SHLWAPI    (deferred)            
    000007fe`fee40000 000007fe`feedc000   msvcrt     (deferred)            
    000007fe`feee0000 000007fe`fefe2000   MSCTF      (deferred)            
    000007fe`feff0000 000007fe`feffd000   LPK        (deferred)            
    000007fe`ff000000 000007fe`ffc53000   SHELL32    (deferred)            
    000007fe`ffc60000 000007fe`ffd5e000   WININET    (deferred)            
    000007fe`ffd60000 000007fe`ffdc4000   GDI32      (deferred)            
    000007fe`ffdd0000 000007fe`ffea3000   OLEAUT32   (deferred)            
    000007fe`ffeb0000 000007fe`fffb8000   ADVAPI32   (deferred)            
    fffff800`01804000 fffff800`01d1c000   nt         (private)
    fffff800`01d1c000 fffff800`01d62000   hal        (deferred)            
    fffff960`000c0000 fffff960`00371000   win32k     (deferred)            
    fffff960`00480000 fffff960`0049e000   dxg        (deferred)            
    fffff960`00600000 fffff960`0060a000   TSDDD      (deferred)            
    fffff960`00820000 fffff960`0082b000   VMBusVideoD   (deferred)            
    fffffa60`00602000 fffffa60`0060c000   kdcom      (deferred)            
    fffffa60`0060c000 fffffa60`00647000   mcupdate_GenuineIntel   (deferred)            
    fffffa60`00647000 fffffa60`0065b000   PSHED      (deferred)            
    fffffa60`0065b000 fffffa60`006b8000   CLFS       (deferred)            
    fffffa60`006b8000 fffffa60`0076a000   CI         (deferred)            
    fffffa60`0076a000 fffffa60`007d0000   volmgrx    (deferred)            
    fffffa60`007d0000 fffffa60`007e4000   NDProxy    (deferred)            
    fffffa60`007e4000 fffffa60`007ef000   Msfs       (deferred)            
    fffffa60`007ef000 fffffa60`00800000   Npfs       (deferred)            
    fffffa60`00808000 fffffa60`008e2000   Wdf01000   (deferred)            
    fffffa60`008e2000 fffffa60`008f0000   WDFLDR     (deferred)            
    fffffa60`008f0000 fffffa60`00946000   acpi       (deferred)            
    fffffa60`00946000 fffffa60`0094f000   WMILIB     (deferred)            
    fffffa60`0094f000 fffffa60`00959000   msisadrv   (deferred)            
    fffffa60`00959000 fffffa60`00989000   pci        (deferred)            
    fffffa60`00989000 fffffa60`0099e000   partmgr    (deferred)            
    fffffa60`0099e000 fffffa60`009b2000   volmgr     (deferred)            
    fffffa60`009b2000 fffffa60`009ba000   intelide   (deferred)            
    fffffa60`009ba000 fffffa60`009ca000   PCIIDEX    (deferred)            
    fffffa60`009ca000 fffffa60`009fd000   netvsc60   (deferred)            
    fffffa60`00a00000 fffffa60`00a3d000   vmbus      (deferred)            
    fffffa60`00a3d000 fffffa60`00a51000   winhv      (deferred)            
    fffffa60`00a51000 fffffa60`00a64000   mountmgr   (deferred)            
    fffffa60`00a64000 fffffa60`00a6c000   atapi      (deferred)            
    fffffa60`00a6c000 fffffa60`00a90000   ataport    (deferred)            
    fffffa60`00a90000 fffffa60`00ad7000   fltmgr     (deferred)            
    fffffa60`00ad7000 fffffa60`00aeb000   fileinfo   (deferred)            
    fffffa60`00aeb000 fffffa60`00af8000   storvsc    (deferred)            
    fffffa60`00af8000 fffffa60`00b55000   storport   (deferred)            
    fffffa60`00b55000 fffffa60`00bdb000   ksecdd     (deferred)            
    fffffa60`00bdb000 fffffa60`00bee000   intelppm   (deferred)            
    fffffa60`00bee000 fffffa60`00bf7000   rdpencdd   (deferred)            
    fffffa60`00bf7000 fffffa60`00c00000   rasacd     (deferred)            
    fffffa60`00c00000 fffffa60`00c0e000   vga        (deferred)            
    fffffa60`00c0f000 fffffa60`00dd2000   ndis       (deferred)            
    fffffa60`00dd2000 fffffa60`00dee000   cdrom      (deferred)            
    fffffa60`00dee000 fffffa60`00df7000   Null       (deferred)            
    fffffa60`00df7000 fffffa60`00e00000   RDPCDD     (deferred)            
    fffffa60`00e00000 fffffa60`00e0a000   Fs_Rec     (deferred)            
    fffffa60`00e0c000 fffffa60`00e5c000   msrpc      (deferred)            
    fffffa60`00e5c000 fffffa60`00eb5000   NETIO      (deferred)            
    fffffa60`00eb5000 fffffa60`00ede000   fvevol     (deferred)            
    fffffa60`00ede000 fffffa60`00f0a000   CLASSPNP   (deferred)            
    fffffa60`00f29000 fffffa60`00f35000   tunnel     (deferred)            
    fffffa60`00f35000 fffffa60`00f4b000   i8042prt   (deferred)            
    fffffa60`00f4b000 fffffa60`00f59000   kbdclass   (deferred)            
    fffffa60`00f59000 fffffa60`00f65000   mouclass   (deferred)            
    fffffa60`00f65000 fffffa60`00f82000   serial     (deferred)            
    fffffa60`00f82000 fffffa60`00f8e000   serenum    (deferred)            
    fffffa60`00f8e000 fffffa60`00f9b000   fdc        (deferred)            
    fffffa60`00f9b000 fffffa60`00fad000   HIDCLASS   (deferred)            
    fffffa60`00fad000 fffffa60`00fb7000   VMBusVideoM   (deferred)            
    fffffa60`00fb7000 fffffa60`00fdc000   VIDEOPRT   (deferred)            
    fffffa60`00fdc000 fffffa60`00fec000   watchdog   (deferred)            
    fffffa60`00fec000 fffffa60`00ff5000   vms3cap    (deferred)            
    fffffa60`00ff5000 fffffa60`01000000   mouhid     (deferred)            
    fffffa60`01000000 fffffa60`01007b80   HIDPARSE   (deferred)            
    fffffa60`01008000 fffffa60`0117d000   tcpip      (deferred)            
    fffffa60`0117d000 fffffa60`011a9000   fwpkclnt   (deferred)            
    fffffa60`011a9000 fffffa60`011b9000   vmstorfl   (deferred)            
    fffffa60`011b9000 fffffa60`011e5000   ecache     (deferred)            
    fffffa60`011e5000 fffffa60`011ef000   crcdisk    (deferred)            
    fffffa60`01208000 fffffa60`01388000   Ntfs       (deferred)            
    fffffa60`01388000 fffffa60`013cc000   volsnap    (deferred)            
    fffffa60`013cc000 fffffa60`013d4000   spldr      (deferred)            
    fffffa60`013d4000 fffffa60`013e6000   mup        (deferred)            
    fffffa60`013e6000 fffffa60`013fa000   disk       (deferred)            
    fffffa60`013fa000 fffffa60`013ff500   VMBusHID   (deferred)            
    fffffa60`02200000 fffffa60`0220b000   flpydisk   (deferred)            
    fffffa60`0220f000 fffffa60`02248000   msiscsi    (deferred)            
    fffffa60`02248000 fffffa60`02255000   TDI        (deferred)            
    fffffa60`02255000 fffffa60`02278000   rasl2tp    (deferred)            
    fffffa60`02278000 fffffa60`02284000   ndistapi   (deferred)            
    fffffa60`02284000 fffffa60`022b5000   ndiswan    (deferred)            
    fffffa60`022b5000 fffffa60`022c5000   raspppoe   (deferred)            
    fffffa60`022c5000 fffffa60`022e3000   raspptp    (deferred)            
    fffffa60`022e3000 fffffa60`022fb000   rassstp    (deferred)            
    fffffa60`022fb000 fffffa60`02395000   rdpdr      (deferred)            
    fffffa60`02395000 fffffa60`023a8000   termdd     (deferred)            
    fffffa60`023a8000 fffffa60`023a9480   swenum     (deferred)            
    fffffa60`023aa000 fffffa60`023de000   ks         (deferred)            
    fffffa60`023de000 fffffa60`023e9000   mssmbios   (deferred)            
    fffffa60`023e9000 fffffa60`023f9000   umbus      (deferred)            
    fffffa60`02401000 fffffa60`0241e000   tdx        (deferred)            
    fffffa60`0241e000 fffffa60`02439000   smb        (deferred)            
    fffffa60`02439000 fffffa60`024a4000   afd        (deferred)            
    fffffa60`024a4000 fffffa60`024e8000   netbt      (deferred)            
    fffffa60`024e8000 fffffa60`02506000   pacer      (deferred)            
    fffffa60`02506000 fffffa60`02514000   nm3        (deferred)            
    fffffa60`02514000 fffffa60`02523000   netbios    (deferred)            
    fffffa60`02523000 fffffa60`0253e000   wanarp     (deferred)            
    fffffa60`0253e000 fffffa60`0258b000   rdbss      (deferred)            
    fffffa60`0258b000 fffffa60`02597000   nsiproxy   (deferred)            
    fffffa60`02597000 fffffa60`025c0000   srvnet     (deferred)            
    fffffa60`025c0000 fffffa60`025de000   bowser     (deferred)            
    fffffa60`02c08000 fffffa60`02c7e000   csc        (deferred)            
    fffffa60`02c7e000 fffffa60`02c9b000   dfsc       (deferred)            
    fffffa60`02c9b000 fffffa60`02cb7000   cdfs       (deferred)            
    fffffa60`02cb7000 fffffa60`02cc5000   crashdmp   (deferred)            
    fffffa60`02cc5000 fffffa60`02cd1000   dump_dumpata   (deferred)            
    fffffa60`02cd1000 fffffa60`02cd9000   dump_atapi   (deferred)            
    fffffa60`02cd9000 fffffa60`02cec000   dump_dumpfve   (deferred)            
    fffffa60`02cec000 fffffa60`02cf8000   Dxapi      (deferred)            
    fffffa60`02cf8000 fffffa60`02d1a000   luafv      (deferred)            
    fffffa60`02d1a000 fffffa60`02d2e000   lltdio     (deferred)            
    fffffa60`02d2e000 fffffa60`02d46000   rspndr     (deferred)            
    fffffa60`02d46000 fffffa60`02de5000   HTTP       (deferred)            
    fffffa60`02de5000 fffffa60`02dff000   mpsdrv     (deferred)            
    fffffa60`03805000 fffffa60`0382c000   mrxdav     (deferred)            
    fffffa60`0382c000 fffffa60`03855000   mrxsmb     (deferred)            
    fffffa60`03855000 fffffa60`0389e000   mrxsmb10   (deferred)            
    fffffa60`0389e000 fffffa60`038bd000   mrxsmb20   (deferred)            
    fffffa60`038bd000 fffffa60`038ef000   srv2       (deferred)            
    fffffa60`038ef000 fffffa60`03980000   srv        (deferred)            
    fffffa60`03c03000 fffffa60`03c9d000   spsys      (deferred)            
    fffffa60`03c9d000 fffffa60`03d53000   peauth     (deferred)            
    fffffa60`03d53000 fffffa60`03d5e000   secdrv     (deferred)            
    fffffa60`03d5e000 fffffa60`03d6e000   tcpipreg   (deferred)            
    fffffa60`03d6e000 fffffa60`03d75000   myfault    (deferred)            

    Note how MSRDC.DLL is not loaded in kernel space. It's still possible that a given process or service has it loaded, though, so next I listed all processes to see which ones looked interesting and likely to be involved in file copies. TASKLIST output comes in handy here to map each decimal PID to the hexadecimal Cid value that !process prints. In my case I dumped them all, just for exploratory purposes.

    kd> !process 0 0

    <snipped out some>

    PROCESS fffffa8009af9040
        SessionId: 1  Cid: 0790    Peb: 7fffffdf000  ParentCid: 0a08
        DirBase: 34e57000  ObjectTable: fffff880066f60d0  HandleCount:  65.
        Image: Robocopy.exe

    PROCESS fffffa800b9adc10
        SessionId: 0  Cid: 0340    Peb: 7fffffd5000  ParentCid: 0280
        DirBase: 1efc3000  ObjectTable: fffff8800634fb60  HandleCount: 522.
        Image: svchost.exe

    I know that the Workstation service is responsible for SMB file copying on the client side (it runs in the svchost.exe instance that has wkssvc.dll loaded), and the robocopy process is definitely doing work, so I examined those two.

    kd> .process fffffa8009af9040
    Implicit process is now fffffa80`09af9040
    kd> !peb
    PEB at 000007fffffdf000
        InheritedAddressSpace:    No
        ReadImageFileExecOptions: No
        BeingDebugged:            No
        ImageBaseAddress:         00000000ffec0000
        Ldr                       0000000077db2960
        Ldr.Initialized:          Yes
        Ldr.InInitializationOrderModuleList: 00000000001226c0 . 00000000001373c0
        Ldr.InLoadOrderModuleList:           00000000001225d0 . 00000000001373a0
        Ldr.InMemoryOrderModuleList:         00000000001225e0 . 00000000001373b0
                Base TimeStamp                     Module
            ffec0000 479191ad Jan 19 00:59:09 2008 C:\Windows\system32\Robocopy.exe
            77ca0000 49e0421d Apr 11 03:09:17 2009 C:\Windows\system32\ntdll.dll
            77b70000 49e041d1 Apr 11 03:08:01 2009 C:\Windows\system32\kernel32.dll
         7feffeb0000 49e040cb Apr 11 03:03:39 2009 C:\Windows\system32\ADVAPI32.dll
         7fefeb80000 49e041ea Apr 11 03:08:26 2009 C:\Windows\system32\RPCRT4.dll
         7fef4be0000 49e04151 Apr 11 03:05:53 2009 C:\Windows\system32\MFC42u.dll
         7fefee40000 49e04189 Apr 11 03:06:49 2009 C:\Windows\system32\msvcrt.dll
            77aa0000 49e0420e Apr 11 03:09:02 2009 C:\Windows\system32\USER32.dll
         7feffd60000 49e04114 Apr 11 03:04:52 2009 C:\Windows\system32\GDI32.dll
         7fefe6f0000 49e041cf Apr 11 03:07:59 2009 C:\Windows\system32\ole32.dll
         7feffdd0000 49e041d2 Apr 11 03:08:02 2009 C:\Windows\system32\OLEAUT32.dll
         7feffc60000 49e04252 Apr 11 03:10:10 2009 C:\Windows\system32\WININET.dll
         7fefedc0000 49e041f4 Apr 11 03:08:36 2009 C:\Windows\system32\SHLWAPI.dll
            77e50000 4549b4d2 Nov 02 05:05:22 2006 C:\Windows\system32\Normaliz.dll
         7fefe8d0000 49e04146 Apr 11 03:05:42 2009 C:\Windows\system32\iertutil.dll
         7fefed70000 49e0422d Apr 11 03:09:33 2009 C:\Windows\system32\WS2_32.dll
         7fefe930000 4791adea Jan 19 02:59:38 2008 C:\Windows\system32\NSI.dll
         7fef9200000 49e041c1 Apr 11 03:07:45 2009 C:\Windows\system32\ODBC32.dll
         7fefbd90000 4791ac7c Jan 19 02:53:32 2008 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_40ba501d3c2b20ff\COMCTL32.dll
         7feff000000 49e041ef Apr 11 03:08:31 2009 C:\Windows\system32\SHELL32.dll
         7fefe420000 49e041e9 Apr 11 03:08:25 2009 C:\Windows\system32\COMDLG32.dll
         7fefe620000 49e0417d Apr 11 03:06:37 2009 C:\Windows\system32\IMM32.DLL
         7fefeee0000 49e04184 Apr 11 03:06:44 2009 C:\Windows\system32\MSCTF.dll
         7fefeff0000 4791ad25 Jan 19 02:56:21 2008 C:\Windows\system32\LPK.DLL
         7fefecd0000 49e04211 Apr 11 03:09:05 2009 C:\Windows\system32\USP10.dll
         7fefcc80000 49e041e9 Apr 11 03:08:25 2009 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_1509f8bef40ee4da\comctl32.dll
            75f50000 4549d310 Nov 02 07:14:24 2006 C:\Windows\system32\odbcint.dll

    kd> .PROCESS fffffa800b9adc10
    Implicit process is now fffffa80`0b9adc10
    kd> !peb
    PEB at 000007fffffd5000
        InheritedAddressSpace:    No
        ReadImageFileExecOptions: No
        BeingDebugged:            No
        ImageBaseAddress:         00000000ff820000
        Ldr                       0000000077db2960
        Ldr.Initialized:          Yes
        Ldr.InInitializationOrderModuleList: 00000000002125f0 . 0000000003a08ac0
        Ldr.InLoadOrderModuleList:           0000000000212500 . 0000000003a08aa0
        Ldr.InMemoryOrderModuleList:         0000000000212510 . 0000000003a08ab0
                Base TimeStamp                     Module
            ff820000 47919291 Jan 19 01:02:57 2008 C:\Windows\system32\svchost.exe
            77ca0000 49e0421d Apr 11 03:09:17 2009 C:\Windows\system32\ntdll.dll
            77b70000 49e041d1 Apr 11 03:08:01 2009 C:\Windows\system32\kernel32.dll
         7fefee40000 49e04189 Apr 11 03:06:49 2009 C:\Windows\system32\msvcrt.dll
         7feffeb0000 49e040cb Apr 11 03:03:39 2009 C:\Windows\system32\ADVAPI32.dll
         7fefeb80000 49e041ea Apr 11 03:08:26 2009 C:\Windows\system32\RPCRT4.dll
         7fefd440000 49e0422f Apr 11 03:09:35 2009 C:\Windows\system32\NTMARTA.DLL
            77aa0000 49e0420e Apr 11 03:09:02 2009 C:\Windows\system32\USER32.dll
         7feffd60000 49e04114 Apr 11 03:04:52 2009 C:\Windows\system32\GDI32.dll
         7fefe940000 49e0427e Apr 11 03:10:54 2009 C:\Windows\system32\WLDAP32.dll
         7fefed70000 49e0422d Apr 11 03:09:33 2009 C:\Windows\system32\WS2_32.dll
         7fefe930000 4791adea Jan 19 02:59:38 2008 C:\Windows\system32\NSI.dll
            77e40000 47919b74 Jan 19 01:40:52 2008 C:\Windows\system32\PSAPI.DLL
         7fefdce0000 49e041e3 Apr 11 03:08:19 2009 C:\Windows\system32\SAMLIB.dll
         7fefe6f0000 49e041cf Apr 11 03:07:59 2009 C:\Windows\system32\ole32.dll
         7fefe620000 49e0417d Apr 11 03:06:37 2009 C:\Windows\system32\IMM32.DLL
         7fefeee0000 49e04184 Apr 11 03:06:44 2009 C:\Windows\system32\MSCTF.dll
         7fefeff0000 4791ad25 Jan 19 02:56:21 2008 C:\Windows\system32\LPK.DLL
         7fefecd0000 49e04211 Apr 11 03:09:05 2009 C:\Windows\system32\USP10.dll
         7fefc1c0000 49e0419d Apr 11 03:07:09 2009 c:\windows\system32\es.dll
         7feffdd0000 49e041d2 Apr 11 03:08:02 2009 C:\Windows\system32\OLEAUT32.dll
         7fefc000000 49e041dd Apr 11 03:08:13 2009 c:\windows\system32\PROPSYS.dll
         7fefd510000 49e041ed Apr 11 03:08:29 2009 C:\Windows\system32\rsaenh.dll
         7fefe650000 4791acc9 Jan 19 02:54:49 2008 C:\Windows\system32\CLBCatQ.DLL
         7fefc4b0000 4791adeb Jan 19 02:59:39 2008 c:\windows\system32\nsisvc.dll
         7fefe250000 49e04210 Apr 11 03:09:04 2009 C:\Windows\system32\secur32.dll
         7fefdb10000 49e04202 Apr 11 03:08:50 2009 C:\Windows\system32\CRYPT32.dll
         7fefdcc0000 4791ad5c Jan 19 02:57:16 2008 C:\Windows\system32\MSASN1.dll
         7fefe270000 49e04210 Apr 11 03:09:04 2009 C:\Windows\system32\USERENV.dll
         7fefd8f0000 4791adc3 Jan 19 02:58:59 2008 C:\Windows\system32\credssp.dll
         7fefd4b0000 49e041f1 Apr 11 03:08:33 2009 C:\Windows\system32\schannel.dll
         7fefdfc0000 49e041a5 Apr 11 03:07:17 2009 C:\Windows\system32\NETAPI32.dll
         7fefbc50000 49e04225 Apr 11 03:09:25 2009 c:\windows\system32\webclnt.dll
         7fefba50000 49e04251 Apr 11 03:10:09 2009 c:\windows\system32\WINHTTP.dll
         7fefedc0000 49e041f4 Apr 11 03:08:36 2009 C:\Windows\system32\SHLWAPI.dll
         7fefe4b0000 49e04209 Apr 11 03:08:57 2009 C:\Windows\system32\urlmon.dll
         7fefe8d0000 49e04146 Apr 11 03:05:42 2009 C:\Windows\system32\iertutil.dll
         7fefcc80000 49e041e9 Apr 11 03:08:25 2009 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_1509f8bef40ee4da\comctl32.dll
         7feff000000 49e041ef Apr 11 03:08:31 2009 C:\Windows\system32\shell32.dll
         7feffc60000 49e04252 Apr 11 03:10:10 2009 C:\Windows\system32\WinInet.dll
            77e50000 4549b4d2 Nov 02 05:05:22 2006 C:\Windows\system32\Normaliz.dll
         7fefbc10000 4791ae1c Jan 19 03:00:28 2008 c:\windows\system32\wkssvc.dll
         7fefda40000 49e04193 Apr 11 03:06:59 2009 c:\windows\system32\IPHLPAPI.DLL
         7fefd9f0000 49e040f3 Apr 11 03:04:19 2009 c:\windows\system32\dhcpcsvc.DLL
         7fefdd00000 49e04119 Apr 11 03:04:57 2009 c:\windows\system32\DNSAPI.dll
         7fefd9e0000 4791ae08 Jan 19 03:00:08 2008 c:\windows\system32\WINNSI.DLL
         7fefd9b0000 49e040f4 Apr 11 03:04:20 2009 c:\windows\system32\dhcpcsvc6.DLL
         7fefdc90000 4791adef Jan 19 02:59:43 2008 c:\windows\system32\NTDSAPI.dll
         7fefd5a0000 4791adf5 Jan 19 02:59:49 2008 c:\windows\system32\WINBRAND.dll
         7fefb7d0000 4549d27e Nov 02 07:11:58 2006 c:\windows\system32\fdrespub.dll
         7fefb500000 49e0423a Apr 11 03:09:46 2009 c:\windows\system32\wsdapi.dll
         7fefb810000 4791ad11 Jan 19 02:56:01 2008 c:\windows\system32\HTTPAPI.dll
         7fefd3a0000 4791ae1a Jan 19 03:00:26 2008 c:\windows\system32\WINTRUST.dll
         7fefe400000 4791ad46 Jan 19 02:56:54 2008 C:\Windows\system32\imagehlp.dll
         7fefcfc0000 4791addb Jan 19 02:59:23 2008 c:\windows\system32\XmlLite.dll
         7fefd290000 4791ace8 Jan 19 02:55:20 2008 c:\windows\system32\FirewallAPI.dll
         7fefd820000 49e04210 Apr 11 03:09:04 2009 c:\windows\system32\VERSION.dll
         7fefb280000 49e0411b Apr 11 03:04:59 2009 C:\Windows\system32\FunDisc.dll
         7fefc840000 4791ac8a Jan 19 02:53:46 2008 C:\Windows\system32\ATL.DLL
         7fefe9a0000 49e041ed Apr 11 03:08:29 2009 C:\Windows\system32\SETUPAPI.dll
         7fefd790000 49e0418f Apr 11 03:06:55 2009 C:\Windows\system32\mswsock.dll
         7fefd400000 4791aeae Jan 19 03:02:54 2008 C:\Windows\System32\wshtcpip.dll
         7fefd810000 4791aea8 Jan 19 03:02:48 2008 C:\Windows\System32\wship6.dll
         7fefacc0000 49e04191 Apr 11 03:06:57 2009 C:\Windows\System32\msxml3.dll
         7fefb140000 4791ae0e Jan 19 03:00:14 2008 c:\windows\system32\ssdpsrv.dll
         7fefafa0000 49e0420a Apr 11 03:08:58 2009 c:\windows\system32\w32time.dll
         7fefdd40000 4791adc8 Jan 19 02:59:04 2008 c:\windows\system32\cryptdll.dll
         7fefd3e0000 49e04118 Apr 11 03:04:56 2009 C:\Windows\system32\GPAPI.dll
         7fefdae0000 49e041da Apr 11 03:08:10 2009 C:\Windows\system32\slc.dll
         7fefb100000 49ee93d7 Apr 21 23:49:43 2009 C:\Windows\System32\vmictimeprovider.dll
         7fefa300000 4791ad84 Jan 19 02:57:56 2008 c:\windows\system32\netprofm.dll
         7fefc900000 4791ad8c Jan 19 02:58:04 2008 c:\windows\system32\nlaapi.dll
         7fefa2a0000 4791adbc Jan 19 02:58:52 2008 c:\windows\system32\upnphost.dll
         7fefb3f0000 4549d324 Nov 02 07:14:44 2006 c:\windows\system32\SSDPAPI.dll
         7fefaf90000 4549d36c Nov 02 07:15:56 2006 C:\Windows\System32\npmproxy.dll
         7fefe070000 4791adb4 Jan 19 02:58:44 2008 C:\Windows\system32\SXS.DLL
         7fefce90000 4791acf3 Jan 19 02:55:31 2008 c:\windows\system32\fdphost.dll
         7fef69c0000 49e04124 Apr 11 03:05:08 2009 C:\Windows\system32\fdwsd.dll
         7fef6980000 4791ad25 Jan 19 02:56:21 2008 C:\Windows\system32\MLANG.dll
         7fef6960000 49e04121 Apr 11 03:05:05 2009 C:\Windows\system32\fdssdp.dll
         7fefd020000 49e0411f Apr 11 03:05:03 2009 C:\Windows\system32\fdproxy.dll
         7fefb840000 4791ad5c Jan 19 02:57:16 2008 C:\Windows\system32\napinsp.dll
         7fef97d0000 4791adb8 Jan 19 02:58:48 2008 C:\Windows\system32\pnrpnsp.dll
         7fefb860000 4791ae09 Jan 19 03:00:09 2008 C:\Windows\System32\winrnr.dll
         7fef9660000 4791ad9a Jan 19 02:58:18 2008 C:\Windows\system32\rasadhlp.dll

    Note how neither process has MSRDC.DLL loaded either. It’s simply not being used, and a module that is not being used cannot possibly affect anyone. Remember, an application has to be coded to use RDC. Nothing in the Kernel, in Robocopy, or in the Workstation service uses RDC at all in Vista or Win7.

    Still don’t believe me? Here is the Microsoft Remote File Systems development team stating it as well.
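    The same question (is MSRDC.DLL loaded in the kernel or in any process?) can be answered on a live machine without attaching a kernel debugger. The script below is an added example, not part of Ned's post: it uses driverquery for the kernel side and each process's module list for the user side, which is what the kd lm and !peb output above showed from the debugger's perspective. It assumes an elevated PowerShell 2.0 or later session on the Vista or Server 2008 machine under test, run while the slow copy is in progress so the copying processes actually exist.

```powershell
# Added example (not from the original post): live equivalent of the kd
# "lm" / "!process 0 0" / "!peb" walk above, looking for one module by name.
# Assumes an elevated PowerShell 2.0+ session on the box under test.
param([string]$ModuleName = 'msrdc.dll')
$ErrorActionPreference = 'Stop'   # make property-access failures catchable below

# Kernel side: a kernel-mode image would show up in the driver list
# (the same information the kd 'lm' listing gives from the debugger).
$kernelHits = driverquery /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Path -like "*\$ModuleName" }

# User side: walk every process we can open and inspect its loaded modules,
# the live counterpart of !peb per process. Processes we cannot open
# (another session, protected, or a bitness mismatch with this PowerShell)
# are reported separately rather than silently counted as "not loaded".
$userHits   = @()
$unreadable = @()
foreach ($p in Get-Process) {
    try   { $mods = $p.Modules }
    catch { $unreadable += ('{0} (PID {1} / Cid 0x{1:X4})' -f $p.ProcessName, $p.Id); continue }
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $ModuleName) {
            $userHits += New-Object PSObject -Property @{
                Process = $p.ProcessName
                PID     = $p.Id
                Cid     = ('0x{0:X4}' -f $p.Id)   # the hex value !process prints as Cid
                Path    = $m.FileName
            }
        }
    }
}

'Kernel-mode modules matching {0}: {1}' -f $ModuleName, @($kernelHits).Count
$kernelHits | Format-Table 'Module Name', Path -AutoSize
'User-mode processes with {0} loaded: {1}' -f $ModuleName, @($userHits).Count
$userHits | Format-Table Process, PID, Cid, Path -AutoSize
if ($unreadable.Count) {
    'Could not inspect {0} process(es); check these from kd or an elevated 64-bit session:' -f $unreadable.Count
    $unreadable
}
```

    For the user-mode half alone, tasklist /m msrdc.dll gives the same answer in one line and prints "INFO: No tasks are running which match the specified criteria." when nothing has the module loaded. The point of the longer version is the list of processes it could not open: a module that is absent from every process you could inspect is only proven absent if that list is empty.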

    Changes that can truly improve file copy performance

    By now you want me to get to the helpful part. Here’s a short list of some things that can improve your file copy network performance on Windows Vista and Windows Server 2008:

    • Install Service Pack 2
    • Install the latest NIC drivers from your vendor.
    • Try disabling Receive Side Scaling, Chimney Offload, and NetDMA support, then test as I did above to see whether the results differ measurably over many copies of the same file. Note that this only disables the Windows implementation of those components: your NIC vendor may also implement them in the adapter driver's own configuration, and they will need to be turned off there as well. While these components are intended to help performance, mileage varies with the quality of your hardware and vendor drivers.
    • Use robocopy.exe rather than Explorer – the price of the friendly shell showing progress and browsing folders is slightly slower performance.
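    The third bullet is only useful if the before and after numbers are actually measured. The script below is an added example, not from the post: it snapshots the current Windows TCP global settings, times repeated robocopy copies of one file, disables RSS, Chimney Offload and NetDMA with netsh, and times the copies again. It assumes an elevated prompt on Vista or Windows Server 2008; \\fileserver\share\testfile.bin and C:\copytest are placeholders for a real share and a scratch directory.

```powershell
# Added example (not from the original post): measure, change, measure again.
# Assumes an elevated PowerShell session on Vista / Server 2008 and a test
# file on a share; the share, file and destination below are placeholders.
$ErrorActionPreference = 'Stop'
$source = '\\fileserver\share'
$file   = 'testfile.bin'
$dest   = 'C:\copytest'
$runs   = 5

function Measure-Copy {
    # Robocopy the same file $Runs times and return the average seconds per copy.
    param([int]$Runs)
    $total = 0.0
    for ($i = 0; $i -lt $Runs; $i++) {
        Remove-Item (Join-Path $dest $file) -ErrorAction SilentlyContinue
        $t = Measure-Command { robocopy $source $dest $file /R:0 /NP /NJH /NJS | Out-Null }
        $total += $t.TotalSeconds
    }
    return [math]::Round($total / $Runs, 2)
}

New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Keep the current settings so they can be restored exactly later.
netsh int tcp show global | Out-File "$env:TEMP\tcp-global-before.txt"
Get-Content "$env:TEMP\tcp-global-before.txt"

$baseline = Measure-Copy -Runs $runs
"Average seconds per copy with current settings: $baseline"

# Windows side only: the NIC vendor's own RSS/offload switches live in the
# adapter's Advanced properties and have to be changed there as well.
netsh int tcp set global rss=disabled
netsh int tcp set global chimney=disabled
netsh int tcp set global netdma=disabled
netsh int tcp show global | Select-String 'Receive-Side Scaling|Chimney Offload|NetDMA'

$after = Measure-Copy -Runs $runs
"Average seconds per copy with RSS/Chimney/NetDMA disabled: $after"

# If there is no measurable difference, put the settings back using the values
# in the saved snapshot, e.g.:
#   netsh int tcp set global rss=enabled chimney=enabled netdma=enabled
```

    Run enough copies that server-side caching and other noise average out, and change one setting at a time if you want to know which of the three actually mattered on your hardware.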

    Wrapup

    It’s amazing that a component that was designed to speed up network file performance can somehow be vilified as a cause of bad performance; especially when it’s not even being used. I welcome people following my steps and telling me what you find out.

    Don’t believe everything you read on the Internet. Unless I wrote it. :-)

    - Ned ‘Rick Rolled’ Pyle

  • Implementing an OCSP responder: Part II - Preparing Certificate Authorities

    Chris here again. In Part I we covered the basics: why an OCSP Responder exists and, at a high level, how it works. Now we move on to implementing it. Before the OCSP Responder itself can be installed, however, the CA must be configured to support OCSP for revocation status checking.

    As discussed in the first part of this series, the OCSP Responder provides revocation information to clients or applications requesting revocation status for a specific certificate. For this to work, certain prerequisites need to be in place.

    Some of the prerequisites are different depending on which version of the CA you are using, and whether you are using a Standalone or Enterprise CA.

    Configuring AIA Extension to support OCSP

    To advertise that revocation status information for a particular CA can be obtained via OCSP, the CA must include a pointer to the OCSP Responder in the certificate. This is done by adding an OCSP URI to the AIA extension of the certificate.

    Although this is listed as a prerequisite, you may prefer to do it after the OCSP Responder is up and running. Any certificate issued with the new AIA entry before the Responder is available sends clients to an OCSP location that does not answer yet, creating unnecessary traffic and failed lookups at that address.

    1. Open the Certification Authority Snap-in on the CA, as an Enterprise Administrator.

    2. Right click on the CA name, and select Properties

    3. Click on the Extension Tab. From the Select Extension drop down Box, select Authority Information Access (AIA).

    4. Then click on the Add… button to add the OCSP location

    5. Type the location for the OCSP responder. This will typically be:

    http://<fqdn of the ocsp responder>/ocsp

    6. Then click OK.

    7. Check the Checkbox for Include in the online certificate status protocol (OCSP) extension.

    8. And click OK, to close the CA Properties.
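    Steps 1 to 8 can also be done from the command line on the CA, which is easier to repeat across several CAs and to review afterwards. The script below is an added example, not part of the original post. It assumes an elevated PowerShell session on the CA with CA administrator rights; ocsp.contoso.com is a placeholder for your responder's FQDN. The numeric prefix on each CACertPublicationURLs entry is the same set of checkboxes the Extensions tab shows: 1 publishes the CA certificate to the location, 2 includes it in the AIA extension, and 32 includes it in the OCSP entry of the AIA extension, which is the only flag an OCSP URL should carry.

```powershell
# Added example (not from the original post): add the OCSP URL to the AIA
# extension with certutil instead of the Certification Authority snap-in.
# Assumes an elevated session on the CA; the URL below is a placeholder.
$ErrorActionPreference = 'Stop'
$ocspUrl = 'http://ocsp.contoso.com/ocsp'

# Show what is configured today (equivalent of the Extensions tab).
certutil -getreg CA\CACertPublicationURLs

# Append the entry. The leading + adds to the REG_MULTI_SZ instead of
# replacing it, so the existing AIA locations are kept. Flag 32 = "Include in
# the online certificate status protocol (OCSP) extension"; the CA certificate
# is not published to this URL, so flags 1 and 2 are deliberately not set.
certutil -setreg CA\CACertPublicationURLs "+32:$ocspUrl"

# Certificate Services reads the extension configuration at start-up.
Restart-Service CertSvc

# Verify: the entry must now be listed with the 32: prefix.
$urls = certutil -getreg CA\CACertPublicationURLs
if (-not ($urls | Select-String -SimpleMatch "32:$ocspUrl")) {
    throw "OCSP URL $ocspUrl was not added to CACertPublicationURLs"
}
$urls | Select-String -SimpleMatch $ocspUrl
```

    After the next certificate is issued, certutil -dump on it should show the URL under Authority Info Access with the access method "OCSP (1.3.6.1.5.5.7.48.1)"; if it appears under "Certification Authority Issuer" instead, the entry was given flag 2 rather than 32.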

    Preparing Windows Server 2003 Standalone CA for use with OCSP Responder

    OCSP Signing Certificates

    In order to be able to deploy the OCSP Signing Certificate used by the OCSP Responder, there are some configuration changes that need to be made on a Windows Server 2003 CA.

    A signing certificate includes the id-pkix-ocsp-nocheck extension. This extension informs the OCSP client that the OCSP signing certificate should not be checked for revocation during the lifetime of the certificate. The OCSP Signing certificate should therefore have a short lifetime. By default, a Windows Server 2003 CA will ignore the id-pkix-ocsp-nocheck extension in a certificate request and will not include that extension in the issued certificate. To change this behavior, you must allow custom extensions to be used in certificate requests.

    To enable support for custom extensions, run the following command on the CA:

    [screenshot of the command]

    The extension object identifier (OID) for id-pkix-ocsp-nocheck is 1.3.6.1.5.5.7.48.1.5. The command instructs the CA to include that extension in the issued certificate if it is present in the request.

    Preparing Windows Server 2003 Enterprise CA for use with OCSP Responder

    If you plan on using a Windows Server 2003 Enterprise CA to issue the OCSP Signing Certificate you will need to follow the instructions outlined in the previous section for enabling the use of custom extensions.

    If you plan to use a certificate template on the Windows Server 2003 Enterprise CA, you must have at least one Windows Server 2008 Enterprise CA in the environment, because you will be duplicating the version 3 OCSP Response Signing template on the Windows Server 2008 CA to create a version 2 copy for the Windows Server 2003 CA. Both the Windows Server 2003 and the Windows Server 2008 CA must be running Enterprise Edition, since the Standard Editions of the server OS support only version 1 templates.

    Duplicating the OCSP Signing Template

    1. Logon to a Windows Server 2008 Enterprise CA, with an account that is a member of the Enterprise Admins group.

    2. Open up the Certificate Template management console (certtmpl.msc).

    3. Right click on OCSP Response Signing Template, and select Duplicate Template from the context menu, as illustrated below:

    4. In the Duplicate Template dialog box, select Windows Server 2003 Server, Enterprise Edition, and click OK. This choice creates a version 2 template instead of a version 3 template, which is what the Windows Server 2003 CA can use.

    5. Give a name to the duplicated template, and click OK.

    6. Log on to the Windows Server 2003 CA, open the Certification Authority snap-in (certsrv.msc), right-click Certificate Templates, and select New, then Certificate Template to Issue from the context menu.

    7. Select the Duplicated Template, and click on OK.

    Preparing Windows Server 2008 Standalone CA for use with OCSP Responder

    In the previous section on preparing the Windows Server 2003 Standalone CA, we had to enable the CA to accept custom extensions sent in the request so that we could request a certificate carrying the id-pkix-ocsp-nocheck extension. Windows Server 2008 supports id-pkix-ocsp-nocheck natively, so there is no general need to allow custom extensions: on a Windows Server 2008 Enterprise CA no action is necessary. On a Windows Server 2008 Standalone CA, however, we still need to run the following command to add support for the id-pkix-ocsp-nocheck extension:

    [screenshot of the command]
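    Both this section and the earlier Windows Server 2003 Standalone CA section call for the same change: adding the id-pkix-ocsp-nocheck OID to the CA's EnableRequestExtensionList policy setting. The script below is an added example standing in for the post's screenshots, not the author's own text; it uses the documented certutil -setreg syntax and the OID the text gives, and then checks both the registry and, once the responder has enrolled, the issued signing certificate. Run it on the CA as a CA administrator; ocspsign.cer is a placeholder for an exported copy of the signing certificate.

```powershell
# Added example (not from the original post): allow the id-pkix-ocsp-nocheck
# request extension through to the issued certificate, then verify it.
# Applies to a Windows Server 2003 CA and to a Windows Server 2008 Standalone CA.
$ErrorActionPreference = 'Stop'
$ocspNoCheckOid = '1.3.6.1.5.5.7.48.1.5'   # id-pkix-ocsp-nocheck, as given in the text

# Before: by default the list does not contain this OID, so the CA silently
# drops the extension from the request and the signing cert is issued without it.
certutil -getreg policy\EnableRequestExtensionList

# Add it. The leading + appends to the REG_MULTI_SZ instead of replacing it,
# so any OIDs already allowed stay allowed.
certutil -setreg policy\EnableRequestExtensionList "+$ocspNoCheckOid"

# The policy module reads this setting at service start.
Restart-Service CertSvc

# Confirm the registry now lists the OID ...
$list = certutil -getreg policy\EnableRequestExtensionList
if (-not ($list | Select-String -SimpleMatch $ocspNoCheckOid)) {
    throw "EnableRequestExtensionList does not contain $ocspNoCheckOid"
}

# ... and, after the responder has enrolled, that the issued signing certificate
# actually carries it (placeholder file name; export the cert from the responder).
if (Test-Path .\ocspsign.cer) {
    $hit = certutil -dump .\ocspsign.cer | Select-String -SimpleMatch $ocspNoCheckOid
    if (-not $hit) { throw 'Issued signing certificate lacks id-pkix-ocsp-nocheck' }
    $hit
}
```

    The second check matters more than the first: a responder whose signing certificate lacks id-pkix-ocsp-nocheck will have its own certificate revocation-checked by every client, which is exactly the dependency loop the extension exists to avoid.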

    Preparing Windows Server 2008 Enterprise CA for use with OCSP Responder

    The only preparation required on a Windows Server 2008 Enterprise CA is to grant the OCSP servers permissions on the template and to make the template available for issuance.

    1. Open the Certificate Template Management console (certtmpl.msc)

    2. Locate the OCSP Certificate Template, Right-click, and select Properties

    3. On the Security tab, add the computer account of the server that will host the OCSP Responder and grant it Read and Enroll permissions on the template. Note: a more scalable approach is to create a security group, assign the permissions to that group, and add each OCSP server's computer account to the group.

    4. Go back to the Certification Authority management console, right-click the Certificate Templates node, and from the context menu select New and then Certificate Template to Issue.

    5. Select the OCSP Response Signing Template, and select OK.
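    The same five steps from the command line, as an added example that is not part of the original post. It follows the note in step 3 and grants the rights to a security group; CONTOSO\OCSP Responders is a placeholder for a group that contains the responder computer accounts. The template object lives in the configuration partition under CN=Certificate Templates, and the OCSP Response Signing template's object name is OCSPResponseSigning. Run it as an Enterprise Admin on the Windows Server 2008 Enterprise CA.

```powershell
# Added example (not from the original post): grant Read + Enroll on the
# OCSP Response Signing template to a group and publish the template on this CA.
# The group name is a placeholder; run as an Enterprise Admin on the CA.
$ErrorActionPreference = 'Stop'
$group = 'CONTOSO\OCSP Responders'

# Build the template's DN from the forest's configuration naming context.
$configNC   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDN = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Step 3: Read (generic read) plus the Enroll control-access right.
dsacls $templateDN /G "${group}:GR"
dsacls $templateDN /G "${group}:CA;Enroll"

# Show the resulting ACEs for the group.
dsacls $templateDN | Select-String -SimpleMatch $group

# Steps 4-5: make the template issuable by this CA.
certutil -SetCATemplates +OCSPResponseSigning

# Verify it is now in the CA's list of templates to issue.
$issuable = certutil -CATemplates | Select-String -SimpleMatch 'OCSPResponseSigning'
if (-not $issuable) { throw 'OCSPResponseSigning is not published on this CA' }
$issuable
```

    Enroll is a control-access right on the template object rather than a normal permission bit, which is why dsacls needs the CA;Enroll form; granting only Read would let the responder see the template but not enroll against it.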

    Conclusion

    You should now have your Certification Authorities configured to support the OCSP Responder as a source of revocation status. In the next part of this series I will cover installing and configuring the OCSP Responder for use with Enterprise CAs.

    Implementing an OCSP responder: Part I Introducing OCSP
    Implementing an OCSP responder: Part II Preparing Certificate Authorities
    Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
    Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs 
    Implementing an OCSP Responder: Part V High Availability
    Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

    - Chris Delay

  • RSAT and ADUC for Vista - Update to add tabs for Terminal Services Profile, Environment, Sessions, and Remote Control

    Ned here. After much strife, here is the hotfix to get RSAT AD Users and Computers to include tabs for:

    • Terminal Services Profile 
    • Environment 
    • Sessions 
    • Remote Control 

    960890 Some tabs are not available in the properties of a user account in the Active Directory Users and Computers MMC snap-in after you install Remote Server Administration Tools (RSAT) on a computer that is running Windows Vista
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;960890

    If you have been hacking away at this previously to make it work, make sure to unregister and remove your server DLLs before installing this update.

     Linda Taylor rules.

    - Ned Pyle

  • New Directory Services KB Articles/Blog Posts 6/14-6/20

    KB Articles

    971421

    You cannot access a network share by using a client-side redirector that uses the server message block (SMB) protocol on a computer that is running Windows XP

    960874

    Restricted registry access in Internet Explorer when using Windows SteadyState

    971277

    You cannot access an administrative share on a computer that is running Windows Vista or Windows Server 2008, after you set the SrvsvcDefaultShareInfo registry entry to configure the default share permissions for a network share

    971832

    A server certificate renewal request that is created in Internet Information Services 7.0 is invalid

    971165

    The CLIENTNAME environment variable returns the value "Console" instead of the actual client name when users first log on to a Windows XP SP3-based computer by using Remote Desktop Connection

    972817

    While resuming Windows XP Service Pack 3 from hibernation, you may see a blank screen instead of the splash screen

    969972

    You encounter a slow application startup or a slow logon on a computer that is running Windows Server 2008 or Windows Vista after you apply software restriction policies

    968991

    File copying from down-level systems to Windows Vista or Windows Server 2008 is significantly slower if Intel I/OAT is enabled

    972386

    The logoff screen is displayed when you close a Citrix Metaframe application on a Windows Server 2008-based computer


    Blog Posts

    Migrating from PolicyMaker to Group Policy Preferences with GPPMIG

    Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

    The Strange Case of Unenforced Password Complexity

    DFSRMIG and the Connection Gremlin

    Windows 7: Offline Files & Folders - Transparent Caching

    FDCC and Internet Explorer 7, Part 3 – Protected Mode

    Office Integration with MOSS and ADFS

    Where to put SSL certificate for LDAP …

    Getting the Contents of an Active Directory Integrated DNS Zone

    Power Management in Group Policy – What do you do?

    What's Happening in the GP World???

    Major carriers ramping up support for IPv6

    Command Line version of Server Manager in Windows Server 2008 R2