Archive for August, 2009

LdapIPDeny List

August 28, 2009

Let me explain the background of an issue I have faced. A member server had several applications running on it. All of a sudden, all the applications stopped and would not let us start them. The error seemed to be with the service account used by the applications; it clearly said there was a problem with authentication. So, in the process of troubleshooting, one of our sysadmins disjoined the server from the domain. When he tried adding the server back to the domain, the actual problem started. It didn't allow joining the server back to the DC, saying that the LDAP query failed and access was denied.

We had to rename and rebuild the server, but that didn't help us solve the issue.

Finally, after a lot of investigation, we found the root cause: the server's IP had been added to the LdapIPDeny List in AD, which was causing the LDAP failed errors and not allowing this server to join back to the domain. After we removed the IP from the list, the server successfully joined back to the domain.

Very brief information on the LdapIPDeny List follows:

To provide a higher level of security for the DC, you can apply an IP Deny List that prevents the DC from accepting LDAP queries from clients with the specified IP addresses. Like the LDAP administration limits, the IP Deny List set through Ntdsutil only alters the Default LDAP Policy object. The default LDAP policy is applied to any DC that has not had a specific LDAP policy applied to it or to the site to which it belongs.

A DC uses the following three mechanisms to apply LDAP Policies:

  • A DC might refer to a specific LDAP Policy. The NTDS Settings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • If no specific query policy is applied to the DC, the DC applies the Query Policy assigned to the DC's site. The ntDSSiteSettings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • If neither a DC-specific nor a site Query Policy exists, the DC uses the default query policy, named Default-Query Policy.

A Query Policy object includes the multivalued attributes lDAPIPDenyList and lDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and the IP Deny List for the Default-Query Policy object.
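The three-step policy lookup above, combined with an IP Deny List check, is what decides whether a DC will answer a given client. The following script is an added illustration, not code from the original post: it resolves which Query Policy a DC applies and then tests whether a client IP falls inside any (address, mask) entry of that policy's deny list. The directory state (the forest root DC=example,DC=com, the "CN=Site Policy" object and the deny entries) is constructed sample data.

```python
import ipaddress

# Distinguished name of the policy a DC falls back to when neither its NTDS
# Settings object nor its site's ntDSSiteSettings names a queryPolicyObject.
# The forest root "DC=example,DC=com" is a constructed placeholder.
DEFAULT_QUERY_POLICY = ("CN=Default Query Policy,CN=Query-Policies,"
                        "CN=Directory Service,CN=Windows NT,CN=Services,"
                        "CN=Configuration,DC=example,DC=com")

def effective_query_policy(ntds_settings: dict, site_settings: dict) -> str:
    """Resolve the Query Policy a DC applies: its own queryPolicyObject,
    else the site's queryPolicyObject, else Default-Query Policy."""
    return (ntds_settings.get("queryPolicyObject")
            or site_settings.get("queryPolicyObject")
            or DEFAULT_QUERY_POLICY)

def ip_is_denied(client_ip: str, deny_list: list) -> bool:
    """True when client_ip matches any (address, mask) pair of an IP Deny List;
    a mask of 255.255.255.255 denies exactly one host."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in ipaddress.IPv4Network((addr, mask), strict=False)
               for addr, mask in deny_list)

def diagnose(client_ip: str, ntds_settings: dict, site_settings: dict,
             policies: dict) -> tuple:
    """Return (policy DN in effect, whether that policy denies client_ip)."""
    policy_dn = effective_query_policy(ntds_settings, site_settings)
    return policy_dn, ip_is_denied(client_ip, policies.get(policy_dn, []))

# Constructed sample state: the only deny entry is the member server's own IP
# on the Default-Query Policy, which is the situation described in the post.
SITE_POLICY = ("CN=Site Policy,CN=Query-Policies,CN=Directory Service,"
               "CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com")
POLICIES = {
    DEFAULT_QUERY_POLICY: [("192.0.2.10", "255.255.255.255")],
    SITE_POLICY: [],
}
DC_NO_POLICY = {}                                   # no queryPolicyObject on NTDS Settings
SITE_NO_POLICY = {}                                 # no queryPolicyObject on the site
SITE_WITH_POLICY = {"queryPolicyObject": SITE_POLICY}

if __name__ == "__main__":
    # Same client, two DCs: the default policy denies it, a site policy does not.
    print(diagnose("192.0.2.10", DC_NO_POLICY, SITE_NO_POLICY, POLICIES))
    print(diagnose("192.0.2.10", DC_NO_POLICY, SITE_WITH_POLICY, POLICIES))
```

Running it shows why only some DCs may refuse the server: a DC (or site) with its own Query Policy never consults the Default-Query Policy's deny list.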

The following links may help you understand how the LdapIPDeny List works.

http://technet.microsoft.com/en-us/library/cc976714.aspx

http://msdn.microsoft.com/en-us/library/cc220058(PROT.10).aspx

http://technet.microsoft.com/en-us/library/cc976703.aspx

/3GB switch

August 28, 2009

I have come across issues with virtual memory, /3GB, /PAE, etc. many times, and I guess you have too. Here is a brief description of how /3GB and /PAE work and where to use them.

/3GB – This is a switch in the boot.ini file that increases the user-mode virtual address space and decreases the kernel-mode space. By default, the /3GB switch is not enabled, and the system allocates 2GB for user mode and 2GB for kernel mode. That is, 2GB of virtual address space can be used by applications in user mode and the rest by kernel mode. In other words, 2 billion memory addresses for kernel mode and 2 billion for applications. 32-bit Windows 2000 and Windows Server 2003 can directly address up to 4GB of memory address space, regardless of how much physical RAM is installed. From the process perspective, each element of the virtual address space conceptually refers to a byte of physical memory.

Now let's see what virtual address space is. Is it the same as virtual memory? No. Virtual address space is different from virtual memory: virtual address space is the range of addresses allocated to each process, split between user mode and kernel mode. With that in mind, you can understand the advantage and the disadvantage of the /3GB switch.

Let's see how it works.

Adding the /3GB switch increases the performance of programs/applications that are capable of using it. For example, Active Directory is capable of using the /3GB switch, which allows AD to improve its caching:

  • W2k – with the /3GB switch, AD caching is allowed a maximum of 1024MB
  • W2k – without the /3GB switch, AD caching is limited to 512MB
  • W2k3 – the AD cache is allowed to grow more freely but remains limited by the virtual address space.

Note1: Do not enable the /3GB switch unless the application is aware of /3GB. If you enable /3GB for an application that is not aware of large address spaces, it will hurt the kernel address space and not improve performance.
Note2: Using /3GB together with /PAE causes conflicts, and the kernel is limited to 16GB of memory. This is caused by the kernel virtual memory address space limitations.
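Whether an application is "aware of /3GB" is recorded in its PE header as the IMAGE_FILE_LARGE_ADDRESS_AWARE characteristic (set by the linker's /LARGEADDRESSAWARE option). The following script is an added example, not from the original post: it reads that flag from an executable and reports the user/kernel virtual address split a 32-bit process gets with and without /3GB. The minimal PE image it builds for demonstration is constructed sample data, not a real binary.

```python
import struct

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # COFF Characteristics bit set by /LARGEADDRESSAWARE
GB = 1024 ** 3

def is_large_address_aware(pe_bytes: bytes) -> bool:
    """Return True if the PE image has IMAGE_FILE_LARGE_ADDRESS_AWARE set.

    Layout: DOS header starts with 'MZ' and holds e_lfanew at offset 0x3C;
    at e_lfanew sits the 4-byte 'PE\\0\\0' signature followed by the 20-byte
    COFF file header, whose last 2 bytes are the Characteristics field.
    """
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (characteristics,) = struct.unpack_from("<H", pe_bytes, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)

def va_split(large_address_aware: bool, three_gb_switch: bool) -> tuple:
    """(user-mode bytes, kernel-mode bytes) for a 32-bit process.

    /3GB always shrinks the kernel to 1GB; only a large-address-aware
    process actually receives the extra user-mode gigabyte (Note1 above).
    """
    kernel = 1 * GB if three_gb_switch else 2 * GB
    user = 3 * GB if (three_gb_switch and large_address_aware) else 2 * GB
    return user, kernel

def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal image: DOS header, padding, PE signature, COFF header."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    dos += b"\0" * (e_lfanew - len(dos))
    # Machine=i386, 1 section, timestamp, symtab ptr, nsyms, opt hdr size, flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        aware = is_large_address_aware(f.read())
    print("large address aware:", aware)
    print("user/kernel split with /3GB:", va_split(aware, True))
```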

/PAE – Causes Ntldr to load Ntkrnlpa.exe, the version of the x86 kernel that is able to take advantage of x86 PAE. The PAE version of the kernel presents 64-bit physical addresses to device drivers, so this switch is also helpful for testing device driver support for large-memory systems.

Operating system – Maximum memory support with PAE
Windows 2000 Advanced Server – 8 GB of physical RAM
Windows 2000 Datacenter Server – 32 GB of physical RAM
Windows XP (all versions) – 4 GB of physical RAM
Windows Server 2003 (and SP1), Standard Edition – 4 GB of physical RAM *
Windows Server 2003, Enterprise Edition – 32 GB of physical RAM *
Windows Server 2003, Datacenter Edition – 64 GB of physical RAM
Windows Server 2003 SP1, Enterprise Edition – 64 GB of physical RAM
Windows Server 2003 SP1, Datacenter Edition – 128 GB of physical RAM
* Total physical address space is limited to 4 GB on these versions of Windows.

I will cover PTEs and the paged and non-paged pools in my next article.

Categories: Technical Stuff