public void DRSR_RODC_FAS_Add_Attribute()
{
int timeOut = 0;
DrsrTestChecker.Check();
EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
EnvironmentConfig.Machine dc1Enum = EnvironmentConfig.Machine.WritableDC1;
DsServer dc1 = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];
ResultCode r = ResultCode.Other;
// FAS: first try "Employee-Number"
string nc = LdapUtility.GetDnFromNcType(dc1, NamingContext.SchemaNC);
string searchFlagsAttr = "searchFlags";
string attrDn = "CN=Employee-Number," + nc;
string attrName = "employeeNumber";
uint searchFlags = 0;
// wait until FAS is modified on DC01
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
searchFlags = Convert.ToUInt32(
ldapAdapter.GetAttributeValueInString(dc1, attrDn, searchFlagsAttr)
);
if ((searchFlags & kRODC_FAS) != 0)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "FAS already effective.");
// the attribute is already in the FAS
break;
}
ldapAdapter.ModifyAttribute(dc1, attrDn, new DirectoryAttribute(searchFlagsAttr, kRODC_FAS.ToString()));
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
BaseTestSite.Assert.IsTrue((searchFlags & kRODC_FAS) != 0, "FAS is set successfully on {0}", dc1.NetbiosName);
uint ret = drsTestClient.DrsBind(rodcEnum, EnvironmentConfig.User.ParentDomainAdmin, DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE);
Assert.IsTrue(ret == 0);
ret = drsTestClient.DrsReplicaSync(rodcEnum, DrsReplicaSync_Versions.V1, dc1Enum, DRS_OPTIONS.DRS_FULL_SYNC_NOW, false, NamingContext.SchemaNC);
BaseTestSite.Assert.IsTrue(ret == 0, "Start replica from {0} to {1}.", dc1.NetbiosName, rodc.NetbiosName);
// wait until FAS is replicated to RODC
BaseTestSite.Log.Add(LogEntryKind.Comment, "Waiting for FAS to be replicated, searchFlags: {0}", searchFlags);
bool isReplicated = false;
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
if (IsObjectReplicated(dc1, rodc, NamingContext.SchemaNC, attrDn))
{
// exit the loop when FAS is replicated to the RODC
isReplicated = true;
BaseTestSite.Log.Add(LogEntryKind.Comment, "FAS applied.");
break;
}
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
BaseTestSite.Assert.IsTrue(isReplicated, "Replica from {0} succeeded.", dc1.NetbiosName);
// create the user first if it doesn't exist.
string userDn = ldapAdapter.TestAddUserObj(dc1);
Assert.IsNotNull(userDn);
// take a "snapshot" of the current RODC replication state.
// We'll use this snapshot to impersonate earlier state of the RODC
// AFTER the changes are replicated to the actual RODC.
USN_VECTOR? usnFrom = null;
UPTODATE_VECTOR_V1_EXT?utdVector = null;
SnapshotReplicationState(dc1, rodc, NamingContext.DomainNC, out usnFrom, out utdVector);
// modify Employee Number
int newValue = _rnd.Next();
DirectoryAttribute employeeNumberAttr = new DirectoryAttribute(attrName, newValue.ToString());
r = ldapAdapter.ModifyAttribute(dc1, userDn, employeeNumberAttr);
Assert.AreEqual <ResultCode>(ResultCode.Success, r);
//ret = drsTestClient.DrsBind(rodcEnum, EnvironmentConfig.User.ParentDomainAdmin, DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE);
//Assert.IsTrue(ret == 0);
ret = drsTestClient.DrsReplicaSync(rodcEnum, DrsReplicaSync_Versions.V1, dc1Enum, DRS_OPTIONS.DRS_ASYNC_OP, false, NamingContext.DomainNC);
BaseTestSite.Assert.IsTrue(ret == 0, "Start replica from {0} to {1}.", dc1.NetbiosName, rodc.NetbiosName);
// Wait until the change is replicated by the actual RODC
bool replicated = false;
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
// First, check the originating USNs on RODC to make sure the replication has completed.
if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, userDn))
{
replicated = true;
break;
}
// sleep
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
uint?outVersion;
DRS_MSG_GETCHGREPLY?outMessage = null;
// DRSBind
DRS_EXTENSIONS_IN_FLAGS clientCapabilities
= DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;
ret = drsTestClient.DrsBind(dc1Enum, EnvironmentConfig.User.RODCMachineAccount, clientCapabilities);
Assert.IsTrue(ret == 0);
if (replicated)
{
ret = drsTestClient.DrsGetNCChangesV2(
dc1Enum,
dc1,
rodc,
userDn,
usnFrom.Value,
utdVector.Value,
false,
out outVersion,
out outMessage);
}
// remove the temp user
ldapAdapter.DeleteObject(dc1, userDn);
// DRSUnbind
ret = drsTestClient.DrsUnbind(dc1Enum);
Assert.IsTrue(ret == 0);
BaseTestSite.Assert.IsTrue(replicated, "Replica from {0} succeeded.", dc1.NetbiosName);
// check in outMessage that the secret attributes are not replicated.
DRS_MSG_GETCHGREPLY_V6 replyV6 = outMessage.Value.V6;
REPLENTINFLIST[] objectList = replyV6.pObjects;
if (objectList != null)
{
foreach (REPLENTINFLIST entInf in objectList)
{
for (int i = 0; i < entInf.Entinf.AttrBlock.attrCount; ++i)
{
ATTR attr = entInf.Entinf.AttrBlock.pAttr[i];
string displayName = GetLdapDisplayName(dc1, attr.attrTyp, replyV6.PrefixTableSrc);
if (displayName == attrName)
{
// examine the new value
string value = System.Text.Encoding.Unicode.GetString(
attr.AttrVal.pAVal[0].pVal);
BaseTestSite.Assert.AreNotEqual <string>(
newValue.ToString(),
value,
"{0} is in FAS, should not be replicated", attrName);
}
}
}
}
// FAS: Remove "Employee-Number" from the FAS
DirectoryAttribute searchAttr = new DirectoryAttribute(searchFlagsAttr, "0");
r = ldapAdapter.ModifyAttribute(dc1, attrDn, searchAttr);
}
public void DRSR_RODC_Unidirectional_Replication_Denied()
{
DrsrTestChecker.Check();
EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
EnvironmentConfig.Machine dc1Enum = EnvironmentConfig.Machine.WritableDC1;
DsServer dc1 = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];
// DRSBind
DRS_EXTENSIONS_IN_FLAGS clientCapabilities
= DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;
uint ret = drsTestClient.DrsBind(rodcEnum, EnvironmentConfig.User.MainDCAccount, clientCapabilities);
Assert.IsTrue(ret == 0);
// test user DN
string nc = LdapUtility.GetDnFromNcType(dc1, NamingContext.DomainNC);
string userDn = "CN=" + EnvironmentConfig.DomainUserName + ",CN=Users," + nc;
EnvironmentConfig.ExpectSuccess = false;
uint?outVersion;
DRS_MSG_GETCHGREPLY?outMessage;
bool exceptionCaught = false;
try
{
ret = drsTestClient.DrsGetNCChanges(
rodcEnum,
DrsGetNCChanges_Versions.V8,
dc1Enum,
DRS_OPTIONS.NONE,
NamingContext.DomainNC,
EXOP_REQ_Codes.EXOP_REPL_SECRETS,
FSMORoles.None,
userDn,
out outVersion,
out outMessage);
}
catch (Exception e)
{
if (EnvironmentConfig.UseNativeRpcLib)
{
// windows behavior, an RODC cannot process GetNCChange request
// Illegal RODC RPC call
BaseTestSite.Assert.IsInstanceOfType(
e,
typeof(SEHException),
"The call should not be accepted by the RODC");
}
else
{
BaseTestSite.Assert.AreEqual <int>(87, int.Parse(e.Message), "RPC error code " + e.Message);
}
exceptionCaught = true;
}
finally
{
EnvironmentConfig.ExpectSuccess = true;
}
BaseTestSite.Assert.IsTrue(exceptionCaught, "An exception should be raised to indicate invalid GetNCChange calls");
}
public void DRSR_RODC_Credential_Caching_Not_Revealed()
{
uint timeOut = 0;
DrsrTestChecker.Check();
EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
EnvironmentConfig.Machine dc1Enum = EnvironmentConfig.Machine.WritableDC1;
DsServer dc1 = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];
// take a snapshot of the current replication state of the RODC
USN_VECTOR? usnFrom = null;
UPTODATE_VECTOR_V1_EXT?utdVector = null;
SnapshotReplicationState(dc1, rodc, NamingContext.DomainNC, out usnFrom, out utdVector);
// we need a user and put it into the Revealed List.
// create the user first if it doesn't exist.
string userDn = ldapAdapter.TestAddUserObj(dc1);
Assert.IsNotNull(userDn);
// at this time, the user is NOT in the revealed list
// wait until the object is replicated by the actual RODC
bool replicated = false;
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, userDn))
{
replicated = true;
break;
}
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
BaseTestSite.Assert.IsTrue(replicated, "The object should be replicated to the RODC");
// DRSBind
DRS_EXTENSIONS_IN_FLAGS clientCapabilities
= DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;
uint ret = drsTestClient.DrsBind(dc1Enum, EnvironmentConfig.User.RODCMachineAccount, clientCapabilities);
Assert.IsTrue(ret == 0);
uint?outVersion;
DRS_MSG_GETCHGREPLY?outMessage;
ret = drsTestClient.DrsGetNCChangesV2(
dc1Enum,
dc1,
rodc,
userDn,
usnFrom.Value,
utdVector.Value,
true, // request secrets
out outVersion,
out outMessage);
BaseTestSite.Assert.IsTrue(
(uint)Win32ErrorCode_32.ERROR_DS_DRA_SECRETS_DENIED == ret,
"Replication of secrets should be denied when the object is not in the revealed list"
);
// remove the temp user
ldapAdapter.DeleteObject(dc1, userDn);
// DRSUnbind
ret = drsTestClient.DrsUnbind(dc1Enum);
}
public void DRSR_RODC_Credential_Caching_Revealed()
{
int timeOut = 0;
DrsrTestChecker.Check();
EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
EnvironmentConfig.Machine dc1Enum = EnvironmentConfig.Machine.WritableDC1;
DsServer dc1 = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];
// take a snapshot of the current replication state of the RODC
USN_VECTOR? usnFrom = null;
UPTODATE_VECTOR_V1_EXT?utdVector = null;
SnapshotReplicationState(dc1, rodc, NamingContext.DomainNC, out usnFrom, out utdVector);
// we need a user and put it into the Revealed List.
// create the user first if it doesn't exist.
string nc = LdapUtility.GetDnFromNcType(dc1, NamingContext.DomainNC);
string userDn = ldapAdapter.TestAddUserObj(dc1);
Assert.IsNotNull(userDn);
// add this user to the "Allowed RODC Password Replication Group"
string allowedDn = "CN=Allowed RODC Password Replication Group, CN=Users,"
+ LdapUtility.GetDnFromNcType(dc1, NamingContext.DomainNC);
ResultCode r = ldapAdapter.AddObjectToGroup(dc1, userDn, allowedDn);
Assert.IsTrue(r == ResultCode.Success);
// Set password of the user
LdapUtility.ChangeUserPassword(dc1, userDn, "1*admin");
// wait until the object is replicated by the actual RODC
bool replicated = false;
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, userDn))
{
replicated = true;
break;
}
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
// wait until the "Allowed RODC Password Replication Group object is replicated by the actual RODC
replicated = false;
for (timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
{
if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, allowedDn))
{
replicated = true;
break;
}
System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
}
BaseTestSite.Assert.IsTrue(replicated, "{0} should be replicated to the RODC", allowedDn);
// DRSBind
DRS_EXTENSIONS_IN_FLAGS clientCapabilities
= DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
| DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;
uint ret = drsTestClient.DrsBind(dc1Enum, EnvironmentConfig.User.RODCMachineAccount, clientCapabilities);
Assert.IsTrue(ret == 0);
uint?outVersion;
DRS_MSG_GETCHGREPLY?outMessage = null;
ret = drsTestClient.DrsGetNCChangesV2(
dc1Enum,
dc1,
rodc,
userDn,
usnFrom.Value,
utdVector.Value,
true, // request secrets
out outVersion,
out outMessage);
// DRSUnbind
ret = drsTestClient.DrsUnbind(dc1Enum);
Assert.IsTrue(ret == 0);
ldapAdapter.DeleteObject(dc1, userDn);
// check in outMessage that the secret attributes are not replicated.
DRS_MSG_GETCHGREPLY_V6 replyV6 = outMessage.Value.V6;
REPLENTINFLIST[] objectList = replyV6.pObjects;
bool secretFound = false;
string firstSecretAttrbute = null;
foreach (REPLENTINFLIST entInf in objectList)
{
for (int i = 0; i < entInf.Entinf.AttrBlock.attrCount; ++i)
{
ATTR attr = entInf.Entinf.AttrBlock.pAttr[i];
if (IsSecretAttribute(dc1, attr.attrTyp, replyV6.PrefixTableSrc, out firstSecretAttrbute))
{
if (attr.AttrVal.pAVal != null)
{
secretFound = true;
}
}
}
}
BaseTestSite.Assert.IsTrue(
secretFound,
"Secret attribute {0} should appear in the response when user is in the revealed list",
firstSecretAttrbute);
}
public void DRSR_DRSGetNCChanges_Failed_NoStrongEncryptionByClient()
{
DrsrTestChecker.Check();
EnvironmentConfig.Machine dcServer = EnvironmentConfig.Machine.WritableDC1;
EnvironmentConfig.Machine dcPartner = EnvironmentConfig.Machine.WritableDC2;
DsServer dcServerMachine = (DsServer)EnvironmentConfig.MachineStore[dcServer];
DsServer dcPartnerMachine = (DsServer)EnvironmentConfig.MachineStore[dcPartner];
NamingContext specifiedNC = NamingContext.DomainNC;
string userdn = ldapAdpter.TestAddUserObj(dcServerMachine);
AddObjectUpdate aou = new AddObjectUpdate(dcServer, userdn);
updateStorage.PushUpdate(aou);
string groupdn = DRSTestData.DRSGetNCChange_ExistGroup + "," + LdapUtility.ConvertUshortArrayToString(((AddsDomain)dcServerMachine.Domain).DomainNC.StringName);
DRS_OPTIONS ulFlags = DRS_OPTIONS.NONE;
try
{
ldapAdpter.RemoveObjectFromGroup(dcServerMachine, userdn, groupdn);
}
catch
{
//it's OK if user is not in group
}
drsTestClient.SyncDCs(dcServer, dcServer);
//add a user to group dn
BaseTestSite.Log.Add(LogEntryKind.Comment, "Add user dn {0} to group dn {1} on DC {2}", userdn, groupdn, dcServer);
ResultCode addret = ldapAdpter.AddObjectToGroup(dcServerMachine, userdn, groupdn);
BaseTestSite.Assert.IsTrue(addret == ResultCode.Success, "add userdn {0} to group dn {1} failed", userdn, groupdn);
AddObjectUpdate adduserUpdate = new AddObjectUpdate(dcServer, userdn);
updateStorage.PushUpdate(adduserUpdate);
DRS_EXTENSIONS_IN_FLAGS clientCapbilities = DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6; // not contains | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;
BaseTestSite.Log.Add(LogEntryKind.Comment, "Bind to DC server: {0}", dcServer);
uint ret = drsTestClient.DrsBind(dcServer, EnvironmentConfig.User.WritableDC2Account, clientCapbilities);
BaseTestSite.Assert.AreEqual <uint>(0, ret, "IDL_DRSBind should return 0 with a success bind to DC");
BaseTestSite.Log.Add(LogEntryKind.Comment,
"Calling IDL_DRSNCChanges (V8 request) to get changes for a specified NC from a DC server. The reply compression is not required.");
uint?outVersion;
DRS_MSG_GETCHGREPLY?outMessage;
ret = drsTestClient.DrsGetNCChanges(
dcServer,
DrsGetNCChanges_Versions.V8,
dcPartner,
ulFlags,
specifiedNC,
EXOP_REQ_Codes.None,
FSMORoles.None,
null,
out outVersion,
out outMessage);
BaseTestSite.Assert.AreNotEqual <uint>(0, ret, "IDL_DRSGetNCChanges should not return 0x0 for failure");
BaseTestSite.Assert.AreEqual <uint>((uint)Win32ErrorCode_32.SEC_E_ALGORITHM_MISMATCH, ret, "Verify error code detail: IDL_DRSNCChanges should return SEC_E_ALGORITHM_MISMATCH due to DRS_EXT_STRONG_ENCRYPTION not included in bind.");
}
