First, I think you're right about the secure channel for NT, but does this
apply to 9x as well?
Second, even though a bogus DC won't participate in a domain, it will still
register itself in the 1C record. Try it if you don't believe me. I also
disagree that an H-node configuration is "properly configured". NetBIOS
broadcasts only allow you to query your network segment (assuming you aren't
forwarding broadcasts). This system might work fine in a small environment,
but P-node is the only way to go for an enterprise scale operation.
David Byrne, MCSE
TIAA CREF
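As an added example (not code from either poster), the following script shows what "registering in the 1C record" and the P-node versus B-node distinction look like on the wire: it builds an RFC 1001/1002 NetBIOS name query for the DOMAIN<1C> group name (the name every domain controller registers), sends it either unicast to a WINS server (P-node style) or as a subnet broadcast (B-node style, which only reaches the local segment), and parses the positive response into the list of DC addresses. The domain name "CORP", the addresses, and the sample response are all constructed for illustration; nothing here is captured traffic.

```python
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020                   # NetBIOS general name service RR type
SUFFIX_DOMAIN_CONTROLLERS = 0x1C    # DOMAIN<1C>: group name every DC registers
# ONT bits of NB_FLAGS: 00=B, 01=P, 10=M; 11 is reserved in RFC 1002, Windows uses it for H-node
ONT_NAMES = {0: "B", 1: "P", 2: "M", 3: "H"}


def encode_netbios_name(name, suffix):
    """First-level encoding: 15-byte space-padded name + suffix byte, each byte
    split into two nibbles and each nibble added to ord('A') (32 chars total)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(domain, txid=0x1234, broadcast=False):
    """NBNS NAME QUERY REQUEST for DOMAIN<1C>. RD=1; the B bit (0x0010) is set
    only for a broadcast (B-node style) query."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    qname = b"\x20" + encode_netbios_name(domain, SUFFIX_DOMAIN_CONTROLLERS) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NB, 0x0001)  # QTYPE NB, QCLASS IN


def _read_name(data, pos):
    """Read an encoded name (or a DNS-style compression pointer); returns (new_pos, 'NAME<xx>')."""
    length = data[pos]
    if length & 0xC0 == 0xC0:
        ptr = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
        return pos + 2, _read_name(data, ptr)[1]
    name, suffix = decode_netbios_name(data[pos + 1:pos + 1 + length])
    pos += 1 + length
    while data[pos] != 0:            # skip any scope labels
        pos += 1 + data[pos]
    return pos + 1, "%s<%02X>" % (name, suffix)


def parse_name_query_response(data):
    """Parse a positive NAME QUERY RESPONSE; each NB RDATA entry is NB_FLAGS (2 bytes) + IPv4."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError("negative name query response, rcode=%d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):                     # skip echoed question entries, if any
        pos = _read_name(data, pos)[0] + 4
    entries = []
    for _ in range(an):
        pos, name = _read_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_NB:
            continue
        for i in range(0, rdlen, 6):
            nb_flags = struct.unpack(">H", rdata[i:i + 2])[0]
            entries.append({
                "name": name,
                "ip": socket.inet_ntoa(rdata[i + 2:i + 6]),
                "group": bool(nb_flags & 0x8000),          # G bit: group name (1C is a group)
                "node_type": ONT_NAMES[(nb_flags >> 13) & 0x3],
            })
    return entries


def build_sample_response(txid=0x1234):
    """Constructed positive response for CORP<1C> with two DCs (not captured traffic)."""
    rdata = b"".join(struct.pack(">H", 0xE000) + socket.inet_aton(ip)   # group, H-node
                     for ip in ("10.0.0.5", "10.0.0.6"))
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)           # response, AA, RD, RA
    rr = (b"\x20" + encode_netbios_name("CORP", SUFFIX_DOMAIN_CONTROLLERS) + b"\x00"
          + struct.pack(">HHIH", QTYPE_NB, 0x0001, 300000, len(rdata)) + rdata)
    return header + rr


def query_1c(domain, wins_server=None, timeout=3.0):
    """Send the query unicast to a WINS server (P-node) or broadcast it (B-node); returns parsed DC list."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if wins_server is None:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        target = ("255.255.255.255", NBNS_PORT)
    else:
        target = (wins_server, NBNS_PORT)
    sock.sendto(build_name_query(domain, broadcast=wins_server is None), target)
    data, _ = sock.recvfrom(1024)
    return parse_name_query_response(data)


if __name__ == "__main__":
    for entry in parse_name_query_response(build_sample_response()):
        print(entry)
```

Run `query_1c("CORP", "10.0.0.10")` (hypothetical WINS address) against a real WINS server to list every host that has registered in the domain's 1C record; the unicast path is exactly what a P-node does, while the broadcast path only ever reaches the local segment, which is the limitation the reply above points out.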
-----Original Message-----
From: Attonbitus Deus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 5:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Invalid WINS entries
It doesn't work that way. If you put a bogus BDC on the LAN, the server
service won't even start unless its computer account is verified against the
dc based on the SID. Same with putting a bogus PDC with the same domain
name... A workstation won't even set up a secure channel in the first place
unless its account is verified which must happen before the
challenge/response takes place (insofar as NtLmSsp is concerned).
Granted, you could screw with WINS a bit, but even then the IP stack will
fall back on broadcast to find a 'real' dc if you have properly configured
your node type to 0x8 (Hybrid). If you are already on the LAN to the point
of doing all this stuff, just capture SMB packets over a few days---