RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-27 Thread Rick Kingslan
True enough, Roger.  I won't in any way disagree that this was the case.
But, there have been some changes - rhetoric or not, I can't say.  But, we
were told in what is now a public transcript that the future database
technology that would be first introduced in Yukon would be pervasive
throughout the server line, and most prevalent in the AD database and the
Exchange stores. 

Granted - I know the issues with database technology and the limitations.
Hence, one of the reasons that I am so interested to see the 'preview'
release of the Longhorn code as the WinFS should be a telling factor as to
how far they really do have to go.

Now, are there going to be derivations (hence structured, unstructured)? I
suspect yes.  Clearly, the EDB that is used for NTDS is similar but not the
same as that used for Exchange.

And, do I think that exposing an interface such as what you describe for
doing the work that we do would be unwelcome?  In fact, I think that it
would have over-whelming acceptance from the Professional maintainers such
as ourselves - as long as there was the 'dumbified' interface for everyone
else and for the one-off chores.

To say the least (as if it's not always) the next few years are going to
be very interesting as these products develop.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 2:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

The actual prognostication I heard at a Windows NT5 preview (pick your date
based on *that* statement) was that we'd have two data stores - one for
structured (i.e. SQL) data and the other for unstructured (i.e. email,
files, etc) data. So, the idea was that NTFS (version ??) would handle email
storage. Think of what's out there with RIS today for SIS in a file tree -
but on a full filesystem scale.

There's a performance penalty, quite significantly so, for variable length
fields, in databases. At some point, the system bus speeds will stop being
the bottlenecks, and they'll have to consider issues like in building data
stores.

The published information has led me to believe that it's more a data storage
strategy rather than a product. I also think that there's a difference
between the front end and back end technologies, and significant benefits to
be had from building a unified front end to distinct back ends. I mean, can
you imagine building your own folders??
select mailfrom, subject, date, size from email_messages where
mailfrom = [EMAIL PROTECTED]

Or would that be:
delete from email_messages where mailfrom = [EMAIL PROTECTED]...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 26, 2003 2:29 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Add junior admin to Local workstations admin 
 grou p
 
 
 Well, let's be a bit cautious on that statement.  What I understand to 
 be the case is that: (and this is widely publicized - I was put under 
 severe NDA - then Bill Gates talked about it 1 day after I was 
 threatened within an inch of my life.)
 
 Microsoft has this new, cool DB technology that is being used in:
 
 * Yukon - the next version of SQL Server
 * Longhorn Client for the file system (WinFS)
 * Future server versions for AD database (Longhorn server, Blackcombe 
 - you figure it out)
 * Future versions of Exchange for store database
 * etc, etc, etc.
 
 Now, one might think that this is all really surprising and a sweeping 
 change.
 And, by some rights, it is.  But, if you take a look at the store and 
 AD
 (ntds) database today - they're very much the same; and strikingly 
 similar to SQL 2000.
 
 The big change is really the file system.
 
 So, to say that Exchange is going to be based on SQL, yeah, that's 
 pretty much true.  But, then, so will AD, and WinFS - but SQL will be 
 based on a base technology that is shared amongst the entire server 
 family.
 
 I haven't had the DBAs over lately trying to convince upper management 
 that they own Exchange or AD - and that's not likely to happen in the 
 next iteration, either.  Do I think that you need to get to know Yukon 
 (which will likely be the first PUBLICLY available (not beta, not
 preview) code of
 the next gen database, um.  Yeah.  That might be a really good 
 idea.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Costanzo, Ray
 Sent: Tuesday, August 26, 2003 11:53 AM
 To: [EMAIL PROTECTED]
 Subject: RE: 

RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-27 Thread Joe
Darn that Bill... I guess he didn't sign the NDA...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 26, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin
grou p


Well, let's be a bit cautious on that statement.  What I understand to
be the case is that: (and this is widely publicized - I was put under
severe NDA - then Bill Gates talked about it 1 day after I was
threatened within an inch of my life.) 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread [EMAIL PROTECTED]
Brent,

I don't think it's a good idea to store reversibly encrypted passwords
in AD, especially since they get replicated to DCs which you may not be able
to physically secure.

However, you can use the password filter DLL to intercept password changes,
and dynamically store the new passwords away somewhere safe, for use in a
RADIUS service or other system.  That is essentially what we do with our
P-Synch product -- intercept password changes in progress, apply a
supplementary quality policy, and automatically push the new password to
other systems (including other LDAP directories, passwd files on Unix,
whatever).

This approach keeps AD pristine, only introduces a small DLL on each DC,
has negligible performance impact on the domain, and lets users keep one
password on multiple systems.

You might consider using three products to get the desired effect without
turning on plaintext or reversibly encrypted passwords:

  * Your preferred RADIUS service (sounds like Steel Belted).
    (http://funk.com)

  * Microsoft's MIIS to automatically mirror the user base from AD to
    whatever Steel Belted RADIUS likes to use natively.
    (http://microsoft.com/miis/)

  * P-Synch to synchronize passwords between the two.
    (http://psynch.com)

Good luck!

-- Idan

On Tue, 26 Aug 2003, Wilhelm, Brent wrote:

 Hey everybody,

 Our network engineer is pushing us to turn on
 reverse encryption at the root level so that he can stand up a third
 party radius server against it.

 Everything that my guys (server guys) have found says not to
 do it unless you absolutely have to because it stores them in clear
 text.

 Link:
 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp

 So...  of course we don't want to flip the switch.

 Does anyone know anything else about reverse encryption that
 might be of interest?

 Does anyone know any other ways to allow a third party
 (Steel Belted Radius) to talk with the AD?

 Thanks - Brent



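Before flipping the switch Brent describes, it helps to see where reversible encryption may already be in effect. The following is an added example, not code from this thread or from any of the products Idan names. It decodes the two places the setting lives: the domain policy bit in the domain object's pwdProperties attribute (0x10, DOMAIN_PASSWORD_STORE_CLEARTEXT, which is what "Store passwords using reversible encryption" at the domain level sets) and the per-user bit in userAccountControl (0x80, ENCRYPTED_TEXT_PWD_ALLOWED), and it builds the LDAP filter that finds users carrying the per-user bit. The account names and flag values fed to it are constructed. Either bit only takes effect at the next password change, so an audit of the flags tells you who is exposed going forward, not which passwords are already stored that way.

```python
"""Audit where reversible password encryption is switched on in AD.

Added example (not from the thread).  Flag layouts are Microsoft's
documented bit values; the sample domain/user data below is constructed.
"""

# userAccountControl flags (subset)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # per-user reversible encryption
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
}

# pwdProperties flags on the domain head object
PWD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",   # "Store passwords using reversible encryption"
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_flags(value, table):
    """Names of the bits set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def reversible_encryption_filter():
    """LDAP filter for user objects with the per-user reversible-encryption bit set.
    The bitwise-AND matching rule needs the mask in decimal."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ENCRYPTED_TEXT_PWD_ALLOWED}))")


def password_stored_reversibly(pwd_properties, user_account_control):
    """True if this user's next password will be kept reversibly encrypted,
    whether by domain policy or by the per-user flag."""
    return bool(pwd_properties & DOMAIN_PASSWORD_STORE_CLEARTEXT) or \
        bool(user_account_control & ENCRYPTED_TEXT_PWD_ALLOWED)


def audit(domain_pwd_properties, users):
    """users: iterable of (sAMAccountName, userAccountControl).
    Returns [(name, reason)] for every account whose password will be stored
    reversibly; the domain policy, when on, covers everyone."""
    domain_wide = bool(domain_pwd_properties & DOMAIN_PASSWORD_STORE_CLEARTEXT)
    findings = []
    for sam, uac in users:
        if domain_wide:
            findings.append((sam, "domain policy"))
        elif uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append((sam, "userAccountControl"))
    return findings


# Constructed sample: complexity on, domain-wide cleartext storage off
SAMPLE_DOMAIN_PWD_PROPERTIES = 0x01
SAMPLE_USERS = [
    ("bwilhelm", 0x200),                      # NORMAL_ACCOUNT
    ("radiussvc", 0x200 | 0x80),              # per-user reversible encryption
    ("macuser", 0x200 | 0x10000 | 0x80),      # same, plus DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    print("domain policy:", decode_flags(SAMPLE_DOMAIN_PWD_PROPERTIES, PWD_PROPERTIES))
    for sam, reason in audit(SAMPLE_DOMAIN_PWD_PROPERTIES, SAMPLE_USERS):
        print(f"{sam}: reversible encryption via {reason}")
    print("filter:", reversible_encryption_filter())
```

Run the filter with ldp.exe or any LDAP client against the domain NC; a non-empty result is the per-user list, and pwdProperties on the domain object tells you whether the root-level switch Brent's engineer wants is already on.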


Re: [ActiveDir] Accessing share

2003-08-27 Thread Sunil Shetty
Thanks joe for suggestions.

The machine had stored the previous connection 
session in the registry, as it restores the share connection when you log in 
again. I simply disconnected the share and logged the machine in again with a new 
user/pass and it worked.

Thanks

regards,
Sunil Shetty

  - Original Message - 
  From: Joe 
  To: [EMAIL PROTECTED] 
  Sent: Tuesday, August 26, 2003 5:52 PM
  Subject: RE: [ActiveDir] Accessing share

  This really isn't an AD question and the subnets should have nothing to do with it 
  either. The domain piece is only marginally involved as well.

  Basically you are trying to make a NetBIOS connection to a machine that 
  you already have a NetBIOS connection to. The way NetBIOS (aka SMB or 
  CIFS) connections work with Windows is that you create an authenticated pipe 
  between machines and then your requests flow through that pipe. You have a 
  couple of options. 

  1. Break the previously generated connection. You should be able to do this with 
  NET USE * /DELETE. You could also do it by typing NET USE to enumerate your 
  connections and then NET USE DEVICE: /DELETE or NET USE \\machine\share /DELETE depending on how the 
  connection is set up.

  2. You can establish a new pipe using one of the other naming formats. This is 
  kind of tricky because you have to know how you are already connected, or you 
  have to try the different methods to find how you don't have a connection 
  already. Basically, somewhere internally where Windows maintains its session 
  info, its lookup is by the machine name supplied, so if you supply a different 
  format for the machine you can generally make another connection. The three 
  main formats are NetBIOS name, FQDN, and IP. The NetBIOS name is what you normally 
  call your machine when you call it by its name (and you aren't calling it a 
  cuss word) - for instance the machine I am typing this on is MAINPRO; 
  this name is resolvable via NetBIOS resolution, which depending on the PC 
  configuration could be broadcast, WINS, or an LMHOSTS file. The FQDN is the full 
  name with the domain scope attached; again in this example my machine is 
  MAINPRO.JOEHOME.COM. The FQDN is resolvable through normal IP resolution like 
  DNS or HOSTS files or broadcast, or the system can also fall back to the 
  NetBIOS methods. Finally you can use the IP address, like say 
  209.247.228.201. The IP address doesn't have to go through much name 
  resolution except to a MAC address eventually. 

  Anyway, if you don't want to break your other pipe because you don't 
  know what you will break, you can attempt to make a connection with one of the 
  other naming formats. Most likely the connection you already have is with the 
  NetBIOS name, so you can skip that one and try the others. So the different 
  types of connections would look like:

  NetBIOS name connection
  net use x: \\mainpro\sharename

  FQDN connection
  net use x: \\mainpro.joehome.com\sharename

  IP connection
  net use x: \\209.247.228.201\sharename

  Hope that helps out. The comical thing about this is that I was just quizzing 
  one of my really good friends about this type of stuff yesterday and 
  I have now totally given out the answer to a question I asked. 
  :o)

   joe
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sunil Shetty
Sent: Tuesday, August 26, 2003 5:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accessing share
hi all,

I have two machines in different subnets; one is 
logged into the domain controller and the other one is not, and now when I try 
to access the share of the one which is logged into the domain controller through the 
one which is not in the DC, it gives me the error - Credentials 
supplied conflict with existing set of credentials

Any idea, pls suggest.

regards,
Sunil Shetty
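
Joe's point that Windows keys the session on the server name exactly as typed is what makes option 2 work, and an IPC$ connection left over from browsing the server counts as a session too, which is why `net use` often shows a row with no drive letter. The following is an added example, not code from this thread: it parses `net use` output (a constructed sample is embedded) and, for a server's NetBIOS name, FQDN and IP address, returns the `net use` commands for the name forms that have no session yet, together with the `/delete` commands option 1 would use instead. `DOMAIN\user` is a placeholder for the new credentials Sunil wanted to supply.

```python
"""Decide which name form of a server is still free for a new SMB session.

Added example (not from the thread).  The `net use` output below is
constructed to look like what the Windows command prints.
"""
import re

SAMPLE_NET_USE = r"""New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           X:        \\MAINPRO\share           Microsoft Windows Network
OK                     \\MAINPRO\IPC$            Microsoft Windows Network
Disconnected Z:        \\fileserv.joehome.com\docs Microsoft Windows Network
The command completed successfully.
"""

_UNC = re.compile(r"\\\\([^\\\s]+)\\(\S+)")      # \\server\share
_DEVICE = re.compile(r"\b([A-Za-z]:)\s")          # drive letter column, if any


def parse_net_use(output):
    """Return [(device or None, server, share), ...] for each row carrying a UNC path."""
    rows = []
    for line in output.splitlines():
        m = _UNC.search(line)
        if not m:
            continue
        dev = _DEVICE.search(line[: m.start()])
        rows.append((dev.group(1).upper() if dev else None, m.group(1), m.group(2)))
    return rows


def plan_connection(rows, netbios, fqdn, ip, share, user="DOMAIN\\user"):
    """Option 2: `net use` commands for the name forms of this server that
    have no session yet.  Option 1: the `/delete` commands that would tear the
    existing sessions to this server down.  `user` is a placeholder."""
    aliases = {netbios.lower(), fqdn.lower(), ip.lower()}
    in_use = {server.lower() for _, server, _ in rows}
    connect = [
        f"net use * \\\\{name}\\{share} /user:{user}"
        for name in (netbios, fqdn, ip)
        if name.lower() not in in_use
    ]
    disconnect = [
        f"net use {dev} /delete" if dev else f"net use \\\\{server}\\{sh} /delete"
        for dev, server, sh in rows
        if server.lower() in aliases
    ]
    return connect, disconnect


if __name__ == "__main__":
    rows = parse_net_use(SAMPLE_NET_USE)
    connect, disconnect = plan_connection(
        rows, "MAINPRO", "mainpro.joehome.com", "209.247.228.201", "sharename")
    print("try one of these (option 2):")
    for cmd in connect:
        print("  " + cmd)
    print("or drop the existing sessions first (option 1):")
    for cmd in disconnect:
        print("  " + cmd)
```

Feed it the real output with `net use > out.txt` and read the file; the FQDN and IP forms only help if the client resolves them, so check DNS before assuming the second name form will connect.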


RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-27 Thread Dave Sayers
Basically you can do searches in LDP using
a DN, GUID or SID as the Base DN (GUIDs and SIDs need to be surrounded by
<GUID=...> or <SID=...> as in Joe's example below) - 
really useful in Account Unknown scenarios in the ACL Editor to
translate the SID shown to an actual group or user object. I believe that
this works simply by searching first for the object with that specific GUID or
SID and then binding to this object, rather than a container as will normally
occur in a search - but that could be wrong :-) You could also use
it to keep track of any renamed or moved security principals (SID) or any
object in the directory which may be renamed or moved (GUID).

As Joe alluded to, you can actually bind directly
to an object using its SID or GUID using ADSI as well - use GetObject("LDAP://<SID=...>")
or GetObject("LDAP://<GUID=...>").

HTH

Cheers
Dave
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: 26 August 2003 23:30
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

You know after rereading this thread I
realize that they weren't doing a SID BIND... They were doing a Search with a
BASEDN of a SID. That isn't something I have seen... I saw the formatting of
the string and associated it with a SID Bind and went on my merry way... So I
am now wondering all sorts of things... Not that doing a base dn of a SID will
be extremely useful or at least I can't see it as such except for maybe for
vbscript or other script languages that don't support decent LDAP search calls
and you have to muck around in ADO. 

So the SID Bind part I was talking about
is part of ADSI, the SID BaseDN thing is I don't know what though I wonder if
LDP just changes it to a direct Bind. I guess it would take a network trace of
it going to see what it really ends up doing. If my lab wasn't in complete
disarray right now I would take a swing at that. However it is and I ain't...
No research in this lab until I can flop down in the bean bag couch on the
floor with my books and connect to the world via High Speed... I hate dialup.
(Note: Read this slowly so my 26.4k connection doesn't stumble...). 

 joe

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 25, 2003 5:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

No problem, you wrote the good book, I simply mention it.

SID Bind is like the GUID bind using the
LDAP provider of ADSI. Only part of ADSI 2.5+ I believe. I am not the big
consumer of ADSI, just recall running into it several times, google for
LDAP://<SID= for code examples.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 1:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Hey Joe,

Wow, thanks for the compliment dude.

Is the SID bind part of the ADSI ADsPath
syntax, or is it something supported in LDP? I haven't seen it before as part
of ADSI.

-g

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 23, 2003 7:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

This is an adsi thing and is called a SID
Bind, you can also do a GUID bind in a similar manner. If you are using LDAP
API instead of ADSI you need to encode the sid back into an octet string and do
the search with it. Check out Gil Kirkpatrick's Programming Active Directory as
he has some good info on this type of schtuff. Actually if you are doing any AD
programming, get that book. Gil rocks. :op

 joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y

From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Why not use LDP and set it like this:

Base DN: <SID=S-1-5-21-709049380-3306950797-3746505139>
Filter: (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain.)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB
CEO & Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID? My query looks like this: 
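
Three ways of reaching an object by SID come up in this thread: Jimmy's LDP base DN `<SID=S-1-5-...>`, Dave's ADSI bind path `LDAP://<SID=...>`, and Joe's advice for the raw LDAP API to turn the SID back into an octet string and search on objectSid. The following is an added example, not code from the thread or from Gil's book: it converts between string and binary SIDs, produces the RFC 4515-escaped objectSid filter and both bind-path forms (string SID and hex of the binary SID), and splits a SID into domain SID and RID so an "Account Unknown" SID in the ACL editor can at least be tied to the domain it came from. Jimmy's SID is reused as input; the well-known Administrators SID S-1-5-32-544 serves as a known-answer check.

```python
"""String SID <-> binary SID, plus the LDAP forms used to look one up.

Added example (not from the thread).  Binary SID layout: revision (1 byte),
sub-authority count (1 byte), 48-bit identifier authority big-endian,
then each 32-bit sub-authority little-endian.
"""
import struct

JIMMY_SID = "S-1-5-21-709049380-3306950797-3746505139"   # from Jimmy's LDP example
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"                   # well-known SID, known-answer check


def sid_to_bytes(sid):
    """'S-1-5-21-a-b-c' -> binary SID.  Rejects anything that is not a
    revision-1 SID with at most 15 sub-authorities."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    auth = parts[2]
    authority = int(auth, 16) if auth.startswith("0X") else int(auth)
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or len(subs) > 15 or authority >= 1 << 48
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError(f"malformed SID: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes; refuses truncated or padded values."""
    if len(blob) < 8:
        raise ValueError("binary SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def ldap_escape(blob):
    """RFC 4515 escaping: each byte as a backslash followed by two hex digits."""
    return "".join(f"\\{b:02x}" for b in blob)


def objectsid_filter(sid):
    """Equality filter on objectSid for the plain LDAP API (what Joe describes)."""
    return f"(objectSid={ldap_escape(sid_to_bytes(sid))})"


def sid_bind_paths(sid):
    """ADSI/LDP base-DN forms: the SID as a string, and as hex of the binary SID."""
    return f"LDAP://<SID={sid}>", f"LDAP://<SID={sid_to_bytes(sid).hex()}>"


def split_domain_rid(sid):
    """Domain SID and RID, e.g. S-1-5-21-...-1105 -> ('S-1-5-21-...', 1105)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


if __name__ == "__main__":
    print(objectsid_filter(JIMMY_SID))
    print(*sid_bind_paths(JIMMY_SID), sep="\n")
    print(split_domain_rid(JIMMY_SID + "-500"))
```

The filter string goes into `ldap_search_s`/`ldapsearch` as-is; the bind paths go into `GetObject` in ADSI or the Base DN field in LDP. For a SID harvested from the ACL editor, `split_domain_rid` tells you which domain's DC (or sIDHistory) to ask before you start searching.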

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
It's absolutely going to be a fun ride, that's for sure.

I'm VERY interested in seeing how they choose to overcome the inherent
limitations in the structured vs. unstructured debate. I'm starting to be
of the opinion that structured data storage is going the way of the dodo -
again because of increases in raw horsepower, the speed benefit provided by
structured storage might no longer be worth the distinction.

That being said, technically NTFS IS structured storage - I burn a cluster
no matter how small the amount of data being stored. So that begs the
questions of can we make everything fit into a reasonable structured
storage model? (answer is obviously yes) and Can we make the structure
modifiable? (I'd assume yes).

The latter question is akin to saying Can we make hard drive clusters in
different sizes? That's been done for 20+ years, IIRC. So maybe the future
engine is SQL server with variable page sizes rather than fixed 8k pages.
Maybe going as far as different page sizes per database - where a database
could be a file system or anything else for that matter.

Interesting indeed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, August 26, 2003 6:15 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Add junior admin to Local 
 workstations admin grou p
 
 
 True enough, Roger.  I won't in any way disagree that this 
 was the case.
 But, there have been some changes - rhetoric or not, I can't 
 say.  But, we
 were told in what is now a public transcript that the future database
 technology that would be first introduced in Yukon would be pervasive
 throughout the server line, and most prevalent in the AD 
 database and the
 Exchange stores. 
 
 Granted - I know the issues with database technology and the 
 limitations.
 Hence, one of the reasons that I am so interested to see the 'preview'
 release of the Longhorn code as the WinFS should be a telling 
 factor as to
 how far they really do have to go.
 
 Now, are there going to be derivations (hence structured, 
 unstructured)? I
 suspect yes.  Clearly, the EDB that is used for NTDS is 
 similar but not the
 same as that used for Exchange.
 
 And, do I think that exposing an interface such as what you 
 describe for
 doing the work that we do would be unwelcome?  In fact, I 
 think that it
 would have over-whelming acceptance from the Professional 
 maintainers such
 as ourselves - as long as there was the 'dumbified' interface 
 for everyone
 else and for the one-off chores.
 
 To say the least (as if it's not always) the next few 
 years are going to
 be very interesting as these products develop.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Tuesday, August 26, 2003 2:34 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Add junior admin to Local 
 workstations admin grou p
 
 The actual prognostication I heard at a Windows NT5 preview 
 (pick your date
 based on *that* statement) was that we'd have two data stores 
 - one for
 structured (i.e. SQL) data and the other for unstructured (i.e. email,
 files, etc) data. So, the idea was that NTFS (version ??) 
 would handle email
 storage. Think of what's out there with RIS today for SIS in 
 a file tree -
 but on a full filesystem scale.
 
 There's a performance penalty, quite significantly so, for 
 variable length
 fields, in databases. At some point, the system bus speeds 
 will stop being
 the bottlenecks, and they'll have to consider issues like in 
 building data
 stores.
 
 The published information has led me to believe that it's more 
 a data storage
 strategy rather than a product. I also think that there's a difference
 between the front end and back end technologies, and 
 significant benefits to
 be had from building a unified front end to distinct back 
 ends. I mean, can
 you imagine building your own folders??
   select mailfrom, subject, date, size from email_messages where
 mailfrom = [EMAIL PROTECTED]
 
 Or would that be:
   delete from email_messages where mailfrom = 
 [EMAIL PROTECTED]...
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, August 26, 2003 2:29 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Add junior admin to Local 
 workstations admin 
  grou p
  
  
  Well, let's be a bit cautious on that statement.  What I 
 understand to 
  be the case is that: (and this is widely publicized - I was 
 put under 
  severe NDA - then Bill Gates talked about it 1 day after 

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Roger Seielstad
Well, Win2k and later include the Internet Authentication Service, which IS RADIUS for 
Windows using AD as the database. I believe RADIUS servers can be chained (a la 
LDAP referrals) as well.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Wilhelm, Brent [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root 
level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you 
absolutely have to because it stores them in clear text.

Link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp

So... of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of 
interest?

Does anyone know any other ways to allow a third party (Steel Belted 
Radius) to talk with the AD?

Thanks - Brent


RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
You're not looking under the right rocks for the Exchange talent then ;) 
There is a significant percentage of "Exchange admins" out there that don't 
understand it, but there are some really, really sharp ones who understand it 
quite well.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

H Not sure I can stand behind that *best* statement without 
listing caveats until next April. Also I can't seem to find many people who 
really understand it other than when to toss the chicken bones around which I 
don't consider truly understanding. Most of the responses we get when asking 
questions like WHY about Exchange are responses of JUST BECAUSE or BECAUSE PSS 
SAYS SO. 

Personally I kind of liked MSDOS and the built in BASIC Interpreter - 
Go Bill!. :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 11:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Scary part is that Exchange is still one of the best products 
Microsoft's ever put out. Just takes someone who really understands it to 
run it..

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Seems like someone should invent a lotion or something to help with Exchange... I mean come on we 
have lotions for poison ivy and rashes and other nasty annoyances... 

Hello Dr... I have a really 
nasty case of Exchange 2K, it really itches, can you help me out 
here?

:op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

See, here's the part you don't get - I AM the Exchange admin.

I think the ratio was actually a bit higher - like 900 DL's to 
1200 Users, or something close to that.

I'm still cleaning up that mess, and that was two Exchange orgs ago!

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 25, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Roger!

Hah! Got you beat! We've got exactly two Dist Groups PER USER! And, 90% of them are 
Unis! Our Exchange Admins are just THAT good!

(I finally outdid Roger on something!) 

Yes - this is completely all tongue Firmly in Cheek

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You don't have Ex Dist Groups??

At one point I had 1 DL for every 1.25 users.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We don't let the ADC create groups. Our 5.5 Architecture 
doesn't really use Dist Groups. 

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of SIDs in
the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than 120),
it sounds like you'll have to increase the MaxTokenSize value in your
environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825) 

As you'll be authenticated via Kerberos on the Server you're trying to join
to AD at the time of joining it, I'd try to change the MaxTokenSize
value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group which further
decreases the number of real groups your Kerberos ticket will be able to
accept by default to approx. 60.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Dienstag, 26. August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.  The
error was:

The Parameter is incorrect

We narrowed it down to the fact that the admins with problems had a large
number of nested group memberships (400+).  If we removed the group
memberships the admin could join the server to the domain with no problem.
We opened a call with Microsoft PSS, who advised us to install the hotfix
mentioned in 
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the problem
again, albeit intermittently.  We re-opened the case with PSS and they have
advised us that the problem is due to the accumulation of too many SIDs in
the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
no workaround apparently, this is behaviour by design.  

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating not
knowing the true cause behind the issue.  The only thing we know is that it
has something to do with the size of the access token, but no real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony
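
What MaxTokenSize bounds is the buffer for the Kerberos ticket, whose authorization data (the PAC) carries the group SIDs, and the size depends on the kind of group, not only on the count. The following is an added example, not code from the thread: it applies the estimate from KB 327825 (the article Tony and Guido cite), TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and sIDHistory entries and s counts global groups and universal groups from the user's own domain, and compares the result against MaxTokenSize (REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; 12000 bytes, the Windows 2000 SP2 / Server 2003 default, is assumed here) and against the 1015-SID access-token limit from KB 275266, which MaxTokenSize does not lift. The group counts are constructed; 400 echoes the figure in Tony's message, and the sIDHistory case is Guido's doubling point.

```python
"""Estimate Kerberos token size against MaxTokenSize (KB 327825 formula).

Added example (not from the thread).  Constants are the figures from the two
KB articles the thread cites; group counts passed in are constructed.
"""

TICKET_OVERHEAD = 1200           # fixed bytes the KB estimate assumes per ticket
DOMAIN_LOCAL_COST = 40           # per domain-local group, foreign universal group, or sIDHistory SID
GLOBAL_COST = 8                  # per global group or same-domain universal group
DEFAULT_MAX_TOKEN_SIZE = 12000   # Lsa\Kerberos\Parameters\MaxTokenSize default (Win2k SP2 / 2003)
MAX_TOKEN_SIZE_CEILING = 65535   # KB 327825: do not set MaxTokenSize above this
MAX_SIDS_IN_TOKEN = 1015         # KB 275266 access-token limit; unaffected by MaxTokenSize


def estimate_token_size(domain_local=0, universal_foreign=0, sid_history=0,
                        global_groups=0, universal_local=0):
    """KB 327825 estimate: 1200 + 40*d + 8*s."""
    d = domain_local + universal_foreign + sid_history
    s = global_groups + universal_local
    return TICKET_OVERHEAD + DOMAIN_LOCAL_COST * d + GLOBAL_COST * s


def check(max_token_size=DEFAULT_MAX_TOKEN_SIZE, **groups):
    """(estimated size, fits?, reason).  The SID-count limit is checked first
    because raising MaxTokenSize cannot fix it."""
    size = estimate_token_size(**groups)
    sids = sum(groups.values())
    if sids > MAX_SIDS_IN_TOKEN:
        return size, False, f"{sids} SIDs exceeds the {MAX_SIDS_IN_TOKEN}-SID access-token limit"
    if size > max_token_size:
        return size, False, f"estimated {size} bytes exceeds MaxTokenSize {max_token_size}"
    return size, True, "ok"


def max_groups_for(max_token_size=DEFAULT_MAX_TOKEN_SIZE, cost=DOMAIN_LOCAL_COST):
    """Largest number of groups of one cost class that fits the estimate."""
    return (max_token_size - TICKET_OVERHEAD) // cost


def required_max_token_size(**groups):
    """Smallest MaxTokenSize, rounded up to the next 1000 bytes, that fits
    the estimate, capped at the KB ceiling."""
    size = estimate_token_size(**groups)
    return min(-(-size // 1000) * 1000, MAX_TOKEN_SIZE_CEILING)


if __name__ == "__main__":
    # Tony's 400 nested memberships, if they were all domain-local groups
    print(check(domain_local=400))
    # ...and if they were all global groups
    print(check(global_groups=400))
    # Guido's point: migrated groups with sIDHistory count twice
    print(check(domain_local=150, sid_history=150))
    print("domain-local groups that fit the default:", max_groups_for())
    print("MaxTokenSize needed for 400 domain-local groups:",
          required_max_token_size(domain_local=400))
```

Count the groups with the membership actually expanded (nested and sIDHistory included), set the value on the machine doing the authenticating, as Guido says, and remember that above 1015 SIDs no registry value helps; the only fix there is fewer groups.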


RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Michael B. Smith
If you are using a non-Windows RADIUS client with IAS, or the client software only 
supports PAP or CHAP, the passwords for the users must be stored reversibly 
encrypted.

It's also required if a Macintosh is using remote access.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 27, 2003 7:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords

Well, Win2k and later include the Internet Authentication Service, 
which IS RADIUS for Windows using AD as the database. I believe RADIUS servers 
can be chained (a la LDAP referrals) as well.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Wilhelm, Brent [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root 
level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless 
you absolutely have to because it stores them in clear text.

Link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp

So... of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of 
interest?

Does anyone know any other ways to allow a third party (Steel Belted 
Radius) to talk with the AD?

Thanks - Brent


RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-27 Thread Joe
We have MCS and MSPSS Alliance Premier. I realize we have a large unusual 
non-homogeneous environment but we have encountered many who say it isn't a 
problem until they get into it and then realize the questions we ask aren't 
questions normally asked and that we don't just give out tons of rights and 
permissions to anyone who needs it. 

I guess one I'll ask you right off is how do you reconnect a mailbox 
that was disconnected w/o using the GUI? I.E. Something scriptable in E2K. 
We have hundreds of thousands of users with mailboxes and many leave and come 
back and so forth. Any answer for any problem that involves the GUI is almost 
always immediately wrong. Yet, there are very few docs on how to do everything 
an E2K admin would have to do without using the GUIs to do it. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 7:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You're not looking under the right rocks for the Exchange talent then 
;) There is a significant percentage of "Exchange admins" out there that don't 
understand it, but there are some really, really sharp ones who understand it 
quite well.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

H Not sure I can stand behind that *best* statement without 
listing caveats until next April. Also I can't seem to find many people who 
really understand it other than when to toss the chicken bones around which 
I don't consider truly understanding. Most of the responses we get when 
asking questions like WHY about Exchange are responses of JUST BECAUSE or 
BECAUSE PSS SAYS SO. 

Personally I kind of liked MSDOS and the built in BASIC Interpreter - 
Go Bill!. :op



  
  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
  SeielstadSent: Tuesday, August 26, 2003 11:05 AMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Add 
  junior admin to Local workstations admin grou p
  Scary part is that Exchange is still one of the best products 
  Microsoft's ever put out. Just takes someone who really understands it to 
  run it..
  
  
  -- 
  Roger D. 
  Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
  Inovis 
  Inc. 
  

-Original Message-From: Joe 
[mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 
8:15 AMTo: [EMAIL PROTECTED]Subject: 
RE: [ActiveDir] Add junior admin to Local workstations admin grou 
p

Seemslike someone 
invent a lotion or something to help with Exchange... I mean come on we 
have lotions for poison ivy and rashes and other nasty annoyances... 


Hello Dr... I have a really 
nasty case of Exchange 2K, it really itches, can you help me out 
here?

 
:op


-Original 
Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger 
SeielstadSent: Tuesday, August 26, 2003 7:12 AMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Add 
junior admin to Local workstations admin grou 
p

  See, here's the part you don't get - I AM the Exchange 
  admin.
  
  I think the ratio was actually a bit higher - like 900 DL's to 
  1200 Users, or something close to that.
  
  I'm still cleaning up that mess, and that was two Exchange orgs 
  ago!
  
  -- 
  Roger D. 
  Seielstad - MTS MCSE MS-MVP Sr. Systems 
  Administrator Inovis Inc. 
  

-Original Message-From: Rick 
Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, August 
25, 2003 5:30 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Add 
junior admin to Local workstations admin grou p
Roger!

Hah! Got you beat! We've 
got exactly two Dist Groups PER USER! And, 90% of them are 
Unis! Our Exchange Admins are just THAT 
good!

(I finally outdid Roger on 
something!) 

Yes - this is completely 

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Roger Seielstad
By extension, if you've got nested groups that carry SID-history baggage,
does that mean that you're further limited? In other words, a nested group
pair, where both groups have SID history defined, takes 4 token slots?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 27, 2003 7:41 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Problems with too many nested group memberships
 
 
 Tony, I believe that the 1000 SID limit is only relevant for NTLM
 authentication - the Kerberos ticket accepts a far smaller number of SIDs in
 the Token by default (roughly 120).
 
 With the number of group-memberships that you have (likely more than 120),
 it sounds like you'll have to increase the MaxTokenSize value in your
 environment (even after applying the fix
 http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)
 
 As you'll be authenticated via Kerberos on the Server you're trying to join
 to AD at the time of joining it, I'd try to change the MaxTokenSize value in
 the registry on the server itself PRIOR to joining it to AD.
 
 Also - have the groups which the user is a member of been migrated with
 SID-History?  In this case you'll have 2 SIDs per group which further
 decreases the number of real groups your Kerberos ticket will be able to
 accept by default to approx. 60.
 
 /Guido
 
 -Original Message-
 From: Tony Murray [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 26 August 2003 16:16
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Problems with too many nested group memberships
 
 I'm hoping someone can shed some light on this.
 
 The background
 
 A while ago some admins had problems joining servers to an AD domain.  The
 error was:
 
 The Parameter is incorrect
 
 We narrowed it down to the fact that the admins with problems had a large
 number of nested group memberships (400+).  If we removed the group
 memberships the admin could join the server to the domain with no problem.
 We opened a call with Microsoft PSS, who advised us to install the hotfix
 mentioned in
 http://support.microsoft.com/default.aspx?scid=kb;[LN];327825
 
 We duly installed the hotfix on all DCs.  Now it seems we have the problem
 again, albeit intermittently.  We re-opened the case with PSS and they have
 advised us that the problem is due to the accumulation of too many SIDs in
 the access token
 (http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
 no workaround apparently; this is behaviour by design.
 
 The problem I have with this is that, even with nesting, the problem
 accounts are members of far fewer than the 1000 groups mentioned in the KB
 article.  This is still open with PSS.
 
 Obviously, we have a workaround to the problem, but it is frustrating not
 knowing the true cause behind the issue.  The only thing we know is that it
 has something to do with the size of the access token, but no real detail.
 
 Anyone come across the same (or similar) problem?  Any pointers?
 
 Tony


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
I agree on cleaning up the SID histories. Also, the number of groups you
are in before you break can vary greatly based on where in the forest
the groups are located. One of the fixes implemented changes how the
group information is stored in the token: if the groups are all local to
the domain the user is in, then only the RID is needed; however, if the
groups are from other domains, the entire SID is stored. This would be
the difference in space usage of something like:

S-1-5-21-1275210071-789336058-1957994488-3146
and
3146





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of
SIDs in the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than
120), it sounds like you'll have to increase the MaxTokenSize value in
your environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)

As you'll be authenticated via Kerberos on the Server you're trying to
join to AD at the time of joining it, I'd try to change the MaxTokenSize
value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group which further
decreases the number of real groups your Kerberos ticket will be able
to accept by default to approx. 60.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 26 August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.
The error was:

The Parameter is incorrect

We narrowed it down to the fact that the admins with problems had a
large number of nested group memberships (400+).  If we removed the
group memberships the admin could join the server to the domain with no
problem. We opened a call with Microsoft PSS, who advised us to install
the hotfix mentioned in
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the
problem again, albeit intermittently.  We re-opened the case with PSS
and they have advised us that the problem is due to the accumulation of
too many SIDs in the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There
is no workaround apparently; this is behaviour by design.

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating
not knowing the true cause behind the issue.  The only thing we know is
that it has something to do with the size of the access token, but no
real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony


RE: [ActiveDir] authoritative GPO restore

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
You should even be able to restore a single GPO without an authoritative
restore of the whole database (very bad idea to do this, if you don't
absolutely need to) - but your problem will be documentation: you will need
the GUID of the GPO to address its GPC in the System\Policies container
during the authoritative restore via NTDSutil.

As you'll previously have restored the system state, you should also find
the matching GPT folder back in SysVol, but you can't simply make this
authoritative.  So you can copy this folder to a temp-location outside of
SYSVOL prior to booting the DC - and then copy it back to SYSVOL after the
boot process completes (this makes the folder authoritative for FRS, which
will then also re-copy it out to the other DCs; same as what is happening
with the GPC after the authoritative restore).

But although it's a nice exercise, I haven't tried it myself and I would
also not go down this path for a single GPO restore.  Instead you have to
make sure you get your reporting and documentation for GPO management right
- if you know what settings were applied within a certain GPO, it's much
easier to simply recreate the GPO than to go through the described restore
hassle. Related files (like application binaries) should not be stored
within the GPO itself anyway; so you shouldn't lose these when you
accidentally delete a GPO.

Even with GPMC (obviously a good addition to GPO mgmt - however, it's not as
if there weren't other similarly powerful tools available before...),
although you can backup and restore GPOs rather easily, you won't get around
having a good documentation (e.g. regular reports on your GPOs) as GPMC
doesn't restore the GPO links themselves.  You still have to know which OUs
your GPO was applied to and if you use Win2003 you also still have to know
which WMI filters were applied (these are also not stored as part of the GPO
itself).

So there is really no way around good documentation - and if you have it,
you might as well leverage it to recreate an accidentally deleted GPO.

/Guido


-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Monday, 18 August 2003 17:24
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] authoritative GPO restore 

Rick, please excuse the whinge

borne out of a bit of frustration I am afraid !!

am needing to write procedural documents for what I would regard as a fairly
simple task (and given issues we have with allowed run list policy values
not unlikely either !!)

ie restore of an inadvertently (or otherwise !) deleted or corrupt GPO

not unreasonable to have had functionality equiv to GPMC in win2k ??

duly noted on GPMC - will recommend to deploy as soon as possible

without GPMC, it seems there are all sorts of interdependencies on AD
objects / SYSVOL file system objects which need to be got right when
restoring a GPO

was looking to seek the views of others on the procedure for this restore
say of a single GPO ??

as per my original mail;

1. DS restore mode

2. restore of what sysvol file system directories / system state to original

3. restore (what ?) to alternate location

4. ntdsutil - run authoritative restore (seems only to apply to AD objects)

5. copy certain file system directories (policies / scripts ??) to original
location

Thanks for your help throughout

GT


- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 18, 2003 2:34 PM
Subject: RE: [ActiveDir] authoritative GPO restore


 Graham,

 Though I don't totally disagree, I'm not sure what part of the picture is
 missing to cause you to make a statement such as:

 Microsoft seem incapable of delivering finished products !

 The GPMC *does* make it much easier - and I have been a big champion on
 this product, and is by far the preferred method.  But, before GPMC (6 years
 before, in fact) we have survived quite well with Auth Restore, Systems
 State restore, and Data backup restores.

 What part of the picture am I missing that would indicate Microsoft missed
 the boat on restoring GPOs in your case?

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Monday, August 18, 2003 3:05 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] authoritative GPO restore

 Darren, thanks for the very informative post reply.

 you seem only to confirm my views of what should be a relatively simple
 task is not so - although happy to see this complexity reduced with GPMC,
 it does nothing to dispel my opinion that Microsoft seem incapable of
 delivering finished products !

 Thanks again

 GT
 - Original Message -
 From: Darren Mar-Elia [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, August 17, 2003 9:30 PM
 Subject: RE: [ActiveDir] authoritative GPO restore


 Graham-
 You're 

[ActiveDir] SP4 question

2003-08-27 Thread Jon Hicks/MIS/HQ/KEMET/US

I have heard mixed opinions on whether or not installing Win2k SP4 breaks
the MS03-026 patch. Does anyone have any links to docs from MS about this
subject? NTBUGTRAQ posted some reports from people that SP4 did break the
patch, but later found it to be untrue.

Thanks


Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]




RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Tony Murray
Thanks Joe and Guido

All the groups are in the same domain.  No SIDHistory with either the user account or 
the groups.

We have tried changing the MaxTokenSize value on the member server before the join, 
but it doesn't appear to make any difference.

The really strange thing is that the joins sometimes work and sometimes don't.  This 
happens even when using a test machine (VMWare, bridged networking) and the same 
account (and same group memberships).

We are going down the NetMon route now to try and see what the difference is between 
the working and non-working joins.  Only problem is that we are in a join always 
works phase right now!  Argghgh.

Tony
-- Original Message --
From: Joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 27 Aug 2003 08:10:55 -0400

I agree on cleaning up the SID histories. Also, the number of groups you
are in before you break can vary greatly based on where in the forest
the groups are located. One of the fixes implemented changes how the
group information is stored in the token: if the groups are all local to
the domain the user is in, then only the RID is needed; however, if the
groups are from other domains, the entire SID is stored. This would be
the difference in space usage of something like:

S-1-5-21-1275210071-789336058-1957994488-3146
and
3146


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of
SIDs in the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than
120), it sounds like you'll have to increase the MaxTokenSize value in
your environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)

As you'll be authenticated via Kerberos on the Server you're trying to
join to AD at the time of joining it, I'd try to change the MaxTokenSize
value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group which further
decreases the number of real groups your Kerberos ticket will be able
to accept by default to approx. 60.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 26 August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.
The error was:

The Parameter is incorrect

We narrowed it down to the fact that the admins with problems had a
large number of nested group memberships (400+).  If we removed the
group memberships the admin could join the server to the domain with no
problem. We opened a call with Microsoft PSS, who advised us to install
the hotfix mentioned in
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the
problem again, albeit intermittently.  We re-opened the case with PSS
and they have advised us that the problem is due to the accumulation of
too many SIDs in the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There
is no workaround apparently; this is behaviour by design.

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating
not knowing the true cause behind the issue.  The only thing we know is
that it has something to do with the size of the access token, but no
real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony
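Joe's RID-versus-full-SID point and Guido's MaxTokenSize and SID-history advice can be put into numbers with the estimate published in KB 327825, the hotfix article this thread cites: TokenSize = 1200 + 40d + 8s, where d counts entries carried as a full SID (domain local groups, universal groups from outside the account domain, and every SID-history entry) and s counts entries carried by RID only (global and universal groups in the account domain). The Python script below is an added example, not code from any poster. The 12000-byte default MaxTokenSize it assumes is the post-hotfix value described in that KB and should be checked against your own build; the group counts are constructed to mirror Tony's 400-group scenario and Guido's SID-history case. Guido's "roughly 120" and "approx. 60" figures are rules of thumb, not outputs of this formula.

```python
"""Estimate the Kerberos access-token size a user's group memberships produce,
using the estimate given in KB 327825 (cited in this thread):

    TokenSize = 1200 + 40*d + 8*s

Added example for this thread, not code from any poster.  The scenarios at the
bottom are constructed to mirror the ones the thread discusses.
"""

TICKET_OVERHEAD = 1200          # fixed part of the KB 327825 estimate
FULL_SID_ENTRY = 40             # bytes per group carried as a full SID (the "d" term)
RID_ONLY_ENTRY = 8              # bytes per group carried as a RID (the "s" term)
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumed post-hotfix MaxTokenSize default; check your build


def sid_binary_length(sid):
    """Bytes a textual SID occupies in binary form.

    Binary layout: revision (1) + sub-authority count (1) + identifier
    authority (6) + 4 bytes per sub-authority.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % (sid,))
    sub_authorities = len(parts) - 3   # drop 'S', revision, identifier authority
    return 8 + 4 * sub_authorities


def rid_of(sid):
    """The relative identifier is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def estimate_token_size(rid_only_groups, full_sid_groups, sid_history_entries=0):
    """Apply the KB 327825 formula to the three kinds of token entries."""
    d = full_sid_groups + sid_history_entries   # each SID-history entry is a full SID
    s = rid_only_groups
    return TICKET_OVERHEAD + FULL_SID_ENTRY * d + RID_ONLY_ENTRY * s


def fits(token_size, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """True when the estimate stays within MaxTokenSize."""
    return token_size <= max_token_size


def groups_that_fit(bytes_per_entry, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """How many entries of one kind fit before the estimate exceeds MaxTokenSize."""
    return (max_token_size - TICKET_OVERHEAD) // bytes_per_entry


if __name__ == "__main__":
    example_sid = "S-1-5-21-1275210071-789336058-1957994488-3146"   # the SID Joe quoted
    print("full SID is %d bytes; the RID alone (%d) is a 4-byte value"
          % (sid_binary_length(example_sid), rid_of(example_sid)))

    # Constructed scenarios (counts chosen for this example).
    same_domain = estimate_token_size(rid_only_groups=400, full_sid_groups=0)
    other_domains = estimate_token_size(rid_only_groups=0, full_sid_groups=400)
    with_history = estimate_token_size(rid_only_groups=400, full_sid_groups=0,
                                       sid_history_entries=400)
    for label, size in [("400 global groups, own domain", same_domain),
                        ("400 groups from other domains", other_domains),
                        ("400 own-domain groups + SID history", with_history)]:
        print("%-40s %6d bytes  fits=%s" % (label, size, fits(size)))
    print("entries that fit by RID: %d, by full SID: %d"
          % (groups_that_fit(RID_ONLY_ENTRY), groups_that_fit(FULL_SID_ENTRY)))
```

Running it shows why location matters: 400 global groups in the user's own domain estimate to 4400 bytes, the same 400 groups from other domains to 17200, and 400 own-domain groups each dragging a SID-history entry to 20400, against a 12000-byte ceiling. The estimate is only that; Tony's intermittent failures with the same account and the same memberships are exactly the kind of case the formula cannot explain on its own, which is why a network capture of a working and a failing join, as he proposes, is the right next step.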


RE: [ActiveDir] SP4 question

2003-08-27 Thread Hutchins, Mike



which one came out first chronologically?


From: Jon Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks the MS03-026 patch. Does anyone have any links to docs from MS about this subject? NTBUGTRAQ posted some reports from people that SP4 did break the patch, but later found it to be untrue. Thanks


Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


[ActiveDir] Terminal Services and domain credentials Win2k3-Win2k

2003-08-27 Thread Wilkinson, Stephen
This may be slightly off-topic, but we are seeing something odd in our environment: when we try to connect via terminal services (any client) to a host in a Windows 2000 (SP4) Active Directory domain with an account from a W2003 Active Directory domain, the domain credentials do not pass through, i.e. if we fire up mstsc, select options and put in the username, password and domain name, TS will connect to the machine then try to logon locally (with the supplied account name and password) and not onto the specified domain. It is as if it is ignoring the domain name supplied, only if it is a Windows 2003 domain.

All domains are fully trusted (2 way) and it is reproducible with W2003 - W2000 only. We can reproduce in our lab as well on a test W2003 AD. However if we use NT4 domain account credentials or W2000 account credentials all is well. It is not dependent on which domain the source host is a member of, purely the domain which the account's credentials are from.

Has anyone seen this or can anyone spend 5 mins to see if they can reproduce?
This is causing us real headaches as we cannot pass-through authenticate to our Citrix farms - so we cannot migrate to our Windows 2003 AD until we have a solution, so any help gratefully received.

Logged with PSS but as yet no response.


Thanks in advance



Stephen Wilkinson

Tel +44(0)207 4759276
Mobile +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]




--
If you have received this e-mail in error or wish to read our e-mail 
disclaimer statement and monitoring policy, please refer to 
http://www.drkw.com/disc/email/ or contact the sender.
--




RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan



John,

Show him the statement from TruSecure. Microsoft is not going to respond to it, as they denied that it was a problem from day one. Russ so much as admits this and the problem is now history. If your boss will not accept Russ Cooper's retraction as stated, then I doubt that a statement from Microsoft would be authoritative either. Me, I'd prefer to have a statement from the discoverer rather than an affected party - Microsoft - who has much to lose if they are shown to have a faulty patch.

Hope this helps


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US
Sent: Wednesday, August 27, 2003 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

SP4 was released first. I ran a test on a few servers running SP3 that have the MS03-026 patch applied and I then installed SP4 and ran a DCOM vulnerability scanner against them and they still showed as patched, so it appears not to affect the patch. I was just looking for something from Microsoft to appease my boss; they always want something from MS to make them feel better about things.


Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


"Hutchins, Mike" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/27/2003 09:29 AM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] SP4 question

which one came out first chronologically?

From: Jon Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks the MS03-026 patch. Does anyone have any links to docs from MS about this subject? NTBUGTRAQ posted some reports from people that SP4 did break the patch, but later found it to be untrue. Thanks


Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan



Rod,

With all due respect, did I somehow indicate otherwise? If I miscommunicated the message, I'd appreciate guidance on how to better answer a question of this type.

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Wednesday, August 27, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

SP4 DOES NOT reintroduce the vulnerability.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 27, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

Given that Russ Cooper did the original study that presented the incomplete / incorrect information that Brian Livingston reported on, going back to Russ is likely the correct step. Russ has since retracted and corrected his findings. This correction can be found as well on NTBUGTRAQ or the TruSecure site.

Regardless - SP4 does NOT negate / remove MS03-026, but please check with NTBUGTRAQ to be 100% certain. Or, better yet - do as I did when confronted with this. Conduct your own study! :-)


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US
Sent: Wednesday, August 27, 2003 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks the MS03-026 patch. Does anyone have any links to docs from MS about this subject? NTBUGTRAQ posted some reports from people that SP4 did break the patch, but later found it to be untrue. Thanks


Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Rick Kingslan



Brent,

I can't even imagine why your Network Engineer would think that you need to enable Reverse Encryption for SBR to work. Your first question should be "Do you REALLY know what you're doing?" SBR does NOT require this setting - at least the current version(s), including the past couple of years. I've implemented SBR and know this isn't necessary.

How / what is this being implemented for? PKI is available, as is EAP-TLS (specifically for the WiFi environment).

SBR communicates with AD via the services that are installed. Look here for a bit more information on install, but you are 100% correct for resisting Reverse Encryption. RE is bad - very bad.

http://www.funk.com/subsections/sbrtechnotes.asp


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilhelm, Brent
Sent: Tuesday, August 26, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:
http://msdn.microsoft.com/library/default.asp?url=""

So of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know of any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks -
Brent
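Michael's reply earlier in this thread lists the cases where reversible encryption is genuinely required (non-Windows RADIUS clients against IAS that only speak PAP or CHAP, Macintosh remote access), and Rick's reply above says SBR is not one of them. Either way, the setting can already be present on individual accounts without anyone having flipped the domain-wide switch, so the first thing to know is which accounts carry it. The Python script below is an added example, not code from the list or from any poster. It reads a constructed export in the shape ldifde produces when asked for just sAMAccountName and userAccountControl, and flags accounts whose userAccountControl carries the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED bit (0x80), which is what the per-user "Store password using reversible encryption" checkbox sets. The account names and values in the sample are made up.

```python
"""Audit which AD user accounts have "Store password using reversible
encryption" set on the account itself.

Added example for the reverse-encryption thread; it is not code from the
list or from any poster.  SAMPLE_LDIF is constructed in the shape of an
ldifde dump limited to sAMAccountName and userAccountControl; it is not
real directory data.
"""
import re

# Well-known userAccountControl bits (ADS_USER_FLAG_ENUM values).
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080   # per-account "reversible encryption"
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample export (values chosen for this example).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
changetype: add
sAMAccountName: alice
userAccountControl: 512

dn: CN=VPN Service,OU=Service,DC=example,DC=test
changetype: add
sAMAccountName: svc-vpn
userAccountControl: 66176

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
changetype: add
sAMAccountName: bob
userAccountControl: 514

dn: CN=Mac User,OU=Staff,DC=example,DC=test
changetype: add
sAMAccountName: macuser
userAccountControl: 640
"""


def parse_ldif(text):
    """Turn a minimal LDIF export into a list of {attribute: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if "sAMAccountName" in rec:
            records.append(rec)
    return records


def decode_uac(uac):
    """Names of the flags this example knows about that are set in uac."""
    names = {
        UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
        UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
        UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    }
    return [name for bit, name in sorted(names.items()) if uac & bit]


def find_reversible_accounts(text):
    """Return [(sAMAccountName, active)] for accounts carrying the 0x80 bit.

    'active' is False when the account is also disabled, so a caller can
    deal with live accounts first.
    """
    hits = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            hits.append((rec["sAMAccountName"], not (uac & UF_ACCOUNTDISABLE)))
    return hits


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        uac = int(rec["userAccountControl"])
        print("%-10s %6d  %s" % (rec["sAMAccountName"], uac, ", ".join(decode_uac(uac))))
    print("reversible:", find_reversible_accounts(SAMPLE_LDIF))
```

Two caveats go with the audit. The per-account bit is only half the picture: when the domain password policy "Store passwords using reversible encryption" is enabled, every account in the domain is affected without this bit being set on any of them, so the Default Domain Policy has to be checked separately. And the setting only takes effect at the next password change in either direction: enabling it does not expose passwords already stored, and turning it off again does not purge the stored value until the user's password is changed.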


RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-27 Thread Narkinsky, Brian
Well isn't NTFS or really any file system really a simple database?

The way it is looking to me is not so much SQL everywhere! but WinFS
everywhere!.  And WinFS has borrowed heavily from SQL technology.

Not sure I am using WinFS right here maybe... WinFS is just the
CIFS/SMB/drive letter interface to this new technology.  But I am calling
this new technology WinFS for now.

The question to me is how will the systems really look?  

I mean will WinFS simply be an NTFS partition with a Database on it?  That is
basically a SQL database.

Or will WinFS basically be a partition with no NTFS.  That is a file system
unto itself.


Brian


-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 27, 2003 7:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Its absolutely going to be a fun ride, that's for sure.

I'm VERY interested in seeing how they choose to overcome the inherent
limitations in the structured vs. unstructured debate. I'm starting to be
of the opinion that structured data storage is going the way of the dodo -
again because of increases in raw horsepower, the speed benefit provided by
structured storage might no longer be worth the distinction.

That being said, technically NTFS IS structured storage - I burn a cluster
no matter how small the amount of data being stored. So that begs the
questions of can we make everything fit into a reasonable structured
storage model? (answer is obviously yes) and Can we make the structure
modifiable? (I'd assume yes).

The latter question is akin to saying Can we make hard drive clusters in
different sizes? That's been done for 20+ years, IIRC. So maybe the future
engine is SQL server with variable page sizes rather than fixed 8k pages.
Maybe going as far as different page sizes per database - where a database
could be a file system or anything else for that matter.

Interesting indeed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
 Sent: Tuesday, August 26, 2003 2:34 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

 The actual prognostication I heard at a Windows NT5 preview (pick your date
 based on *that* statement) was that we'd have two data stores - one for
 structured (i.e. SQL) data and the other for unstructured (i.e. email,
 files, etc) data. So, the idea was that NTFS (version ??) would handle email
 storage. Think of what's out there with RIS today for SIS in a file tree -
 but on a full filesystem scale.

 There's a performance penalty, quite significantly so, for variable length
 fields, in databases. At some point, the system bus speeds will stop being
 the bottlenecks, and they'll have to consider issues like in building data
 stores.

 The published information has led me to believe that it's more a data storage
 strategy rather than a product. I also think that there's a difference
 between the front end and back end technologies, and significant benefits to
 be had from building a unified 

[ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Thommes, Michael M.
Hi,
   We have a pretty complex IP structure with various types of access.  As we develop
AD sites for low bandwidth connected remote offices, I was wondering how AD handles
site subnet definitions that might overlap one another.  For example:

10.10.0.0/16 = Site 1
10.10.88.0/25 = Site 2

The AD Sites and Services MMC allows (doesn't complain about) overlapping subnets.  As
always, any comments or experiences in this area are appreciated!

Mike Thommes
Argonne National Laboratory
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Peck, John C SITI-ITDPAD
Sounds identical to some problems that Shell has experienced recently.

John Peck
Shell Information Technology International
IT Infrastructure Projects 
(Phone) 713-245-2183
(Office) IC - 5S06

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 6:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships

Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of SIDs in
the token by default (roughly 120).

With the number of group memberships that you have (likely more than 120),
it sounds like you'll have to increase the MaxTokenSize value in your
environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)

As you'll be authenticated via Kerberos on the server you're trying to join
to AD at the time of joining it, I'd try to change the MaxTokenSize
value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group, which further
decreases the number of real groups your Kerberos ticket will be able to
accept by default to approx. 60.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 26 August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.  The
error was:

"The Parameter is incorrect"

We narrowed it down to the fact that the admins with problems had a large
number of nested group memberships (400+).  If we removed the group
memberships the admin could join the server to the domain with no problem.
We opened a call with Microsoft PSS, who advised us to install the hotfix
mentioned in
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the problem
again, albeit intermittently.  We re-opened the case with PSS and they have
advised us that the problem is due to the accumulation of too many SIDs in
the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
no workaround apparently; this is behaviour by design.

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating not
knowing the true cause behind the issue.  The only thing we know is that it
has something to do with the size of the access token, but no real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony


RE: [ActiveDir] SP4 question

2003-08-27 Thread Rod Trent



:) Sorry...I only highlighted the words because that's the statement from
MS, and to thumbtack the issue. It caught my eye only after your post, but I
was responding to the general thread.

I've seen this issue floating around due to BugTraq's report. BugTraq
provides a good service, but falls short on occasion. Anything you see on
BugTraq (or any other list) should be taken up first with your MS
representative (TAM, SAM, MVP, etc.) -- particularly security concerns.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 27, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

Rod,

With all due respect, did I somehow indicate otherwise? If I miscommunicated
the message, I'd appreciate guidance on how to better answer a question of
this type.

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Wednesday, August 27, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

SP4 DOES NOT reintroduce the vulnerability.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 27, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

Given that Russ Cooper did the original study that presented the incomplete /
incorrect information that Brian Livingston reported on, going back to Russ
is likely the correct step. Russ has since retracted and corrected his
findings. This correction can be found, as well, on NTBUGTRAQ or the
TruSecure site.

Regardless - SP4 does NOT negate / remove MS03-026, but please check with
NTBUGTRAQ to be 100% certain. Or, better yet - do as I did when confronted
with this. Conduct your own study! :-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US
Sent: Wednesday, August 27, 2003 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks the
MS03-026 patch. Does anyone have any links to docs from MS about this
subject? NTBUGTRAQ posted some reports from people that SP4 did break the
patch, but later found it to be untrue. Thanks

Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
yeap.  

Which doesn't mean that you should now hurry and simply perform SID-History
cleanup in your environment without doing the necessary investigations.
Your environment might still heavily rely on SID-History without you
realizing it...  

Even if you've done your re-acling on all existing fileservers and you've
got nothing left of the migrated NT4 domains, it is not uncommon that
companies that have leveraged the ADC during an Ex5.5 to E2k migration still
have loads of legacy SIDs on their Public Folders and even on many of their
mailboxes.

You might be fine from a FileSystem point of view - but Exchange 2000/2003
(depending on how you've migrated) is a totally different story. The newer
migration tools will now also tackle PF re-acling and I'm sure that someone
else will come up with some other nice scripts in the near future - but
you'll definitely have to watch out for this.

/Guido

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 27 August 2003 14:10
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships

By extension, if you've got nested groups that carry SID-history baggage,
does that mean that you're further limited? In other words, a nested group
pair, where both groups have SID history defined, takes 4 token slots?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


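The token budget Guido describes above (roughly 120 SIDs in a default Kerberos ticket, halved when every group also carries a SID-History entry) and Roger's follow-up about nested groups with SID history can be estimated from a membership snapshot. This is an added example, not code from the list, from Microsoft or from the posters; the directory snapshot, names and SIDs are constructed, and the thresholds are the rough figures quoted in the thread, used as named constants rather than authoritative limits.

```python
from collections import deque

# Rough figures quoted in the thread, kept as named constants; they are
# not authoritative limits, and the real limit is a byte size (MaxTokenSize).
DEFAULT_KERBEROS_SID_BUDGET = 120   # about 120 SIDs fit in a default ticket
NTLM_SID_LIMIT = 1000               # the SID ceiling cited for NTLM tokens

# Constructed directory snapshot (hypothetical names and SIDs).
# Each principal lists its own SID first, then any sidHistory entries
# carried over from a migrated NT4 domain.
PRINCIPAL_SIDS = {
    "alice":       ["S-1-5-21-1-1-1-1105"],
    "G-Admins":    ["S-1-5-21-1-1-1-2001", "S-1-5-21-9-9-9-1501"],  # migrated
    "G-ServerOps": ["S-1-5-21-1-1-1-2002"],
    "G-AllIT":     ["S-1-5-21-1-1-1-2003", "S-1-5-21-9-9-9-1502"],  # migrated
}

# Constructed memberOf links: principal -> groups it is a direct member of.
MEMBER_OF = {
    "alice":       ["G-Admins", "G-ServerOps"],
    "G-Admins":    ["G-AllIT"],
    "G-ServerOps": ["G-AllIT"],
    "G-AllIT":     ["G-Admins"],   # deliberate nesting loop
}


def effective_groups(principal, member_of):
    """Transitive set of groups `principal` belongs to. Breadth-first walk
    with a visited set, so nested and circular memberships count once."""
    seen = set()
    queue = deque(member_of.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def token_sids(principal, principal_sids, member_of):
    """Every SID the logon token carries: the user's own SIDs (including
    sidHistory) plus the SIDs of every effective group."""
    sids = list(principal_sids.get(principal, []))
    for group in sorted(effective_groups(principal, member_of)):
        sids.extend(principal_sids.get(group, []))
    return sids


def token_report(principal, principal_sids, member_of):
    """Summarise the token and flag it against the thread's rough budgets."""
    groups = effective_groups(principal, member_of)
    sids = token_sids(principal, principal_sids, member_of)
    # Anything beyond one SID per principal is SID-History baggage.
    history = len(sids) - len(groups) - 1
    return {
        "groups": len(groups),
        "sids": len(sids),
        "sid_history_entries": history,
        "exceeds_default_kerberos": len(sids) > DEFAULT_KERBEROS_SID_BUDGET,
        "exceeds_ntlm_limit": len(sids) > NTLM_SID_LIMIT,
    }


def synthetic_directory(n_groups, migrated):
    """Constructed flat directory: 'user' is a direct member of n_groups
    groups, each carrying one sidHistory entry when migrated is True.
    Shows where the thread's figures (about 120 groups, about 60 if every
    group is migrated) put the crossover."""
    sids = {"user": ["S-1-5-21-1-1-1-1000"]}
    member_of = {"user": []}
    for i in range(n_groups):
        name = f"G-{i}"
        sids[name] = [f"S-1-5-21-1-1-1-{3000 + i}"]
        if migrated:
            sids[name].append(f"S-1-5-21-9-9-9-{3000 + i}")
        member_of["user"].append(name)
    return sids, member_of


if __name__ == "__main__":
    print(token_report("alice", PRINCIPAL_SIDS, MEMBER_OF))
    for migrated in (False, True):
        sids, member_of = synthetic_directory(70, migrated)
        print(70, "groups, migrated =", migrated,
              token_report("user", sids, member_of))
```

With 70 groups the un-migrated token stays under the quoted budget while the fully migrated one (141 SIDs) does not, which is the "approx. 60" effect Guido describes.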

RE: [ActiveDir] SP4 question

2003-08-27 Thread Jon Hicks/MIS/HQ/KEMET/US

I agree completely. It is funny, after I sent my boss all the info I have
found about the issue and performed my own tests here, which came back
negative for the SP rolling back the hotfix, they still emailed our MS TAM
about the issue and here is what was sent back: "The patch is post-SP4 and
would have to be re-installed. They've made it available to install on the
older SPs to allow organizations at different levels to secure the
environment. This is not unlike any other patch until we have a roll-up that
includes 026."
I told my boss that this is incorrect, but they are still insisting on
re-applying the hotfix after servers are upgraded to SP4. I guess this is
just the typical corporate mentality around here, what can you do. Anyone
looking for a good network/security admin?

Thanks,

Jon

Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


From: Rick Kingslan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 08/27/2003 10:15 AM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

John,

Show him the statement from TruSecure. Microsoft is not going to respond to
it, as they denied that it was a problem from day one. Russ so much as
admits this and the problem is now history. If your boss will not accept
Russ Cooper's retraction as stated, then I doubt that a statement from
Microsoft would be authoritative either. Me, I'd prefer to have a statement
from the discoverer rather than an affected party - Microsoft - who has much
to lose if they are shown to have a faulty patch.

Hope this helps

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US
Sent: Wednesday, August 27, 2003 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

SP4 was released first. I ran a test on a few servers running SP3 that have
the MS03-026 patch applied and I then installed SP4 and ran a DCOM
vulnerability scanner against them and they still showed as patched, so it
appears not to affect the patch. I was just looking for something from
Microsoft to appease my boss, they always want something from MS to make
them feel better about things

Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]


From: Hutchins, Mike [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 08/27/2003 09:29 AM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

which one came out first chronologically?


From: Jon Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks
the MS03-026 patch. Does anyone have any links to docs from MS about this
subject? NTBUGTRAQ posted some reports from people that SP4 did break
the patch, but later found it to be untrue.

Thanks

Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]





RE: [ActiveDir] Terminal Services and domain credentials Win2k3-Win2k

2003-08-27 Thread Roger Seielstad
Check out this article from Paula Sharick @ Windows 2000 mag - there are a few low
level security changes made in SP4 that might cause some issues, both with
certain applications using SeImpersonate but also with Terminal Services:
http://www.win2000mag.net/Articles/Index.cfm?ArticleID=39534

(Also linked from http://www.wiredeuclid.com/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=0&thold=0) [1]

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Yeah, it's back up, but I lost a few weeks worth of data. I'll get it back sooner
or later I think.

  -Original Message-
  From: Wilkinson, Stephen [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 27, 2003 9:48 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Terminal Services and domain credentials Win2k3-Win2k

  This may be slightly off-topic but we are seeing something odd in our
  environment where when we try to connect via terminal service (any client)
  to a host in a Windows 2000 (SP4) Active Directory domain with an account
  from a W2003 Active directory account, the domain credentials do not pass
  through, i.e. if we fire up mstsc, select options and put in the username,
  password and domain name, TS will connect to the machine then try to logon
  locally (with the supplied account name and password) and not onto the
  specified domain. It is as if it is ignoring the domain name supplied,
  only if it is a Windows 2003 domain.

  All domains are fully trusted (2 way) and it is re-producible with W2003 -
  W2000 only. We can reproduce in our lab as well on a test W2003 AD. However
  if we use NT4 domain account credentials or W2000 account credentials all
  is well. It is not dependent on which domain the source host is a member
  of, purely the domain which the account's credentials are from.

  Has anyone seen this or can anyone spend 5 mins to see if they can
  re-produce? This is causing us real headaches as we cannot pass-through
  authenticate to our Citrix farms - so we cannot migrate to our Windows 2003
  AD until we have a solution, so any help gratefully received.

  Logged with PSS but as yet no response.

  Thanks in advance

  Stephen Wilkinson
  Tel +44(0)207 4759276
  Mobile +44(0)7973 143970
  E-Mail: [EMAIL PROTECTED]


RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-27 Thread Roger Seielstad
That's kinda where I was going with all this - although my personal belief
is that there should be 2 underlying storage schemes (which I've referred to
as structured and unstructured), I can see where one makes sense.

I am waiting, however, for the SQL style front end to Exchange and my file
system.[1]

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] I know OLEDB provides some of this, but I'm talking seamless here. I
want it all, darn it![2]
[2] After all, I am the one that wants the Exchange event sink that grabs an
email, generated automatically from my wireless PDA with GPS at just the
right time, in order to start the coffee so it's hot and fresh right when I
walk in the building.



RE: [ActiveDir] SP4 question

2003-08-27 Thread Rod Trent



Jon, if you wouldn't mind, send your TAM's name offline.




RE: [ActiveDir] SP4 question

2003-08-27 Thread Rick Kingslan



NP, Rod - this is what I suspected. I only replied 
because if I misconstrued something, I wanted to be correct. Thanks for 
clearing it up for me - and hopefully for others.

Rick


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rod 
TrentSent: Wednesday, August 27, 2003 10:33 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] SP4 
question

:) Sorry...I only highlighted the words because 
that's the statement from MS, and to thumbtack the issue. It caught my eye 
only after your post, but I was responding to the general 
thread.

I've seen this issue floating around due to BugTraq's 
report. BugTraq provides a good service, but falls short on 
occasion. Anything you see on BugTraq (or any other list) should be taken 
up first with your MS representative (TAM, SAM, MVP, etc.) -- particularly 
security concerns.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 27, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

Rod,

With all due respect, did I somehow indicate otherwise? If I
miscommunicated the message, I'd appreciate guidance on how to better
answer a question of this type.

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Wednesday, August 27, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

SP4 DOES NOT reintroduce the 
vulnerability.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 27, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 question

Given that Russ Cooper did the original study that presented the
incomplete / incorrect information that Brian Livingston reported on,
going back to Russ is likely the correct step. Russ has since retracted
and corrected his findings. This correction can be found, as well, on
NTBUGTRAQ or the TruSecure site.

Regardless - SP4 does NOT negate / remove MS03-026, but 
please check with NTBUGTRAQ to be 100% certain. Or, better yet - do as I 
did when confronted with this. Conduct your own study! 
:-)


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Hicks/MIS/HQ/KEMET/US
Sent: Wednesday, August 27, 2003 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 question

I have heard mixed opinions on whether or not installing Win2k SP4 breaks the
MS03-026 patch. Does anyone have any links to docs from MS about this subject?
NTBUGTRAQ posted some reports from people that SP4 did break the patch,
but later found it to be untrue. Thanks

Jon Hicks | KEMET Electronics Corporation | Server Team
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: jhicks352
Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA


RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Wilhelm, Brent

Rick,

Thanks for the info, I will look into it ASAP.

Brent



-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords

Brent,

I can't even imagine why your Network Engineer would think that you need
to enable Reverse Encryption for SBR to work. Your first question should
be 'Do you REALLY know what you're doing?' SBR does NOT require this
setting - at least the current version(s), including the past couple of
years. I've implemented SBR and know this isn't necessary.

How / what is this being implemented for? PKI is available, as is EAP-TLS
(specifically for the WiFi environment).

SBR communicates with AD via the services that are installed. Look here
for a bit more information on install, but you are 100% correct for
resisting Reverse Encryption. RE is bad - very bad.

http://www.funk.com/subsections/sbrtechnotes.asp



Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilhelm, Brent
Sent: Tuesday, August 26, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords





Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root
level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you
absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of
interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius)
to talk with the AD?

Thanks
- Brent








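The setting Brent is being asked to flip also exists per account, as the "Store password using reversible encryption" bit in userAccountControl. The following is an added example of mine, not code from the list posters, Funk or Microsoft: it scans an LDIF-style export for accounts that already carry that bit, which is the first thing to audit before anyone argues about the domain-level policy. The 0x0080 value is the documented ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag; the export lines, account names and domain are constructed sample data.

```python
"""Find accounts whose userAccountControl allows reversibly encrypted passwords.

Added example for the reverse-encryption thread; not code from the posters,
Funk or Microsoft. The LDIF-style text below is constructed sample data.
"""

# userAccountControl bits (documented ADS_USER_FLAG values)
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed export, shaped like the output of ldifde with -l sAMAccountName,userAccountControl
SAMPLE_EXPORT = """\
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=radius-test,OU=Service,DC=example,DC=com
sAMAccountName: radius-test
userAccountControl: 66176

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 640
"""


def parse_ldif_entries(text):
    """Split blank-line-separated 'attr: value' records into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the human-readable flag names set in a userAccountControl value."""
    names = {
        ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
        NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    }
    return [name for bit, name in names.items() if value & bit]


def reversible_pwd_accounts(text):
    """sAMAccountNames whose userAccountControl has the reversible-encryption bit set."""
    hits = []
    for entry in parse_ldif_entries(text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            hits.append(entry["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for entry in parse_ldif_entries(SAMPLE_EXPORT):
        uac = int(entry["userAccountControl"])
        print(f"{entry['sAMAccountName']:<12} {uac:>6}  {decode_uac(uac)}")
    print("reversible:", reversible_pwd_accounts(SAMPLE_EXPORT))
```

An export of this shape comes from `ldifde -f out.ldf -r "(objectCategory=person)" -l sAMAccountName,userAccountControl` run against the domain. Two caveats worth knowing before the switch is flipped either way: the domain-level policy Brent describes applies to every account it covers regardless of this per-account bit, and a password is only stored reversibly from its next change onward, so enabling the policy does nothing for existing passwords and disabling it later leaves already-stored clear-text-equivalents in place until those accounts change their passwords.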
RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
At least. If you have multiple SIDs in the token history you could use
even more space. Say the case that you moved a group between domains
multiple times, you would have a SID for every move + the final domain
SID which was current. 

  Joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships


By extension, if you've got nested groups that carry SID-history
baggage, does that mean that you're further limited? In other words, a
nested group pair, where both groups have SID history defined, takes 4
token slots?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
 [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, August 27, 2003 7:41 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Problems with too many nested group 
 memberships
 
 
 Tony, I believe that the 1000 SID limit is only relevant for NTLM
 authentication - the Kerberos ticket accepts a far smaller number of
 SIDs in the Token by default (roughly 120).
 
 With the number of group-memberships that you have (likely more than 120),
 it sounds like you'll have to increase the MaxTokenSize value in your
 environment (even after applying the fix
 http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)
 
 As you'll be authenticated via Kerberos on the Server you're trying to join
 to AD at the time of joining it, I'd try to change the MaxTokenSize
 value in the registry on the server itself PRIOR to joining it to AD.
 
 Also - have the groups which the user is a member of been migrated with
 SID-History?  In this case you'll have 2 SIDs per group which further
 decreases the number of real groups your Kerberos ticket will be able to
 accept by default to approx. 60.
 
 /Guido
 
 -Original Message-
 From: Tony Murray [mailto:[EMAIL PROTECTED]
 Sent: Dienstag, 26. August 2003 16:16
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Problems with too many nested group memberships
 
 I'm hoping someone can shed some light on this.
 
 The background
 
 A while ago some admins had problems joining servers to an AD domain.  The
 error was:
 
 The Parameter is incorrect
 
 We narrowed it down to the fact that the admins with problems had a large
 number of nested group memberships (400+).  If we removed the group
 memberships the admin could join the server to the domain with no problem.
 We opened a call with Microsoft PSS, who advised us to install the hotfix
 mentioned in
 http://support.microsoft.com/default.aspx?scid=kb;[LN];327825
 
 We duly installed the hotfix on all DCs.  Now it seems we have the problem
 again, albeit intermittently.  We re-opened the case with PSS and they have
 advised us that the problem is due to the accumulation of too many SIDs in
 the access token
 (http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
 no workaround apparently, this is behaviour by design.

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating
not knowing the true cause behind the issue.  The only thing we know is
that it has something to do with the size of the access token, but no
real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Joe
This is fine. We actually have a couple of class A subnets defined and
then subdefine those to more specific sites. 

I.e. a class A points to an overall company site. Many 24 bit mask or 23
bit mask subnets are then defined to further refine the site the clients
should use. The clients will chase through the logic and find the subnet
that most closely matches and use that site. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, August 27, 2003 11:10 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] overlapping IP space in AD sites?


Hi,
   We have a pretty complex IP structure with various types of access.
As we develop AD sites for low bandwidth connected remote offices, I was
wondering how AD handles site subnet definitions that might overlap one
another.  For example:

10.10.0.0/16 = Site 1
10.10.88.0/25 = Site 2

The AD Sites and Services mmc allows (doesn't complain) about
overlapping subnets.  As always, any comments or experiences in this
area are appreciated!

Mike Thommes
Argonne National Laboratory


RE: [ActiveDir] overlapping IP space in AD sites?

2003-08-27 Thread Hagberg Lars
Hi

It should work; based on my experience AD selects the smallest subnet
that covers the IP address.
In your example IP addresses 10.10.0.1 - 10.10.255.254 are in site 1,
except for 10.10.88.1 - 126, which are in site 2.

Has anybody seen any documentation about this?

//Best Regards Lars


-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: den 27 augusti 2003 17:10
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] overlapping IP space in AD sites?

Hi,
   We have a pretty complex IP structure with various types of access.
As we develop AD sites for low bandwidth connected remote offices, I was
wondering how AD handles site subnet definitions that might overlap one
another.  For example:

10.10.0.0/16 = Site 1
10.10.88.0/25 = Site 2

The AD Sites and Services mmc allows (doesn't complain) about
overlapping subnets.  As always, any comments or experiences in this
area are appreciated!

Mike Thommes
Argonne National Laboratory