RE: [ActiveDir] MS04-007 checking

2004-02-14 Thread William Lefkovics



The LSASS DOS:
http://isc.sans.org/diary.html
http://www.k-otik.com/exploits/02.14.MS04-007-dos.c.php
http://linuxfromscratch.org/~devine/MS04-007-dos.c
 
William
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Saturday, February 14, 2004 8:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-007 checking

Do you have any pointers to info on the "proof of concept"? I'm not interested in code but would like to look at the info, and we may want to pull the trigger at our organization. We're working the rollout for 007 but may want to deploy quicker than we currently have mapped out.
 
Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, February 14, 2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-007 checking


In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:
There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URLs to exploits here, so I will err on the side of prudence and say if you need to know where, email me.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
 


RE: [ActiveDir] MS04-007 checking

2004-02-14 Thread Ayers, Diane



Do you have any pointers to info on the "proof of concept"? I'm not interested in code but would like to look at the info, and we may want to pull the trigger at our organization. We're working the rollout for 007 but may want to deploy quicker than we currently have mapped out.
 
Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, February 14, 2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-007 checking


In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:
There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URLs to exploits here, so I will err on the side of prudence and say if you need to know where, email me.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Fri 2/13/2004 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-007 checking

Might check with RetinA (http://www.eeye.com/). We're using Patchlink to not only detect, but patch and deploy software as well.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, February 13, 2004 11:06 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] MS04-007 checking

  Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied?
  Thanks again
  Ryan McDonald

  
  
~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
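The kind of tool Ryan asks about can be approximated today with the hotfix inventory Windows exposes through WMI. The PowerShell below is an added example, not a tool from the thread, from Microsoft, or from the vendors named above. The KB article number for MS04-007 is not given in the thread, so the `KB000000` value is a placeholder to replace with the bulletin's article ID, and the three host names are constructed sample targets. It assumes remote WMI is reachable and the caller is a local administrator on the targets.

```powershell
# Added example, not code from the thread. Reports, per host, whether a given hotfix is
# listed as installed. Unreachable hosts are kept separate from hosts that lack the update.
function Test-HotfixInstalled {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$HotfixId     # e.g. 'KB000000' (placeholder, replace)
    )
    foreach ($name in $ComputerName) {
        try {
            # A host that cannot be queried throws (caught below); a host that simply
            # lacks the update returns no match. The two cases must not be conflated,
            # otherwise an unreachable host is reported as patched or as unpatched.
            $installed = Get-HotFix -ComputerName $name -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $HotfixId }

            [pscustomobject]@{
                Computer    = $name
                Status      = $(if ($installed) { 'Patched' } else { 'Missing' })
                InstalledOn = $(if ($installed) { ($installed | Select-Object -First 1).InstalledOn } else { $null })
            }
        } catch {
            [pscustomobject]@{
                Computer    = $name
                Status      = "Unknown: $($_.Exception.Message)"
                InstalledOn = $null
            }
        }
    }
}

# Constructed sample target list. In practice feed it from the directory, e.g.
#   (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name
$targets = @('SERVER01', 'SERVER02', 'WS-FINANCE-07')

Test-HotfixInstalled -ComputerName $targets -HotfixId 'KB000000' |
    Sort-Object Status | Format-Table -AutoSize
```

Get-HotFix reports only what Win32_QuickFixEngineering records, so a host shown as Missing is worth confirming against the file versions listed in the bulletin before it is chased as unpatched, and a host shown as Unknown was never queried rather than found lacking the update.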



RE: [ActiveDir] Active Directory Design Issues

2004-02-14 Thread Rick Kingslan



Kent,

Sounds to me like you already have the design set, and - though I'm a bit prejudiced as this is how we designed our environment - you already have best practice in hand. Setting up and creating the OU's and the child OU's is (IIRC) in the Branch Office Deployment Guide.

http://www.microsoft.com/downloads/details.aspx?FamilyID=9a4c7ac3-185e-4644-9e98-4876b2a477e7&DisplayLang=en

As to the permissions, etc., the AD Delegation guide is the hottest publication Microsoft has put out in the past couple of years.

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

However, make sure that you're keeping the DC's in the Domain Controller OU - unless you have some very specific reason to move them out. If you do move them to the child OU's, be aware of two things:
1. The Default DC Policy must be applied to the OU.
2. Caution with the permissions that are applied above, as you don't want to inadvertently find that your Techs or the Janitor have permission to manage your DC's. IMHO, this applies to Member Servers as well - so I typically apply new permissions at the Member Server level - not all of my site Techs have the permissions or the need to access member servers.

One other thing that is valuable to remember: Use groups for Servers. Groups are not just for users. This will allow you to apply GPO to servers and more granular security to servers on a group basis.

Good luck! It's not as daunting as it first appears, but map it out before diving in. And document the crap out of it. You'll thank yourself later.
 

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: Saturday, February 14, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Design Issues

I am working on a Windows 2003 ADS design for an organization with multiple locations. We have decided to have a single forest with a single domain. We are planning to create a separate OU for each organization to keep their computers, groups, and users in. Each location needs to have administrative control over its servers, users, groups, etc. Does anyone know where I can find good planning and deployment guides that demonstrate best practices on how to create this type of scenario?
Thanks,
Kent

-
This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.
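The two cautions Rick lists for DCs that leave the Domain Controllers OU (the Default DC Policy must still reach them, and nobody unexpected may hold rights over their container) can be checked rather than assumed. The PowerShell below is an added example, not code from the thread or from the Microsoft guides linked above; it uses the RSAT ActiveDirectory and GroupPolicy modules, which did not exist in 2004. For every DC in the current domain it reports whether the computer object is under the Domain Controllers OU, whether the Default Domain Controllers Policy (identified by its well-known GUID) is linked directly or by inheritance to whatever container holds it, and which principals outside an assumed trusted list hold write-level rights on that container. The trusted-principal list and the right-name pattern are assumptions to adjust for your forest.

```powershell
# Added example, not code from the thread. Requires RSAT: ActiveDirectory and GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known GUID of the Default Domain Controllers Policy GPO (survives renames).
$DefaultDcPolicyGuid = [guid]'6AC1786C-016F-11D2-945F-00C04fB984F9'

# Rights on the parent container that amount to "can manage what is in it" (assumed pattern).
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|Delete'

function Test-DcPlacement {
    param(
        # Principals allowed write-level rights on a container holding DCs. The default
        # list below is an assumption for this example; adjust it to your forest.
        [string[]]$TrustedPrincipals
    )
    $domain = Get-ADDomain
    if (-not $TrustedPrincipals) {
        $nb = $domain.NetBIOSName
        $TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               "$nb\Domain Admins", "$nb\Enterprise Admins")
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Parent container = the DN with its first RDN removed (commas inside an RDN are escaped with '\').
        $parentDn = ($dc.ComputerObjectDN -split '(?<!\\),', 2)[1]

        # 1. Is the Default Domain Controllers Policy linked (directly or inherited) to that container?
        #    Get-GPInheritance only accepts domains and OUs; a DC sitting in a plain container
        #    (for example CN=Computers) cannot have it linked at all, so report $false there.
        try {
            $inheritance  = Get-GPInheritance -Target $parentDn -ErrorAction Stop
            $policyLinked = [bool]($inheritance.InheritedGpoLinks |
                Where-Object { $_.GpoId -eq $DefaultDcPolicyGuid -and $_.Enabled })
        } catch {
            $policyLinked = $false
        }

        # 2. Who, outside the trusted set, holds write-level rights on that container?
        $acl = Get-Acl -Path "AD:\$parentDn"
        $unexpected = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -match $WriteRights) -and
                ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { "$($_.IdentityReference.Value): $($_.ActiveDirectoryRights)" } |
            Sort-Object -Unique

        [pscustomobject]@{
            DomainController   = $dc.HostName
            Container          = $parentDn
            InDefaultDcOu      = ($parentDn -eq $domain.DomainControllersContainer)
            DefaultDcPolicy    = $policyLinked
            UnexpectedWriteAce = $unexpected
        }
    }
}

Test-DcPlacement | Format-List
```

The last column is a review list, not a verdict: a stock OU ACL legitimately carries write entries (for example inherit-only entries for SELF and for the account operators group), so compare the output against a known-good OU before treating any line as a finding. Running it against an OU that is not the Domain Controllers OU is exactly the case Rick warns about: the rights granted "above" for site techs flow down to whatever was moved in.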


RE: [ActiveDir] MS04-007 checking

2004-02-14 Thread deji Agba



In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:
There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URLs to exploits here, so I will err on the side of prudence and say if you need to know where, email me.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Fri 2/13/2004 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-007 checking

Might check with RetinA (http://www.eeye.com/).  We're using Patchlink to not only detect, but patch and deploy software as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 13, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MS04-007 checking

Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied?
Thanks again
Ryan McDonald






RE: [ActiveDir] Active Directory Design Issues

2004-02-14 Thread deji Agba



You will find most of what you need for your project planning here:
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp
and here
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Kent Maxwell
Sent: Sat 2/14/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Design Issues

I am working on a Windows 2003 ADS design for an organization with multiple locations. We have decided to have a single forest with a single domain. We are planning to create a separate OU for each organization to keep their computers, groups, and users in. Each location needs to have administrative control over its servers, users, groups, etc. Does anyone know where I can find good planning and deployment guides that demonstrate best practices on how to create this type of scenario?
Thanks, 
Kent


RE: [ActiveDir] AD Protected groups

2004-02-14 Thread deji Agba



>> Unfortunately a decision was made to start using IBM. The service is worse than Dell's service and we didn't think it was possible to get worse service than what we got from Dell.
>> Actually had a problem last week where the response is, ok we will see you tomorrow morning. This was when the call went in at like noon. That 4 hour SLA took 24 hours to handle.

Joe, I don't really think this is an "IBM thing" anymore. I think the litany of displeasure and horror stories can be applied to virtually most of the vendors these days. I had a particularly horrific experience with the Fiorina Cartel (you know, the "no god-given rights" company) where they could not find a certain 36Gig hard drive anywhere in the whole continental USA to service a server under their 4-hr contract. They were very effusive in their apologies, but I did not get a drive until the 6th day of placing the original call.

I just had a particularly disheartening experience with MS where an "Exchange-Down" call to PSS, placed around 4:00pm, resulted first in a 90 minute hold time before a "Duty Manager" informed me that MS was "swamped" and every call was now being handled on a "3-hour call back" basis. Then after the 3 hours had expired without anyone checking in with me, I called MS again only to be told that the "3-hour call back" had been slightly adjusted to a "6-hour call back". I did not get a call until 2:00am the following day. A "10-hour" response to a critical situation such as an "exchange-down" situation is not what I'd call acceptable.

This is not a defense of IBM, or an attempt to say "Live with it". It's not a knock on any particular vendor either. It's just my way of pointing out that this is not a localized incident. They are all reading from the same economic page, shedding needed manpower and cutting support to their PAYING customers. At the end of the day, they all report some very outrageous bazillion dollars in profits and everyone smiles.


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





RE: [ActiveDir] Active Directory Design Issues

2004-02-14 Thread Coleman, Hunter



Kent-

This has been a great reference for us: (watch for URL wrapping)
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

Hunter
 


From: Kent Maxwell [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 14, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Design Issues

I am working on a Windows 2003 ADS design for an organization with multiple locations. We have decided to have a single forest with a single domain. We are planning to create a separate OU for each organization to keep their computers, groups, and users in. Each location needs to have administrative control over its servers, users, groups, etc. Does anyone know where I can find good planning and deployment guides that demonstrate best practices on how to create this type of scenario?
Thanks,
Kent


RE: [ActiveDir] Delegating Access to the AD Deleted Items contain er...

2004-02-14 Thread Myrick, Todd (NIH/CIT)








Thanks Joe,

 

I am sure all the PSS TAMS are going to wonder what the heck is going on…

 

Todd

 









From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, February 13, 2004 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegating Access to the AD Deleted Items container...



 

I spoke with MS Alliance PSS about this exact issue with the ADC... This is possible in W2K, however it is completely unsupported and the directions I saw were painful and I said, NFW. The min permissions required are Admin, not domain admin with this.

"Allegedly" MS said this would be less painful for W2K3 but I have not checked.

My solution was that the connection agreement for the ADC back to AD is owned by me. I am the only person who knows the password. Of course I am depending on the ADC to not do anything bad but I couldn't get around it without doing something worse in my opinion.

 

  joe



 






 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, February 12, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegating Access to the AD Deleted Items container...



I have a situation that just arose here dealing with a third-party meta-directory product and access to our AD. It appears that the connection agent needs the ability to read our AD deleted item container. The vendor, not being experienced with AD delegation, doesn't know if there is a way to restrict access to the deleted items container without making them domain administrator. I am in the process now of reviewing the low level ACL's to see if there is something I can do without giving the service account Domain or Local Admin Privileges.

Does anyone have a suggestion / experience delegating just read access to this container? If so, are there any gotchas I should be aware of.

This is the MS White Paper related to the topic that I found.

http://msdn.microsoft.com/library/default.asp?url="">

 

 

Thanks,

 

Todd










RE: [ActiveDir] AD Protected groups

2004-02-14 Thread Willem Kasdorp








Hi Joe,

 

Usually I can follow what you are saying, but now you have lost me. You don't use global groups. So what _do_ you use, and why? U->L? Why is that any better? Or do you get by with DL only?

 

 --

 

    Regards, Willem (confused…)

 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 14 February 2004 6:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Protected groups



 

I have gotten A LOT of offline responses to this post. I am concerned at the responses however...

 

I am getting several responses of "well you were allowed to set it up right" or "your management is helping you" etc...

 

Folks, management isn't helping with much at all. My direct supervisor backs me almost 100%. He realizes he pays me to be the one who knows the right thing to do and is close enough technically to have an understanding of the things that I am trying to protect us from. Above that, my management is on the bad side of clueless and I fight with them just as much as I fight with management from other teams and or divisions, etc. Our group is for some reason under the Exchange Manager which means that anything that is Exchange is supposed to automatically go through. I don't go this way because usually the requests never have an answer to the question why. Not doing what they ask puts me in an argument with my manager's manager and that seems to be a pretty constant state of being with both good weeks and bad weeks.

 

We have been told to rerun Forest Prep and Domain Prep in the past because someone couldn't install something and they busted their heads on it for a week. PSS Alliance actually said hmm with that error Rerun Forest and Domain Prep, don't worry it won't change anything... Right off the bat... :o) IF it won't change anything, how the heck is it going to fix anything? My next response was, how did you troubleshoot this? Followed by... and where is the network trace showing the problem?

 

So I get them to do the simple network trace (hehe) and it showed that the issue was that the DC Exchange chose to use for its work wasn't in WINS [1]. Exchange was getting the fully qualified name in its initial query, chopping the name down to just the short host name, and trying to resolve it against WINS... And it couldn't find what it needed to and threw a really bad error. Bug thankyouverymuch. I could have easily run Forest Prep and Domain Prep but there was no way I was going to, they couldn't explain why it was needed. Running those processes would have fixed nothing and would have wasted my time and would have set a bad precedent of just doing what was told even though the answer to the question WHY was nowhere to be found.

 

That isn't the only example I have with the Exchange stuff, I have 7+ months of examples. I have to say though that now Michigan has a couple of the best Exchange MCS guys in existence I think, every time they came to me they had to know what they were talking about. I would smile when I would go into the lab and see them hunched over netmon swearing or on the phone with someone at PSS saying, umm no it doesn't work that way and we can prove it. The fun I had with these guys and watching them learn more and more almost has me considering going to work for MS even though it probably means a serious pay cut. I would like to go into other situations with them though and see what they learned and how it helps them solve new problems that much quicker. Plus they are good guys trying to do the right thing and will fight for it as much as they can - I respect that. Matt/John, my hat's off to you.

 

Outside of that I argue with every single team that comes to us telling us we have to change to suit them. If they have a good change, bam they can easily win the argument because they know what they are talking about, have looked at the alternatives and it makes corporate wide sense and bam it gets handled. However change done quickly and for small things (i.e. not global everyone needs it) is generally bad. The people thinking up the changes are almost always looking out only for what they need and don't have any understanding whatsoever of the rest of the world and what needs to be in place for them. That is why you have an AD team so they can see the big picture and protect the infrastructure. No one consumer should ever drive you to just start changing things unless it makes sense for everyone. This means that the AD team should be off on its own, it shouldn't be reporting to the management chain of ONE of the consumers of the services provided. It shouldn't be under the file and print people, it shouldn't be under the exchange people, it shouldn't be under the storage people, the web hosting people, the TS people, it should, in my opinion, be under Security and should have a huge stick. AD's primary responsibility is the stable consistent and correct authentication and authori

RE: [ActiveDir] DFS issue?

2004-02-14 Thread Rimmerman, Russ



I've got this tool, but this is for roaming profiles, not home directories, I thought?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederic Allaert
  Sent: Saturday, February 14, 2004 2:01 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS issue?

  Try UPHClean, have a look on Google for links... Works like a charm, and was exactly written for this purpose, for use in a Citrix farm...

  -Original Message-
  From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, 14 February 2004 3:47
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] DFS issue?

  I'm having a problem with some INI files located in users' terminal server home directories, which are stored on a DFS share, not unlocking when the users log off my Citrix servers. Has anyone seen anything like this? The next time the user logs on, their INI file is still locked open, and their application is broken. The application is the SAP GUI. Whenever I run utilities like "WhoLockMe" it always shows "SYSTEM" has the file locked. I'm thinking it could be a DFS issue of some sort, but if I could just figure out a way to have the files unlock properly when the users log off, my job would become 99% less stressful!!!
  



[ActiveDir] Active Directory Design Issues

2004-02-14 Thread Kent Maxwell





I am working on a Windows 2003 ADS design for an organization with multiple locations. We have decided to have a single forest with a single domain. We are planning to create a separate OU for each organization to keep their computers, groups, and users in. Each location needs to have administrative control over its servers, users, groups, etc. Does anyone know where I can find good planning and deployment guides that demonstrate best practices on how to create this type of scenario?

Thanks,


Kent





RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-14 Thread Roger Seielstad
Oh, wait. You're correct.

The issue with the gold code that I'm thinking of was that Win2k in an NT4
domain would ONLY authenticate against the PDC - it wouldn't talk to BDC's.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Willem Kasdorp [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, February 14, 2004 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC 
> when DC is down.
> 
> 
> I'm not so sure. Once a W2000+ machine finds a DC talking 
> Kerberos it will
> always want to talk Kerberos, for security reasons probably. 
> The telling
> symptom is that the primary DNS suffix of the machine gets 
> set to the FQDN
> of its domain (ipconfig /all). The only way I know to fix 
> that is to rejoin
> the member to the NT4 domain.
> 
> If you don't want to have the Kerberos lock-in happening, 
> check out the 
> 
> NT4Emulator registry value. Not without its pitfalls, but may 
> come in handy.
> 
> 
> -- 
>Regards, Willem 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Saturday, 14 February 2004 17:32
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC 
> when DC is down.
> 
> That was indeed an issue with gold code, but I believe SP1 fixed that.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, February 13, 2004 9:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC 
> > when DC is down.
> > 
> > 
> > It has been several years since I have played with NT and 2K 
> > DCs side by
> > side but I seem to recall that once a W2K client finds a W2K 
> > Server it won't
> > go back and use an NT4 server. I.E. No failback. That may not 
> > be the case
> > anymore with the various SP's as my experiences were SP0 but 
> > worth checking.
> > 
> > Also I would verify DNS, W2K prefers to use DNS to find DCs 
> > and the NT4 BDC
> > would not have the proper records registered.
> > 
> > You could have a really great idea of what was happening with 
> > a network
> > trace. 
> > 
> >joe
> > 
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Niklas Wikander
> > Sent: Friday, February 13, 2004 1:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] W2K not authenticated by NT4 BDC when 
> DC is down.
> > 
> > I'm preparing an upgrade of a NT domain to a W2k domain.
> >  
> > The scenario:
> >  
> > I have one NT PDC and one NT BDC in my domain TEST.
> > In the TEST domain I have one W2kclient. Everything works great.
> >  
> > I upgrade the PDC to W2k DC and with the upgrade I also 
> > install DNS on the
> > DC and name the domain TEST.LOCAL Everything works great and 
> > I can login to
> > TEST.LOCAL with the W2kclient.
> >  
> > But,
> > When the DC is down and only the old NT BDC is up, I cannot 
> > login to the
> > domain.
> > I get the classic error:
> > The system cannot log you on to this domain because the 
> > system's computer
> > account in its primary domain is missing or the password on 
> > that account is
> > incorrect.
> >  
> > When I look in the event viewer the synchronization works 
> > between the DC and
> > the BDC.
> > With both DC and BDC I can see the W2kclient computer account 
> > in server
> > manager.
> > But with the DC down I only see the two servers in server manager.
> >  
> > Why is the account missing when the DC is down?
> > Probably I have missed something in the upgrade process but I 
> > cannot figure
> > out what.
> > I have tried this twice now with the same result.
> >  
> > Any suggestions?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-14 Thread Willem Kasdorp
I'm not so sure. Once a W2000+ machine finds a DC talking Kerberos it will
always want to talk Kerberos, for security reasons probably. The telling
symptom is that the primary DNS suffix of the machine gets set to the FQDN
of its domain (ipconfig /all). The only way I know to fix that is to rejoin
the member to the NT4 domain.

If you don't want to have the Kerberos lock-in happening, check out the
NT4Emulator registry value. Not without its pitfalls, but may come in handy.


-- 
   Regards, Willem 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Saturday, 14 February 2004 17:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

That was indeed an issue with gold code, but I believe SP1 fixed that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 13, 2004 9:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC 
> when DC is down.
> 
> 
> It has been several years since I have played with NT and 2K 
> DCs side by
> side but I seem to recall that once a W2K client finds a W2K 
> Server it won't
> go back and use an NT4 server. I.E. No failback. That may not 
> be the case
> anymore with the various SP's as my experiences were SP0 but 
> worth checking.
> 
> Also I would verify DNS, W2K prefers to use DNS to find DCs 
> and the NT4 BDC
> would not have the proper records registered.
> 
> You could have a really great idea of what was happening with 
> a network
> trace. 
> 
>joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Niklas Wikander
> Sent: Friday, February 13, 2004 1:11 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.
> 
> I'm preparing an upgrade of a NT domain to a W2k domain.
>  
> The scenario:
>  
> I have one NT PDC and one NT BDC in my domain TEST.
> In the TEST domain I have one W2kclient. Everything works great.
>  
> I upgrade the PDC to W2k DC and with the upgrade I also 
> install DNS on the
> DC and name the domain TEST.LOCAL Everything works great and 
> I can login to
> TEST.LOCAL with the W2kclient.
>  
> But,
> When the DC is down and only the old NT BDC is up, I cannot 
> login to the
> domain.
> I get the classic error:
> The system cannot log you on to this domain because the 
> system's computer
> account in its primary domain is missing or the password on 
> that account is
> incorrect.
>  
> When I look in the event viewer the synchronization works 
> between the DC and
> the BDC.
> With both DC and BDC I can see the W2kclient computer account 
> in server
> manager.
> But with the DC down I only see the two servers in server manager.
>  
> Why is the account missing when the DC is down?
> Probably I have missed something in the upgrade process but I 
> cannot figure
> out what.
> I have tried this twice now with the same result.
>  
> Any suggestions?
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DCPromo

2004-02-14 Thread Guy Teverovsky

The machine in question was the first DC in site C (which was already 
pre-configured in Sites and Services). The dcpromo.log confirms that it
properly recognized its site.

I saw the LDAP session to PDCE (site A) when initiating the dcpromo by
running netstat (I saw a new LDAP session). The replication was
performed from a DC in site B (Infrastructure Master).
dcpromo.log and dcpromogui.log do not show initial query to PDCE.
All the machines are W2K3. Domain and forest functional levels are 2003.
What is interesting is that the DC the replication was performed from is
actually much closer from the network and latency point of view. It
would be pretty smart of W2K3 to replicate from the nearest partner...

Guy

On Sat, 2004-02-14 at 04:37, joe wrote:
> What site was the machine that was being promoted to in?
> 
> I would expect it was in site B. The change should be done on the machine
> that it did its initial replication with. How do you know that it did that
> replication with the PDC? Is this info from the dcpromo log?
> 
>   joe
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, February 13, 2004 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DCPromo
> 
> 
> Yesterday, while dcpromoing a machine (which was already domain member), I
> have noticed that while the LDAP session was initiated against PDCE in site
> A, the computer account move to "Domain Controllers" OU was performed on a
> DC in site B. Although after the replication everything was nice and dandy,
> but any insight on at which DC the changes should take place during the
> dcpromo process is more than welcome.
> 
> Thanks,
> Guy
> 
> - - -
> Smith & Wesson - the original point and click interface
> 
-- 


- - - 
Smith & Wesson - the original point and click interface



RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-14 Thread Rick Kingslan
I can second that it's not going to work.  I ran into the same thing with
one of our remote offices (actually, an acquisition) in which I did the
upgrade of their NT 4.0 domain to a new tree in our forest (namespace
requirement - otherwise I'd have put them in our corporate domain).  Well,
the dumba$$ admin down there took both of the 2K DCs offline after I had
left "to clean up some issues..." (This is a prime example of why you NEVER
let anyone except the most trusted have the keys to the DCs... as to WHAT
issues...never have gotten a good explanation).
 
The only DC left was the one BDC that we had left for 'emergency purposes'
and was due to be retired within 48 hrs.
 
Well, guess what?  No one could authenticate - except for the Windows NT 4.0
and other legacy clients that they still had.  All 2K and up - fo' get about
it.
 
So, to that - I agree with Joe.  Forget the BDC and do a clean install for a
second 2k DC.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, February 14, 2004 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.


Me neither, spin up a secondary DC.
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Saturday, February 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: SV: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.


Joe,
With several tests with logons I have come to the conclusion that you
described.
Once the W2kclient was authenticated by the DC, it doesn't try to look for
the BDC.
I will try to install a DNS on the BDC as a secondary server but I don't
think that'll work.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 2004-02-14 03:09 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.



It has been several years since I have played with NT and 2K DCs side by
side but I seem to recall that once a W2K client finds a W2K Server it won't
go back and use an NT4 server. I.E. No failback. That may not be the case
anymore with the various SP's as my experiences were SP0 but worth checking.

Also I would verify DNS, W2K prefers to use DNS to find DCs and the NT4 BDC
would not have the proper records registered.

You could have a really great idea of what was happening with a network
trace.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Friday, February 13, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

I'm preparing an upgrade of a NT domain to a W2k domain.

The scenario:

I have one NT PDC and one NT BDC in my domain TEST.
In the TEST domain I have one W2kclient. Everything works great.

I upgrade the PDC to W2k DC and with the upgrade I also install DNS on the
DC and name the domain TEST.LOCAL Everything works great and I can login to
TEST.LOCAL with the W2kclient.

But,
When the DC is down and only the old NT BDC is up, I cannot login to the
domain.
I get the classic error:
The system cannot log you on to this domain because the system's computer
account in its primary domain is missing or the password on that account is
incorrect.

When I look in the event viewer the synchronization works between the DC and
the BDC.
With both DC and BDC I can see the W2kclient computer account in server
manager.
But with the DC down I only see the two servers in server manager.

Why is the account missing when the DC is down?
Probably I have missed something in the upgrade process but I cannot figure
out what.
I have tried this twice now with the same result.

Any suggestions?

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-14 Thread Roger Seielstad
That was indeed an issue with gold code, but I believe SP1 fixed that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 13, 2004 9:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC 
> when DC is down.
> 
> 
> It has been several years since I have played with NT and 2K 
> DCs side by
> side but I seem to recall that once a W2K client finds a W2K 
> Server it won't
> go back and use an NT4 server. I.E. No failback. That may not 
> be the case
> anymore with the various SP's as my experiences were SP0 but 
> worth checking.
> 
> Also I would verify DNS, W2K prefers to use DNS to find DCs 
> and the NT4 BDC
> would not have the proper records registered.
> 
> You could have a really great idea of what was happening with 
> a network
> trace. 
> 
>joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Niklas Wikander
> Sent: Friday, February 13, 2004 1:11 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.
> 
> I'm preparing an upgrade of a NT domain to a W2k domain.
>  
> The scenario:
>  
> I have one NT PDC and one NT BDC in my domain TEST.
> In the TEST domain I have one W2kclient. Everything works great.
>  
> I upgrade the PDC to W2k DC and with the upgrade I also 
> install DNS on the
> DC and name the domain TEST.LOCAL Everything works great and 
> I can login to
> TEST.LOCAL with the W2kclient.
>  
> But,
> When the DC is down and only the old NT BDC is up, I cannot 
> login to the
> domain.
> I get the classic error:
> The system cannot log you on to this domain because the 
> system's computer
> account in its primary domain is missing or the password on 
> that account is
> incorrect.
>  
> When I look in the event viewer the synchronization works 
> between the DC and
> the BDC.
> With both DC and BDC I can see the W2kclient computer account 
> in server
> manager.
> But with the DC down I only see the two servers in server manager.
>  
> Why is the account missing when the DC is down?
> Probably I have missed something in the upgrade process but I 
> cannot figure
> out what.
> I have tried this twice now with the same result.
>  
> Any suggestions?

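Joe's point that a W2K client locates DCs through DNS, and that an NT4 BDC registers none of the records it looks for, can be checked against the zone directly. The following is an added example (not code from the thread or from Microsoft) using a constructed zone for the TEST.LOCAL domain in Niklas's scenario: it parses the SRV records, lists which DCs a client could find, and reports which locator records each expected DC lacks.

```python
"""Audit the DNS SRV records a Windows 2000 DC registers for the DC locator.
Added example for the thread above, not code from the list or from Microsoft.
ZONE is constructed; record names follow the _msdcs naming the Windows 2000
locator queries, with site-specific records left out."""
import re
from collections import defaultdict

# Constructed zone for TEST.LOCAL after the PDC upgrade: the upgraded DC (dc1)
# registered locator records; the NT4 BDC (bdc1) has only an A record, since
# an NT4 BDC never registers SRV records.
ZONE = """\
_ldap._tcp.test.local.               600 IN SRV 0 100 389 dc1.test.local.
_ldap._tcp.dc._msdcs.test.local.     600 IN SRV 0 100 389 dc1.test.local.
_kerberos._tcp.dc._msdcs.test.local. 600 IN SRV 0 100 88  dc1.test.local.
_kerberos._tcp.test.local.           600 IN SRV 0 100 88  dc1.test.local.
_kpasswd._tcp.test.local.            600 IN SRV 0 100 464 dc1.test.local.
dc1.test.local.                      600 IN A   10.0.0.1
bdc1.test.local.                     600 IN A   10.0.0.2
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

# Locator records every Windows 2000 DC registers (non-site-specific subset).
REQUIRED = ("_ldap._tcp.{d}.", "_ldap._tcp.dc._msdcs.{d}.",
            "_kerberos._tcp.dc._msdcs.{d}.", "_kerberos._tcp.{d}.",
            "_kpasswd._tcp.{d}.")

def parse_srv(zone_text):
    """Map owner name -> list of (priority, weight, port, target) for SRV lines."""
    recs = defaultdict(list)
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            recs[owner.lower()].append((int(prio), int(weight), int(port), target.lower()))
    return recs

def locatable_dcs(recs, domain):
    """DCs a Windows 2000 client can find: targets of _ldap._tcp.dc._msdcs, lowest
    RFC 2782 priority first (weight is for random choice within a priority)."""
    rrs = sorted(recs.get(f"_ldap._tcp.dc._msdcs.{domain.lower()}.", []))
    return [target for _, _, _, target in rrs]

def audit(recs, domain, expected_dcs):
    """For each host that should be a DC, list the locator records not pointing
    at it. A host missing all of them (the NT4 BDC) is invisible to DNS clients."""
    d = domain.lower()
    report = {}
    for dc in expected_dcs:
        dc = dc.lower()
        report[dc] = [n.format(d=d) for n in REQUIRED
                      if not any(t == dc for _, _, _, t in recs.get(n.format(d=d), []))]
    return report

if __name__ == "__main__":
    recs = parse_srv(ZONE)
    print("locatable via DNS:", locatable_dcs(recs, "TEST.LOCAL"))
    for host, missing in audit(recs, "TEST.LOCAL", ["dc1.test.local.", "bdc1.test.local."]).items():
        print(host, "missing:", missing or "nothing")
```

Run against a real zone export, the same audit shows at a glance whether a second W2K DC has registered everything before the first one is taken down.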

RE: [ActiveDir] Domain Naming Server FSOM

2004-02-14 Thread joe
Yes, once traffic is encrypted things are messy as well as any RPC traffic.

Kerberos and DNS and LDAP calls which should comprise the majority of the
troubleshooting around DCs are all relatively nice and "easy" to
troubleshoot with Network traces.

Once you have narrowed the scope of the problem, then a dive into KBs could
very well be required. But at least the scope of the search has been so
reduced that you don't start with "it could be anything". 

If MS would release a nice RPC parser for netmon that would be a great thing
to have as then almost everything you do off of a machine that wasn't
otherwise encrypted could fairly easily be translated and worked out. 

Quite seriously, we use netmon traces at least once every two weeks to knock
down an issue. It usually ends up finding configuration issues or DNS/DHCP
servers not responding properly (again generally configuration issues), etc.
Sometimes it discovers that a problem isn't really a problem, it is some
worm/virus that we didn't previously know about and the scanners aren't
catching. 

Also in general network traces are a good thing to do to gauge the health of
your network as most networks are wide open and people can set up anything
they want. I have seen sites running IPX for instance and when I reported it
to them to ask why they end up finding people running gaming systems that
were eating up considerable bandwidth. You find network devices that
misbehave and for some reason keep sending out broadcasts or multicasts or
arping a lot. You can find machines that have malware installed on them as
the machines broadcast to resolve various names they shouldn't be trying to
resolve. 

It is good to watch your network packets occasionally because that is one of
the first places a bad guy is going to go look as well. What secrets are you
giving away unknowingly?

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Saturday, February 14, 2004 3:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Naming Server FSOM

It's certainly a good suggestion, Joe.  The only thing I would say is that
network traces are not (at least in my experience) self-evident.  Generally
you can work out part of the picture, but much of it involves referring to
KBs and Whitepapers and some of it is just plain guess work.  It gets even
further complicated the more applications you have accessing AD.  And then
there's encrypted traffic to take into consideration.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 14 February 2004 03:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Naming Server FSOM

This is an excellent case to do a network trace. People may be getting sick
of me saying this but it cuts out all of the guesswork of the other 15 or so
posts. Slap the server on a shared hub or plug into your mirror port and do
a trace of the logon while the other DC is down or rebooting or whatever
case you find causes the slowness. You will most likely see requests
directed to this server and you have to then just figure out what kind of
requests they are and why they would be going to that server. Much better
than trying to guess around what kind of configuration you have. You could
possibly find it with this guessing but generally that involves changing
things until it works which is always bad news. 

Get a trace, tell us what kind of traffic is going to that rebooting box and
not being responded to. 

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 11, 2004 1:14 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Domain Naming Server FSOM

I have noticed that logons take an enormous amount of time on non DC
Windows 2000 Servers if the Server running the Domain Naming Master is
rebooting.  Why is this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]  


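Joe's list of what a routine trace turns up (broadcast and ARP floods, stray IPX, hosts resolving names they should not) can be scripted as a first-pass triage over a trace summary. This is an added example, not from the thread; the trace lines, hosts and names are constructed, and the "known names" set is hypothetical.

```python
"""Triage a packet-trace summary for what joe describes: hosts flooding the wire
with broadcasts or ARP, a protocol nobody should be running (IPX), and hosts
resolving names they have no business resolving. Added example, not from the
thread; TRACE is constructed as 'time src dst proto info' lines, not a Netmon
export, and the host and name values are hypothetical."""
from collections import Counter, defaultdict

TRACE = """\
0.001 10.0.0.5 255.255.255.255 NBNS Name query NB FILESRV<20>
0.002 10.0.0.5 255.255.255.255 NBNS Name query NB PRINTSRV<20>
0.010 10.0.0.9 255.255.255.255 NBNS Name query NB FILESRV<20>
0.011 10.0.0.9 255.255.255.255 NBNS Name query NB RANDOM-HOST-17<00>
0.012 10.0.0.9 255.255.255.255 NBNS Name query NB RANDOM-HOST-42<00>
0.020 10.0.0.7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.1? Tell 10.0.0.7
0.021 10.0.0.7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.2? Tell 10.0.0.7
0.022 10.0.0.7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.3? Tell 10.0.0.7
0.030 10.0.0.12 10.0.0.1 DNS Standard query SRV _ldap._tcp.dc._msdcs.test.local
0.040 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff IPX SAP general service query
"""

KNOWN_NAMES = {"FILESRV", "PRINTSRV"}   # names hosts here are expected to resolve
BROADCAST_DSTS = {"255.255.255.255", "ff:ff:ff:ff:ff:ff"}
UNEXPECTED_PROTOS = {"IPX"}             # joe's example of something nobody approved

def parse_trace(text):
    """Split each summary line into (src, dst, proto, info); the time is dropped."""
    frames = []
    for line in text.splitlines():
        _, src, dst, proto, info = line.split(maxsplit=4)
        frames.append((src, dst, proto, info))
    return frames

def broadcast_counts(frames):
    """Broadcast frames per source; an ARP sweep or NBNS chatterbox stands out."""
    return Counter(src for src, dst, _, _ in frames if dst in BROADCAST_DSTS)

def unexpected_names(frames):
    """NetBIOS names each host tried to resolve that are not in KNOWN_NAMES."""
    hits = defaultdict(set)
    for src, _, proto, info in frames:
        if proto == "NBNS" and "Name query NB " in info:
            name = info.split("Name query NB ", 1)[1].split("<", 1)[0]
            if name not in KNOWN_NAMES:
                hits[src].add(name)
    return dict(hits)

def triage(frames, broadcast_threshold=3):
    """Hosts worth a closer look, each with the reasons it was flagged."""
    findings = defaultdict(list)
    for src, n in broadcast_counts(frames).items():
        if n >= broadcast_threshold:
            findings[src].append(f"{n} broadcasts")
    for src, names in unexpected_names(frames).items():
        findings[src].append("resolving " + ", ".join(sorted(names)))
    for src, _, proto, _ in frames:
        if proto in UNEXPECTED_PROTOS and "unexpected protocol" not in findings[src]:
            findings[src].append("unexpected protocol")
    return dict(findings)
```

The threshold and the known-name set are the tuning knobs; a first pass over a real capture is mostly about growing KNOWN_NAMES until only the genuinely odd hosts remain.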

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-14 Thread joe
Me neither, spin up a secondary DC.
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Saturday, February 14, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: SV: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.


Joe,
With several tests with logons I have come to the conclusion that you
described.
Once the W2kclient was authenticated by the DC, it doesn't try to look for
the BDC.
I will try to install a DNS on the BDC as a secondary server but I don't
think that'll work.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 2004-02-14 03:09 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.



It has been several years since I have played with NT and 2K DCs side by
side but I seem to recall that once a W2K client finds a W2K Server it won't
go back and use an NT4 server. I.E. No failback. That may not be the case
anymore with the various SP's as my experiences were SP0 but worth checking.

Also I would verify DNS, W2K prefers to use DNS to find DCs and the NT4 BDC
would not have the proper records registered.

You could have a really great idea of what was happening with a network
trace.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Friday, February 13, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

I'm preparing an upgrade of a NT domain to a W2k domain.

The scenario:

I have one NT PDC and one NT BDC in my domain TEST.
In the TEST domain I have one W2kclient. Everything works great.

I upgrade the PDC to W2k DC and with the upgrade I also install DNS on the
DC and name the domain TEST.LOCAL Everything works great and I can login to
TEST.LOCAL with the W2kclient.

But,
When the DC is down and only the old NT BDC is up, I cannot login to the
domain.
I get the classic error:
The system cannot log you on to this domain because the system's computer
account in its primary domain is missing or the password on that account is
incorrect.

When I look in the event viewer the synchronization works between the DC and
the BDC.
With both DC and BDC I can see the W2kclient computer account in server
manager.
But with the DC down I only see the two servers in server manager.

Why is the account missing when the DC is down?
Probably I have missed something in the upgrade process but I cannot figure
out what.
I have tried this twice now with the same result.

Any suggestions?