RE: [ActiveDir] Syskey and AD

2004-11-17 Thread Grillenmeier, Guido



fully agree
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Thursday, November 18, 2004 1:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD


Sorry, but except for a backup during a migration or the like, of what use is a DC if it's not running?  ;)  I had an NT4.0 domain with SYSKEY enabled.  When our network security folks needed to test accounts for password strength using l0phtcrack we had to use rdisk to provide them a copy of the unencrypted sam that they could then run l0phtcrack against.  That led me to believe that just because the DC is running, the sam isn't automatically decrypted.
 
I'm not saying that encrypting the sam isn't a good idea.  I'm saying that it isn't the end-all be-all of security.  As you said, Guido, reboot to an alternate OS like Nordahl's disk does.  Or string together one of the myriad of vulnerabilities of the Windows platform to gain access to an admin session or use an elevated-privileges attack from a client and then use rdisk remotely in an NT 4.0 environment, take the unencrypted sam offline and crack it at will and come back in with a legitimate account.  Heck, if it's an NT4.0 environment, Exchange 5.5 is probably used and Exchange is nice enough to cache the Exchange Service account and password unencrypted in the registry of systems with the Exchange Console installed.  And if anyone doubts either, I had a white hat team do both to me.
 
I think everyone realizes that security nowadays isn't a case of keeping someone determined out indefinitely, but out long enough to find out they are there and catch/stop them.
 
 
Dave

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, November 17, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD
 

 
that's only valid when the machine is running (and thus the SAM is decrypted) and you already have admin access to it.  In the case of "only" having physical access but no account, you'd not have this option and thus you'd reboot the machine to start up another OS or do something similar to get at the SAM - in this case it would still be encrypted with the locally stored key.  Storing that key offline would add your extra protection with all the hassles involved with mgmt of that offline key and handling the boot process.
 
For companies with very high security requirements that still need to put DCs in "unsafe" locations for various reasons, storing the key offline may be a valid option to further secure the DC (or any other server as a matter of fact). If you have the right server HW, you should be able to create disk images for each machine containing that key and if the server has something like an ILO board you can remotely mount that image during boot time.  Still a lot of stuff to manage, but all possible remotely.
 
/Guido
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
Even with SYSKEY enabled on a NT DC the sam can still be cracked with l0phtcrack or the other tools.  Just making a recovery disk with the /r (I believe) option would export a readable copy of the sam.  We would have to do it for our security folks to test password strength every so often.

Honestly, I don't believe it matters what version of the Windows OS you use.  If you have physical access to the system, you win.
 
Dave 

 

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
 
I would suggest the Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted with a locally stored key by default. The Syskey process allows you to store that key on a separate floppy disk, thus adding an extra layer of security. In the NT SAM, the encryption is not on by default but can be added with Syskey as an optional extra so I reckon this makes the 2003 SAM more secure.

If you have ever used l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all your passwords (even if it does require an admin account to run).
 
I accept that one of the golden rules of security is that if the bad guy has physical access to your machine it's not your machine any more but a 128bit encryption key will take some time to cra
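
The three SYSKEY modes the thread argues about, and why Guido's "locally stored key" (mode 1) does not survive an offline read of the disk, as an added example; this is not code from any of the posts above. The registry locations and the byte permutation are the documented Windows ones used by every offline SAM tool; the four class-name strings in SAMPLE_CLASS_NAMES are constructed for the example, not taken from a real hive. Only the boot key is derived here; decrypting the per-account hashes from the SAM is a further step not shown.

```python
"""SYSKEY mode lookup and mode-1 boot-key reassembly (added example).
Registry paths are the documented Windows ones; SAMPLE_CLASS_NAMES is a
constructed input, not data from any machine discussed in the thread."""
import binascii
from typing import Mapping

# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot (REG_DWORD)
SYSKEY_MODES = {
    1: "key stored in the local registry (the default; recoverable from a copy of the SYSTEM hive)",
    2: "key derived from a password typed at boot",
    3: "key stored on a floppy read at boot (the offline-key option)",
}

# In mode 1 the 128-bit boot key is hidden in the *class names* (not the
# values) of these four subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# each an 8-character hex string, concatenated and then byte-permuted with
# a fixed table.
BOOTKEY_SUBKEYS = ("JD", "Skew1", "GBG", "Data")
BOOTKEY_PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)


def describe_mode(secure_boot: int) -> str:
    """Translate the SecureBoot DWORD into the protection it actually gives."""
    if secure_boot not in SYSKEY_MODES:
        raise ValueError(f"unknown SecureBoot mode {secure_boot}")
    return SYSKEY_MODES[secure_boot]


def needs_boot_time_secret(secure_boot: int) -> bool:
    """Modes 2 and 3 keep the key off the disk; only they stop an offline read."""
    describe_mode(secure_boot)          # validate the mode first
    return secure_boot in (2, 3)


def derive_bootkey(class_names: Mapping[str, str]) -> bytes:
    """Reassemble the mode-1 boot key from the four class names.
    This is what an offline tool does against a SYSTEM hive copied after
    booting another OS, which is why mode 1 only defeats casual copying of
    the SAM file and not an attacker holding the whole disk."""
    hexstr = "".join(class_names[k] for k in BOOTKEY_SUBKEYS)
    if len(hexstr) != 32:
        raise ValueError("expected four 8-character hex class names")
    scrambled = binascii.unhexlify(hexstr)
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample; a real hive holds random-looking values.
SAMPLE_CLASS_NAMES = {"JD": "00112233", "Skew1": "44556677",
                      "GBG": "8899aabb", "Data": "ccddeeff"}

if __name__ == "__main__":
    print("mode 1:", describe_mode(1))
    print("boot key:", derive_bootkey(SAMPLE_CLASS_NAMES).hex())
```

On a live box the mode is visible with `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v SecureBoot`; a value of 1 is the default that Simon describes as "encrypted with a locally stored key", and 3 is the floppy option he and Guido discuss as the extra layer.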

RE: [ActiveDir] Master Browser

2004-11-17 Thread Charlie Kaiser
The attorney is usually the cheapest part of the deal... Spoken from
experience... :-)
Get them to pay the settlement instead. 

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Wednesday, November 17, 2004 8:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> The next corporate relocation requires my employer to include 
> payment for a
> divorce attorney.
> 
> 
> Roger Seielstad
> E-mail Geek & MS-MVP  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Charlie Kaiser
> > Sent: Wednesday, November 17, 2004 8:52 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > I dunno; one more move and Allison might have put out a 
> > contract on you...
> > :-)
> > 
> > **
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **
> >  
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Wednesday, November 17, 2004 8:45 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > As opposed to my previous employer. I'm done moving for a 
> > while. The 
> > > last 5 months made me feel like I was in the witness protection 
> > > program, minus the mob.
> > > 
> > > 
> > > Roger Seielstad
> > > E-mail Geek & MS-MVP
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > > Sent: Wednesday, November 17, 2004 7:38 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > Your current employer? That makes it sound like you are 
> ready to 
> > > > jump to some other employer Rog.
> > > > 
> > > >   joe
> > > > 
> > > >  
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > > Seielstad
> > > > Sent: Wednesday, November 17, 2004 12:23 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > You are correct - its all about enumerating NetBIOS shares.
> > > > 
> > > > My current employer rather likes personal shares - rather 
> > there's no 
> > > > resistance to having them.
> > > > 
> > > > 
> > > > Roger Seielstad
> > > > E-mail Geek & MS-MVP
> > > > 
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Noah Eiger
> > > > > Sent: Monday, November 15, 2004 11:00 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Master Browser
> > > > > 
> > > > > So, really the only thing this service does is allow
> > > users to click
> > > > > through the Network Neighborhood (or its successors).
> > > > > Is it correct that it does not prevent users from finding
> > > > devices from
> > > > > the run line or (obviously) from mapped drives?
> > > > > 
> > > > > As for publishing shares from workstations ... (zoinks!)
> > > > you may have
> > > > > bigger fish to fry!  ;-)
> > > > > 
> > > > > -- nme
> > > > > 
> > > > > -Original Message-
> > > > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, November 15, 2004 10:13 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Master Browser
> > > > > 
> > > > > I personally favor disabling it on all workstation machines. 
> > > > > There's little harm in leaving it running on servers,
> > > even non DC's.
> > > > > 
> > > > > The big question is whether or not its needed - are the
> > > browse list
> > > > > issues relevant enough to fix. In other words, is there a
> > > > minor change
> > > > > to usage that would eliminate the issue entirely? The
> > > biggest place
> > > > > I'd expect to see this is if users are publishing shares
> > > from their
> > > > > own machines.
> > > > > 
> > > > > 
> > > > > Roger Seielstad
> > > > > E-mail Geek & MS-MVP
> > > > > 
> > > > > > -Original Message-
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > Tyson Leslie
> > > > > > Sent: Monday, November 15, 2004 4:47 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: RE: [ActiveDir] Master Browser
> > > > > > 
> > > > > > Do you still suggest turning it off on all servers and
> > > > workstations
> > > > > > (as per
> > > > > > your KB article), even in an all W2K or better 
> environment?   
> > > > > > We have done
> > > > > > so (via group policy) for quite some time, but recently
> > > ended up
> > > > > > having to defend this decision to an admin in one of 
> > our other 
> > > > > > offices, because he was enco

RE: [ActiveDir] Master Browser

2004-11-17 Thread Roger Seielstad
The next corporate relocation requires my employer to include payment for a
divorce attorney.


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Wednesday, November 17, 2004 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> I dunno; one more move and Allison might have put out a 
> contract on you...
> :-)
> 
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > Seielstad
> > Sent: Wednesday, November 17, 2004 8:45 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > As opposed to my previous employer. I'm done moving for a 
> while. The 
> > last 5 months made me feel like I was in the witness protection 
> > program, minus the mob.
> > 
> > 
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > Sent: Wednesday, November 17, 2004 7:38 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > Your current employer? That makes it sound like you are ready to 
> > > jump to some other employer Rog.
> > > 
> > >   joe
> > > 
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Wednesday, November 17, 2004 12:23 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > You are correct - its all about enumerating NetBIOS shares.
> > > 
> > > My current employer rather likes personal shares - rather 
> there's no 
> > > resistance to having them.
> > > 
> > > 
> > > Roger Seielstad
> > > E-mail Geek & MS-MVP
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Noah Eiger
> > > > Sent: Monday, November 15, 2004 11:00 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > So, really the only thing this service does is allow
> > users to click
> > > > through the Network Neighborhood (or its successors).
> > > > Is it correct that it does not prevent users from finding
> > > devices from
> > > > the run line or (obviously) from mapped drives?
> > > > 
> > > > As for publishing shares from workstations ... (zoinks!)
> > > you may have
> > > > bigger fish to fry!  ;-)
> > > > 
> > > > -- nme
> > > > 
> > > > -Original Message-
> > > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, November 15, 2004 10:13 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > I personally favor disabling it on all workstation machines. 
> > > > There's little harm in leaving it running on servers,
> > even non DC's.
> > > > 
> > > > The big question is whether or not its needed - are the
> > browse list
> > > > issues relevant enough to fix. In other words, is there a
> > > minor change
> > > > to usage that would eliminate the issue entirely? The
> > biggest place
> > > > I'd expect to see this is if users are publishing shares
> > from their
> > > > own machines.
> > > > 
> > > > 
> > > > Roger Seielstad
> > > > E-mail Geek & MS-MVP
> > > > 
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Tyson Leslie
> > > > > Sent: Monday, November 15, 2004 4:47 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Master Browser
> > > > > 
> > > > > Do you still suggest turning it off on all servers and
> > > workstations
> > > > > (as per
> > > > > your KB article), even in an all W2K or better environment?   
> > > > > We have done
> > > > > so (via group policy) for quite some time, but recently
> > ended up
> > > > > having to defend this decision to an admin in one of 
> our other 
> > > > > offices, because he was encountering browse list issues in
> > > > his domain.  
> > > > > (We have left it running on the Domain Controllers only.)
> > > > > 
> > > > >   Tyson.
> > > > > 
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> > > > > Sent: Monday, November 15, 2004 10:46 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: [ActiveDir] Master Browser
> > > > > 
> > > > > Turning off the service is a *much* better approach 
> and doesn't 
> > > > > generate any errors in the EventLog.
> > > > > 
> > > > > 
> > > > > 
> > > > > - ASB
> > > > >   Cheap, Fast, Secure -- Pick Any TWO.
> > > > >   http://www.ultratech-llc.com/KB/
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > On Mon, 15 Nov 2004 1

RE: [ActiveDir] Master Browser

2004-11-17 Thread Charlie Kaiser
I dunno; one more move and Allison might have put out a contract on
you...
:-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Wednesday, November 17, 2004 8:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> As opposed to my previous employer. I'm done moving for a 
> while. The last 5
> months made me feel like I was in the witness protection 
> program, minus the
> mob.
> 
> 
> Roger Seielstad
> E-mail Geek & MS-MVP  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Wednesday, November 17, 2004 7:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > Your current employer? That makes it sound like you are ready 
> > to jump to some other employer Rog. 
> > 
> >   joe
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Roger Seielstad
> > Sent: Wednesday, November 17, 2004 12:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > You are correct - its all about enumerating NetBIOS shares.
> > 
> > My current employer rather likes personal shares - rather 
> > there's no resistance to having them. 
> > 
> > 
> > Roger Seielstad
> > E-mail Geek & MS-MVP  
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Noah Eiger
> > > Sent: Monday, November 15, 2004 11:00 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > So, really the only thing this service does is allow 
> users to click 
> > > through the Network Neighborhood (or its successors).
> > > Is it correct that it does not prevent users from finding 
> > devices from 
> > > the run line or (obviously) from mapped drives?
> > > 
> > > As for publishing shares from workstations ... (zoinks!) 
> > you may have 
> > > bigger fish to fry!  ;-)
> > > 
> > > -- nme
> > > 
> > > -Original Message-
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, November 15, 2004 10:13 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > I personally favor disabling it on all workstation machines. 
> > > There's little harm in leaving it running on servers, 
> even non DC's.
> > > 
> > > The big question is whether or not its needed - are the 
> browse list 
> > > issues relevant enough to fix. In other words, is there a 
> > minor change 
> > > to usage that would eliminate the issue entirely? The 
> biggest place 
> > > I'd expect to see this is if users are publishing shares 
> from their 
> > > own machines.
> > > 
> > > 
> > > Roger Seielstad
> > > E-mail Geek & MS-MVP
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Tyson Leslie
> > > > Sent: Monday, November 15, 2004 4:47 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > Do you still suggest turning it off on all servers and 
> > workstations 
> > > > (as per
> > > > your KB article), even in an all W2K or better environment?   
> > > > We have done
> > > > so (via group policy) for quite some time, but recently 
> ended up 
> > > > having to defend this decision to an admin in one of our other 
> > > > offices, because he was encountering browse list issues in
> > > his domain.  
> > > > (We have left it running on the Domain Controllers only.)
> > > > 
> > > > Tyson.
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> > > > Sent: Monday, November 15, 2004 10:46 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] Master Browser
> > > > 
> > > > Turning off the service is a *much* better approach and doesn't 
> > > > generate any errors in the EventLog.
> > > > 
> > > > 
> > > > 
> > > > - ASB
> > > >   Cheap, Fast, Secure -- Pick Any TWO.
> > > >   http://www.ultratech-llc.com/KB/
> > > > 
> > > >  
> > > > 
> > > > 
> > > > On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino 
> > <[EMAIL PROTECTED]>
> > > > wrote:
> > > > > 
> > > > > 
> > > > > 
> > > > > I wouldn't turn off the service - -I would ( and do) 
> go into the 
> > > > > registry and tell the box it is NOT a Master Browser 
> and NOT to 
> > > > > maintain a list
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf 
> Of Adams, 
> > > > > Kenneth W
> > > > > (Ken)
> > > > > Sent: Monday, November 15, 2004 12:16 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Master Browser
>

RE: [ActiveDir] Master Browser

2004-11-17 Thread Roger Seielstad
As opposed to my previous employer. I'm done moving for a while. The last 5
months made me feel like I was in the witness protection program, minus the
mob.


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, November 17, 2004 7:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> Your current employer? That makes it sound like you are ready 
> to jump to some other employer Rog. 
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Wednesday, November 17, 2004 12:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> You are correct - its all about enumerating NetBIOS shares.
> 
> My current employer rather likes personal shares - rather 
> there's no resistance to having them. 
> 
> 
> Roger Seielstad
> E-mail Geek & MS-MVP  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> > Sent: Monday, November 15, 2004 11:00 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > So, really the only thing this service does is allow users to click 
> > through the Network Neighborhood (or its successors).
> > Is it correct that it does not prevent users from finding 
> devices from 
> > the run line or (obviously) from mapped drives?
> > 
> > As for publishing shares from workstations ... (zoinks!) 
> you may have 
> > bigger fish to fry!  ;-)
> > 
> > -- nme
> > 
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 15, 2004 10:13 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > I personally favor disabling it on all workstation machines. 
> > There's little harm in leaving it running on servers, even non DC's.
> > 
> > The big question is whether or not its needed - are the browse list 
> > issues relevant enough to fix. In other words, is there a 
> minor change 
> > to usage that would eliminate the issue entirely? The biggest place 
> > I'd expect to see this is if users are publishing shares from their 
> > own machines.
> > 
> > 
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Tyson Leslie
> > > Sent: Monday, November 15, 2004 4:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > Do you still suggest turning it off on all servers and 
> workstations 
> > > (as per
> > > your KB article), even in an all W2K or better environment?   
> > > We have done
> > > so (via group policy) for quite some time, but recently ended up 
> > > having to defend this decision to an admin in one of our other 
> > > offices, because he was encountering browse list issues in
> > his domain.  
> > > (We have left it running on the Domain Controllers only.)
> > > 
> > >   Tyson.
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Monday, November 15, 2004 10:46 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Master Browser
> > > 
> > > Turning off the service is a *much* better approach and doesn't 
> > > generate any errors in the EventLog.
> > > 
> > > 
> > > 
> > > - ASB
> > >   Cheap, Fast, Secure -- Pick Any TWO.
> > >   http://www.ultratech-llc.com/KB/
> > > 
> > >  
> > > 
> > > 
> > > On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino 
> <[EMAIL PROTECTED]>
> > > wrote:
> > > > 
> > > > 
> > > > 
> > > > I wouldn't turn off the service - -I would ( and do) go into the 
> > > > registry and tell the box it is NOT a Master Browser and NOT to 
> > > > maintain a list
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Adams, 
> > > > Kenneth W
> > > > (Ken)
> > > > Sent: Monday, November 15, 2004 12:16 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > To stop this error message, you will need to turn off the
> > Computer
> > > > Browser service.  The error message is actually an 
> informational 
> > > > message telling you about the browser status of computer CCDC01.
> > > > 
> > > > Ken Adams
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Jacob Stabl
> > > > Sent: Monday, November 15, 2004 12:01 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] Master Browser
> > > > 
> > > > One of my DC's is returning the following error and I'm not
> > > sure what
> > > > to
> > > do:
> > > > 
> > > >  
> > > > 
> > > > The browser has received a server announ

RE: [ActiveDir] AD integrated DNS

2004-11-17 Thread Roger Seielstad
I think they're dependent more on the existence of and the rate of change of
dynamic registrations. In my previous company, we were about 80% laptops, so
I ran short DHCP leases, short DNS TTLs and scavenged daily. In a more
static environment I'd lengthen those significantly.


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Douglas M. Long
> Sent: Wednesday, November 17, 2004 7:10 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD integrated DNS
> 
> What settings are recommended for 2003 AD integrated DNS?
> 
>   Automatic scavenging? If so, how frequently?
>   Is there a way to automatically clear the cache on the 
> server every night, or do you just have to add a task to task 
> scheduler to do it? Would there be anything wrong with 
> clearing the cache every night?
> The reason I ask is because nslookups were timing out for 
> cnn.com today, and clearing the cache on the DNS server fixed it. 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 



RE: [ActiveDir] DNS Issues

2004-11-17 Thread Roger Seielstad
By default, DNS queries are done over UDP. UDP is stateless - and therefore
there is no automatic reverse allow created by firewalls. So what's
happening is that you're probably failing the UDP request because the
response can't come back in to the DNS server, at which point your DNS
servers fail over to TCP and more often than not are able to complete the
lookups.

Now - I also know some people block all TCP traffic to their DNS servers so
if your DNS servers can't do UDP, you can't resolve from their servers.


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rimmerman, Russ
> Sent: Wednesday, November 17, 2004 5:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> 
> Our Win2k DNS servers are on our internal network.  I have a 
> rule allowing
> 53 tcp and 53 udp outbound to the Internet.  I don't have any 
> other rules for DNS.  Why do I need to create an inbound 
> rule?  Aren't the DNS servers doing all the lookups outbound? 
>  What would initiate a connection inbound to our DNS servers 
> from the outside? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Tuesday, November 16, 2004 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> TCP shouldn't be an issue - since most firewalls will do some 
> sort of state management for those connects.
> 
> My money's on the fact there ISN'T an an inbound firewall 
> rule allowing
> UDP/53 to his DNS servers and tangental to that the fact that 
> there is no static NAT enabled for the DNS servers internally.
> 
> In other words, create a static NAT rule for the DNS servers 
> with root hints enabled, and enable UDP/53 inbound to those 
> hosts. DNS starts working again
> - this time consistently.
> 
> The reason for inconsistency is most likely caused by the 
> fact some resolutions will fall over to TCP, due to response 
> size and some less regular occurances.
> 
> 
> Roger Seielstad
> E-mail Geek & MS-MVP  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, November 16, 2004 7:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > TCP or UDP through the firewall?
> > 
> > What have you done to troubleshoot?  Logs?  ?? 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> > Russ
> > Sent: Tuesday, November 16, 2004 8:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > Yes, all DNS is working fine except for some rare instances of 
> > hostnames we've run into.  Last week we couldn't get to ftp.nai.com 
> > but now we can.
> > All our workstations are pointed to our child DCs for DNS.  
> > They are set to forward to our empty root DCs, and the 
> empty root DCs 
> > have the root-hints, and the firewall allows them out port 53.
> > 
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> > Rutherford
> > Sent: Tuesday, November 16, 2004 7:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > 
> > 
> > I'd advise using forwarding for the functions you require.
> > 
> >  
> > 
> > It may seem stupid... but I take it the DNS server/s have 
> appropriate 
> > rules in your firewall/s?
> > 
> >  
> > 
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> > Russ
> > Sent: 16 November 2004 13:48
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DNS Issues
> > 
> >  
> > 
> > Since changing our DNS design from forwarding to our old firewall 
> > which had root-hints built into it, to forwarding our DNS 
> to our empty 
> > forest root domain controllers with the root-hints on them, 
> we are not 
> > getting all our DNS lookups.
> > 
> >  
> > 
> > For example, http://www.volksbanksalzburg.at right now is not 
> > resolving for us.  Yet if we RDP into one of our home PCs, 
> it resolves 
> > fine.  So my question is, is there anything weird about 
> Windows 2000 
> > root-hints or DNS servers that would cause us to not be 
> able to look 
> > up some hostnames properly in DNS?
> > Or what would cause this issue?
> > 
> > 
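
The UDP-then-TCP behaviour Roger describes, as an added example that is not part of any message in this thread: a minimal query builder, a constructed server reply (the replies are built locally, not captured from anyone's resolver), and the check a resolver performs before switching transports. The point a practitioner wants to verify first is that the TCP retry is driven by the TC (truncated) bit in a reply that actually arrived; a reply that never comes back, which is what a firewall dropping the inbound UDP/53 datagram produces, is a timeout, and resolvers answer a timeout with a UDP retry, not a TCP connection. So if a capture shows no reply at all rather than a TC=1 reply, the missing UDP state or inbound rule is the thing to fix.

```python
"""UDP-first DNS with TCP fallback on truncation (added example).
The query builder is minimal (one question, no EDNS) and the server replies
are constructed here, not captured from any real resolver."""
import struct
from typing import List, Optional

QR = 0x8000    # header flag: this message is a response
TC = 0x0200    # header flag: response was truncated to fit the UDP limit
RD = 0x0100    # header flag: recursion desired
RA = 0x0080    # header flag: recursion available
UDP_MAX = 512  # classic UDP payload limit without EDNS (RFC 1035 2.3.4)


def encode_name(name: str) -> bytes:
    """Length-prefixed labels: 'www.example.com' -> 3www 7example 3com 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Recursive query with one question; qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def make_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed server reply that echoes the question section.
    A truncated reply carries TC=1 and no answer records, which is what a
    server sends when the full answer would not fit in UDP_MAX bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed by a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(query: bytes, udp_reply: Optional[bytes]) -> bool:
    """True only when a *received* reply to this query has TC set.
    No reply at all (the firewall dropped the inbound datagram) is a
    timeout, not a truncation, and gets a UDP retry instead."""
    if udp_reply is None or len(udp_reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", udp_reply[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return False   # not a response to our query; ignore it
    return bool(flags & TC)


def transport_plan(query: bytes, udp_reply: Optional[bytes]) -> List[str]:
    """The transports a resolver uses for this lookup, in order."""
    plan = ["udp"]
    if needs_tcp_retry(query, udp_reply):
        plan.append("tcp")   # resend tcp_frame(query) over a TCP connection
    return plan


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print("truncated reply:", transport_plan(q, make_reply(q, truncated=True)))
    print("normal reply:   ", transport_plan(q, make_reply(q, truncated=False)))
    print("no reply:       ", transport_plan(q, None))
```

A stateful firewall records the outbound UDP query and admits the matching reply on its own; it is only a firewall without UDP state that needs the explicit inbound UDP/53 allow and static NAT that Roger recommends for the root-hint servers.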

RE: [ActiveDir] Terminal Services licenses

2004-11-17 Thread Rick Kingslan
Yeah, it seems that the current cycle that they're on is either 15 minutes
or 6 months.  In fact, I'm surprised that you've even heard of Longhorn,
Roger

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, November 16, 2004 11:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services licenses

I haven't heard that in at least a week! Then again, the Product Group I
most often work with these days has much shorter release cycles...


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, 
> Rick T.
> Sent: Tuesday, November 16, 2004 8:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Terminal Services licenses
> 
> Yep.  Contact the Microsoft Clearinghouse.  
> 
> Annoying is the least severe term that I'd use, but I try to hold 
> those words...  Mom said it wasn't nice.
> 
> It has caused such a ruckus that MS is looking to change the 
> functionality, but the only question is when and how.
> 
> Seems everything these days is "In the Longhorn timeframe needed function here>"
> 
> Rick
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > [EMAIL PROTECTED] On Behalf Of Chakravarty, Sakti
> > Sent: Monday, November 15, 2004 11:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Terminal Services licenses
> > 
> > Hi all,
> > 
> > We have a number of "per device" licenses that are dished out to
> > computers that connect to our Terminal Servers.  As you may know they
> > have this annoying "feature" that the license is taken from the pool and
> > assigned to a particular device for a random number of days between 52 -
> > 89.
> > 
> > Does anyone know of a way to forcefully revoke these licenses?
> > 
> > Thanks
> > Sakti
> > 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Terminal Services licenses

2004-11-17 Thread Rick Kingslan
You know, I think you *could* get that job with Microsoft.  Until I saw this
response, I doubted it - but you've proven me wrong once again, joe. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services licenses

Thank you. We appreciate your feedback. These are great ideas. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Tuesday, November 16, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services licenses

Yep.  Contact the Microsoft Clearinghouse.  

Annoying is the least severe term that I'd use, but I try to hold those
words...  Mom said it wasn't nice.

It has caused such a ruckus that MS is looking to change the functionality,
but the only question is when and how.

Seems everything these days is "In the Longhorn timeframe"

Rick

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of Chakravarty, Sakti
> Sent: Monday, November 15, 2004 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Terminal Services licenses
> 
> Hi all,
> 
> We have a number of "per device" licenses that are dished out to
> computers that connect to our Terminal Servers.  As you may know they
> have this annoying "feature" that the license is taken from the pool and
> assigned to a particular device for a random number of days between 52 -
> 89.
> 
> Does anyone know of a way to forcefully revoke these licenses?
> 
> Thanks
> Sakti


RE: [ActiveDir] AD integrated DNS

2004-11-17 Thread Douglas M. Long
That is the same thing I thought, but I decided to clear the cache before 
restarting the DNS server service just for kicks, and it remedied the problem. 
Why would a DNS request timeout for cnn.com when it was working on other DNS 
servers? I could understand if it was just returning the wrong address but not 
timing out. And clearing the cache fixed it how? Do DNS records somehow get 
corrupt (in which case clearing the cache fixes the problem by querying 
something farther up the chain again)? Any insight is appreciated, I just hate 
not knowing the cause of a problem. 



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Wed 11/17/2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD integrated DNS



one way of clearing the cache is to restart the DNS service - not sure
if that's really your problem though. Shouldn't really have to remove
records from the cache unless the target ip-address has changed.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, November 17, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD integrated DNS

What settings are recommended for 2003 AD integrated DNS?

Automatic scavenging? If so, how frequently?
Is there a way to automatically clear the cache on the server
every night, or do you just have to add a task to task scheduler to do
it? Would there be anything wrong with clearing the cache every night?
The reason I ask is because nslookups were timing out for cnn.com today,
and clearing the cache on the DNS server fixed it.

[ActiveDir] Forcing SYSVOL from authenticating DC

2004-11-17 Thread David Adner
I remember there's a way (hotfix and/or reg key) to
make clients use the SYSVOL of the authenticating DC
instead of possibly getting a different SYSVOL due to
the behavior of DFS.  I can't find how to do this on
MS's site.  Can anyone point me at the information? 
This is for 2003.

TTIA



RE: [ActiveDir] Syskey and AD

2004-11-17 Thread joe
All you need to do is boot up in a disk to reset a password 
with admin rights and then boot the machine and dump the hashes out of memory 
with pwdump3. If you have configured it so you have to enter the password on 
boot then this specific attack is defeated. However it isn't feasible in a 
large distributed environment. 
 
How many people monitor their admin IDs to find out when 
they have been changed and whether it was a valid change or not? If you minimize 
the number of IDs to just a few people and don't allow the builtin admin IDs to 
be used this is pretty easy. Most companies don't seem to follow the idea of 
having just a few admins though.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, November 17, 2004 5:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD


 
that's only valid when the machine is running (and thus the 
SAM is decrypted) and you already have admin access to it.  In the case of 
"only" having physical access but no account, you'd not have this option and 
thus you'd reboot the machine to startup another OS or do something similar to 
get at the SAM - in this case it would be still be encrypted with the locally 
stored key.  Storing that key offline would add your extra protection with 
all the hassles involved with mgmt of that offline key and handling the 
boot-process.  
 
For companies with very high security requirements that 
still need to put DCs in "unsafe" locations for various reasons, storing the key 
offline may be a valid option to further secure the DC (or any other server as a 
matter of fact). If you have the right server-HW, you should be able to 
create disk-images for each machine containing that key and if the server has 
something like an ILO board you can remotely mount that image during 
boot-time.  Still a lot of stuff to manage, but all possible 
remotely.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD


Even with SYSKEY 
enabled on a NT DC the sam can still be cracked with l0phtcrack or the other 
tools.  Just make a recovery disk with the /r (I believe) option would 
export a readable copy of the sam.  We would have to do it for our security 
folks to test password strength every so often.
Honestly, I don't 
believe it matters what version of the Windows OS you use.  If you have 
physical access to the system, you win.
 
Dave 

 

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
 
I would suggest the 
Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted 
with a locally stored key by default. The Syskey process allows you to store 
that key on a separate floppy disk, thus adding an extra layer of security. In 
the NT SAM, the encryption is not on by default but can be added with Syskey as 
an optional extra so I reckon this makes the 2003 SAM more secure. 

If you have ever used 
l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all 
your passwords (even if it does require an admin account to 
run).
 
I accept that one of 
the golden rules of security is that if the bad guy has physical access to your 
machine it's not your machine any more but a 128bit encryption key will take 
some time to crack, giving some breathing space to take action. Especially as 
the Syskey password needs at least 12 characters and should contain all sort of 
numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to 
crack that would probably be many terabytes in 
size.
 
Having said all that, I 
wouldn't bother using Syskey on my DCs or any other server due to the hassles 
you mention. The best idea is just to keep them in a physically secure location 
in the first place.
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 16 November 2004 17:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD
 
I don't think I would 
say that the SAM is more secure than it is with NT. 
 
The issue of being 
hacked is still there and still fairly trivial. The syskey can maybe help 
depending on the tools used to crack the server and whether it is an attempt to 
brute force passwords (or Rainbow crack) or gain access to the box. I don't want 
to get very deep into this but if someone has physical access to the machine, 
they can own the machine if they so desire - period. Using a user generated 
password or floppy (and not keeping the floppy with the machine) with SysKey is 
safer but not tre

FW: [ActiveDir] AD and Exchange 5.5?

2004-11-17 Thread Jorge de Almeida Pinto
Is the W2K DC with E55 also a GC? Do you have other DCs in your
environment? If you answer YES to both then check the following:
http://support.microsoft.com/kb/q275127/

Regards,
Jorge

-Original Message-
From: vex
To: Jorge de Almeida Pinto
Sent: 11/18/2004 1:12 AM
Subject: Re: [ActiveDir] AD and Exchange 5.5?


- Original Message - 
From: "Jorge de Almeida Pinto"

> I presume it worked before?
> On what type of server is E55 running? W2K DC or member server. Can you
> recall what changed between the time it worked and the time it didn't work?
> What are the errors you receive directly or through the event log?


Yes, it worked up until August. I just found out about it
today, and haven't seen any event log errors that would have
led me to believe anything was wrong. E5.5 is running on a
W2K DC. I enabled error logging for the LDAP protocol today
to ferret out any information that Exchange Server may or
may not be sending to the AD. As far as I know, I've changed
nothing on that server for well over a year.


  --Brett



RE: [ActiveDir] Syskey and AD

2004-11-17 Thread Perdue David J Contr InDyne/Enterprise IT
Sorry, but except for a backup during a
migration or the like, of what use is a DC if it's not running?  ;) 
I had an NT4.0 domain with SYSKEY enabled.  When our network security
folks needed to test accounts for password strength using l0phtcrack we had to use
rdisk to provide them a copy of the unencrypted sam that they could then run
l0phtcrack against.  That led me to believe that just because the DC is
running, the sam isn't automatically decrypted.

 

I'm not saying that encrypting the
sam isn't a good idea.  I'm saying that it isn't the end
all be all of security.  As you said, Guido, reboot to an alternate OS
like Nordahl's disk does.  Or string together one of the myriad of
vulnerabilities of the Windows platform to gain access to an admin session or
use an elevated privileges attack from a client and then use rdisk remotely in
an NT 4.0 environment, take the unencrypted sam offline and crack it at will
and come back in with a legitimate account.  Heck, if it's an NT4.0
environment, Exchange 5.5 is probably used and Exchange is nice enough to cache
the Exchange Service account and password unencrypted in the registry of
systems with the Exchange Console installed.  And if anyone doubts either,
I had a white hat team do both to me.

 

I think everyone realizes that security
now a days isn't a case of keeping someone determined out indefinitely,
but out long enough to find out they are there and catch/stop them.

 

 

Dave

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, November 17, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD

that's only valid when the machine is running
(and thus the SAM is decrypted) and you already have admin access to it. 
In the case of "only" having physical access but no account, you'd
not have this option and thus you'd reboot the machine to startup another OS or
do something similar to get at the SAM - in this case it would be still be
encrypted with the locally stored key.  Storing that key offline would add
your extra protection with all the hassles involved with mgmt of that offline
key and handling the boot-process.  

 

For companies with very high security
requirements that still need to put DCs in "unsafe" locations for
various reasons, storing the key offline may be a valid option to further
secure the DC (or any other server as a matter of fact). If you have the right
server-HW, you should be able to create disk-images for each machine
containing that key and if the server has something like an ILO board you can
remotely mount that image during boot-time.  Still a lot of stuff to
manage, but all possible remotely.

 

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

Even with SYSKEY enabled on a NT DC the
sam can still be cracked with l0phtcrack or the other tools.  Just make a
recovery disk with the /r (I believe) option would export a readable copy of
the sam.  We would have to do it for our security folks to test password
strength every so often.

Honestly, I don't believe it matters
what version of the Windows OS you use.  If you have physical access to
the system, you win.

 

Dave

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

I would suggest the
Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted
with a locally stored key by default. The Syskey process allows you to store
that key on a separate floppy disk, thus adding an extra layer of security. In
the NT SAM, the encryption is not on by default but can be added with Syskey as
an optional extra so I reckon this makes the 2003 SAM more secure. 

If you have ever used
l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all
your passwords (even if it does require an admin account to run).

 

I accept that one of the
golden rules of security is that if the bad guy has physical access to your
machine it's not your machine any more but a 128bit encryption key will take
some time to crack, giving some breathing space to take action. Especially as
the Syskey password needs at least 12 characters and should contain all sort of
numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to
crack that would pro

RE: [ActiveDir] AD and Exchange 5.5?

2004-11-17 Thread Jorge de Almeida Pinto
Hi

I presume it worked before?
On what type of server is E55 running? W2K DC or member server. Can you
recall what changed between the time it worked and the time it didn't work?
What are the errors you receive directly or through the event log?
regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 11/18/2004 12:38 AM
Subject: [ActiveDir] AD and Exchange 5.5?

Greetings,
  I'm currently having an issue with my Exchange Server (5.5SP4) running
on Win2kSP4.
 
I can create new user accounts just fine but when I attempt to create
their mailbox, the Exchange information isn't being applied to the AD. Any
ideas?
Heck, I don't even know where to start, I've never had this problem
before...
 
  --Brett


[ActiveDir] AD and Exchange 5.5?

2004-11-17 Thread vex
Greetings,
  I'm currently having an issue with my Exchange Server (5.5SP4) running on
Win2kSP4.
 
I can create new user accounts just fine but when I attempt to create their
mailbox, the Exchange information isn't being applied to the AD. Any ideas?
Heck, I don't even know where to start, I've never had this problem
before...
 
  --Brett


RE: [ActiveDir] AD integrated DNS

2004-11-17 Thread Grillenmeier, Guido
one way of clearing the cache is to restart the DNS service - not sure
if that's really your problem though. Shouldn't really have to remove
records from the cache unless the target ip-address has changed.

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, November 17, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD integrated DNS

What settings are recommended for 2003 AD integrated DNS?

Automatic scavenging? If so, how frequently?
Is there a way to automatically clear the cache on the server
every night, or do you just have to add a task to task scheduler to do
it? Would there be anything wrong with clearing the cache every night?
The reason I ask is because nslookups were timing out for cnn.com today,
and clearing the cache on the DNS server fixed it. 


RE: [ActiveDir] Syskey and AD

2004-11-17 Thread Grillenmeier, Guido
 
that's only valid when the machine is running (and thus the 
SAM is decrypted) and you already have admin access to it.  In the case of 
"only" having physical access but no account, you'd not have this option and 
thus you'd reboot the machine to startup another OS or do something similar to 
get at the SAM - in this case it would be still be encrypted with the locally 
stored key.  Storing that key offline would add your extra protection with 
all the hassles involved with mgmt of that offline key and handling the 
boot-process.  
 
For companies with very high security requirements that 
still need to put DCs in "unsafe" locations for various reasons, storing the key 
offline may be a valid option to further secure the DC (or any other server as a 
matter of fact). If you have the right server-HW, you should be able to 
create disk-images for each machine containing that key and if the server has 
something like an ILO board you can remotely mount that image during 
boot-time.  Still a lot of stuff to manage, but all possible 
remotely.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD


Even with SYSKEY 
enabled on a NT DC the sam can still be cracked with l0phtcrack or the other 
tools.  Just make a recovery disk with the /r (I believe) option would 
export a readable copy of the sam.  We would have to do it for our security 
folks to test password strength every so often.
Honestly, I don't 
believe it matters what version of the Windows OS you use.  If you have 
physical access to the system, you win.
 
Dave 

 

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
 
I would suggest the 
Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted 
with a locally stored key by default. The Syskey process allows you to store 
that key on a separate floppy disk, thus adding an extra layer of security. In 
the NT SAM, the encryption is not on by default but can be added with Syskey as 
an optional extra so I reckon this makes the 2003 SAM more secure. 

If you have ever used 
l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all 
your passwords (even if it does require an admin account to 
run).
 
I accept that one of 
the golden rules of security is that if the bad guy has physical access to your 
machine it's not your machine any more but a 128bit encryption key will take 
some time to crack, giving some breathing space to take action. Especially as 
the Syskey password needs at least 12 characters and should contain all sort of 
numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to 
crack that would probably be many terabytes in 
size.
 
Having said all that, I 
wouldn't bother using Syskey on my DCs or any other server due to the hassles 
you mention. The best idea is just to keep them in a physically secure location 
in the first place.
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 16 November 2004 17:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD
 
I don't think I would 
say that the SAM is more secure than it is with NT. 
 
The issue of being 
hacked is still there and still fairly trivial. The syskey can maybe help 
depending on the tools used to crack the server and whether it is an attempt to 
brute force passwords (or Rainbow crack) or gain access to the box. I don't want 
to get very deep into this but if someone has physical access to the machine, 
they can own the machine if they so desire - period. Using a user generated 
password or floppy (and not keeping the floppy with the machine) with SysKey is 
safer but not tremendously so and again, only for someone trying to steal the 
password database. Mostly it just adds considerable heartache to management 
since you have to be in front of the machine (or using some low level IO 
card to redirect console) to start it. Once the local SAM is cracked, it is 
one reboot and one more tool away from the DIT being 
cracked. 
 
Basically if my goal is 
to steal your passwords in a quiet way, syskey will help a little as it 
adds another 128 bit encryption piece in front of the hashes. If my goal is to 
take over your server or domain or forest, syskey doesn't hamper 
that.
 
  
joe
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Tuesday, November 16, 2004 4:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
It's still possible, 
but whether or n

RE: [ActiveDir] Cross-domain authentication problem?

2004-11-17 Thread Grillenmeier, Guido
can the user connect to a non-Samba resource in org.company.com?

if so, I'd focus on analysing the Network traffic between the
Samba-Server and the Client and go from there. Likely something missing
on the Samba side.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Happy
Sent: Wednesday, November 17, 2004 6:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cross-domain authentication problem?

Dear ActiveDir colleagues:

I am connected to the network hosting the org.company.com domain. 
org.domain.com is the root of a Windows 2000 forest.  There is a one-way
trust from org.domain.com to domain.com.

I have a workstation in the company.com domain and am logged in as a
user in the company.com domain.  Company.com is the root of a distinct
Windows Server 2003 forest.

When I attempt to connect from that workstation to a Samba server which
is a member of the org.company.com domain using an org.company.com user
account's credentials, several things happen:

(1) the org.company.com domain controller returns
NT_STATUS_WRONG_PASSWORD to the Samba server for the org.company.com
user
(2) my company.com account (frequently) becomes locked out after
multiple attempts

What is happening?  Why?  If it's unclear, how should I diagnose the
problem further?  If it's a "no-brainer," how can I correct the problem?

Warmly,

--Pete Thomas

--
Pete 'Happy' Thomas ([EMAIL PROTECTED]) Web Site:
https://www.painless-computing.com/peteandpam
Blog: http://happypete.livejournal.com


RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome

2004-11-17 Thread Grillenmeier, Guido
Darren - if I understand Joe correctly, he doesn't mean that the policy
values are replicated. It's the fact that DCs may have different
thresholds for acct. lockout (due to the described setup) that the bad
logon count which is passed on from one DC to another would trigger a
lockout at a different threshold on the different DCs and you'd never be
sure which would apply. 
However, I doubt we'd have replication back and forth: if a DC with a
threshold of 10 passes on the bad logon attempt to the PDCE with a
threshold of 5, the PDCE would potentially set the user-account to
locked while the other DC would still be fine with 5 more logon
attempts. But if this change of the user-account is then replicated out
to the other DC, I'm pretty sure that the DC set to 10 attempts doesn't
then unlock the account (and causes further replication).  

So Joe, you may want to elaborate on that.

/Guido
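The threshold mismatch Guido and joe describe, as an added toy simulation that is not code from this list or from Microsoft: two DCs that ended up with different lockout thresholds, every failed password also chained to the PDC emulator, and any resulting lockout replicated back to all DCs. The DC names, thresholds and account are constructed, the observation window and reset counter are ignored, and the model goes slightly beyond the thread by computing the threshold a user actually experiences at each DC.

```python
"""Toy model of AD account lockout when DCs apply different thresholds.

Constructed illustration for the thread above, not code from the ActiveDir
list or from Microsoft. It models three AD behaviours the argument rests on:
  * badPwdCount is per DC and is not replicated; each DC compares its own
    count with the lockout threshold that *its* copy of the policy gave it;
  * a DC that rejects a password also forwards the failure to the PDC
    emulator (PDCE), which increments its own count as well;
  * a lockout (lockoutTime) is urgently replicated to every DC, and a DC
    that receives a replicated lockout does not unlock the account just
    because its own count is still below its own threshold.
Observation window and reset counters are ignored; thresholds are > 0.
"""
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    lockout_threshold: int                # whatever policy this DC applied
    is_pdce: bool = False
    bad_pwd_count: dict = field(default_factory=dict)  # user -> count, local only
    locked_out: set = field(default_factory=set)       # users with lockoutTime set

    def record_bad_password(self, user: str) -> bool:
        """Apply one failed logon locally; True if the account is (now) locked here."""
        if user in self.locked_out:
            return True
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        if self.bad_pwd_count[user] >= self.lockout_threshold:
            self.locked_out.add(user)
            return True
        return False


class Domain:
    def __init__(self, dcs):
        self.dcs = {dc.name: dc for dc in dcs}
        pdces = [dc for dc in dcs if dc.is_pdce]
        if len(pdces) != 1:
            raise ValueError("exactly one PDC emulator is required")
        self.pdce = pdces[0]

    def bad_logon(self, dc_name: str, user: str) -> str:
        """One failed logon at dc_name; returns the DC that tripped the lockout, or ''."""
        dc = self.dcs[dc_name]
        tripped = dc.name if dc.record_bad_password(user) else ""
        # The failure is chained to the PDCE, which keeps the domain-wide count.
        if dc is not self.pdce and self.pdce.record_bad_password(user):
            tripped = tripped or self.pdce.name
        if tripped:
            self.replicate_lockout(user)
        return tripped

    def replicate_lockout(self, user: str) -> None:
        """lockoutTime replicates urgently: every DC now refuses the account."""
        for dc in self.dcs.values():
            dc.locked_out.add(user)

    def is_locked(self, user: str, dc_name: str) -> bool:
        return user in self.dcs[dc_name].locked_out

    def effective_threshold(self, dc_name: str) -> int:
        """Threshold a user of dc_name really gets: whichever of the authenticating
        DC and the PDCE trips first wins, so it is the smaller of the two."""
        dc = self.dcs[dc_name]
        return min(dc.lockout_threshold, self.pdce.lockout_threshold)


def simulate(pdce_threshold: int, site_threshold: int, attempts_at: str, n: int):
    """Send n bad passwords for one constructed account to the DC attempts_at.

    Returns (attempt that locked, DC that tripped it, DC-SITE's own count,
    whether DC-SITE now refuses the account), or None if nothing locked.
    """
    domain = Domain([
        DomainController("DC-PDCE", pdce_threshold, is_pdce=True),
        DomainController("DC-SITE", site_threshold),
    ])
    user = "jdoe"  # constructed sample account
    for attempt in range(1, n + 1):
        tripped = domain.bad_logon(attempts_at, user)
        if tripped:
            site = domain.dcs["DC-SITE"]
            return (attempt, tripped, site.bad_pwd_count.get(user, 0),
                    domain.is_locked(user, "DC-SITE"))
    return None


if __name__ == "__main__":
    # Policy on DC-SITE says 10 attempts, but the PDCE's copy says 5:
    print(simulate(5, 10, "DC-SITE", 10))   # (5, 'DC-PDCE', 5, True)
    # Swap them: the site DC trips at 5, while a user at the PDCE gets 10.
    print(simulate(10, 5, "DC-SITE", 10))   # (5, 'DC-SITE', 5, True)
    print(simulate(10, 5, "DC-PDCE", 12))   # (10, 'DC-PDCE', 0, True)
```

Whichever DC carries the lower threshold decides, and the replicated lockoutTime then binds the DC whose own count never reached its limit, which is the inconsistency the thread is worried about.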

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 17, 2004 6:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

This would be extremely unstable. 

Not only is the policy being changed by the GPO replicated through FRS,
it is also being changed by the values replicating around for the Domain
NC head through AD replication, i.e. the machine that got say a value of
10 for bad hits for lockout would replicate to the machine that had a
value of say 5. Then the second would be changed back by policy and try
to replicate to the first and back and forth. 

What I am trying to say is instead of having one policy on one machine
and another on another machine, you would have no idea at any given
point what the policy was because it would be constantly changing on all
DCs as they duked it out.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Rick,

That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and an other
Domain controller got a different policy.

We then tested how each behaved when processing password changes and
each was using the different values.

A cute setup, but of no practical use that I can think of.

Alan Cuthbertson

- Original Message -
From: "Kingslan, Rick T." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 3:17 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.

Can you elaborate on this?  I've only had one coffee this morning, and I
don't think I follow what you're saying.

Are you saying that a GPO identified by a GUID other than the Default
Domain Policy can apply Password, Kerb, Lockout, etc?

Rick

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of ASB
> Sent: Tuesday, November 16, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to Enable a Warning Message During
Windows
> Logon Welcome
>
> > The Default Domain Policy is the *only* effective policy for those
> settings.
>
> That's not an accurate statement...
>
> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.
>
> -ASB
>
>
> On Sun, 7 Nov 2004 12:58:57 -0600, Brian Desmond 
> <[EMAIL PROTECTED]> wrote:
> > The Default Domain Policy is the *only* effective policy for those
> settings.
> >
> >
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > > [EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Sunday, November 07, 2004 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] How to Enable a Warning Message During
> Windows
> > > Logon Welcome
> > >
> > > You would seem to be suggesting that multiple policies cannot be 
> > > applied...
> > >
> > > -ASB
> > >
> > > On Fri, 5 Nov 2004 21:19:38 -0600, Brian 

RE: [ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Rimmerman, Russ



I have all my zones in the child domain DNS servers and on 
those Child DCs I have a forward lookup zone for the root domain 
(company.com) with a delegation for the child domain (abc).  I also have 
another forward lookup zone for the child domain (abc.company.com).  Then 
the root domain controllers register with the DNS servers in the child 
domain.  So all internal DNS registers with the child DNS/DCs and all 
unknown lookups get forwarded back to the root DNS/DCs for root-hints 
lookups.  Is that not right?  It is working, except for those 
occasional external hostnames that don't resolve (2 in the last 
month).


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS


Also, you should have 
your child domains forwarding all traffic to your root DNS Servers and then 
configure your DNS servers at the root to have delegated zones for those in the 
child domains.  Point your Root DNS servers to each other and not the child 
domains.  All will work better.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS
 
Does your 
ISP know how to get back to you?
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root DNS vs Child DNS
 

We have an empty root domain that is 
just a placeholder (and we forward our child DNS domain queries to) and a child 
domain that we all log into.

 

What should the DNS properties be on 
the Root domain controllers network adapter properties?  We currently have 
the Root DCs pointed at our primary and secondary DNS servers in the child 
domain.  The child domain DNS servers all have forwarders to the root 
DNS/DC servers.  The root DC/DNS servers have root hints and are doing the 
external lookups.  We're running Win2k3.

 

Why I ask is - I just changed our 
root DNS/DC servers to forward to our ISP for DNS.  Once I did that, 
I'm having terrible problems with not resolving external hostnames.  I 
can't even get to www.yahoo.com.  Some work OK 
though.  I put it back to not forwarding (using root hints instead) 
and it seems to start working OK 
again.   

 

Any 
ideas? 

  
  
~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged. This e-mail should be read, copied,
disseminated and/or used only by the addressee. If you have received
this message in error please delete it, together with any attachments,
from your system.
~~


RE: [ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Salandra, Justin A.

Also, you should have your child domains
forwarding all traffic to your root DNS Servers and then configure your DNS
servers at the root to have delegated zones for those in the child domains. 
Point your Root DNS servers to each other and not the child domains.  All will
work better.

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS

 

Does your ISP know how to
get back to you?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root DNS vs Child DNS

We have an empty root domain that is
just a placeholder (and we forward our child DNS domain queries to) and a child
domain that we all log into.

What should the DNS properties be on
the Root domain controllers network adapter properties?  We currently have
the Root DCs pointed at our primary and secondary DNS servers in the child
domain.  The child domain DNS servers all have forwarders to the root
DNS/DC servers.  The root DC/DNS servers have root hints and are doing the
external lookups.  We're running Win2k3.

Why I ask is - I just changed our
root DNS/DC servers to forward to our ISP for DNS.  Once I did that,
I'm having terrible problems with not resolving external hostnames.
I can't even get to www.yahoo.com.  Some
work OK though.  I put it back to not forwarding (using root hints
instead) and it seems to start working OK again.

Any ideas?

RE: [ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Salandra, Justin A.

If your ISP doesn’t know where to
find you then that will not work.  Why not just stick with the root hints,
wouldn’t that work best for you?

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS

 

Don't know.  Our
root DC/DNS servers are on our internal private network.  I guess I'd have
to set them up a NATted address or something?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS

Does your ISP know how to
get back to you?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root DNS vs Child DNS

We have an empty root domain that is
just a placeholder (and we forward our child DNS domain queries to) and a child
domain that we all log into.

What should the DNS properties be on
the Root domain controllers network adapter properties?  We currently have
the Root DCs pointed at our primary and secondary DNS servers in the child
domain.  The child domain DNS servers all have forwarders to the root
DNS/DC servers.  The root DC/DNS servers have root hints and are doing the
external lookups.  We're running Win2k3.

Why I ask is - I just changed our
root DNS/DC servers to forward to our ISP for DNS.  Once I did that,
I'm having terrible problems with not resolving external hostnames.
I can't even get to www.yahoo.com.  Some
work OK though.  I put it back to not forwarding (using root hints
instead) and it seems to start working OK again.

Any ideas?

RE: [ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Rimmerman, Russ



Don't know.  Our root DC/DNS servers are on our 
internal private network.  I guess I'd have to set them up a NATted address 
or something?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 17, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root DNS vs Child DNS


Does your ISP know how 
to get back to you?
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root DNS vs Child DNS
 

We have an empty root domain that is 
just a placeholder (and we forward our child DNS domain queries to) and a child 
domain that we all log into.

 

What should the DNS properties be on 
the Root domain controllers network adapter properties?  We currently have 
the Root DCs pointed at our primary and secondary DNS servers in the child 
domain.  The child domain DNS servers all have forwarders to the root 
DNS/DC servers.  The root DC/DNS servers have root hints and are doing the 
external lookups.  We're running Win2k3.

 

Why I ask is - I just changed our 
root DNS/DC servers to forward to our ISP for DNS.  Once I did that, 
I'm having terrible problems with not resolving external hostnames.  I 
can't even get to www.yahoo.com.  Some work OK 
though.  I put it back to not forwarding (using root hints instead) 
and it seems to start working OK 
again.   

 

Any ideas?

RE: [ActiveDir] DNS Issues

2004-11-17 Thread Rimmerman, Russ

This is the only abnormal thing I'm seeing in the eventlogs:

The DNS server has encountered numerous run-time events. To determine the
initial cause of these run-time events, examine the DNS server event log
entries that precede this event. To prevent the DNS server from filling the
event log too quickly, subsequent events with Event IDs higher than 3000
will be suppressed until events are no longer being generated at a high
rate. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, November 16, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

TCP or UDP through the firewall?

What have you done to troubleshoot?  Logs?  ?? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, November 16, 2004 8:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

Yes, all DNS is working fine except for some rare instances of hostnames
we've run into.  Last week we couldn't get to ftp.nai.com but now we can.
All our workstations are pointed to our child DCs for DNS.  They are set to
forward to our empty root DCs, and the empty root DCs have the root-hints,
and the firewall allows them out port 53.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, November 16, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues



I'd advise using forwarding for the functions you require.

 

It may seem stupid... but I take it the DNS server/s have appropriate rules
in your firewall/s?

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 16 November 2004 13:48
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issues

 

Since changing our DNS design from forwarding to our old firewall which had
root-hints built into it, to forwarding our DNS to our empty forest root
domain controllers with the root-hints on them, we are not getting all our
DNS lookups.

 

For example, http://www.volksbanksalzburg.at right now is not resolving for
us.  Yet if we RDP into one of our home PCs, it resolves fine.  So my
question is, is there anything weird about Windows 2000 root-hints or DNS
servers that would cause us to not be able to look up some hostnames
properly in DNS?  Or what would cause this issue?


===
Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Salandra, Justin A.

Does your ISP know how to get back to you?

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 17, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root DNS vs Child DNS

We have an empty root domain that is
just a placeholder (and we forward our child DNS domain queries to) and a child
domain that we all log into.

What should the DNS properties be on
the Root domain controllers network adapter properties?  We currently have
the Root DCs pointed at our primary and secondary DNS servers in the child
domain.  The child domain DNS servers all have forwarders to the root
DNS/DC servers.  The root DC/DNS servers have root hints and are doing the
external lookups.  We're running Win2k3.

Why I ask is - I just changed our
root DNS/DC servers to forward to our ISP for DNS.  Once I did that,
I'm having terrible problems with not resolving external hostnames.
I can't even get to www.yahoo.com.  Some
work OK though.  I put it back to not forwarding (using root hints
instead) and it seems to start working OK again.

Any ideas?

RE: [ActiveDir] DNS Issues

2004-11-17 Thread Rosales, Mario



I saw something similar with Checkpoint firewalls.  In 
particular the NG versions.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kim Kruse Hansen
Sent: Wednesday, November 17, 2004 1:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Issues

We experienced the same exact problem, when we upgraded to W3K DNS. Check
out kb828731. It deals with Extension Mechanisms for DNS (EDNS0).

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: 16 November 2004 16:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

TCP or UDP through the firewall?
What have you done to troubleshoot?  Logs?  ??

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Rimmerman, Russ
Sent: Tuesday, November 16, 2004 8:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

Yes, all DNS is working fine except for some rare instances of hostnames
we've run into.  Last week we couldn't get to ftp.nai.com but now we can.
All our workstations are pointed to our child DCs for DNS.  They are set to
forward to our empty root DCs, and the empty root DCs have the root-hints,
and the firewall allows them out port 53.
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Robert Rutherford
Sent: Tuesday, November 16, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

I'd advise using forwarding for the functions you require.

It may seem stupid... but I take it the DNS server/s have appropriate rules
in your firewall/s?
 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Rimmerman, Russ
Sent: 16 November 2004 13:48
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issues

Since changing our DNS design from forwarding to our old firewall which had
root-hints built into it, to forwarding our DNS to our empty forest root
domain controllers with the root-hints on them, we are not getting all our
DNS lookups.

For example, http://www.volksbanksalzburg.at right now is not resolving for
us.  Yet if we RDP into one of our home PCs, it resolves fine.  So my
question is, is there anything weird about Windows 2000 root-hints or DNS
servers that would cause us to not be able to look up some hostnames
properly in DNS?  Or what would cause this issue?



*** 

 The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender.  Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.  

*** 
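The EDNS0 angle Kim raised above (kb828731) is easy to test for directly: send the same query with and without an OPT record and compare what comes back. This is an added example for the DNS threads above, not code from the list or from Microsoft; the reply packets are constructed by hand so it runs offline, and the `send_query` helper is only for a live probe against a server of your own.

```python
"""Probe whether a DNS path carries EDNS0 queries (the kb828731 symptom).

Added example; not code from the list or from Microsoft. Windows Server 2003
DNS sends EDNS0 probes (queries carrying an OPT record) to external servers;
a firewall that drops or mangles those gives exactly the intermittent
"some names resolve, some don't" behaviour described in the thread.
"""
import socket
import struct
from typing import Optional

OPT = 41          # EDNS0 OPT pseudo-RR type
FORMERR = 1       # RCODE 1


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, edns_udp_size: Optional[int] = None) -> bytes:
    """A recursive A query; with edns_udp_size set, an OPT record is appended."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)             # A, IN
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return pkt


def _skip_name(data: bytes, off: int) -> int:
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Header fields plus the OPT record's advertised size, if one is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "answers": an, "opt_udp_size": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["opt_udp_size"] = rclass
    return info


def classify(plain: Optional[bytes], edns: Optional[bytes]) -> str:
    """Compare the replies to the plain and the EDNS0 query (None = timed out)."""
    if plain is None:
        return "no-dns-path"        # UDP/53 itself is blocked; not an EDNS problem
    if edns is None:
        # The firewall eats OPT-bearing queries. Fix the firewall rule, or turn
        # off the probes on the W2K3 server (dnscmd /Config /EnableEDNSProbes 0).
        return "edns-dropped"
    e = parse_response(edns)
    if e["rcode"] == FORMERR:
        return "edns-formerr"       # far side rejects EDNS; the server retries without it
    if e["opt_udp_size"] is None:
        return "edns-ignored"       # answered, but the OPT record was stripped
    return "edns-ok"


def send_query(server: str, pkt: bytes, timeout: float = 3.0) -> Optional[bytes]:
    """Live probe helper (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


# Constructed replies for example.com: one plain, one carrying an OPT record.
_ANSWER = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_EDNS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _QUESTION + _ANSWER
               + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0))

if __name__ == "__main__":
    print("plain query bytes:", len(build_query("example.com")))
    print("edns  query bytes:", len(build_query("example.com", edns_udp_size=4096)))
    print(classify(SAMPLE_PLAIN, None))          # edns-dropped
    print(classify(SAMPLE_PLAIN, SAMPLE_EDNS))   # edns-ok
```

For a live check, send `build_query(name)` and `build_query(name, edns_udp_size=4096)` from the root DC through the firewall and hand both replies to `classify`.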




[ActiveDir] Empty root DNS vs Child DNS

2004-11-17 Thread Rimmerman, Russ



We have an empty 
root domain that is just a placeholder (and we forward our child DNS domain 
queries to) and a child domain that we all log into.
 
What should the DNS 
properties be on the Root domain controllers network adapter properties?  
We currently have the Root DCs pointed at our primary and secondary DNS servers 
in the child domain.  The child domain DNS servers all have forwarders to 
the root DNS/DC servers.  The root DC/DNS servers have root hints and are 
doing the external lookups.  We're running Win2k3.
 
Why I ask is - I 
just changed our root DNS/DC servers to forward to our ISP for 
DNS.  Once I did that, I'm having terrible problems with not 
resolving external hostnames.  I can't even get to www.yahoo.com.  Some work OK 
though.  I put it back to not forwarding (using root hints instead) 
and it seems to start working OK 
again.   
 
Any 
ideas? 


RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome

2004-11-17 Thread Jorge de Almeida Pinto
Yep,

The domain NC has attributes that correspond to the settings in the password
policy and the account lockout policy (just checked it with ADSIedit).
Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday 17 November 2004 18:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

This would be extremely unstable. 

Not only is the policy being changed by the GPO replicated through FRS, it
is also being changed by the values replicating around for the Domain NC
head though AD replication. I.E. The machine that got say a value of 10 for
bad hits for lockout would replicate to the machine that had a value of say
5. Then the second would be changed back by policy and try to replicate to
the first and back and forth. 

What I am trying to say is instead of having one policy on one machine and
another on another machine, you would have no idea at any given point what
the policy was because it would be constantly changing on all DCs as they
duked it out.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Rick,

That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and another Domain
controller got a different policy.

We then tested how each behaved when processing password changes and each
was using the different values.

A cute setup, but of no practical use that I can think of.

Alan Cuthbertson

- Original Message -
From: "Kingslan, Rick T." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 3:17 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.

Can you elaborate on this?  I've only had one coffee this morning, and I
don't think I follow what you're saying.

Are you saying that a GPO identified by a GUID other than the Default Domain
Policy can apply Password, Kerb, Lockout, etc?

Rick

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of ASB
> Sent: Tuesday, November 16, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to Enable a Warning Message During
Windows
> Logon Welcome
>
> > The Default Domain Policy is the *only* effective policy for those
> settings.
>
> That's not an accurate statement...
>
> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.
>
> -ASB
>
>
> On Sun, 7 Nov 2004 12:58:57 -0600, Brian Desmond 
> <[EMAIL PROTECTED]> wrote:
> > The Default Domain Policy is the *only* effective policy for those
> settings.
> >
> >
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > > [EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Sunday, November 07, 2004 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] How to Enable a Warning Message During
> Windows
> > > Logon Welcome
> > >
> > > You would seem to be suggesting that multiple policies cannot be 
> > > applied...
> > >
> > > -ASB
> > >
> > > On Fri, 5 Nov 2004 21:19:38 -0600, Brian Desmond 
> > > <[EMAIL PROTECTED]> wrote:
> > > > Oh? How do you go about setting password policies, lockout
policies,
> > > kerb policies, etc with this practice?
> > > >
> > > > Thanks.
> > > >
> > > > --Brian Desmond
> > > > [EMAIL PROTECTED]
> > > > Payton on the web! www.wpcp.org
> > > >
> > > > v - 773.534.0034 x135
> > > > f - 773.534.8101
> > > >
> > > >
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > > > > [EMAIL PROTECTED] On Behalf Of Jared Manhat
> > > > > Sent: Friday, November 05, 2004 3:07 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message
During
> > > Windows
> > > > > Logon Welcome
> > > > >
> > >
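Jorge's check above (the policy lives as attributes on the domain NC head) and joe's scenario of two DCs "duking it out" can both be made concrete with a small decoder. This is an added example, not code from the list or from Microsoft: the attribute names are the real domain-NC ones, while the sample values, the baseline thresholds and the per-DC comparison are this example's own constructions.

```python
"""Decode and sanity-check the domain NC's password and lockout policy.

Added example; not code from the list or from Microsoft. The attribute names
are the real ones on the domain NC head (the object named by the domain's DN);
the sample values and thresholds are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# AD stores these durations as negative counts of 100-nanosecond intervals.
TICKS_PER_SECOND = 10_000_000
NEVER = -0x8000000000000000  # maxPwdAge "never expires" / lockoutDuration "until unlocked"

# Bit flags carried in pwdProperties.
PWD_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed sample: what an LDAP read of the domain head might return.
SAMPLE_DOMAIN_NC = {
    "minPwdLength": 7,
    "pwdHistoryLength": 24,
    "maxPwdAge": -36288000000000,        # 42 days
    "minPwdAge": -864000000000,          # 1 day
    "pwdProperties": 1,                  # complexity on
    "lockoutThreshold": 0,               # lockout disabled
    "lockoutDuration": -18000000000,     # 30 minutes
    "lockOutObservationWindow": -18000000000,
}


def interval_to_seconds(raw: int) -> Optional[int]:
    """Negative 100ns interval -> whole seconds; None means 'never'."""
    if raw == NEVER:
        return None
    return abs(raw) // TICKS_PER_SECOND


@dataclass
class DomainPolicy:
    min_pwd_length: int
    pwd_history_length: int
    max_pwd_age_days: Optional[float]
    min_pwd_age_days: float
    lockout_threshold: int
    lockout_duration_minutes: Optional[float]
    observation_window_minutes: float
    flags: List[str]


def decode_domain_policy(attrs: Dict[str, int]) -> DomainPolicy:
    """Turn the raw attribute values into human units."""
    max_age = interval_to_seconds(attrs["maxPwdAge"])
    lock_dur = interval_to_seconds(attrs["lockoutDuration"])
    return DomainPolicy(
        min_pwd_length=attrs["minPwdLength"],
        pwd_history_length=attrs["pwdHistoryLength"],
        max_pwd_age_days=None if max_age is None else max_age / 86400,
        min_pwd_age_days=(interval_to_seconds(attrs["minPwdAge"]) or 0) / 86400,
        lockout_threshold=attrs["lockoutThreshold"],
        lockout_duration_minutes=None if lock_dur is None else lock_dur / 60,
        observation_window_minutes=(interval_to_seconds(attrs["lockOutObservationWindow"]) or 0) / 60,
        flags=[name for bit, name in PWD_FLAGS.items() if attrs["pwdProperties"] & bit],
    )


def policy_findings(p: DomainPolicy, min_length: int = 8) -> List[str]:
    """Flag weak settings. The thresholds are this example's assumptions."""
    findings = []
    if p.min_pwd_length < min_length:
        findings.append(f"minPwdLength {p.min_pwd_length} is below {min_length}")
    if "DOMAIN_PASSWORD_COMPLEX" not in p.flags:
        findings.append("password complexity is off")
    if p.lockout_threshold == 0:
        findings.append("lockoutThreshold is 0: account lockout is disabled")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in p.flags:
        findings.append("reversible encryption is enabled domain-wide")
    return findings


def divergent_attributes(per_dc: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Given the domain head as read from each DC, report attributes whose values differ.

    With two GPOs carrying different values scoped to different DCs (the
    experiment described above), this is what you see between replications.
    """
    names = set().union(*(attrs.keys() for attrs in per_dc.values()))
    out = {}
    for name in sorted(names):
        values = {dc: attrs.get(name) for dc, attrs in per_dc.items()}
        if len(set(values.values())) > 1:
            out[name] = values
    return out


if __name__ == "__main__":
    policy = decode_domain_policy(SAMPLE_DOMAIN_NC)
    print(policy)
    for finding in policy_findings(policy):
        print("FINDING:", finding)
    other_dc = dict(SAMPLE_DOMAIN_NC, lockoutThreshold=5)  # constructed: DC that applied the other GPO
    print(divergent_attributes({"dc1": SAMPLE_DOMAIN_NC, "dc2": other_dc}))
```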

Re: [ActiveDir] set AD password from linux?

2004-11-17 Thread Robbie Foust
Just FYI for anyone interested, my other option may be to do password 
resets on an IIS 6 box, but authenticate the user to the mit kerberos 
realm using Shibboleth.  (http://shibboleth.internet2.edu/) - We already 
have a Shibboleth infrastructure in place so it wouldn't be that hard to do.

- Robbie
Eric Fleischman wrote:
(should have noted I repro'd this on ADAM, not AD... perhaps diff?)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?
Ah hah! Yes it does work. I just tried it. But there is a trick.
Trick: when doing this on XP, you must specify the creds explicitly, not
pass null to use currently logged on user.
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, November 17, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] set AD password from linux?
Believe Joe is right here...
A little more outside of the box, is the kerberos set password protocols
outlined in RFC 3244 - if i recall MS even had some nice sample code
already
written for *nix  application.
my .02
-steve
- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 7:56 AM
Subject: RE: [ActiveDir] set AD password from linux?

 

That will work for setting a password on AD (2K and K3)? I was under the
impression you needed the 128 bit SSL if doing over straight LDAP.
 joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

...or use ldap_opt_encrypt, but I don't know if your client side LDAP
api supports that.

~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?
Yes, it requires LDAP and a 128 bit SSL connection to the Domain
Controller.

http://support.microsoft.com/?kbid=269190

You also might be able to find something in the Samba package which uses
the NT Lan Man functionality. Though many would question just how secure
that really is.

 joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?
Hi,
Is there a way to (securely) set an AD account password through a web
page on a linux or unix machine running apache?  Assume that we can
already verify the user's identity.

Thanks!

- Robbie
--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University


RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome

2004-11-17 Thread Darren Mar-Elia
Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

This would be extremely unstable. 

Not only is the policy being changed by the GPO replicated through FRS,
it is also being changed by the values replicating around for the Domain
NC head through AD replication. I.E. The machine that got say a value of
10 for bad hits for lockout would replicate to the machine that had a
value of say 5. Then the second would be changed back by policy and try
to replicate to the first and back and forth. 

What I am trying to say is instead of having one policy on one machine
and another on another machine, you would have no idea at any given
point what the policy was because it would be constantly changing on all
DCs as they duked it out.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Rick,

That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and another
Domain controller got a different policy.

We then tested how each behaved when processing password changes and
each was using the different values.

A cute setup, but of no practical use that I can think of.

Alan Cuthbertson

- Original Message -
From: "Kingslan, Rick T." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 3:17 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.

Can you elaborate on this?  I've only had one coffee this morning, and I
don't think I follow what you're saying.

Are you saying that a GPO identified by a GUID other than the Default
Domain Policy can apply Password, Kerb, Lockout, etc?

Rick

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of ASB
> Sent: Tuesday, November 16, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
> Logon Welcome
>
> > The Default Domain Policy is the *only* effective policy for those
> settings.
>
> That's not an accurate statement...
>
> Only Password Policies created at the domain level are effective for 
> domain users, but they don't have to be in the default domain policy 
> object.
>
> -ASB
>
>
> On Sun, 7 Nov 2004 12:58:57 -0600, Brian Desmond 
> <[EMAIL PROTECTED]> wrote:
> > The Default Domain Policy is the *only* effective policy for those
> settings.
> >
> >
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > > [EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Sunday, November 07, 2004 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] How to Enable a Warning Message During
> Windows
> > > Logon Welcome
> > >
> > > You would seem to be suggesting that multiple policies cannot be 
> > > applied...
> > >
> > > -ASB
> > >
> > > On Fri, 5 Nov 2004 21:19:38 -0600, Brian Desmond 
> > > <[EMAIL PROTECTED]> wrote:
> > > > Oh? How do you go about setting password policies, lockout policies,
> > > > kerb policies, etc with this practice?
> > > >
> > > > Thanks.
> > > >
> > > > --Brian Desmond
> > > > [EMAIL PROTECTED]
> > > > Payton on the web! www.wpcp.org
> > > >
> > > > v - 773.534.0034 x135
> > > > f - 773.534.8101
> > > >
> > > >
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > > > > [EMAIL PROTECTED] On Behalf Of Jared Manhat
> > > > > Sent: Friday, November 05, 2004 3:07 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message During
> > > > > Windows Logon Welcome
> > > > >
> > > > > You should never modify the Default Domain Policy, instead create
> > > > > a new one.
> > > > >
> > > > > Jared Manhat
> > > > > Systems Administrator
> > > > > Accutest Laboratories
> > > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
> > > > > Sent: Friday, November 05, 2004 11:01 AM
> > > > > To: [EMAIL PROTECTED]
> > >

[ActiveDir] Cross-domain authentication problem?

2004-11-17 Thread Happy
Dear ActiveDir colleagues:

I am connected to the network hosting the org.company.com domain. 
org.domain.com is the root of a Windows 2000 forest.  There is a
one-way trust from org.domain.com to domain.com.

I have a workstation in the company.com domain and am logged in as a
user in the company.com domain.  Company.com is the root of a distinct
Windows Server 2003 forest.

When I attempt to connect from that workstation to a Samba server
which is a member of the org.company.com domain using an
org.company.com user account's credentials, several things happen:

(1) the org.company.com domain controller returns
NT_STATUS_WRONG_PASSWORD to the Samba server for the org.company.com
user
(2) my company.com account (frequently) becomes locked out after
multiple attempts

What is happening?  Why?  If it's unclear, how should I diagnose the
problem further?  If it's a "no-brainer," how can I correct the
problem?

Warmly,

--Pete Thomas

-- 
Pete 'Happy' Thomas ([EMAIL PROTECTED])
Web Site: https://www.painless-computing.com/peteandpam
Blog: http://happypete.livejournal.com


RE: [ActiveDir] Netlogon won't start

2004-11-17 Thread Brian Desmond
It was the last DC.

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Rick Boza
> Sent: Wednesday, November 17, 2004 10:00 AM
> To: ActiveDir List
> Subject: Re: [ActiveDir] Netlogon won't start
> 
> Not to conflict with what you're saying, but if you were un-DCPROMOing the
> box, it is still a member of the domain - it just isn't a DC anymore.
> Unless it was the last DC in the domain?
> 
> So when you click the drop-down, it's trying to populate a list.  Does it
> have access to a DC?
> 
> 
> On 11/16/04 11:46 PM, "Brian Desmond" <[EMAIL PROTECTED]>
> wrote:
> 
> > It's not joined to a domain. It's in its own workgroup, so I don't think
> > this is a DNS thing. The dropdown is flat out empty - no local machine,
> > no domain, none of that.
> >
> > How would I go about logging in with the SYSTEM account? I've never
> > tried to do such a thing - didn't know it was possible.
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> >> [EMAIL PROTECTED] On Behalf Of Edwin
> >> Sent: Tuesday, November 16, 2004 10:01 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: [ActiveDir] Netlogon won't start
> >>
> >> VNC'ing to a machine is no different than connecting to the machine via
> >> pcAnywhere, RDP or the local desktop except to say that it allows a
> >> remote connection.  During login, you must differentiate between a domain
> >> account login and the local system login regardless of what method is
> >> used to connect to the machine.
> >>
> >> If you do not have your domain listed in the drop down menu, I would
> >> think that maybe there is a DNS problem.  The Net Logon service relies on
> >> DNS to authenticate to the domain.
> >>
> >> If you can connect to the local system account, then I would probably
> >> check which name server the NIC was looking at and verify its setting
> >> with the domain controller's configured DNS server.  I would also double
> >> check that the Net Logon service was set to automatic.  In my opinion,
> >> you already have a messed up machine.  This may cause problems in the
> >> future. You may want to have your buddy try another dcpromo but this
> >> time to uninstall the configuring of a domain, reboot and then start
> >> over.
> >>
> >> You shouldn't have a problem logging in with the local system account
> >> of the machine.  If so, I would probably consider F8 during startup and
> >> using the last known configuration.
> >>
> >>
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> >> Sent: Tuesday, November 16, 2004 10:46 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: [ActiveDir] Netlogon won't start
> >>
> >> I just VNC'ed the box - equivalent to local logon. It has a log on to
> >> dropdown - the dropdown is empty though, no local machine name or
> >> domain - when you click the down arrow it just sorta sits there. Still
> >> whines about netlogon not being started.
> >>
> >> Thanks.
> >>
> >> --Brian Desmond
> >> [EMAIL PROTECTED]
> >> Payton on the web! www.wpcp.org
> >>
> >> v - 773.534.0034 x135
> >> f - 773.534.8101
> >>
> >>
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> >>> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> >>> Sent: Tuesday, November 16, 2004 9:33 PM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: RE: [ActiveDir] Netlogon won't start
> >>>
> >>> Yes. Local logon should still work.
> >>>
> >>>
> >>> Sincerely,
> >>>
> >>> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> >>> Microsoft MVP - Directory Services
> >>> www.readymaids.com - we know IT
> >>> www.akomolafe.com
> >>> Do you now realize that Today is the Tomorrow you were worried about
> >>> Yesterday?  -anon
> >>>
> >>> 
> >>>
> >>> From: [EMAIL PROTECTED] on behalf of Brian Desmond
> >>> Sent: Tue 11/16/2004 6:51 PM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: RE: [ActiveDir] Netlogon won't start
> >>>
> >>>
> >>>
> >>> Well it's a member server in a workgroup so the only account is the
> >>> local admin account. Are you saying that this error will not be an
> >>> issue if someone tries to log on at the console rather than via TS?
> >>>
> >>>
> >>>
> >>> Thanks.
> >>>
> >>>
> >>>
> >>> --Brian Desmond
> >>>
> >>> [EMAIL PROTECTED] 
> >>>
> >>> Payton on the web! www.wpcp.org 
> >>>
> >>>
> >>>
> >>> v - 773.534.0034 x135
> >>>
> >>> f - 773.534.8101
> >>>
> >>>
> >>>
> >>> 
> >>>
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
> >>> Sent: Tuesday, November 

RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread Eric Fleischman
(should have noted I repro'd this on ADAM, not AD... perhaps diff?)




RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread Eric Fleischman
Ah hah! Yes it does work. I just tried it. But there is a trick.

Trick: when doing this on XP, you must specify the creds explicitly, not
pass null to use currently logged on user.

~Eric








RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread Eric Fleischman
Try it and let me know. I thought so, but now you are making me second
guess myself.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

That will work for setting a password on AD (2K and K3)? I was under the
impression you needed the 128 bit SSL if doing over straight LDAP.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

...or use ldap_opt_encrypt, but I don't know if your client side LDAP api
supports that.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.


http://support.microsoft.com/?kbid=269190


You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is.


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?

Hi,

Is there a way to (securely) set an AD account password through a web page
on a linux or unix machine running apache?  Assume that we can already
verify the user's identity.

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University




Re: [ActiveDir] set AD password from linux?

2004-11-17 Thread Steve Patrick
Believe Joe is right here...

A little more outside of the box are the kerberos set password protocols
outlined in RFC 3244 - if I recall MS even had some nice sample code already
written for *nix application.

my .02

-steve
- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 7:56 AM
Subject: RE: [ActiveDir] set AD password from linux?


> That will work for setting a password on AD (2K and K3)? I was under the
> impression you needed the 128 bit SSL if doing over straight LDAP.
>
>   joe
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Wednesday, November 17, 2004 10:50 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] set AD password from linux?
>
> ...or use ldap_opt_encrypt, but I don't know if your client side LDAP api
> supports that.
>
> ~Eric
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, November 17, 2004 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] set AD password from linux?
>
> Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.
>
>
> http://support.microsoft.com/?kbid=269190
>
>
> You also might be able to find something in the Samba package which uses the
> NT Lan Man functionality. Though many would question just how secure that
> really is.
>
>
>   joe
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
> Sent: Wednesday, November 17, 2004 10:23 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] set AD password from linux?
>
> Hi,
>
> Is there a way to (securely) set an AD account password through a web page
> on a  linux or unix machine running apache?  Assume that we can already
> verify the user's identity.
>
> Thanks!
>
> - Robbie
>
> --
> Robbie Foust, IT Analyst
> OIT/CASI - Administrative Information Support Duke University
>
>
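The mechanics behind joe's KB 269190 pointer, as an added example (not code from the thread, from Microsoft or from Samba) for the Linux side of Robbie's question: the new password goes into the unicodePwd attribute as a double-quoted UTF-16-LE string, and the DC only accepts that modify over an encrypted session, so the command builder below refuses anything but ldaps://. The DNs, host and service account are made up, and the LDIF is meant for OpenLDAP's ldapmodify(1).

```python
"""Build the LDAP modify that sets an Active Directory unicodePwd from a
Linux/Unix box with OpenLDAP's ldapmodify.  Constructed example, not code
from the thread.  Facts assumed from KB 269190: the value is the password
in double quotes, UTF-16-LE encoded, and the DC accepts the modify only over
an encrypted connection (LDAPS with a 128-bit cipher), which is why the argv
builder refuses plain ldap:// URIs.
"""
import base64

ATTR = "unicodePwd"


def encode_unicode_pwd(password):
    """Wrap in double quotes and UTF-16-LE encode, as AD requires."""
    return '"{}"'.format(password).encode("utf-16-le")


def decode_unicode_pwd(value):
    """Inverse of encode_unicode_pwd, used to sanity-check what we built."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def ldif_value_line(attr, value):
    """LDIF '::' form: the value is binary, so it travels as base64."""
    return "{}:: {}".format(attr, base64.b64encode(value).decode("ascii"))


def parse_ldif_value_line(line):
    """Read a '<attr>:: <base64>' line back into (attr, raw bytes)."""
    attr, sep, data = line.partition(":: ")
    if not sep:
        raise ValueError("expected a base64 LDIF value line")
    return attr, base64.b64decode(data)


def reset_password_ldif(user_dn, new_password):
    """Administrative reset: a single 'replace'.  The bind account needs the
    Reset Password right on the user and the old password is not needed, so
    this is the shape a web front end that has already authenticated the
    user (Robbie's case) would send with its own service credentials."""
    return "\n".join([
        "dn: {}".format(user_dn),
        "changetype: modify",
        "replace: {}".format(ATTR),
        ldif_value_line(ATTR, encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


def change_password_ldif(user_dn, old_password, new_password):
    """User self-service change: delete the old value and add the new one in
    a single modify.  The DC checks the old password and applies password
    policy, so the bind can be the user's own account."""
    return "\n".join([
        "dn: {}".format(user_dn),
        "changetype: modify",
        "delete: {}".format(ATTR),
        ldif_value_line(ATTR, encode_unicode_pwd(old_password)),
        "-",
        "add: {}".format(ATTR),
        ldif_value_line(ATTR, encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


def uri_is_encrypted(uri):
    """Only LDAPS qualifies here: a cleartext ldap:// session is rejected by
    the DC for unicodePwd and would expose the password on the wire."""
    return uri.lower().startswith("ldaps://")


def ldapmodify_argv(uri, bind_dn, ldif_path):
    """argv for OpenLDAP's ldapmodify(1): simple bind over LDAPS, bind
    password prompted with -W so it never appears in the process list."""
    if not uri_is_encrypted(uri):
        raise ValueError("unicodePwd must be sent over ldaps:// (KB 269190)")
    return ["ldapmodify", "-H", uri, "-x", "-D", bind_dn, "-W", "-f", ldif_path]


if __name__ == "__main__":
    # Constructed sample: a DC, service account and user in a made-up domain.
    user = "CN=Test User,OU=Staff,DC=example,DC=org"
    svc = "CN=pwreset-svc,OU=Service,DC=example,DC=org"
    print(reset_password_ldif(user, "Correct-Horse-7"))
    print(" ".join(ldapmodify_argv("ldaps://dc1.example.org", svc, "reset.ldif")))
```

Delegate the front end's bind account only the Reset Password right on the OU it serves: whoever captures that credential can reset every account it covers.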


Re: [ActiveDir] Netlogon won't start

2004-11-17 Thread Rick Boza
Not to conflict with what you're saying, but if you were un-DCPROMOing the
box, it is still a member of the domain - it just isn't a DC anymore.
Unless it was the last DC in the domain?

So when you click the drop-down, it's trying to populate a list.  Does it
have access to a DC?


On 11/16/04 11:46 PM, "Brian Desmond" <[EMAIL PROTECTED]> wrote:

> It's not joined to a domain. It's in its own workgroup, so I don't think this
> is a DNS thing. The dropdown is flat out empty - no local machine, no domain,
> none of that. 
> 
> How would I go about logging in with the SYSTEM account? I've never tried to
> do such a thing - didn't know it was possible.
> 
> Thanks.
>  
> --Brian Desmond
> [EMAIL PROTECTED]
> Payton on the web! www.wpcp.org
>  
> v - 773.534.0034 x135
> f - 773.534.8101
> 
> 
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>> [EMAIL PROTECTED] On Behalf Of Edwin
>> Sent: Tuesday, November 16, 2004 10:01 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: [ActiveDir] Netlogon won't start
>> 
>> VNC'ing to a machine is no different than connecting to the machine via
>> pcAnywhere, RDP or the local desktop except to say that it allows a remote
>> connection.  During login, you must differentiate between a domain account
>> login and the local system login regardless of what method is used to
>> connect to the machine.
>> 
>> If you do not have your domain listed in the drop down menu, I would think
>> that maybe there is a DNS problem.  The Net Logon service relies on DNS to
>> authenticate to the domain.
>> 
>> If you can connect to the local system account, then I would probably
>> check which name server the NIC was looking at and verify its setting
>> with the domain controller's configured DNS server.  I would also double
>> check that the Net Logon service was set to automatic.  In my opinion,
>> you already have a messed up machine.  This may cause problems in the
>> future. You may want to have your buddy try another dcpromo but this time
>> to uninstall the configuring of a domain, reboot and then start over.
>> 
>> You shouldn't have a problem logging in with the local system account of
>> the machine.  If so, I would probably consider F8 during startup and
>> using the last known configuration.
>> 
>> 
>> 
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
>> Sent: Tuesday, November 16, 2004 10:46 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: [ActiveDir] Netlogon won't start
>> 
>> I just VNC'ed the box - equivalent to local logon. It has a log on to
>> dropdown - the dropdown is empty though, no local machine name or domain -
>> when you click the down arrow it just sorta sits there. Still whines about
>> netlogon not being started.
>> 
>> Thanks.
>> 
>> --Brian Desmond
>> [EMAIL PROTECTED]
>> Payton on the web! www.wpcp.org
>> 
>> v - 773.534.0034 x135
>> f - 773.534.8101
>> 
>> 
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>>> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>>> Sent: Tuesday, November 16, 2004 9:33 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: [ActiveDir] Netlogon won't start
>>> 
>>> Yes. Local logon should still work.
>>> 
>>> 
>>> Sincerely,
>>> 
>>> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>>> Microsoft MVP - Directory Services
>>> www.readymaids.com - we know IT
>>> www.akomolafe.com
>>> Do you now realize that Today is the Tomorrow you were worried about
>>> Yesterday?  -anon
>>> 
>>> 
>>> 
>>> From: [EMAIL PROTECTED] on behalf of Brian Desmond
>>> Sent: Tue 11/16/2004 6:51 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: [ActiveDir] Netlogon won't start
>>> 
>>> 
>>> 
>>> Well it's a member server in a workgroup so the only account is the local
>>> admin account. Are you saying that this error will not be an issue if
>>> someone tries to log on at the console rather than via TS?
>>> 
>>> 
>>> 
>>> Thanks.
>>> 
>>> 
>>> 
>>> --Brian Desmond
>>> 
>>> [EMAIL PROTECTED] 
>>> 
>>> Payton on the web! www.wpcp.org 
>>> 
>>> 
>>> 
>>> v - 773.534.0034 x135
>>> 
>>> f - 773.534.8101
>>> 
>>> 
>>> 
>>> 
>>> 
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
>>> Sent: Tuesday, November 16, 2004 7:10 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: [ActiveDir] Netlogon won't start
>>> 
>>> 
>>> 
>>> I had a similar problem in the past.  Have you tried logging into the
>>> local administrator account?  Then you could set the Net Logon service to
>>> Automatic within the Services Snap-In and then attempt to log into the
>>> domain after a server reboot.  I did this in the past and everything was
>>> good after.
>>> 
>>> Of course you do not have physical access to the machine so you will
>>> have to ask your buddy again for assistance.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 

RE: [ActiveDir] Syskey and AD

2004-11-17 Thread Perdue David J Contr InDyne/Enterprise IT

Even with SYSKEY enabled on a NT DC the sam can still be cracked with
l0phtcrack or the other tools.  Just making a recovery disk with the /r (I
believe) option would export a readable copy of the sam.  We would have to do
it for our security folks to test password strength every so often.

Honestly, I don't believe it matters what version of the Windows OS you use.
If you have physical access to the system, you win.

 

Dave

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

I would suggest the
Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted
with a locally stored key by default. The Syskey process allows you to store
that key on a separate floppy disk, thus adding an extra layer of security. In
the NT SAM, the encryption is not on by default but can be added with Syskey as
an optional extra so I reckon this makes the 2003 SAM more secure. 

If you have ever used
l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all
your passwords (even if it does require an admin account to run).

 

I accept that one of the
golden rules of security is that if the bad guy has physical access to your
machine it's not your machine any more but a 128bit encryption key will take
some time to crack, giving some breathing space to take action. Especially as
the Syskey password needs at least 12 characters and should contain all sort of
numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to
crack that would probably be many terabytes in size.

 

Having said all that, I
wouldn't bother using Syskey on my DCs or any other server due to the hassles
you mention. The best idea is just to keep them in a physically secure location
in the first place.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 16 November 2004 17:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD


I don't think
I would say that the SAM is more secure than it is with NT. 

 

The issue of
being hacked is still there and still fairly trivial. The syskey can maybe
help depending on the tools used to crack the server and whether it is an
attempt to brute force passwords (or Rainbow crack) or gain access to the box.
I don't want to get very deep into this but if someone has physical access to
the machine, they can own the machine if they so desire - period. Using a
user generated password or floppy (and not keeping the floppy with the machine)
with SysKey is safer but not tremendously so and again, only for someone trying
to steal the password database. Mostly it just adds considerable heartache
to management since you have to be in front of the machine (or using
some low level IO card to redirect console) to start it. Once the
local SAM is cracked, it is one reboot and one more tool away from the DIT
being cracked. 

 

Basically if
my goal is to steal your passwords in a quiet way, syskey will help a
little as it adds another 128 bit encryption piece in front of the hashes. If
my goal is to take over your server or domain or forest, syskey
doesn't hamper that.

 

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Tuesday, November 16, 2004 4:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

It's still
possible, but whether or not it will still be necessary with Windows Server
2003 is another question. The default security of the SAM is higher than with
NT. This page gives you the process. http://support.microsoft.com/kb/310105

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: 15 November 2004 20:03
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Syskey and AD


Is it still necessary to syskey DC's?  On NT 4.0
we always did that.  Does the same apply for Windows 2003?

 

***

The contents of
this communication are intended only for the addressee and may contain
confidential and/or privileged material. If you are not the intended recipient,
please do not read, copy, use or disclose this communication and notify the
sender. Opinions, conclusions and other information in this communication that
do not relate to the official business of my company shall be understood as
neither given nor endorsed by it. 

***

RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread joe
That will work for setting a password on AD (2K and K3)? I was under the
impression you needed the 128 bit SSL if doing over straight LDAP.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, November 17, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

...or use ldap_opt_encrypt, but I don't know if your client side LDAP api
supports that.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.


http://support.microsoft.com/?kbid=269190


You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?

Hi,

Is there a way to (securely) set an AD account password through a web page
on a linux or unix machine running apache?  Assume that we can already
verify the user's identity.

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread Eric Fleischman
...or use ldap_opt_encrypt, but I don't know if your client side LDAP
api supports that.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 17, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] set AD password from linux?

Yes, it requires LDAP and a 128 bit SSL connection to the Domain
Controller.


http://support.microsoft.com/?kbid=269190


You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?

Hi,

Is there a way to (securely) set an AD account password through a web page
on a linux or unix machine running apache?  Assume that we can already
verify the user's identity.

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] set AD password from linux?

2004-11-17 Thread Robbie Foust
Thanks Joe!  That's exactly what I needed. :-)
- Robbie
joe wrote:
Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.
http://support.microsoft.com/?kbid=269190
You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is. 

 joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?
Hi,
Is there a way to (securely) set an AD account password through a web page
on a linux or unix machine running apache?  Assume that we can already
verify the user's identity.
Thanks!
- Robbie
--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University
 

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University


RE: [ActiveDir] Master Browser

2004-11-17 Thread joe
Your current employer? That makes it sound like you are ready to jump to
some other employer Rog. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, November 17, 2004 12:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

You are correct - it's all about enumerating NetBIOS shares.

My current employer rather likes personal shares - rather there's no
resistance to having them. 


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Monday, November 15, 2004 11:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> So, really the only thing this service does is allow users to click 
> through the Network Neighborhood (or its successors).
> Is it correct that it does not prevent users from finding devices from 
> the run line or (obviously) from mapped drives?
> 
> As for publishing shares from workstations ... (zoinks!) you may have 
> bigger fish to fry!  ;-)
> 
> -- nme
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 15, 2004 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
> 
> I personally favor disabling it on all workstation machines. 
> There's little harm in leaving it running on servers, even non DC's.
> 
> The big question is whether or not it's needed - are the browse list 
> issues relevant enough to fix. In other words, is there a minor change 
> to usage that would eliminate the issue entirely? The biggest place 
> I'd expect to see this is if users are publishing shares from their 
> own machines.
> 
> 
> Roger Seielstad
> E-mail Geek & MS-MVP
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> Tyson Leslie
> > Sent: Monday, November 15, 2004 4:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> > 
> > Do you still suggest turning it off on all servers and workstations 
> > (as per
> > your KB article), even in an all W2K or better environment?   
> > We have done
> > so (via group policy) for quite some time, but recently ended up 
> > having to defend this decision to an admin in one of our other 
> > offices, because he was encountering browse list issues in
> his domain.  
> > (We have left it running on the Domain Controllers only.)
> > 
> > Tyson.
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> > Sent: Monday, November 15, 2004 10:46 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Master Browser
> > 
> > Turning off the service is a *much* better approach and doesn't 
> > generate any errors in the EventLog.
> > 
> > 
> > 
> > - ASB
> >   Cheap, Fast, Secure -- Pick Any TWO.
> >   http://www.ultratech-llc.com/KB/
> > 
> >  
> > 
> > 
> > On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino <[EMAIL PROTECTED]>
> > wrote:
> > > 
> > > 
> > > 
> > > I wouldn't turn off the service - I would (and do) go into the 
> > > registry and tell the box it is NOT a Master Browser and NOT to 
> > > maintain a list
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Adams, 
> > > Kenneth W
> > > (Ken)
> > > Sent: Monday, November 15, 2004 12:16 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > > 
> > > 
> > > 
> > >  
> > > 
> > > 
> > > To stop this error message, you will need to turn off the Computer
> > > Browser service.  The error message is actually an informational 
> > > message telling you about the browser status of computer CCDC01.
> > > 
> > > Ken Adams
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> Jacob Stabl
> > > Sent: Monday, November 15, 2004 12:01 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Master Browser
> > > 
> > > One of my DC's is returning the following error and I'm not sure what
> > > to do:
> > > 
> > >  
> > > 
> > > The browser has received a server announcement indicating that the
> > > computer CCDC01 is a master browser, but this computer is not a
> > > master browser.
> > > 
> > >  
> > > 
> > > Event ID 8005
> > > 
> > >  
> > > 
> > > This DC holds none of the FSMO roles so I'm not sure what I need to
> > > tell this server so I don't get this error anymore.
> > > 
> > >  
> > > 
> > > Thanks
> > > 
> > > Jake
> > >

RE: [ActiveDir] adfind and -excl

2004-11-17 Thread joe



For some reason my initial post didn't reach 
everyone, I myself didn't get it back and I know several others didn't get it 
either. Though I heard from some people who said they saw 
it...
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, November 17, 2004 12:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adfind and -excl

I believe you'll see that Joe (of joeware.net) himself 
offered a good answer yesterday.
 
Roger Seielstad
E-mail Geek & MS-MVP 

 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Tuesday, November 16, 2004 5:38 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] adfind and -excl
  
  
  

  
  Anyone?
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Monday, November 15, 2004 2:51 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] adfind and -excl
   
  Adfind.exe has a switch called 
  -excl which basically excludes certain attributes.  Does anyone know if it 
  can do the opposite?  I want to specify only certain attributes to 
  include. (too many to exclude)
   
  Devon 
  Harding
  Windows 
  Systems Engineer
  Southern 
  Wine & Spirits - GSD
  954-602-2469
   
  
  
  
  __This 
  message and any attachments are solely for the intended recipient and may 
  contain confidential or privileged information. If you are not the intended 
  recipient, any disclosure, copying, use or distribution of the information 
  included in the message and any attachments is prohibited. If you have 
  received this communication in error, please notify us by reply e-mail and 
  immediately and permanently delete this message and any attachments. Thank 
  You. 
  
  

  



RE: [ActiveDir] set AD password from linux?

2004-11-17 Thread joe
Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.


http://support.microsoft.com/?kbid=269190


You also might be able to find something in the Samba package which uses the
NT Lan Man functionality. Though many would question just how secure that
really is. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] set AD password from linux?

Hi,

Is there a way to (securely) set an AD account password through a web page
on a linux or unix machine running apache?  Assume that we can already
verify the user's identity.

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University




[ActiveDir] set AD password from linux?

2004-11-17 Thread Robbie Foust
Hi,
Is there a way to (securely) set an AD account password through a web 
page on a linux or unix machine running apache?  Assume that we can 
already verify the user's identity.

Thanks!
- Robbie
--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University


[ActiveDir] AD integrated DNS

2004-11-17 Thread Douglas M. Long
What settings are recommended for 2003 AD integrated DNS?

Automatic scavenging? If so, how frequently?
Is there a way to automatically clear the cache on the server
every night, or do you just have to add a task to task scheduler to do
it? Would there be anything wrong with clearing the cache every night?
The reason I ask is because nslookups were timing out for cnn.com today,
and clearing the cache on the DNS server fixed it. 


RE: [ActiveDir] DNS Issues

2004-11-17 Thread Rimmerman, Russ

Our Win2k DNS servers are on our internal network.  I have a rule allowing
53 tcp and 53 udp outbound to the Internet.  I don't have any other rules
for DNS.  Why do I need to create an inbound rule?  Aren't the DNS servers
doing all the lookups outbound?  What would initiate a connection inbound to
our DNS servers from the outside? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, November 16, 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

TCP shouldn't be an issue - since most firewalls will do some sort of state
management for those connects.

My money's on the fact there ISN'T an inbound firewall rule allowing
UDP/53 to his DNS servers and tangential to that the fact that there is no
static NAT enabled for the DNS servers internally.

In other words, create a static NAT rule for the DNS servers with root hints
enabled, and enable UDP/53 inbound to those hosts. DNS starts working again
- this time consistently.

The reason for inconsistency is most likely caused by the fact some
resolutions will fall over to TCP, due to response size and some less
regular occurrences.


Roger Seielstad
E-mail Geek & MS-MVP  

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Tuesday, November 16, 2004 7:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> TCP or UDP through the firewall?
> 
> What have you done to troubleshoot?  Logs?  ?? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> Russ
> Sent: Tuesday, November 16, 2004 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> Yes, all DNS is working fine except for some rare instances of 
> hostnames we've run into.  Last week we couldn't get to ftp.nai.com 
> but now we can.
> All our workstations are pointed to our child DCs for DNS.  
> They are set to forward to our empty root DCs, and the empty root DCs 
> have the root-hints, and the firewall allows them out port 53.
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> Rutherford
> Sent: Tuesday, November 16, 2004 7:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> 
> 
> I'd advise using forwarding for the functions you require.
> 
>  
> 
> It may seem stupid... but I take it the DNS server/s have appropriate 
> rules in your firewall/s?
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> Russ
> Sent: 16 November 2004 13:48
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS Issues
> 
>  
> 
> Since changing our DNS design from forwarding to our old firewall 
> which had root-hints built into it, to forwarding our DNS to our empty 
> forest root domain controllers with the root-hints on them, we are not 
> getting all our DNS lookups.
> 
>  
> 
> For example, http://www.volksbanksalzburg.at right now is not 
> resolving for us.  Yet if we RDP into one of our home PCs, it resolves 
> fine.  So my question is, is there anything weird about Windows 2000 
> root-hints or DNS servers that would cause us to not be able to look 
> up some hostnames properly in DNS?
> Or what would cause this issue?
> 
> 
> 
> ~~
> This e-mail is confidential, may contain proprietary information of 
> the Cooper Cameron Corporation and its operating Divisions and may be 
> confidential or privileged.
> 
> This e-mail should be read, copied, disseminated and/or used only by 
> the addressee. If you have received this message in error please 
> delete it, together with any attachments, from your system.
> ~~
> 
> 


RE: [ActiveDir] Syskey and AD

2004-11-17 Thread Geary, Simon (Computer People)

I would suggest the Windows 2003 (and 2000
and XP) SAM is more secure than NT as it is encrypted with a locally stored key
by default. The Syskey process allows you to store that key on a separate floppy
disk, thus adding an extra layer of security. In the NT SAM, the encryption is
not on by default but can be added with Syskey as an optional extra so I reckon
this makes the 2003 SAM more secure. 

If you have ever used l0phtcrack on an NT
SAM you may be scared at how quickly it can rip through all your passwords
(even if it does require an admin account to run).

 

I accept that one of the golden rules of
security is that if the bad guy has physical access to your machine it's
not your machine any more but a 128-bit encryption key will take some time to
crack, giving some breathing space to take action. Especially as the Syskey
password needs at least 12 characters and should contain all sort of numbers,
letters, squiggles and hieroglyphics. The rainbow tables needed to crack that
would probably be many terabytes in size.

 

Having said all that, I wouldn't
bother using Syskey on my DCs or any other server due to the hassles you
mention. The best idea is just to keep them in a physically secure location in
the first place.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 16 November 2004 17:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD



 

I don't
think I would say that the SAM is more secure than it is with NT. 

 

The
issue of being hacked is still there and still fairly trivial. The syskey
can maybe help depending on the tools used to crack the server and whether it
is an attempt to brute force passwords (or Rainbow crack) or gain access to the
box. I don't want to get very deep into this but if someone has physical access
to the machine, they can own the machine if they so desire - period. Using
a user generated password or floppy (and not keeping the floppy with the
machine) with SysKey is safer but not tremendously so and again, only for
someone trying to steal the password database. Mostly it just adds
considerable heartache to management since you have to be in front of the
machine (or using some low level IO card to redirect console) to
start it. Once the local SAM is cracked, it is one reboot and one more tool
away from the DIT being cracked. 

 

Basically
if my goal is to steal your passwords in a quiet way, syskey will help a
little as it adds another 128 bit encryption piece in front of the hashes. If
my goal is to take over your server or domain or forest, syskey
doesn't hamper that.

 

 
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Tuesday, November 16, 2004 4:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

It's
still possible, but whether or not it will still be necessary with Windows
Server 2003 is another question. The default security of the SAM is higher than
with NT. This page gives you the process. http://support.microsoft.com/kb/310105

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: 15 November 2004 20:03
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Syskey and AD


Is it still
necessary to syskey DC's?  On NT 4.0 we always did that.  Does the
same apply for Windows 2003?

 
