RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston



The use of 20 char passwords caught my eye.

In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most) 7 char password n times, so as to meet the 20+ char pw policy requirement.

As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counterproductive. [Any pw policy with a multiple of 7 chars being most counterproductive.]

Food for thought,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Sunday, March 05, 2006 4:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] How Secure is a Domain Controller?
  
  
  How Secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted, the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security. For example, NTLMv2: refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is a DC protected enough that all that needs to be worried about are the member machines?

  If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?
  
  Edwin
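Neil's observation above, that a length-only rule invites users to meet 20+ characters by repeating a short block, is something a password-set-time check can look for. This is an added example, not code from the thread or from Microsoft; the thresholds and sample passwords are constructed for illustration.

```python
"""Policy check for the failure mode Neil describes: a user satisfies a 20+
character length rule by repeating a short (e.g. 7 char) block. Added example,
not code from the ActiveDir thread; the thresholds below are constructed."""

MIN_LENGTH = 20          # the "20+ char" rule discussed in the thread
MIN_REPEATED_BLOCK = 5   # constructed: a block this long reused twice is suspicious


def smallest_period(s: str) -> int:
    """Length of the shortest block that, repeated (possibly cut off at the
    end), reproduces s. Computed from the KMP failure function; equals len(s)
    when s has no repeating structure. "Secret1Secret1Secret1" -> 7."""
    n = len(s)
    fail = [0] * (n + 1)   # fail[i]: length of the longest proper border of s[:i]
    k = 0
    for i in range(1, n):
        while k > 0 and s[i] != s[k]:
            k = fail[k]
        if s[i] == s[k]:
            k += 1
        fail[i + 1] = k
    return n - fail[n]


def longest_repeated_block(s: str) -> str:
    """Longest substring that occurs at least twice without overlapping.
    Catches near-repeats such as "Secret1Secret2Secret3" (-> "Secret") that
    smallest_period() does not see. Brute force is fine at password lengths."""
    n = len(s)
    for length in range(n // 2, 0, -1):
        for start in range(0, n - length + 1):
            block = s[start:start + length]
            if s.find(block, start + length) != -1:
                return block
    return ""


def evaluate(password: str) -> dict:
    """Return the measurements and an accept/reject verdict with the reason.
    The effective length is the period: whoever guesses the block has guessed
    the whole password, so "Secret1" x 3 is really a 7 character secret."""
    n = len(password)
    period = smallest_period(password)
    block = longest_repeated_block(password)
    result = {
        "length": n,
        "effective_length": period,
        "repetitions": n / period if period else 0.0,
        "repeated_block": block,
        "accept": True,
        "reason": "ok",
    }
    if n < MIN_LENGTH:
        result.update(accept=False, reason=f"shorter than {MIN_LENGTH} characters")
    elif n // period >= 2:
        result.update(accept=False,
                      reason=f"{period} character block repeated {n / period:.1f} times")
    elif len(block) >= MIN_REPEATED_BLOCK:
        result.update(accept=False,
                      reason=f"block {block!r} reused; less material than the length suggests")
    return result


if __name__ == "__main__":
    # Constructed samples: the pattern Neil describes, a near-repeat, and a passphrase.
    for candidate in ("Secret1Secret1Secret1", "Secret1Secret2Secret3",
                      "correct horse battery staple 2006"):
        verdict = evaluate(candidate)
        print(f"{candidate!r}: accept={verdict['accept']} ({verdict['reason']})")
```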





RE: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread Smith, Brad
The same question was asked at an MS seminar I went to about 3 or 4
years ago, and the MS rep explained that he didn't have a firm technical
answer either, and that at some early point during the dev of AD, there
was an intention to be able to host more than one AD on a DC and that
junction points would have been used somehow for that, and just never
got removed.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 04 March 2006 16:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SYSVOL and Junction Points

I'm going to ask what may be a dumb question, but I can't find anything
on it in the literature.  I am trying to get a better understanding of
how SYSVOL functions, and I think I've got a pretty decent idea.  But
when it comes to Junction Points, I'm a bit mystified.

I have read the literature, and I understand that junction points are
really just pointers to actual directories, rather than directories
themselves.  I understand that if you look in a junction point, it will
appear as a directory but its content will be the content of the real
directory it's pointing to.

I understand that the 2 junction points in SYSVOL are:

1. %systemroot%\Sysvol\Sysvol\FQDN of domain pointing to %systemroot%\Sysvol\domain
2. %systemroot%\Sysvol\Staging Areas\FQDN of domain pointing to %systemroot%\Sysvol\Staging\domain

What I want to know is why Junction Points are used?  I understand, for
example, that you want to prevent files being copied when they're open
by users.  This is the purpose for the staging directory, I believe.  I
understand that the PreInstall folder is so SYSVOL doesn't copy a file
in until it's fully replicated.

But I just can't get anyone to tell me why Junction Points are needed in
SYSVOL, and what their presence helps to achieve.

If you guys have an answer, or can point me to the literature to help
figure it out, that would be great.  Any information would be much
appreciated.

Thanks,

Scott
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




[ActiveDir] DC Lookup....

2006-03-06 Thread Smith, Brad



My environment: W2K FL, mix of W2K and W2K3 DC's, one forest, one domain, 60 DC's, all DC's bar one are relatively well connected (smallest link is 256k). One DC is poorly connected on a very highly utilised 1MB line :-(

Does anyone know if there is a way to specify which DC a site uses when the DC assigned to that site is offline? To be specific, I want to manage a situation where a site is assigned a DC (or a bunch of them) and then those DC's fail. The clients then will look up alternate DC's, but I want different subnets to look up different "secondary" DC's. So Site A has DCServerA, Site B has DCServerB, Site C has DCServerC, Site D has DCServerD and Site E has DCServerE. When DCServerA fails, I want those clients to use DCServerE. When one of DCServerB, DCServerC or DCServerD fails, I want them to use one of DCServerB, DCServerC or DCServerD.

Sort of confusing question to ask... anyone have any ideas? I know that DC DNS records can be weighted, but that is across the board and would affect all sites, right?



RE: [ActiveDir] DC Lookup....

2006-03-06 Thread Darren Mar-Elia










Brad-

Have you seen this article?



http://support.microsoft.com/kb/306602



















Fw: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread [EMAIL PROTECTED]
They are also known as reparse points, and RIS uses them for the Single Instance Store.


RE: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread neil.ruston
Junction Points are one implementation of the NTFS technology known as
Reparse Points.

http://www.pcguide.com/ref/hdd/file/ntfs/filesReparse-c.html

neil



[ActiveDir] Recommendations for spam issue

2006-03-06 Thread Rimmerman, Russ



If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was "filtering" and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through.

Would something like Trend Client Server Security for SMB work well in this situation?



RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Creamer, Mark
Russ, I've used two solutions for this issue, both of which I think turned out well:

1. Astaro Security Linux with mail protection subscription - available either as an appliance or a hardened Linux distro you can install on a decent PC
2. Sunbelt Software's IHATESPAM

The 501(c)(3) I support, with about 15 desktops currently, uses the Astaro appliance solution.




[ActiveDir] Resolving SIDs

2006-03-06 Thread Clay, Justin \(ITS\)








I thought I remember seeing something recently about how to
build some user information from a SID. Is this possible or am I dreaming? I
don't mean resolving the SID against AD, I actually mean taking a lone
SID and building some user information based on just the SID.



Thanks,



Justin
Clay
ITS Enterprise Services 
Metropolitan Government
of Nashville and Davidson County 
 Howard School Building 
Phone: (615) 880-2573













RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Lucas, Bryan








Are you 2003 and dissatisfied with the
IMF? I've found for small businesses it is extremely effective when
loaded with the right RBLs, IP blocks and configured correctly.





Bryan Lucas

Server Administrator

Texas Christian University

(817) 257-6971













RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Tim Vander Kooi



Based on the subject of this discussion: if you have those 
regular users, who can't comprehend or remember a password over 7 characters, 
signing on to your domain controllers I would say that your domain controllers 
are VERY not secure. Secondly, if your domain administrators are so lazy as to 
be using 7 character passwords you are still very 
insecure.




Re: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread mike kline
Non Profit probably means you don't have a huge IT budget. You may want to give SpamBayes a try.

The client plug-in does a decent job of filtering spam... and it's free. 

http://spambayes.sourceforge.net/index.html


RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston



You misunderstand :)

Ulf was suggesting that in order to protect the AD data on a poorly protected DC, strong passwords should be used that are harder to crack.

In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the use of 20 char passwords to logon to the DC; instead, it is suggested as a way to further protect the AD data, in the event that physical protection is weak.

hth,
neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander 
KooiSent: 06 March 2006 15:44To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] How Secure is a 
Domain Controller?

Based on the subject of this discussion: if you have those 
regular users, who can't comprehend or remember a password over 7 characters, 
signing on to your domain controllers I would say that your domain controllers 
are VERY not secure. Secondly, if your domain administrators are so lazy as to 
be using 7 character passwords you are still very 
insecure.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Monday, March 06, 2006 2:25 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
How Secure is a Domain Controller?

The use of 20 char passwords caught my 
eye.

In previous discussions with MS et al, it was suggested 
that the majority of users would simply repeat a (at most ( 7 char password n 
times, so as to meet the 20+ char pw policy requirement.

As a result, I have heard it suggested that in reality (not 
theory) a pw policy of more than 7 chars is actually counter productive. [Any pw 
policy with a multiple of 7 chars being most counter 
productive.]

Food for thought,
neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-WeidnerSent: 05 March 2006 08:35To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] How Secure is a 
Domain Controller?

I've written down some related thoughts 
once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
 MVP-Book "Windows XP - Die Expertentipps": 
http://tinyurl.com/44zcz Weblog: 
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  EdwinSent: Sunday, March 05, 2006 4:17 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] How Secure is a 
  Domain Controller?
  
  
  How Secure is a Domain Controller 
  that is fully patched on a default install of Windows 2003? When 
  promoted the domain controller has the two default policies, both of which are 
  recommended not to be modified. But there are things that could be done 
  better for added security. For example, NTLMv2 refuse NTLM and LM. 
  Is it common practice to add additional GPOs to the DC OU? Or is DC 
  protected enough to where all that is needed to worry about are the member 
  machines?
  
  If adding additional GPOs to the 
  DC OU, is there anything that should definitely be 
  avoided?
  
  Edwin
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A
member of the Nomura group of companies.

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Tim Vander Kooi



I understand/stood what you were saying, just was hoping to 
bring out a clearer answer for some of the lurker/newbies on the list (of which 
there are many). And you provided exactly that clarification which was 
excellent. Thank you.
I still personally believe in the statement that if I can 
touch your server, I own your server. There just is no good technical solution 
to a physical problem, and it's part of our job responsibility to make that 
clear to management.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

You misunderstand :)

Ulf was suggesting that in order to protect the AD data on 
a poorly protected DC, strong passwords should be used that are harder to 
crack.

In the event that the disks were compromised, the hacker 
would not be able to crack a 20 char pw. He does not suggest the use of 20 char 
passwords to logon to the DC but instead, it is suggested as a way to further 
protect the AD data, in the event that physical protection is 
weak.

hth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: 06 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

Based on the subject of this discussion: if you have those 
regular users, who can't comprehend or remember a password over 7 characters, 
signing on to your domain controllers I would say that your domain controllers 
are VERY not secure. Secondly, if your domain administrators are so lazy as to 
be using 7 character passwords you are still very 
insecure.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

The use of 20 char passwords caught my 
eye.

In previous discussions with MS et al, it was suggested 
that the majority of users would simply repeat a (at most) 7 char password n 
times, so as to meet the 20+ char pw policy requirement.

As a result, I have heard it suggested that in reality (not 
theory) a pw policy of more than 7 chars is actually counterproductive. [Any pw 
policy with a multiple of 7 chars being most 
counterproductive.]

Food for thought,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts 
once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Sunday, March 05, 2006 4:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] How Secure is a Domain Controller?
  
  
  How Secure is a Domain Controller 
  that is fully patched on a default install of Windows 2003? When 
  promoted, the domain controller has the two default policies, both of which are 
  recommended not to be modified. But there are things that could be done 
  better for added security. For example, use NTLMv2 and refuse NTLM and LM. 
  Is it common practice to add additional GPOs to the DC OU? Or is the DC 
  protected enough that all that is needed to worry about are the member 
  machines?
  
  If adding additional GPOs to the 
  DC OU, is there anything that should definitely be 
  avoided?
  
  Edwin

Re: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Exchange 2003?

The Trend CSM 3 version isn't having a good rep these days in my space.

Exchange SP2 includes IMF

www.vladville.com click on Articles on how to set it up.

www.techsoup.org btw...

Rimmerman, Russ wrote:

If you were a 20 user non-profit organization that were having a 
serious problem with SPAM, had an Exchange server in-house but an 
external internet provider that was filtering and 
forwarding your e-mail but not doing a good job, what product or 
solution would you recommend?  The problem is valid e-mails are being 
blocked and SPAM is getting through. 

Would something like Trend Client Server Security for SMB work well in 
this situation?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston

I understand/stood what you were saying, just was 
hoping to bring out a clearer answer for some of the lurker/newbies on the list 
(of which there are many). And you provided exactly that clarification which was 
excellent. Thank you.

[Neil Ruston] You're welcome :)

I still personally believe in the statement that if I 
can touch your server, I own your server. There just is no good technical 
solution to a physical problem, and it's part of our job responsibility to make 
that clear to management.

[Neil Ruston] Sometimes we're forced to make compromises due to management and 
political pressure. Ulf has written an article which helps to secure the DC if 
it finds itself physically insecure. Ideally, the DC would not be deployed at 
all, but the world [of IT] is far from ideal... :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

You misunderstand :)

Ulf was suggesting that in order to protect the AD data on 
a poorly protected DC, strong passwords should be used that are harder to 
crack.

In the event that the disks were compromised, the hacker 
would not be able to crack a 20 char pw. He does not suggest the use of 20 char 
passwords to logon to the DC but instead, it is suggested as a way to further 
protect the AD data, in the event that physical protection is 
weak.

hth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: 06 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

Based on the subject of this discussion: if you have those 
regular users, who can't comprehend or remember a password over 7 characters, 
signing on to your domain controllers I would say that your domain controllers 
are VERY not secure. Secondly, if your domain administrators are so lazy as to 
be using 7 character passwords you are still very 
insecure.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

The use of 20 char passwords caught my 
eye.

In previous discussions with MS et al, it was suggested 
that the majority of users would simply repeat a (at most) 7 char password n 
times, so as to meet the 20+ char pw policy requirement.

As a result, I have heard it suggested that in reality (not 
theory) a pw policy of more than 7 chars is actually counterproductive. [Any pw 
policy with a multiple of 7 chars being most 
counterproductive.]

Food for thought,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts 
once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Sunday, March 05, 2006 4:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] How Secure is a Domain Controller?
  
  
  How Secure is a Domain Controller 
  that is fully patched on a default install of Windows 2003? When 
  promoted, the domain controller has the two default policies, both of which are 
  recommended not to be modified. But there are things that could be done 
  better for added security. For example, use NTLMv2 and refuse NTLM and LM. 
  Is it common practice to add additional GPOs to the DC OU? Or is the DC 
  protected enough that all that is needed to worry about are the member 
  machines?
  
  If adding additional GPOs to the 
  DC OU, is there anything that should definitely be 
  avoided?
  
  Edwin

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]

To add my 2 cents.

   1. Add Anti-virus and Anti-Spyware detection.
   2. Configure and back up your event logs. At remote sites, I would
  recommend collecting the event logs on a faster rotation.
   3. Add monitoring. You want to monitor account lockout events and
  have notification when excessive amounts of authentications are
  occurring. (Tips you off to possible brute force attacks, and
  up/down situations.)
   4. Use IPSEC policies to not allow outside traffic to your DCs. (I
  haven't tried this, but the theory seems pretty solid.)
   5. Use GPOs to enforce group memberships for EA and Domain Admins.
   6. When possible do not have child domains; this allows you to use
  tighter security policies.
   7. Enforce all registry changes using GPOs. Things like DNS record
  weight, fixed ports for NTDS and FRS replication, etc. should be set
  this way to avoid mis-configuration.
   8. At a minimum have a MFT backup of the AD system state done at a
  central site each night. If you should lose objects, etc., having this
  will give you options for restore. Not having it, you're doomed.
   9. Make sure your account policies balance the need to thwart an
  attack but also consider the potential for brute force and denial of
  service. You don't want to come in on Monday to 40K of accounts locked
  out, and everyone waiting for you to unlock them.
  10. TBD

Todd Myrick 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 06, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I understand/stood what you were saying,
just was hoping to bring out a clearer answer for some of the lurker/newbies on
the list (of which there are many). And you provided exactly that clarification
which was excellent. Thank you.

[Neil Ruston] You're welcome :)

I still personally believe in the
statement that if I can touch your server, I own your server. There just is no
good technical solution to a physical problem, and it's part of our job
responsibility to make that clear to management.

[Neil Ruston] Sometimes we're forced to make compromises due to management and
political pressure. Ulf has written an article which helps to secure the DC if
it finds itself physically insecure. Ideally, the DC would not be deployed at
all, but the world [of IT] is far from ideal... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

You misunderstand :)

Ulf was suggesting that in order to
protect the AD data on a poorly protected DC, strong passwords should be
used that are harder to crack.



In the event that the disks were
compromised, the hacker would not be able to crack a 20 char pw. He does not
suggest the use of 20 char passwords to logon to the DC but instead, it is
suggested as a way to further protect the AD data, in the event that physical
protection is weak.



hth,
neil

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Tim Vander Kooi
Sent: 06 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How
Secure is a Domain Controller?

Based on the subject of this discussion:
if you have those regular users, who can't comprehend or remember a password
over 7 characters, signing on to your domain controllers I would say that your
domain controllers are VERY not secure. Secondly, if your domain administrators
are so lazy as to be using 7 character passwords you are still very insecure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

The use of 20 char passwords caught my
eye.



In previous discussions with MS et al, it
was suggested that the majority of users would simply repeat a (at most) 7
char password n times, so as to meet the 20+ char pw policy requirement.

As a result, I have heard it suggested
that in reality (not theory) a pw policy of more than 7 chars is actually
counterproductive. [Any pw policy with a multiple of 7 chars being most
counterproductive.]



Food for thought,
neil

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How
Secure is a Domain Controller?

I've written down some related thoughts
once:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED]
[mailto:[EMAIL 
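Todd's monitoring item (lockout events and excessive authentication) and his Monday-morning lockout scenario, as an added Python example that is not code from the list: a sliding-window detector over a constructed export of Windows 2003 security events, where 529 is a logon failure and 644 an account lockout. The export format, the window and the thresholds are assumptions.

```python
"""Sliding-window detection for two of Todd's points: many failed logons from
one source (brute force) and a burst of lockouts (denial of service).
Added example; not code from the list. 529 and 644 are the Windows 2003
security-log event IDs for logon failure and account lockout."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

Event = Tuple[datetime, int, str, str]   # time, event id, account, source host
Alert = Tuple[str, str, datetime, int]    # kind, key, time raised, events in window

EVENT_LOGON_FAILURE = 529
EVENT_ACCOUNT_LOCKOUT = 644
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text: str) -> List[Event]:
    """Parse 'time,eventid,account,source' lines (an assumed CSV export
    format, not the native event-log format)."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, eid, account, source = line.split(",")
        events.append((datetime.strptime(ts, TIME_FMT), int(eid), account, source))
    return events


def constructed_export() -> str:
    """Constructed sample data: one user mistyping twice, one host trying
    25 accounts in two minutes, and six lockouts within four minutes."""
    base = datetime(2006, 3, 6, 8, 0, 0)
    lines = [f"{base:{TIME_FMT}},529,jdoe,WS-0112",
             f"{base + timedelta(seconds=30):{TIME_FMT}},529,jdoe,WS-0112"]
    for i in range(25):
        t = base + timedelta(minutes=10, seconds=5 * i)
        lines.append(f"{t:{TIME_FMT}},529,user{i:02d},WS-0999")
    for i in range(6):
        t = base + timedelta(minutes=30, seconds=40 * i)
        lines.append(f"{t:{TIME_FMT}},644,user{i:02d},DC01")
    return "\n".join(lines)


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 20, lockout_threshold: int = 5) -> List[Alert]:
    """Raise one alert per key the first time its count inside the window
    reaches the threshold. Failed logons are keyed per source host (the
    brute-force signal); lockouts are counted domain-wide (the DoS signal)."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    for ts, eid, _account, source in sorted(events, key=lambda e: e[0]):
        if eid == EVENT_LOGON_FAILURE:
            key, threshold = ("BRUTE_FORCE", source), fail_threshold
        elif eid == EVENT_ACCOUNT_LOCKOUT:
            key, threshold = ("LOCKOUT_STORM", "domain"), lockout_threshold
        else:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # drop events that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], ts, len(q)))
    return alerts


if __name__ == "__main__":
    for kind, key, ts, count in detect(parse_events(constructed_export())):
        print(f"{ts:%H:%M:%S} {kind} {key}: {count} events within 5 minutes")
```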

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]

I don't really look at problems from the "Trying to Save Money" approach. I try to spend my money and use my time wisely.

I base all my value judgments on the following factors.

1. Does it value people?

2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value)

3. Is the solution timely?

4. Does the solution offer reproducible results?

AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator's job, not an engineer's, so I want a solution that offers value to operators.

The standard "free" AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and takes longer to implement a restore operation (the user might be out in China, where your lag site might be in the UK).

For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer, not an operator.

So my priorities are different than yours... and so are my responsibilities. I don't have to save the company money.

Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one.

Yeah, you probably hit the target both ways. But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill.

Todd Myrick

From: Frank Abagnale [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 04, 2006 5:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

Todd,

You mentioned 'potentially has the ability to create more problems'

Could you outline the problems that are on your mind?

I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented.

Frank

Myrick, Todd (NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote:

Agreed.

Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?)

I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t!

would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (Subnetmask, Def-Gateway) - it just cares what you have configured in the sites and subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0, however you keep all servers in one lagsite in the same "virtual" subnet 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD-Replication will do 

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread deji
He does NOT have to save the company money, he says.
 
That's MY money you are talking about there, bucko! :)
 
Seriously, Todd, you do have to understand that a vast majority of IT shops
don't have budget for their IT folks to be as productive as they desire to
be. This is why people tend to be as creative and conservative as possible.
They want to stay as native as humanly possible and as painful as the
exercise tends to be, they typically can't do anything about it. When
management expects you to squeeze water out of rocks, you hardly have many
options.
 
The Lag Site concept is not a replacement for specialized recovery
solutions. But, the concept came about as a result of people realizing that,
much as they like the Quests and Netpros of this world, the steep price
associated with them makes those products out of reach. If you've seen the
California Cows commercials, you will begin to understand how much people
salivate over professional tools. So, what's a poor admin to do? Especially
when his/her CIO has just played golf with a buddy who has just read
something from, say, Gartner, preaching the benefits of DR, and the CIO now
wants DR implemented like, oh, say, one week ago without any additional
funding?
 
Lag Sites are NOT as expensive as any of the other options. Where budget
constraint is a factor, the Lag Site concept is the next best thing for any
AD Admin. The fact that it requires some expertise to successfully implement
and utilize IS a big plus rather than a drawback. If you are going to
administer any sizeable enterprise where DR is essential, you better start
knowing something about the inner workings of the things you are claiming to
be administering. Come to think of it, the vendors who market these
specialized recovery tools are not engaged in voodoo. By learning how things
work, you may not need to pay their protection money any longer.
 
OK, now I've said too much ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



I don't really look at problems from the "Trying to Save Money" approach.
I try to spend my money and use my time wisely. 

 

 I base all my value judgments on the following factors.  

 

1. Does it value people?

2. Is it priced acceptably?  (I value dominant designs, but also feel that
some innovative features are worth more if they offer added value)

3. Is the solution timely?

4. Does the solution offer reproducible results?

 

AD lag site restores seem a little advanced for general operators to be able
to perform.  To me restore operations are an operator job not an engineer's
so I want a solution that offers value to operators.

 

The standard Free AD solution to restore objects has a lot of CLI, it
doesn't restore all the attributes, it takes more time to implement, it
requires a DC be rebooted, it lacks the ability to restore single attributes,
and groups.  The lag site approach seems okay initially, but it requires more
dedicated hardware that has to be maintained, it complicates the AD design in
an unnatural way, it requires knowledge of the AD site architecture to
properly implement (You have to force replication to the rest of the forest)
and takes longer to implement a restore operation... (The user might be out in
China, where your lag site might be in the UK).

 

For me I wanted the ability to quickly restore objects using a turnkey
solution that I can delegate to trusted operators to perform.  A dedicated
person to do this task would cost about 30 to 40K per year. My base thinking
is that would work between 10K to 20K up front, and about 3 to 5% overhead
each additional year.  I gain the ability to restore all objects and
attributes, as well as groups and their memberships.  I can restore these
objects at the site the user resides, I don't have to reboot a DC to do this
operation, and I free up the engineer to be an engineer not an operator.  

 

So my priorities are different than yours... and so are my
responsibilities.  I don't have to save the company money.

 

Notice I didn't say lag sites don't work, but the number of steps involved to
do an authoritative restore compared to using a third-party product designed
for the job and the possible end results are akin to shooting a bullet and
throwing one.

 

Yeah, you probably hit the target both ways. But I think my way is more
accurate, has better range, and gets the job done a lot faster and has the
potential to be more effective with less skill.

 

Todd Myrick

 



From: Frank Abagnale [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 04, 2006 5:47 AM
To: ActiveDir@mail.activedir.org

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Ulf B. Simon-Weidner



Hi Neil,

I think long passwords are primarily necessary for 
privileged accounts such as domain admins and especially service accounts. 
Having long, randomly generated passwords is not an issue for service accounts 
if you have a procedure in place to change them. If you need to provide the 
password again, you can generate a new one and change it - no need to even store 
those passwords.

For domain admins, teach them how to create long passwords - 
e.g. starting with passphrases would be a start, which can be improved with 
nonsense characters in between to avoid dictionary attacks. I also believe it's 
a good idea to teach your users as well, but that's mainly internal 
marketing.

Long passwords don't buy you the security that those 
passwords cannot be hacked; however, they increase the time the attacker needs to 
get to the passwords, and buy you time for changing the passwords after a DC 
has been stolen.

Since I'm talking about admin and service accounts it's not 
enforceable via GPO - at least not without 3rd party software or a special 
domain design.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, March 06, 2006 9:25 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How Secure is a Domain Controller?
  
  The use of 20 char passwords caught my 
  eye.
  
  In previous discussions with MS et al, it was suggested 
  that the majority of users would simply repeat a (at most) 7 char password n 
  times, so as to meet the 20+ char pw policy requirement.
  
  As a result, I have heard it suggested that in reality 
  (not theory) a pw policy of more than 7 chars is actually counterproductive. 
  [Any pw policy with a multiple of 7 chars being most 
  counterproductive.]
  
  Food for thought,
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: 05 March 2006 08:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How Secure is a Domain Controller?
  
  I've written down some related thoughts 
  once:
  http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?


How Secure is a Domain 
Controller that is fully patched on a default install of Windows 2003? 
When promoted, the domain controller has the two default policies, both of 
which are recommended not to be modified. But there are things that 
could be done better for added security. For example, use NTLMv2 and refuse 
NTLM and LM. Is it common practice to add additional GPOs to the DC 
OU? Or is the DC protected enough that all that is needed to worry 
about are the member machines?

If adding additional GPOs to 
the DC OU, is there anything that should definitely be 
avoided?

Edwin

Re: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Question?

On a DC ...why do you need anti spyware?

If spyware enters via web browsing and email...and IE should never be 
used/launched on a DC... why do you need it? If the enhanced IE lockdown 
is still in place that shuts off scripting and what not.


Is it on my TS box and all workstations? Yup. On my DC. No. the only 
site that that box surfs to is Microsoft Update (I mean I don't even go 
to Joewear on that DC)


Why introduce another thing that might introduce new code and new 
false positives?


(see Spybot that flagged Microsoft's remote desktop control for RWW as 
spyware, see Microsoft's Antispyware that flagged Symantec as a trojan)


And if you do a/v ensure that the needed folders and files are excluded 
(see prior posts in this forum about the KB articles regarding how to 
set up a/v on a domain controller and Exchange servers)


Myrick, Todd (NIH/CC/DNA) [E] wrote:


To add my 2 cents.

   1. Add Anti-virus and Anti-Spyware detection.
   2. Configure and back up your event logs. At remote sites, I would
      recommend collecting the event logs on a faster rotation.
   3. Add monitoring. You want to monitor account lockout events and
      have notification when excessive amounts of authentications are
      occurring. (Tips you off to possible brute force attacks, and
      up/down situations.)
   4. Use IPSEC policies to not allow outside traffic to your DCs. (I
      haven't tried this, but the theory seems pretty solid.)
   5. Use GPOs to enforce group memberships for EA and Domain Admins.
   6. When possible do not have child domains; this allows you to use
      tighter security policies.
   7. Enforce all registry changes using GPOs. Things like DNS record
      weight, fixed ports for NTDS and FRS replication, etc. should be
      set this way to avoid mis-configuration.
   8. At a minimum have an MFT backup of the AD system state done at a
      central site each night. If you should lose objects, etc., having
      this will give you options for restore. Not having it, you're doomed.
   9. Make sure your account policies balance the need to thwart an
      attack but also consider the potential for brute force and
      denial of service. You don't want to come in on Monday to 40K
      accounts locked out, and everyone waiting for you to unlock them.
  10. TBD

Todd Myrick



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 11:23 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?


I understand/stood what you were saying, just was hoping to bring out 
a clearer answer for some of the lurker/newbies on the list (of which 
there are many). And you provided exactly that clarification which was 
excellent. Thank you.

**[Neil Ruston] You're welcome :)**

I still personally believe in the statement that if I can touch your 
server, I own your server. There just is no good technical solution to 
a physical problem, and it's part of our job responsibility to make 
that clear to management.
**[Neil Ruston] Sometimes we're forced to make compromises due to 
management and political pressure. Ulf has written an article which 
helps to secure the DC if it finds itself physically insecure. 
Ideally, the DC would not be deployed at all, but the world [of IT] is 
far from ideal... :)**




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of 
[EMAIL PROTECTED]

*Sent:* Monday, March 06, 2006 9:52 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?

You mis-understand :)

Ulf was suggesting that in order to protect the AD data on a poorly 
protected DC, that strong passwords should be used that are harder to 
crack.


In the event that the disks were compromised, the hacker would not be 
able to crack a 20 char pw. He does not suggest the use of 20 char 
passwords to logon to the DC but instead, it is suggested as a way to 
further protect the AD data, in the event that physical protection is 
weak.


hth,

neil



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Tim Vander Kooi

*Sent:* 06 March 2006 15:44
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?

Based on the subject of this discussion: if you have those regular 
users, who can't comprehend or remember a password over 7 characters, 
signing on to your domain controllers I would say that your domain 
controllers are VERY not secure. Secondly, if your domain 
administrators are so lazy as to be using 7 character passwords you 
are still very insecure.

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of 
[EMAIL PROTECTED]


RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Al Garrett

CommTouch
http://www.commtouch.com/Site/Home/home.asp

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Monday, March 06, 2006 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

If you were a 20 user non-profit organization that were having a serious
problem with SPAM, had an Exchange server in-house but an external internet
provider that was filtering and forwarding your e-mail but not doing a good
job, what product or solution would you recommend? The problem is valid
e-mails are being blocked and SPAM is getting through.

Would something like Trend Client Server Security for SMB work well in this
situation?


[ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advace server.

2006-03-06 Thread Manjeet Singh

One of my applications requires IIS6 (or Windows 2003 Server) for its
functionality.

I am running some Windows 2000 Servers and I need to run this application on
these servers. Is there any way to upgrade/install Windows 2000 IIS5 to IIS6?

The customer does not want to upgrade to Windows 2003 right now.

Thanks, Manjeet

RE: [ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advace server.

2006-03-06 Thread deji
No.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Manjeet Singh
Sent: Mon 3/6/2006 11:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advace server.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] AD - What to monitor?

2006-03-06 Thread Adeel Ansari
AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why?
I am talking in terms of security events only, to protect AD and also protect
it from attacks of any kind.

Obviously, one would monitor failed logon, too many accounts creations etc.
What else should we monitor?

Regards,
Adeel

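Detection logic for items 3 and 9 of Todd's list earlier in this thread and for this question (account lockouts, excessive authentication failures), as an added example that is not from any poster on the list: it runs a sliding window over constructed sample records in the Windows Server 2003 Security log's event-ID convention (529 = logon failure, 644 = account locked out), flags one host sending rapid failures, and separately flags a domain-wide lockout storm, the lockout-policy denial of service Todd warns about. The window sizes and thresholds are assumptions to tune per environment.

```python
"""Sliding-window detection over Security log events (added example, not
from the list). Event IDs follow the Windows Server 2003 Security log:
529 is a logon failure (bad user name or password), 644 is an account
lockout. The records in SAMPLE_EVENTS are constructed, not real log output."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILURE = 529
ACCOUNT_LOCKOUT = 644

# Constructed sample: (timestamp, event id, account, source workstation).
SAMPLE_EVENTS = [
    ("2006-03-06 08:00:01", 529, "jsmith",  "WS-007"),  # two typos: benign
    ("2006-03-06 08:00:40", 529, "jsmith",  "WS-007"),
    ("2006-03-06 08:02:00", 529, "admin",   "WS-042"),  # rapid failures
    ("2006-03-06 08:02:05", 529, "admin",   "WS-042"),  # from one host ...
    ("2006-03-06 08:02:09", 529, "admin",   "WS-042"),
    ("2006-03-06 08:02:14", 529, "admin",   "WS-042"),
    ("2006-03-06 08:02:20", 529, "admin",   "WS-042"),
    ("2006-03-06 08:02:22", 644, "admin",   "WS-042"),  # ... ending in a lockout
    ("2006-03-06 09:15:00", 644, "user001", "WS-101"),  # lockouts piling up
    ("2006-03-06 09:15:10", 644, "user002", "WS-101"),  # across many accounts:
    ("2006-03-06 09:15:25", 644, "user003", "WS-101"),  # the Monday-morning
    ("2006-03-06 09:15:30", 644, "user004", "WS-101"),  # denial of service
]


def parse_events(records):
    """Normalise raw tuples into dicts with a datetime and folded-case names."""
    return [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": eid,
         "account": acct.lower(), "source": src.upper()}
        for ts, eid, acct, src in records
    ]


def _windowed_alerts(events, key, threshold, window):
    """Group events by key(e); report every group that accumulates at least
    `threshold` events inside any `window`-long span. The alert keeps the
    largest such burst seen for that group."""
    alerts = {}
    recent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        k = key(e)
        bucket = recent[k]
        bucket.append(e)
        while e["time"] - bucket[0]["time"] > window:  # expire old entries
            bucket.pop(0)
        if len(bucket) >= threshold and len(bucket) >= alerts.get(k, {}).get("count", 0):
            alerts[k] = {
                "count": len(bucket),
                "first": bucket[0]["time"],
                "last": e["time"],
                "accounts": sorted({x["account"] for x in bucket}),
            }
    return alerts


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Per-source logon failures: `threshold` of them inside `window` is the
    'excessive amounts of authentications' signal, keyed by the host that
    sent them so the alert names where to look."""
    failures = [e for e in events if e["id"] == LOGON_FAILURE]
    return _windowed_alerts(failures, lambda e: e["source"], threshold, window)


def detect_lockout_storm(events, threshold=3, window=timedelta(minutes=10)):
    """Domain-wide lockouts: many 644 events in a short window means the
    lockout policy is being turned into a denial of service."""
    lockouts = [e for e in events if e["id"] == ACCOUNT_LOCKOUT]
    return _windowed_alerts(lockouts, lambda e: "DOMAIN", threshold, window)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for src, a in detect_bruteforce(events).items():
        print(f"brute force from {src}: {a['count']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} on {a['accounts']}")
    for _, a in detect_lockout_storm(events).items():
        print(f"lockout storm: {a['count']} accounts locked "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}: {a['accounts']}")
```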


RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Adeel Ansari
Justin,

The only thing that I can think of is Sidtoname.exe. I don't think that you
are looking for this however.

Can you expand a little bit more on building user information based on SID?

-Adeel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resolving SIDs



I thought I remember seeing something recently about how to build some user
information from a SID. Is this possible or am I dreaming? I don't mean
resolving the SID against AD, I actually mean taking a lone SID and building
some user information based on just the SID.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

[ActiveDir] Dynamic Groups

2006-03-06 Thread Lucas, Bryan

I know you can build a dynamic query based distribution
group, but can you do the same for a security group? What is the best way to
accomplish making anyone who is in a particular OU a member of a security group
on a dynamic basis (scheduled task frequency)?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Clay, Justin (ITS)

Adeel,

I was thinking that I read that without the account database, you could
actually gain some information from the SID, using a formula of some type. I
don't know if that's actually possible or not. I might have made it up in a
dream.

Thanks for the info on sidtoname.exe, that might not help here, but I can see
it being useful in the future.

Thanks,

Justin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs


RE: [ActiveDir] Dynamic Groups

2006-03-06 Thread Brian Desmond

Bryan-

Just write a script which runs as a scheduled task which enumerates all
the users in an OU and checks that they're a member of the group. You'll
also need to remove users who don't belong in there anymore. Depending
on the scale of your AD deployment (in terms of number of DCs and links between
them) it may just be easier for you to clear out the group and repopulate it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, March 06, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Dynamic Groups


RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Alborzfard, Alex

As you can see from the responses, you have a lot of options. It just depends
on your budget, time (setup & administration), and expertise which one is the
best bet for you.

Alex Alborzfard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, March 06, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue


RE: [ActiveDir] Dynamic Groups

2006-03-06 Thread Ulf B. Simon-Weidner

And keep in mind that it only works when users are logging off and on (at
least for domain groups) so that the token is recreated - so running it
multiple times a day is probably not practical.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Monday, March 06, 2006 9:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Dynamic Groups


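Brian's scheduled-task procedure (enumerate the OU, add the missing users, remove the stragglers), as an added example that is not the list's or any poster's code: it only computes the membership plan from a constructed directory snapshot, handling the sub-OU and escaped-comma DN cases and comparing DNs case-insensitively as AD does, and leaves applying the plan to whatever tool you run against AD. Per Ulf's caveat above, a change made this way reaches a user's token only at the next logon, so the schedule need not be aggressive.

```python
"""Plan the membership changes for a security group that mirrors an OU
(added example; not the list's or any poster's code). Talks to no
directory: the DNs below are constructed input and the result is a plan."""


def dn_rdns(dn):
    """Split a DN into lower-cased RDNs on commas that are not escaped with a
    backslash, so 'CN=Smith\\, Eve' stays a single RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns


def in_ou(object_dn, ou_dn, subtree=False):
    """True if object_dn sits directly in ou_dn, or anywhere below it when
    subtree=True. An object never 'is in' itself."""
    obj, ou = dn_rdns(object_dn), dn_rdns(ou_dn)
    if len(obj) <= len(ou) or obj[-len(ou):] != ou:
        return False
    return subtree or len(obj) == len(ou) + 1


def plan_group_sync(user_dns, member_dns, ou_dn, subtree=False):
    """Return (to_add, to_remove) so that the group ends up holding exactly
    the users of the OU. Both sets hold lower-cased DNs."""
    wanted = {dn.lower() for dn in user_dns if in_ou(dn, ou_dn, subtree)}
    current = {dn.lower() for dn in member_dns}
    return wanted - current, current - wanted


# Constructed sample directory snapshot: every user object, and the group's
# current members, as the scheduled task would read them from AD.
SALES_OU = "OU=Sales,DC=corp,DC=example,DC=com"
USERS = [
    "CN=Alice,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Bob,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Carol,OU=Interns,OU=Sales,DC=corp,DC=example,DC=com",  # sub-OU
    "CN=Dave,OU=Finance,DC=corp,DC=example,DC=com",            # moved out
    "CN=Smith\\, Eve,OU=Sales,DC=corp,DC=example,DC=com",       # escaped comma
]
GROUP_MEMBERS = [
    "CN=Bob,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Dave,OU=Finance,DC=corp,DC=example,DC=com",
    "CN=Smith\\, Eve,OU=Sales,DC=corp,DC=example,DC=com",
]

if __name__ == "__main__":
    add, remove = plan_group_sync(USERS, GROUP_MEMBERS, SALES_OU)
    print("add:   ", sorted(add))
    print("remove:", sorted(remove))
```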

RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Ulf B. Simon-Weidner

The SID is only a number which is issued on each DC to new security principals
on a first come, first served basis, so if you create two users on the same DC
you probably have two following SIDs. There's nothing encrypted or magic in the
SID, so there is no more information you can get just out of the SID without
resolving it to the domain.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
  Sent: Monday, March 06, 2006 9:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Resolving SIDs


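What a lone SID does and does not contain, as an added example that is not from any poster on the list: a parser for the documented string and binary SID layouts that recovers the domain identifier and the RID and recognises a few well-known RIDs, which is all the information available without resolving the SID against the domain. The SIDs it works on are constructed samples.

```python
"""Take a lone SID apart (added example; not from the list or any poster).
The string and binary layouts are the documented Windows ones; the SIDs
used as input below are constructed samples."""
import struct

# RIDs below 1000 are reserved; a few of the well-known domain RIDs:
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}
MAX_SUBAUTHORITIES = 15   # the SID structure allows at most 15 sub-authorities


def parse_sid(sid):
    """Break 'S-R-A-S1-...-Sn' into its fields. For a domain SID (authority 5,
    first sub-authority 21) also split off the domain identifier and the RID;
    apart from these a SID carries no name, creation time or attributes."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > MAX_SUBAUTHORITIES
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError("field out of range in SID: %r" % sid)
    info = {"revision": revision, "authority": authority, "subauthorities": subs,
            "domain": None, "rid": None, "well_known": None}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain"] = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def sid_to_bytes(sid):
    """Binary SID as stored in objectSid: revision (1 byte), sub-authority
    count (1 byte), identifier authority (6 bytes big-endian), then each
    sub-authority as a little-endian uint32."""
    info = parse_sid(sid)
    subs = info["subauthorities"]
    head = bytes([info["revision"], len(subs)]) + info["authority"].to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes, checking that the length matches the count."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if count == 0 or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


# Constructed sample: one domain identifier and two principals in it.
SAMPLE_DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"
SAMPLE_USER = "S-1-5-21-1004336348-1177238915-682003330-1105"

if __name__ == "__main__":
    for s in (SAMPLE_DOMAIN_ADMINS, SAMPLE_USER, "S-1-5-32-544"):
        info = parse_sid(s)
        print(s, "->", info["domain"], info["rid"], info["well_known"])
        assert bytes_to_sid(sid_to_bytes(s)) == s
```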

RE: [ActiveDir] Photos in AD

2006-03-06 Thread al_maurer

I'm thinking about security & privacy concerns. There's already a lot of
personal information in the directory, much of it viewable by anybody. Add a
photo and voila: instant ability to make a photo ID.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 3:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

most secure way is simply to remove any write-permissions for SELF on user
objects. This is best done prior to user creation by changing the default
security descriptor of the user-class object in the schema - otherwise you're
going to have to script the removal from all users since the permission is
added explicitly to the ACL of every user object.

Users can still logon normally and
change their PW since that right is granted by default to the Everyone
well-known-security principal anyways (changing a PW requires that you know the
current PW - this is not to be confused with a permission to reset
a PW, which is typically granted to delegated admins, but not to normal users).



If you then have a need for users to update specific attributes, you can more
easily achieve this by granting the required permissions to the users via
inheritance at the OU level.

Another option - as suggested below - is to remove the more risky attributes
from the respective default property set (not possible in Win2). This would
directly impact permissions for all users (or any object that leverages the
respective property set). As such the change of a property set is risky
itself, but if tested and documented well, it can be a helpful means to secure
an existing AD. For example, I'd consider removing the thumbnail photo from the
Personal Information property set a sensible thing (only required if you
haven't removed the write permissions for SELF on user objects via other means
as described above).

Back to the original question, if it makes sense to store photos in AD.
Leaving the security thought aside and assuming you've ensured that users
can't do this themselves, I'd say that this could even be useful for small AD
environments. But what is small?

Well, I don't consider a multi-domain AD 100K as small. Adding real photo data
into this AD will considerably impact DIT size and memory requirements to
allow good query performance of AD, bandwidth requirements for replication,
backup and recovery times as well as promotion times for new DCs. While I'm
sure AD can handle it (even in memory once you upgrade to 64bit DCs and add
sufficient memory), I can certainly not recommend it. I am not aware of a
single AD of this size that leverages the storage of photo-data in AD -
instead, as mentioned before, I'd add a link to the photos on another store.
Of course the link could be replicated to the GC and be available wherever.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, 2 March 2006 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

Are there any Best Practices whitepapers out there on the recommended default
property sets for a secure AD? It sounds like this ability could seriously
hinder some infrastructures running AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Photos in AD

Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or nay?

I checked the archives on this and didn't see too much there beyond Guido
saying don't do it. To quote:

[Grillenmeier, Guido
Tue, 14 Dec 2004 12:35:42 -0800

that's likely the photo or the thumbnailPhoto attribute (both octet
strings) - best way to kill your AD. There are a couple of tools out
there that allow uploading a user's photo to this attribute... The downside:
every user has the right to do so on his own account (via the SELF security
principal and the permissions granted to it with the PersonalInformation
property set). I can only recommend to take these permissions away (possible
in 2k3 to remove unwanted attributes from the default property sets).

a link would certainly be better - I don't think there's a default attribute
for this - you might want to introduce a new attribute to your schema.

/Guido]

I actually didn't see the jpegPhoto attribute in the Personal-Information
attribute set (http://msdn.microsoft.com/library/default.asp?url=). Regardless,
our users do not have the ability to update any of the photo attributes. So
beyond DoS issues with users being able to upload large files into AD, what
are the potential issues with

Re: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Ryan A. Conrad
You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product.


If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan
On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote:


RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Okay for you Susan, I will modify my statement... Add IPsec filter that only 
allows http traffic to update.microsoft.com.  Also, in the future MS will 
probably bake in the spyware service into the product, so it will be there 
anyway.  I think I helped flush out the KB article on AV way back.
 
Todd



From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?

Re: [ActiveDir] OT : Query DNS using wildcards?

2006-03-06 Thread Bart Van den Wyngaert
Hi Al,

Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!

We are used to register DNS records manually by script. All other records are added manually. When a server is at the end of it's life, we clean all it's registrations. In case of a cluster, including all records for it's cluster resources.


As this process is totally manually and there are some with quiet a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.


Additionally a lot of servers/clusters are being powered off some week already before we format them and unregister everything in our environment. This is mostly the case for migrations so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve IP's and names registered in the DNS. If we should have a workaround, we don't need to this anymore and we just break the array, run a script that looks everything up and removes the registrations.


I already have a small idea of a way to perform the check, although not ideal. Extracting the zones to a .txt file which a script can loop through searching for certain strings. Ideal solution would be to look for server* records and delete them as they are being found. But as already indicated by other people, this is not available... At least not to our knowledge.


Another possible solution is to review the DNS infrastructure, like for example aging. But, and it's not my choice, I have nothing to see with that part... Although I'm trying to find out if there is nobody interested in adapting the DNS infra to make my life easier, but that is rather working on the political road ;-)

I could understand that it doesn't make a lot of sense, but that's the way of working at this moment. And I have to deal with it and try to handle it the best possible way. So in short: looking for a way to retrieve all records like *string* in DNS so I can remove them all and keep the DNS tidy...


Best regards,
Bart
On 3/5/06, Al Mulnick [EMAIL PROTECTED] wrote:


It sounds like what you really want is to move those records to another server. I don't recall if this is AD integrated or not, and if so, what the scope of those records is set to. However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is not what you want to do. One other method, which is very much a zone transfer, is to use the nslookup ls -d zonename command which puts that information to std i/o. Using dnscmd would be able to gather that information as would a backup (either AD based (see above if that's what you need) or server file based. 


If not AD-Integrated, you could just copy the zone files :)

Am I missing something you need to do? 



Al

On 3/2/06, Bart Van den Wyngaert [EMAIL PROTECTED]
 wrote: 


Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of its lifecycle, we shut it down for some weeks (in case of migration scenario) and then remove all its registrations. 

We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description. 

Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...

I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool I'll get back to you.

Many thanks,

Bart
On 3/1/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] 
 wrote: 


Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currently running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition). 


However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front - 
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile:

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Myrick, Todd \(NIH/CC/DNA\) [E]
Things I like to know about.
 
Administration Events
 
OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts
 
Domain Activities
 
Got one word for you: Replication!  ADs go bad when replication is out of 
whack... In my experience, when it comes to replication you need to monitor not only 
the Event Logs but also the ports.  Also, if a firewall sits anywhere between 
two replication partners, you then have to start to consider UDP fragmentation, 
which manifests itself as broken trusts and bad authentication attempts.
 
As for events, well, the security event logs are a maze of Event IDs that I'd 
just rather not dig into unless I am required to.  Both Quest and NetPro (probably 
NetIQ, MOM and some other tools out there I haven't evaluated as well) have 
some nice tools that make monitoring the security event logs a lot nicer.  I 
currently use Quest InTrust and InTrust for AD.  The nice thing about the AD 
product is that it creates a nice little Event Log for administration and logs 
those activities separately.  They put a hook into the LDAP service that 
intercepts the LDAP calls and logs them.
 
There are some KB articles out there that list several of the events.  As one 
person suggests, reviewing NetPro's, Quest's, NetIQ's and HP's stuff also helps get 
an idea.  MOM also has some pretty slick admin packs that might be informative, 
but I see MOM more as a Big Picture Up/Down monitor; there is still a lot of 
value in third-party add-ons since most of these products offer add-ons to MOM 
as part of their features.
 
Todd



From: Ryan A. Conrad [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD - What to monitor?


You may want to start by looking at some commercial products and see what 
functions they perform and what they monitor.  NetPro's Change Auditor is 
great, and the MOM AD MP (entire Technical Guide is available) would be two 
nice starting points. If I remember correctly, NetPro also has an AD Health 
product. 
 
If you don't want to pay, then you can start scripting based upon what you see 
common among all of the commercial products available.
 
Ryan

 
On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote: 

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why?
I am talking in terms of security events only, to protect AD and also protect from attacks of any kind.

Obviously, one would monitor failed logons, too many account creations, etc.
What else should we monitor?

Regards,
Adeel




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd \(NIH/CC/DNA\) [E]
I also said, I have to spend my time and money wisely.
 
I am well aware of why people use lag-sites.  They always like to throw the 
money issue around... but I wonder what the TCO really is.  Maybe these major 
AD DR players should commission a study; heck, maybe MSFT should, for both AD 
and Exchange Mailboxes.
 
I think you would do better to encourage new Admins to make sure they do an MFT 
backup of a domain controller's system state each night, than to stand up more 
sites and servers.  Then based on need select the restore method and evaluate 
the results.
 
I agree that knowing all the inner workings does help as well, but operations 
people are usually not engineers, so it is best to give them tools that have 
some workflow and make the operation smooth and less error prone.
 
Thanks again,
Todd



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



He does NOT have to save the company money, he says.

That's MY money you are talking about there, bucko! :)

Seriously, Todd, you do have to understand that a vast majority of IT shops
don't have budget for their IT folks to be as productive as they desire to
be. This is why people tend to be as creative and conservative as possible.
They want to stay as native as humanly possible and, as painful as the
exercise tends to be, they typically can't do anything about it. When
management expects you to squeeze water out of rocks, you hardly have many
options.

The Lag Site concept is not a replacement for specialized recovery
solutions. But, the concept came about as a result of people realizing that,
much as they like the Quests and Netpros of this world, the steep price
associated with them makes those products out of reach. If you've seen the
California Cows commercials, you will begin to understand how much people
salivate over professional tools. So, what's a poor admin to do? Especially
when his/her CIO has just played golf with a buddy who has just read
something from, say, Gartner, preaching the benefits of DR, and the CIO now
wants DR implemented like, oh, say, one week ago without any additional
funding?

Lag Sites are NOT as expensive as any of the other options. Where budget
constraint is a factor, the Lag Site concept is the next best thing for any
AD Admin. The fact that it requires some expertise to successfully implement
and utilize IS a big plus rather than a drawback. If you are going to
administer any sizeable enterprise where DR is essential, you better start
knowing something about the inner workings of the things you are claiming to
be administering. Come to think of it, the vendors who market these
specialized recovery tools are not engaged in voodoo. By learning how things
work, you may not need to pay their protection money any longer.

OK, now I've said too much ;)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



I don't really look at problems from the Trying to Save Money Approach
I try to spend my money and use my time wisely.



 I base all my value judgments on the following factors. 



1. Does it value people?

2. Is it priced acceptably?  (I value dominant designs, but also feel that
some innovative features are worth more if they offer added value)

3. Is the solution timely?

4. Does the solution offer reproducible results?



AD lag site restores seem a little advanced for general operators to be able
to perform.  To me restore operations are an operator job not an engineer's
so I want a solution that offers value to operators.



The standard Free AD solution to restore objects has a lot of CLI, it
doesn't restore all the attributes, it takes more time to implement, it
requires a DC be rebooted, it lacks the ability to restore single attributes,
and groups.  The lag site approach seems okay initially, but it requires more
dedicated hardware that has to be maintained, it complicates the AD design in
an unnatural way, it requires knowledge of the AD site architecture to
properly implement (You have to force replication to the rest of the forest)
and takes longer to implement a restore operation... (The user might be out in
China, where your lag site might be in the UK).



For me I wanted the ability to quickly restore objects using a turnkey
solution that I can delegate to trusted operators to perform.  A dedicated
person to do this task would cost about 30 to 40K per year. My base thinking
is that would work between 10K to 20K up front, and about 3 to 5% overhead
each additional year.  I gain the ability to restore all 

RE: [ActiveDir] OT : Query DNS using wildcards?

2006-03-06 Thread deji
Extracting the zones to a .txt file which a script can loop through
searching for certain strings. Ideal solution would be to look for server*
records and delete them as they are being found. But as already indicated by
other people, this is not available..
 
Why not? If it's a standard zone, you could just read the zone file, using
FileSystemObject, do a ReadLine, and if you see servername in the line,
delete the line.
 
Or did I misread you?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Bart Van den Wyngaert
Sent: Mon 3/6/2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT : Query DNS using wildcards?


Hi Al,
 
Thanks for your answer. It's not zone transfers I'm looking for, but your
answer nevertheless pointed me towards another road with a lot of thoughts!
 
We are used to register DNS records manually by script. All other records are
added manually. When a server is at the end of its life, we clean all its
registrations. In case of a cluster, including all records for its cluster
resources. 
 
As this process is totally manual and there are some with quite a lot of
records pointing to cluster resources, we're looking for a way to query the
DNS server to retrieve all records related to that server/cluster and then
delete them. 
 
Additionally a lot of servers/clusters are being powered off some weeks
already before we format them and unregister everything in our environment.
This is mostly the case for migrations so that the owners are sure they
haven't forgotten a little thing ;-) Currently we have to boot the server
again to have a script running locally to retrieve IP's and names registered
in the DNS. If we should have a workaround, we don't need to do this anymore and
we just break the array, run a script that looks everything up and removes
the registrations. 
 
I already have a small idea of a way to perform the check, although not
ideal. Extracting the zones to a .txt file which a script can loop through
searching for certain strings. Ideal solution would be to look for server*
records and delete them as they are being found. But as already indicated by
other people, this is not available... At least not to our knowledge. 
 
Another possible solution is to review the DNS infrastructure, like for
example aging. But, and it's not my choice, I have nothing to see with that
part... Although I'm trying to find out if there is nobody interested in
adapting the DNS infra to make my life easier, but that is rather working on the
political road ;-) 
 
I could understand that it doesn't make a lot of sense, but that's the way of
working at this moment. And I have to deal with it and try to handle it the best
possible way. So in short: looking for a way to retrieve all records like
*string* in DNS so I can remove them all and keep the DNS tidy... 
 
Best regards,
Bart
 
On 3/5/06, Al Mulnick [EMAIL PROTECTED] wrote: 

It sounds like what you really want is to move those records to
another server.  I don't recall if this is AD integrated or not, and if so,
what the scope of those records is set to.  However, setting up a second
server and using zone transfer to that server (for backup purposes) is one
way to get all of the records in the zones into text files. You could also
use WMI scripts/programs to cull that information or you could realize that
if it is AD integrated that data exists elsewhere and that copying it off is
not what you want to do.  One other method, which is very much a zone
transfer is to use the nslookup ls -d zonename command which puts that
information to std i/o. Using dnscmd would be able to gather that information
as would a backup (either AD based (see above if that's what you need) or
server file based. 
 
If not AD-Integrated, you could just copy the zone files  :)
 

Am I missing something you need to do? 

 
 
Al
 

On 3/2/06, Bart Van den Wyngaert [EMAIL PROTECTED]  wrote: 

Well I kind of need a DNS query. We used to register our DNS
records manually and also remove them. But in case the server is at the end
of its lifecycle, we shut it down for some weeks (in case of migration
scenario) and then remove all its registrations. 
We're looking into a way that we don't need to power on the
server again, but still are able to remove all DNS registrations (server
itself, cluster resources, ...). So it would be like a DNS query... But if
there is something in AD that we can use as reference... Something like an
LDAP query for AD, but then on DNS seems like the best description. 
Also there is a part that is always related to the server,
but there are extensions 
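Deji's read-the-zone-file idea carried through as an added example (not code from the thread): a parser for a BIND-style zone file that matches the host name label by label, so a search for server01 leaves server010 alone, and that also catches CNAMEs pointing at the host, extra names for its addresses, and cluster resources matched by a name pattern. The zone content, the host name server01.corp.example., its address and the clu01-* resource pattern are all constructed for the example.

```python
# Added example: scan a BIND-style zone file for every record tied to a
# decommissioned host. Names are compared whole (not by substring), so a search
# for server01 does not hit server010; rdata is checked for CNAMEs pointing at
# the host and for additional names that resolve to its addresses.
import fnmatch
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample zone; names and addresses are made up for this example.
SAMPLE_ZONE = """\
$ORIGIN corp.example.
@            IN SOA   ns1.corp.example. hostmaster.corp.example. (
                      2006030601 3600 1800 604800 86400 )
             IN NS    ns1.corp.example.
ns1          IN A     10.0.0.1
server01     IN A     10.0.0.21   ; node being decommissioned
server010    IN A     10.0.0.30   ; must NOT match a search for server01
clu01-sql    IN A     10.0.0.22   ; cluster resources hosted on server01
clu01-files  IN A     10.0.0.23
old-payroll  IN CNAME server01.corp.example.
intranet     IN CNAME web01
web01        IN A     10.0.0.40
backup-vip   IN A     10.0.0.21   ; second name for server01's address
"""

RECORD_RE = re.compile(
    r"^(?P<owner>\S*)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
NAME_TARGET_TYPES = {"CNAME", "NS", "MX", "PTR"}   # last rdata field is a name


class Record(NamedTuple):
    line: int
    owner: str             # absolute owner name, lower case, trailing dot
    rtype: str
    rdata: str
    target: Optional[str]  # absolute name the rdata points at, if any


def _fqdn(name: str, origin: str) -> str:
    """Resolve '@' and relative names against the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> List[Record]:
    """Parse record lines; handles $ORIGIN, blank owners and a multi-line SOA."""
    origin, owner, in_parens, records = ".", None, False, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if in_parens:                                 # still inside SOA ( ... )
            in_parens = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        m = RECORD_RE.match(line) if line.strip() and not line.startswith("$") else None
        if not m:
            continue
        if m.group("owner"):                          # blank owner = previous owner
            owner = _fqdn(m.group("owner"), origin)
        rtype, rdata = m.group("type"), m.group("rdata").strip()
        in_parens = "(" in rdata and ")" not in rdata
        target = _fqdn(rdata.split()[-1], origin) if rtype in NAME_TARGET_TYPES else None
        records.append(Record(no, owner, rtype, rdata, target))
    return records


def _as_ip(s: str):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def find_host_records(text, host, host_ips=(), resource_glob=None):
    """Return (record, reason) pairs for everything tied to `host` (absolute name)."""
    host = host.lower()
    ips = {ipaddress.ip_address(ip) for ip in host_ips}
    hits = []
    for rec in parse_zone(text):
        if rec.owner == host:
            reason = "owner is the host"
        elif resource_glob and fnmatch.fnmatchcase(rec.owner.split(".")[0], resource_glob):
            reason = "cluster resource name"
        elif rec.target == host:
            reason = f"{rec.rtype} points at the host"
        elif rec.rtype in ("A", "AAAA") and _as_ip(rec.rdata) in ips:
            reason = "address belongs to the host"
        else:
            continue
        hits.append((rec, reason))
    return hits


def strip_records(text, hits):
    """Return the zone text without the matched lines (review the hits first)."""
    drop = {rec.line for rec, _ in hits}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in drop) + "\n"


if __name__ == "__main__":
    for rec, why in find_host_records(SAMPLE_ZONE, "server01.corp.example.",
                                      host_ips=["10.0.0.21"], resource_glob="clu01-*"):
        print(f"line {rec.line:2}: {rec.owner} {rec.rtype} {rec.rdata}  <- {why}")
```

Review the hit list before writing the stripped zone back: an unexpected "address belongs to the host" entry usually means the address was reused, not that the record is stale.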

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Darren Mar-Elia
Depends upon what your organization's security/compliance requirements
are, but here are some things to think about:

--excessive failed logons, password changes
--account policy changes
--changes to AD configuration objects (e.g. creation/deletion of sites,
site links, AD-integrated DNS zones, schema object mods., FSMO role
changes )
--changes to key AD group memberships (e.g. Domain Admins, Enterprise
Admins.) or service accounts
--changes to key Group Policies
--changes to key attributes (e.g. department, phone number, ManagedBy)

There's probably a longer list but those are just some that come to mind
right away.

Depending upon the objects being monitored, and your needs, the native
security logs may/may not provide the data you need. In that case, 3rd
party tools like those from NetPro, Quest, NetIQ may make sense.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - What to monitor?

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why?
I am talking in terms of security events only, to protect AD and also protect from attacks of any kind.

Obviously, one would monitor failed logons, too many account creations, etc.
What else should we monitor?

Regards,
Adeel




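The monitoring lists from Todd and Darren above, turned into detection logic as an added example (not from the thread): constructed, simplified log lines are checked for privileged-group membership changes, account policy changes, password resets on critical accounts, and bursts of failed logons or account creations. The event IDs are the Windows Server 2003 security-log numbers; the watch-lists, the log line format and the thresholds are assumptions to tune per forest.

```python
# Added example: a small rule engine over AD security events, run on constructed
# log lines. Event IDs are the Windows Server 2003 security-log numbers (Vista and
# later renumbered them into the 4xxx range).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE = 529                    # bad user name or password
ACCOUNT_CREATED = 624
PASSWORD_RESET = 628                   # password set by someone other than the owner
DOMAIN_POLICY_CHANGED = 643
GROUP_MEMBER_ADDED = {632, 636, 660}   # global / local / universal security group

# Assumed watch-lists; adjust to your forest.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
CRITICAL_ACCOUNTS = {"Administrator", "krbtgt", "svc_backup"}

# Constructed lines in a simplified 'timestamp id=N key=value ...' form, not the
# real event-log layout; a collector would normalise raw events into this shape.
SAMPLE_LOG = """\
2006-03-06T08:00:01 id=529 user=jdoe src=10.1.1.5
2006-03-06T08:00:03 id=529 user=jdoe src=10.1.1.5
2006-03-06T08:00:04 id=529 user=jdoe src=10.1.1.5
2006-03-06T08:00:06 id=529 user=jdoe src=10.1.1.5
2006-03-06T08:00:07 id=529 user=jdoe src=10.1.1.5
2006-03-06T08:15:00 id=529 user=asmith src=10.1.2.9
2006-03-06T09:10:22 id=632 caller=bob target=bob group="Domain Admins"
2006-03-06T09:12:00 id=632 caller=helpdesk1 target=newhire group="Sales Users"
2006-03-06T09:20:00 id=628 caller=helpdesk1 target=Administrator
2006-03-06T09:21:00 id=628 caller=helpdesk1 target=jdoe
2006-03-06T09:30:00 id=643 caller=bob
2006-03-06T10:00:00 id=624 caller=bob target=tmp1
2006-03-06T10:00:05 id=624 caller=bob target=tmp2
2006-03-06T10:00:09 id=624 caller=bob target=tmp3
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """'2006-03-06T08:00:01 id=529 user=jdoe ...' -> dict with ts and int id."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    ev["id"] = int(ev["id"])
    return ev


def _burst(times, ts, window, threshold):
    """Sliding window per key; True exactly when the count reaches threshold."""
    times.append(ts)
    while ts - times[0] > window:
        times.popleft()
    return len(times) == threshold


def detect(lines, window=timedelta(minutes=10), fail_threshold=5, create_threshold=3):
    """Return (rule, subject, timestamp) alerts in log order."""
    fails, creates, alerts = defaultdict(deque), defaultdict(deque), []
    for ev in (parse_line(l) for l in lines if l.strip()):
        eid, ts = ev["id"], ev["ts"]
        if eid in GROUP_MEMBER_ADDED and ev.get("group") in WATCHED_GROUPS:
            alerts.append(("privileged-group-change",
                           f'{ev["caller"]} added {ev["target"]} to {ev["group"]}', ts))
        elif eid == DOMAIN_POLICY_CHANGED:
            alerts.append(("account-policy-change", ev["caller"], ts))
        elif eid == PASSWORD_RESET and ev.get("target") in CRITICAL_ACCOUNTS:
            alerts.append(("critical-password-reset",
                           f'{ev["caller"]} reset {ev["target"]}', ts))
        elif eid == LOGON_FAILURE and _burst(fails[ev["user"]], ts, window, fail_threshold):
            alerts.append(("failed-logon-burst", ev["user"], ts))
        elif eid == ACCOUNT_CREATED and _burst(creates[ev["caller"]], ts, window, create_threshold):
            alerts.append(("account-creation-burst", ev["caller"], ts))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {rule:26} {subject}")
```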


[ActiveDir] There must be an easier way...

2006-03-06 Thread Larry Wahlers
Hello, colleagues,

A client that we had set up as a site within our domain with its own
pair of DC's has decided to break off from us, get their own ISP, and
cut the network cable between us. In fact, they've done that last
weekend. Now, the Directory Service event log on one of our DC's is
spewing out 21 warning and error messages every 15 minutes, all related
to the fact that there are no available DC's in that site.
 
Doing a Google search, I found this article
http://support.microsoft.com/?kbid=216498 which describes at least 20
steps that must be taken to remove a DC following an unsuccessful DC
demotion. Which, I suppose, is what I would have done had I had the
opportunity to demote the DC's before this client cut the line. The
article also has this warning:

Caution The administrator must also make sure that replication has
occurred since the demotion before manually removing the NTDS Settings
object for any server. Using the Ntdsutil utility incorrectly may result
in partial or complete loss of Active Directory functionality.

Being a relative newbie to Active Directory management (but, just
emerging from a pair of classes), I have to ask if there is an easier
way to do this? We have about 800 users and 4 corporations on this wire,
and they might get a bit testy if their computers stopped working all of
a sudden!

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] Photos in AD

2006-03-06 Thread Derek Harris



How would it do anyone any good to make an ID with my photo 
on it? Wouldn't it be better for them to make the ID with my info & 
THEIR photo, if it's identity theft they're after?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD


I'm thinking about security & privacy concerns. There's already a lot of personal 
information in the directory, much of it viewable by anybody. Add a photo 
and voilà: instant ability to make a photo ID.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 3:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

The most secure way is simply to remove any write-permissions for SELF on user objects. This is best 
done prior to user creation by changing the default security descriptor of the 
user-class object in the schema - otherwise you're going to have to script the 
removal from all users since the permission is added explicitly to the ACL of 
every user object.

Users can still log on normally and change their PW since that right is granted by default to the 
Everyone well-known security principal anyways (changing a PW requires that you 
know the current PW - this is not to be confused with a permission to "reset" a 
PW, which is typically granted to delegated admins, but not to normal 
users).

If you then have a 
need for users to update specific attributes, you can more easily achieve this 
by granting the required permissions to the users via inheritance at the OU 
level.



Another option - as suggested below - is to remove the more "risky" attributes from the respective 
default property set (not possible in Win2K). This would directly impact 
permissions for all users (or any object that leverages the respective property 
set). As such the change of a property set is risky itself, but if tested and 
documented well, it can be a helpful means to secure an existing AD. For 
example, I'd consider removing the thumbnail photo from the "Personal 
Information" property set a sensible thing (only required if you haven't removed 
the write permissions for SELF on user objects via other means as described 
above).





Back to the original question, if it makes sense to store photos in AD. Leaving the security thought 
aside and assuming you've ensured that users can't do this themselves, I'd say 
that this could even be useful for small AD environments. But what is 
small? 

Well, I don't consider a multi-domain AD 100K as small. Adding real photo data into 
this AD will considerably impact DIT size and memory requirements to allow good 
query performance of AD, bandwidth requirements for replication, backup and 
recovery times, as well as promotion times for new DCs. While I'm sure AD 
can handle it (even in memory once you upgrade to 64bit DCs and add sufficient 
memory), I can certainly not recommend it. I am not aware of a single AD 
of this size that leverages the storage of photo-data in AD - instead, as 
mentioned before, I'd add a link to the photos on another store. Of course 
the link could be replicated to the GC and be available 
wherever.



/Guido





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Donnerstag, 2. März 2006 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD
Are there any Best Practices whitepapers out there on the recommended default property sets for a 
secure AD? It sounds like this ability could seriously hinder some 
infrastructures running AD.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Photos in AD

Storage of photos in AD using jpegPhoto or 
thumbnailPhoto - yay or nay?



I checked the archives on this and didn't see too 
much there beyond Guido saying "don't do it". To quote: 




[Grillenmeier, Guido, Tue, 14 Dec 2004 12:35:42 -0800



that's likely the photo or the thumbnailPhoto attribute 
(both octet strings) - best way to kill your AD. There are a couple of 
tools out there that allow uploading a user's photo to this attribute... The 
downside: every user has the right to do so on his own account (via the SELF 
security principal and the permissions granted to it with the 
PersonalInformation property set). I can only recommend to take these 
permissions away (possible in 2k3 to remove unwanted attributes from the default 
property sets). a link would certainly be better - I don't think there's 
a default attribute for this - you might want to introduce a new attribute to 
your schema./Guido]



I 
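Guido's first recommendation, checking the user class defaultSecurityDescriptor for write rights granted to SELF, as an added example (not the list's or Microsoft's code): a minimal SDDL DACL parser that lists the SELF allow-ACEs carrying write rights and produces the descriptor with those rights removed. The descriptor string is a constructed, shortened stand-in for the real one; the Personal-Information property set GUID is quoted from memory of the Windows Server 2003 schema and should be verified against your forest, and the second GUID is a placeholder.

```python
# Added example: inspect an SDDL descriptor (e.g. the user class
# defaultSecurityDescriptor) for write rights granted to SELF and emit a copy
# with those rights removed, the change Guido describes above.
import re
from typing import List, NamedTuple, Tuple

SELF = "PS"                          # SDDL alias for Principal Self (S-1-5-10)
WRITE_RIGHTS = {"WP", "GW", "GA"}    # write property, generic write, generic all
# Personal-Information property set GUID, quoted from memory of the Windows
# Server 2003 schema; verify against your own forest before relying on it.
PERSONAL_INFORMATION = "77b5b886-944a-11d1-aebd-0000f80367c1"
PLACEHOLDER_GUID = "22222222-2222-2222-2222-222222222222"   # constructed, not real

# Constructed, shortened stand-in for a user-class defaultSecurityDescriptor.
SAMPLE_SDDL = "".join([
    "D:",
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
    "(A;;RPLCLORC;;;AU)",
    f"(OA;;RPWP;{PERSONAL_INFORMATION};;PS)",   # SELF may write its Personal Information
    f"(OA;;WP;{PLACEHOLDER_GUID};;PS)",         # write-only SELF ACE
    "(A;;RC;;;PS)",                             # read-control only, harmless
])


class Ace(NamedTuple):
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str

    def sddl(self) -> str:
        return "(" + ";".join(self) + ")"


DACL_RE = re.compile(r"D:(?=[A-Z]*(?:\(|S:|$))")   # the D: that starts the DACL
ACE_RE = re.compile(r"\(([^()]*)\)")               # plain ACEs only, no conditional ACEs


def split_sddl(sddl: str) -> Tuple[str, str, List[Ace], str]:
    """Return (text before D:, DACL control flags, ACEs, SACL/rest)."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in descriptor")
    prefix, body = sddl[:m.start()], sddl[m.end():]
    cut = body.find("S:")
    body, rest = (body, "") if cut < 0 else (body[:cut], body[cut:])
    flags = re.match(r"[A-Z]*", body).group(0)
    aces = [Ace(*a.split(";")) for a in ACE_RE.findall(body[len(flags):])]
    return prefix, flags, aces, rest


def rights_tokens(rights: str) -> List[str]:
    """'RPWPCR' -> ['RP', 'WP', 'CR']; a hex mask is returned as one token."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def self_write_aces(sddl: str) -> List[Ace]:
    """Allow-ACEs that grant SELF a write right (hex masks are not decoded)."""
    return [a for a in split_sddl(sddl)[2]
            if a.ace_type in ("A", "OA") and a.trustee == SELF
            and set(rights_tokens(a.rights)) & WRITE_RIGHTS]


def strip_self_write(sddl: str) -> str:
    """Copy of the descriptor with write rights removed from SELF allow-ACEs;
    an ACE left with no rights at all is dropped."""
    prefix, flags, aces, rest = split_sddl(sddl)
    kept = []
    for a in aces:
        if a.ace_type in ("A", "OA") and a.trustee == SELF:
            left = [t for t in rights_tokens(a.rights) if t not in WRITE_RIGHTS]
            if not left:
                continue
            a = a._replace(rights="".join(left))
        kept.append(a)
    return f"{prefix}D:{flags}{''.join(a.sddl() for a in kept)}{rest}"


if __name__ == "__main__":
    for a in self_write_aces(SAMPLE_SDDL):
        print("SELF write ACE:", a.sddl())
    print("hardened:", strip_self_write(SAMPLE_SDDL))
```

Run the check against the live defaultSecurityDescriptor of the user class and, as Guido notes, against existing user objects, since they already carry their own copy of the ACE.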

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd \(NIH/CC/DNA\) [E]
That is interesting.  Who established the forest?  Cause if it was them, 
they have issues.  If it was you all, then just do an AD clean-up operation and 
remove the domain and domain controllers from your directory.  Also be prepared 
to hear from them soon... :)
 
Todd Myrick



From: Larry Wahlers [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...



Hello, colleagues,

A client that we had set up as a site within our domain with its own
pair of DC's has decided to break off from us, get their own ISP, and
cut the network cable between us. In fact, they've done that last
weekend. Now, the Directory Service event log on one of our DC's is
spewing out 21 warning and error messages every 15 minutes, all related
to the fact that there are no available DC's in that site.

Doing a Google search, I found this article
http://support.microsoft.com/?kbid=216498 which describes at least 20
steps that must be taken to remove a DC following an unsuccessful DC
demotion. Which, I suppose, is what I would have done had I had the
opportunity to demote the DC's before this client cut the line. The
article also has this warning:

Caution The administrator must also make sure that replication has
occurred since the demotion before manually removing the NTDS Settings
object for any server. Using the Ntdsutil utility incorrectly may result
in partial or complete loss of Active Directory functionality.

Being a relative newbie to Active Directory management (but, just
emerging from a pair of classes), I have to ask if there is an easier
way to do this? We have about 800 users and 4 corporations on this wire,
and they might get a bit testy if their computers stopped working all of
a sudden!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
Larry-

Just follow the steps and remove the two DCs that were offsite. Wait for
replication internally and delete the site/subnet. All done.

I suggest you reset all passwords for sensitive accounts or even better
expire every password in the domain. Your client can obtain these if
they're industrious and it sounds like you left on a bad note.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Monday, March 06, 2006 7:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] There must be an easier way...
 
 Hello, colleagues,
 
 A client that we had set up as a site within our domain with its own
 pair of DC's has decided to break off from us, get their own ISP, and
 cut the network cable between us. In fact, they've done that last
 weekend. Now, the Directory Service event log on one of our DC's is
 spewing out 21 warning and error messages every 15 minutes, all
related
 to the fact that there are no available DC's in that site.
 
 Doing a Google search, I found this article
 http://support.microsoft.com/?kbid=216498 which describes at least 20
 steps that must be taken to remove a DC following an unsuccessful DC
 demotion. Which, I suppose, is what I would have done had I had the
 opportunity to demote the DC's before this client cut the line. The
 article also has this warning:
 
 Caution The administrator must also make sure that replication has
 occurred since the demotion before manually removing the NTDS Settings
 object for any server. Using the Ntdsutil utility incorrectly may
result
 in partial or complete loss of Active Directory functionality.
 
 Being a relative newbie to Active Directory management (but, just
 emerging from a pair of classes), I have to ask if there is an easier
 way to do this? We have about 800 users and 4 corporations on this
wire,
 and they might get a bit testy if their computers stopped working all
of
 a sudden!
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd \(NIH/CC/DNA\) [E]
Brian, 
 
I never did this, but I guess I should try it. If one domain tree 
established the forest, another domain tree is added, but then the initial tree 
is removed, won't that cause problems for the other domain tree, even if 
they clean up the forest and seize the FSMO roles?  The schema and 
configuration containers will reflect the naming context of the forest root.  
Also that is where the enterprise roles will exist.  I think the only thing the 
non-root can do is reinstall the forest, while the forest root can just do the 
clean-up.
 
Todd Myrick



From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...



Larry-

Just follow the steps and remove the two DCs that were offsite. Wait for
replication internally and delete the site/subnet. All done.

I suggest you reset all passwords for sensitive accounts or even better
expire every password in the domain. Your client can obtain these if
they're industrious and it sounds like you left on a bad note.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Monday, March 06, 2006 7:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] There must be an easier way...

 Hello, colleagues,

 A client that we had set up as a site within our domain with its own
 pair of DC's has decided to break off from us, get their own ISP, and
 cut the network cable between us. In fact, they've done that last
 weekend. Now, the Directory Service event log on one of our DC's is
 spewing out 21 warning and error messages every 15 minutes, all related
 to the fact that there are no available DC's in that site.

 Doing a Google search, I found this article
 http://support.microsoft.com/?kbid=216498 which describes at least 20
 steps that must be taken to remove a DC following an unsuccessful DC
 demotion. Which, I suppose, is what I would have done had I had the
 opportunity to demote the DC's before this client cut the line. The
 article also has this warning:

 Caution: The administrator must also make sure that replication has
 occurred since the demotion before manually removing the NTDS Settings
 object for any server. Using the Ntdsutil utility incorrectly may result
 in partial or complete loss of Active Directory functionality.

 Being a relative newbie to Active Directory management (but, just
 emerging from a pair of classes), I have to ask if there is an easier
 way to do this? We have about 800 users and 4 corporations on this wire,
 and they might get a bit testy if their computers stopped working all of
 a sudden!

 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876


Re: [ActiveDir] There must be an easier way...

2006-03-06 Thread Umer Y
Hello Larry,

Unfortunately there is no way around doing a metadata cleanup against
those 2 DCs that have been removed from your domain and are not going
to come back.

You would want to figure out how the machines in that particular subnet
where the 2 DCs were can have connectivity to an existing and functional
DC, to be able to log on to the domain.

Also, from your description, it seems that at least 1 DC, which is
giving the error, is part of that domain from which the 2 DCs were
yanked off. If there are more DCs, and they are set to replicate with
either of the 2, they will also give replication errors unless a
metadata cleanup has been performed.



On 3/6/06, Larry Wahlers [EMAIL PROTECTED] wrote:
 Hello, colleagues,

 A client that we had set up as a site within our domain with its own
 pair of DC's has decided to break off from us, get their own ISP, and
 cut the network cable between us. In fact, they've done that last
 weekend. Now, the Directory Service event log on one of our DC's is
 spewing out 21 warning and error messages every 15 minutes, all related
 to the fact that there are no available DC's in that site.

 Doing a Google search, I found this article
 http://support.microsoft.com/?kbid=216498 which describes at least 20
 steps that must be taken to remove a DC following an unsuccessful DC
 demotion. Which, I suppose, is what I would have done had I had the
 opportunity to demote the DC's before this client cut the line. The
 article also has this warning:

 Caution: The administrator must also make sure that replication has
 occurred since the demotion before manually removing the NTDS Settings
 object for any server. Using the Ntdsutil utility incorrectly may result
 in partial or complete loss of Active Directory functionality.

 Being a relative newbie to Active Directory management (but, just
 emerging from a pair of classes), I have to ask if there is an easier
 way to do this? We have about 800 users and 4 corporations on this wire,
 and they might get a bit testy if their computers stopped working all of
 a sudden!

 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876



--
Ambition is a dream with a V8 engine. ~ Elvis Presley


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
I didn't get the drift he had a multidomain forest.

If he does, and he doesn't have a forest root DC then he's SOL and will
have to ADMT to a new domain/forest.



Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
 Sent: Monday, March 06, 2006 8:37 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] There must be an easier way...
 
 Brian,
 
 I never did this, but I guess I should try it. If one domain tree
 established the forest, another domain tree is added, but then the initial
 tree is removed, won't that cause problems for the other domain tree,
 even if they clean up the forest and seize the FSMO roles? The schema and
 configuration containers will reflect the naming context of the root
 forest. Also, that is where the enterprise roles will exist. I think the
 only thing the non-root can do is reinstall the forest, while the forest
 root can just do the clean-up.
 
 Todd Myrick
 
 
 
 From: Brian Desmond [mailto:[EMAIL PROTECTED]
 Sent: Mon 3/6/2006 7:47 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] There must be an easier way...
 
 
 
 Larry-
 
 Just follow the steps and remove the two DCs that were offsite. Wait for
 replication internally and delete the site/subnet. All done.
 
 I suggest you reset all passwords for sensitive accounts or even better
 expire every password in the domain. Your client can obtain these if
 they're industrious and it sounds like you left on a bad note.
 
 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
 
 c - 312.731.3132
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Larry Wahlers
  Sent: Monday, March 06, 2006 7:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] There must be an easier way...
 
  Hello, colleagues,
 
  A client that we had set up as a site within our domain with its own
  pair of DC's has decided to break off from us, get their own ISP, and
  cut the network cable between us. In fact, they've done that last
  weekend. Now, the Directory Service event log on one of our DC's is
  spewing out 21 warning and error messages every 15 minutes, all related
  to the fact that there are no available DC's in that site.
 
  Doing a Google search, I found this article
  http://support.microsoft.com/?kbid=216498 which describes at least 20
  steps that must be taken to remove a DC following an unsuccessful DC
  demotion. Which, I suppose, is what I would have done had I had the
  opportunity to demote the DC's before this client cut the line. The
  article also has this warning:
 
  Caution: The administrator must also make sure that replication has
  occurred since the demotion before manually removing the NTDS Settings
  object for any server. Using the Ntdsutil utility incorrectly may result
  in partial or complete loss of Active Directory functionality.
 
  Being a relative newbie to Active Directory management (but, just
  emerging from a pair of classes), I have to ask if there is an easier
  way to do this? We have about 800 users and 4 corporations on this wire,
  and they might get a bit testy if their computers stopped working all of
  a sudden!
 
  --
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876


RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Lucas, Bryan
So, does Intrust do these things:

OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts

Can you get granular and say show me all the changes to these groups, or
these OU's, or when this account is used, etc?

Do you use Quest Reporter?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Monday, March 06, 2006 5:16 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - What to monitor?

Things I like to know about.
 
Administration Events
 
OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts
 
Domain Activities
 
Got one word for you: Replication!  ADs go bad when replication is out
of whack... In my experience, when it comes to replication you need to
monitor not only the Event Logs but also the ports.  Also, if a firewall
sits anywhere between two replication partners, you then have to start
to consider UDP fragmentation, which manifests itself as broken trust and
bad authentication attempts.
 
As for events, well, the security event logs are a maze of Event IDs
that I'd just rather not dig into unless I am required to.  Both Quest and
NetPro (and probably NetIQ, MOM and some other tools out there I haven't
evaluated as well) have some nice tools that make monitoring the
security event logs a lot nicer.  I currently use Quest Intrust and
Intrust for AD.  The nice thing about the AD product is that it creates
a nice little Event Log for administration and logs those activities
separately.  They put a hook into the LDAP service that intercepts the
LDAP calls and logs them.
 
There are some KB articles out there that list several of the events.
As one person suggested, reviewing NetPro's, Quest's, NetIQ's and HP's stuff
also helps get an idea.  MOM also has some pretty slick admin packs that
might be informative, but I see MOM more as a big-picture up/down
monitor; there is still a lot of value in third-party add-ons, since most
of these products offer add-ons to MOM as part of their features.
 
Todd



From: Ryan A. Conrad [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD - What to monitor?


You may want to start by looking at some commercial products and see
what functions they perform and what they monitor.  NetPro's Change
Auditor is great, and the MOM AD MP (entire Technical Guide is
available) would be two nice starting points. If I remember correctly,
NetPro also has an AD Health product. 
 
If you don't want to pay, then you can start scripting based upon what
you see common among all of the commercial products available.
 
Ryan

 
On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote: 

AD Gurus,

Can you guys expand on the topic of what should be monitored in
AD? And why?
I am talking in terms of Security events only, to protect AD and
also protect from attacks of any kind.

Obviously, one would monitor failed logons, too many account
creations etc.
What else should we monitor?

Regards,
Adeel




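As an added example (not from the thread, and not any vendor's product), here is a PowerShell report that covers the five administration-event categories Todd lists by reading a DC's Security log. It assumes Windows Server 2008 or later event IDs (the 2003-era IDs differ), that Directory Service Changes auditing with SACLs on the OUs and GPOs is enabled, and the CriticalAccounts list is a constructed sample.

```powershell
# Added example, not from the thread: pull the administration events Todd
# lists out of a DC's Security log. Assumes Windows Server 2008+ event IDs,
# runs locally on the DC with rights to read the Security log, and needs
# "Audit Directory Service Changes" plus SACLs on the OUs/GPOs enabled
# (without them the 5136/5137/5141 events are never written).
param(
    [string[]]$CriticalGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string[]]$CriticalAccounts = @('Administrator', 'krbtgt'),   # constructed sample list, extend as needed
    [datetime]$Since            = (Get-Date).AddHours(-24)
)

# Event IDs per category in Todd's list
$GroupIds    = 4728, 4729, 4732, 4733, 4756, 4757   # member added/removed: global, local, universal group
$PasswordIds = 4723, 4724                           # password change attempt / reset attempt
$DsChangeIds = 5136, 5137, 5141                     # DS object modified / created / deleted
$LogonIds    = 4624                                 # successful logon

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($GroupIds + $PasswordIds + $DsChangeIds + $LogonIds)
    StartTime = $Since
} -ErrorAction SilentlyContinue    # no matching events simply yields nothing

foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $detail = $null
    if ($GroupIds -contains $e.Id -and $CriticalGroups -contains $data.TargetUserName) {
        $action = if ($e.Id -in 4728, 4732, 4756) { 'added to' } else { 'removed from' }
        $detail = "Critical group: $($data.MemberName) $action $($data.TargetUserName)"
    }
    elseif ($PasswordIds -contains $e.Id -and $CriticalAccounts -contains $data.TargetUserName) {
        $action = if ($e.Id -eq 4724) { 'reset' } else { 'change' }
        $detail = "Password $action on critical account $($data.TargetUserName)"
    }
    elseif ($DsChangeIds -contains $e.Id) {
        # OUs and GPOs are identified by object class; a GPO *link* change is a
        # 5136 on the OU/domain/site object whose gPLink attribute was modified
        if ($data.ObjectClass -eq 'organizationalUnit')       { $detail = "OU change: $($data.ObjectDN)" }
        elseif ($data.ObjectClass -eq 'groupPolicyContainer') { $detail = "GPO change: $($data.ObjectDN)" }
        elseif ($data.AttributeLDAPDisplayName -eq 'gPLink')  { $detail = "GPO link change on $($data.ObjectDN)" }
    }
    elseif ($e.Id -eq 4624 -and $CriticalAccounts -contains $data.TargetUserName) {
        # "from where": the source address and workstation are in the 4624 data
        $detail = "Admin logon: $($data.TargetUserName) type $($data.LogonType) from $($data.IpAddress) ($($data.WorkstationName))"
    }

    if ($detail) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            # For 4624 the Subject is the process that reported the logon; the account is in Detail
            Actor   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Detail  = $detail
        }
    }
}
```

Pipe the output to Export-Csv or a SIEM forwarder; the script deliberately emits objects rather than text so the categories stay filterable.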


[ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en


Unable to discover computers in AD after upgrading to .NET Framework 2.0

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0 (should have been MOM can't find computers in AD after 2.0)

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sorry should have described that a bit better...

MOM can't find computers in AD after 2.0

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en



Unable to discover computers in AD after upgrading to .NET Framework 2.0



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




[ActiveDir] Domain rename and third party tool

2006-03-06 Thread Irwan Hadi
Our company just changed its name, including its domain, and would
also like to change our Active Directory domain.
Currently we are using our AD just for Exchange. We will soon join our
workstations, which are currently using Novell Netware, to AD.

Our AD domain:
- Current forest functional level is Windows 2000
- Current domain functional level is Windows 2000 Native.
- All the Active Directory servers are running Windows 2003 + SP1 with
latest updates.
- No clients (workstations or laptops) have been joined to the domain.
- AD is still pristine without any custom modifications.

Our Exchange servers:
- One front-end, two back-end servers all running on Windows 2003
- Front end is Exchange 2003 standard + SP1, back ends are Exchange
2003 enterprise + SP1

Because the Exchange Organization Name cannot be changed at all, and
while the AD domain can be renamed it may leave some debris behind, I
would like to start with a new AD forest and a new Exchange 2003
organization.
The problems now are:
- Migration must be done very quickly (all should be done over the weekend)
- Users with their passwords should be migrated from the old domain to
the new domain
- Our BlackBerry 4.0 and its users must be able to use the service
before and after the migration.
- Users' computers have not joined the domain. Some scripting may
need to be done for them to have the new Outlook profile.

My questions now: are there any 3rd party tools recommended for this,
and what is your preference?
Also, do you have any tips regarding Active Directory migration?


RE: [ActiveDir] Domain rename and third party tool

2006-03-06 Thread deji
Honestly?
 
All the products I know of require some investment in time, planning, tests
and effort to get used to them. They are not really deploy-and-go
types of solutions. I mention that because you appear to be in a dire
emergency, and it is usually emergencies like this that tend to complicate
migrations when all is said and done. So, if you are so constrained, I highly
recommend that you drop everything now, grab something from Quest (they lead
the market in popularity and ease of use) or download ADMT 3.0 (free from MS),
lock yourself and your team in a lab and get married to the product for the
next several days.
 
If you have neither the time for the learning curve, nor the bodies to execute a
migration/rename project at such short notice, you might also want to
consider seeking professional services from companies who do such for a
living.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Irwan Hadi
Sent: Mon 3/6/2006 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain rename and third party tool



Our company just changed its name, including its domain, and would
also like to change our Active Directory domain.
Currently we are using our AD just for Exchange. We will soon join our
workstations, which are currently using Novell Netware, to AD.

Our AD domain:
- Current forest functional level is Windows 2000
- Current domain functional level is Windows 2000 Native.
- All the Active Directory servers are running Windows 2003 + SP1 with
latest updates.
- No clients (workstations or laptops) have been joined to the domain.
- AD is still pristine without any custom modifications.

Our Exchange servers:
- One front-end, two back-end servers all running on Windows 2003
- Front end is Exchange 2003 standard + SP1, back ends are Exchange
2003 enterprise + SP1

Because the Exchange Organization Name cannot be changed at all, and
while the AD domain can be renamed it may leave some debris behind, I
would like to start with a new AD forest and a new Exchange 2003
organization.
The problems now are:
- Migration must be done very quickly (all should be done over the weekend)
- Users with their passwords should be migrated from the old domain to
the new domain
- Our BlackBerry 4.0 and its users must be able to use the service
before and after the migration.
- Users' computers have not joined the domain. Some scripting may
need to be done for them to have the new Outlook profile.

My questions now: are there any 3rd party tools recommended for this,
and what is your preference?
Also, do you have any tips regarding Active Directory migration?