Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide ...

[1] DSI = Defending Security Infrastructures

-B

On Tue, 1 Aug 2006, Matt Hargraves wrote:

Without going with an Access-Based Security (ABS) model, there are few ways to make sure that all of the people who need access to an object are the only ones who are getting access. Local server security groups (which are difficult to manage), a smallish environment, user-based ACLs on rights and objects, or a very strange environment, there is no other way to have a 100% accurate security environment for resources.

Access based security is nice because it is very granular, but the problem with it is that it has a very high level of maintenance and has a lot of room for error and a lot of inherent cost in hardware. The larger the environment, the larger the number of points of failure in the security model. You have 100,000 shares in an environment (or more) and the number of people required to manage that resource starts getting restrictively high. Does John the Crankshaft mechanic need access to share \\servername\share80385? Probably not 95% of the time, but that one or two times a year that he does need access, do you really want to make him wait between 2 hours and potentially as high as 2 days to gain that access just so that you can have 100 people controlling 1,000 shares and the ACLs each?

I can't argue that RBS is the only way to go, but there's nothing wrong with going with a hybrid. RBS base with an ABS overlap ends up with a security model where you've got the potential for granularity, but a system where a resource has a team that may need access to an object, they can be granted that access and if there are individuals who need access above and beyond what the RBS model would grant, the access can be granted.

Users who change roles are automatically removed from the groups they are no longer members of (via the HR software, SAP or whatever) and when someone moves into a role where they now require access to a resource (or set of resources), they are automatically granted that access via the same mechanism.

The alternative is a forest root with disjoined domain that holds users, then a resource subdomain and an Exchange subdomain. 2-3 times as many DCs, added cost that goes with that (power, a/c, NOC space), added overhead of maintaining that somewhat complex environment... the alternative for larger environments is to buy 2-3 times as many Exchange servers due to large token sizes. Not to mention the bloating of your DIT database causing reduced performance on your DCs.

An exclusive RBS is a best-case scenario that almost never exists. But it should be the basis of a security model. The alternative is a bloated environment and a bloated management structure for that environment. An exclusive ABS is another best-case scenario that rarely exists outside of smaller environments, where management of resources is easier to control because the people who are controlling the resource know everyone who needs access to their resource.

Considering how large the companies you commonly work with are, it's surprising to see you recommending a difficult to manage model. With hundreds of thousands of users and possibly a nearly identical number of shares (or worse... more) and a large number of applications, it's hard to see where an ABS is practical.

On 7/31/06, joe [EMAIL PROTECTED] wrote:

If I am fixing security bugs in my program is it ok to get 80% of them and leave the remaining known 20%? Do you have a lot of faith in a firewall that stops 80% of the bad traffic? Or an AV scanner that finds 80%? If I set up a shared folder to get files shared out to multiple folks, is it ok if only 80% of the people I give access to really need the access? What if in that shared folder are personal files about you or your wife or your kids or maybe some compromising photos of you and your mistress[1]? :)

How about the flip side, if I set up a shared folder and only 80% of the folks who need the access get it, is that good? Would you have a list of people in the DA group where only 80% really needed the access? Or again on the flip side, only 80% of the people who required it got it?

Security should be very tightly controlled. Especially for access. Role based security fits squarely in this hole, IMO. It is probably more a problem with the implementation and the definition of the roles than anything because if you really got into defining really granular roles that you should, you are almost at the point of doing resource based security anyway which again, IMO, is by far the more secure way of handling resource security. It is rare that the data access requirements of everyone listed as a CrankShaft Engineer, for example, are identical in a
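The hybrid Matt argues for (role groups as the base, per-user exceptions on individual resources as the overlay, HR-driven role changes) can be modelled in a few lines, and the model makes one consequence visible that a defender has to plan for: the HR feed replaces role-derived group memberships, but it never touches the per-user exceptions, so those need their own review. The following is an added example written for this page, not code from any poster; role names, group names, the share paths and the user are made up, and the token-size formula is the one Microsoft published in KB 327825 for the "large token sizes" Matt mentions.

```python
from dataclasses import dataclass, field

# Constructed sample data: which security groups each job role maps to
# (the "RBS base" of the hybrid model). All names are hypothetical.
ROLE_GROUPS = {
    "crankshaft-mechanic": {"G-Mechanics", "G-ShopFloor"},
    "crankshaft-engineer": {"G-Engineering", "G-CAD"},
}


@dataclass
class User:
    name: str
    role: str
    groups: set = field(default_factory=set)


@dataclass
class Share:
    path: str
    group_acl: set                                # RBS layer: groups granted access
    user_acl: dict = field(default_factory=dict)  # ABS overlay: user -> role held when granted


def apply_role(user, new_role):
    """Simulate the HR feed: role-derived memberships are replaced wholesale,
    so the old role's groups are removed and the new role's groups added."""
    user.groups = set(ROLE_GROUPS[new_role])
    user.role = new_role


def grant_exception(share, user):
    """ABS overlay: a one-off per-user grant, recording the role held at grant time."""
    share.user_acl[user.name] = user.role


def has_access(user, share):
    """Effective access: any role group on the share's ACL, or an explicit user grant."""
    return bool(user.groups & share.group_acl) or user.name in share.user_acl


def stale_exceptions(users, shares):
    """Per-user grants whose holder has changed role (or left) since the grant
    was made. The HR feed never touches these, so they need a review queue."""
    current_role = {u.name: u.role for u in users}
    return [
        (share.path, name)
        for share in shares
        for name, role_at_grant in share.user_acl.items()
        if current_role.get(name) != role_at_grant
    ]


def token_size_estimate(d, s):
    """Approximate Kerberos access-token size from Microsoft KB 327825:
    1200 + 40*d + 8*s, where d counts domain-local groups (plus universal
    groups from outside the account domain) and s counts global groups (plus
    universal groups in the account domain). The default MaxTokenSize before
    Windows Server 2012 was 12000 bytes, the ceiling that group bloat hits."""
    return 1200 + 40 * d + 8 * s


def demo():
    """Walk John through the thread's scenario and return the observations."""
    john = User("john", "crankshaft-mechanic", set(ROLE_GROUPS["crankshaft-mechanic"]))
    engineering = Share(r"\\servername\share80385", {"G-Engineering"})
    shop = Share(r"\\servername\shopfloor", {"G-ShopFloor"})

    before = has_access(john, engineering)      # False: his role does not cover it
    grant_exception(engineering, john)          # the once-a-year ABS exception
    during = has_access(john, engineering)      # True
    apply_role(john, "crankshaft-engineer")     # HR moves John into engineering
    lost_shop = has_access(john, shop)          # False: old role's groups were removed
    review = stale_exceptions([john], [engineering, shop])  # the exception survives
    return before, during, lost_shop, review


if __name__ == "__main__":
    print(demo())
    print(token_size_estimate(d=120, s=900), "bytes")
```

After the role change John reaches the engineering share through his new role group, so the old exception is now redundant; `stale_exceptions` is the kind of report that has to run alongside the HR feed for the hybrid to stay at least-privilege. The token estimate for 120 domain-local and 900 global groups comes out above the pre-2012 12000-byte default, which is the failure mode behind buying more Exchange servers.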
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
From the pentest listserve...

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke

Matt Hargraves wrote:

You made a comment in the previous thread that I think is rather interesting: Get your checkbook out and stop being stingy. :)

That's a nice thing to say when you're saying it to someone else. But if they tell you that you have to spend hundreds of thousands of dollars or millions when they have metrics that require them to reduce the costs or it's their job.

I'm not trying to minimize the importance of security and least privileged access. Reality is though that we don't control what the rest of the company does, no matter how much 'for their good' it might be. We don't own the data, we don't own the groups. We own the servers, the OS and the security model itself. We can simply provide the tools and try and steer them down the right path, while trying to make sure it's a path that they can walk down. The minute we make a path that's too difficult to walk down, the path will get changed on us for a more manageable model, with only a chance that we're involved at all. More likely it will be someone who has no knowledge of the environment and is building a straightforward "MS says" environment that could potentially be worse than what is already in place, but the people who are now making the decisions aren't very busy listening to us any more.

On 8/1/06, Matt Hargraves [EMAIL PROTECTED] wrote:

[quoted message trimmed; it appears in full earlier on this page]
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Isn't DSI being discussed in great detail at Blackhat starting tomorrow.. or am I mistaken and just thinking about the blog post again?

http://blog.joeware.net/2006/07/11/445/

Brett Shirley wrote:

I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide ...

[1] DSI = Defending Security Infrastructures

-B

On Tue, 1 Aug 2006, Matt Hargraves wrote:

[quoted message trimmed; it appears in full earlier on this page]
RE: [ActiveDir] DNS suffix resolution..
We appear to agree that there is no 'need'. The OP used the word 'need' and I merely continued that line of thought :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 31 July 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two.

if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins.

[Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS.

IF "need" is the operative word, even a multi-domain Forest does NOT NEED WINS for NetBIOS name resolution. Will such Forest benefit from WINS availability? Sure, but only IF the Forest has been configured in such a way that makes WINS presence beneficial. Does this mean that WINS is required? No. It means that the said Forest requires WINS due to configuration decisions made at some point in time, not because of technical or technological dependencies imposed by the Operating System.

IF you have a properly defined naming convention (that is to say all your kids are not named "joe") AND you utilize a logical and effective suffix search list (that is to say everyone in your family tree knows everybody else's surname), then your FOREST does not NEED WINS - multi-domain or not, and regardless of the NetBIOS-consumption-propensity of any application.

Now you can argue that "proper naming convention" is too fluid and highly unrealistic, and I may not argue with you. You may point out that "appropriate suffix list" in a Forest that has a bazillion and one domain is impractical, and I may let it slide. But... both arguments do not support the assertion that "AD NEEDS WINS". WINS is necessary where both conditions are not met. Where that is not the case, you can happily give the middle finger to WINS.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Mon 7/31/2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

Hey - from the machines, i can definitely ping the FQDN.

[Neil Ruston] indeed - that should always work unless you have basic DNS issues

If you have hundreds even thousands of workstations, the easiest way to distribute dns suffix search order listing is through group policy ?

[Neil Ruston] most likely or some kind of login script.

if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins.

[Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS.

its for this purpose i still use wins.

[Neil Ruston] As above, you can design the need for WINS out.

how are your clients tcp/ip properties set at child domains ? at HQ sites ?

[Neil Ruston] It depends upon the requirements of each location. In summary - add all suffixes needed to each machine in each region. If I assume you have an HQ and branch locations, then consider adding appropriate suffixes for the HQ machines and (different?) appropriate suffixes for each branch.

i'm curious to know how other admins are setting up dns/tcpip properties in their network/domain.

[Neil Ruston] As ever - 'it depends' :)

On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

just as an FYI: If you specify suffix search list it will override the searching of appending the parent suffix of primary DNS suffix. So if you just specify:

domain2.domain1.com
domain3.domain1.com

and not domain1.com it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL.

Jef

----- Original Message -----
From: Matheesha Weerasinghe
To: ActiveDir@mail.activedir.org
Sent: Monday, July 31, 2006 4:13 AM
Subject: Re: [ActiveDir] DNS suffix resolution..

I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the
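Jef's point about the suffix search list, Neil's "add all suffixes needed" and Deji's two conditions (unambiguous names, a suffix list that covers the forest) all come down to which fully qualified names a client tries before it gives up on DNS and falls back to NetBIOS. The following is an added example written for this page, not code from any poster: a simplified model of the Windows client behaviour (no connection-specific suffixes, devolution stopping at two labels) run over a constructed zone table using Jef's domain1/domain2/domain3 names; host names and addresses are made up.

```python
# Constructed zone data standing in for what DNS would answer; names are hypothetical.
ZONE = {
    "dc1.domain1.com": "10.0.1.1",
    "fs1.domain2.domain1.com": "10.0.2.5",
    "fs1.domain3.domain1.com": "10.0.3.5",
}


def candidate_names(name, primary_suffix, search_list=None, devolution=True):
    """FQDNs a Windows client tries, in order, for a name typed without dots.

    With a suffix search list configured, the list is used exclusively: the
    primary suffix is not devolved, which is Jef's point that domain1.com is
    only searched if it is in the list. Without a list, the primary suffix is
    appended and then devolved one label at a time, stopping at two labels
    (Windows never tries the bare top-level domain)."""
    if "." in name:                      # already qualified: try it as given
        return [name.rstrip(".")]
    if search_list:
        return [f"{name}.{suffix}" for suffix in search_list]
    labels = primary_suffix.split(".")
    out = []
    while len(labels) >= 2:
        out.append(f"{name}.{'.'.join(labels)}")
        if not devolution:
            break
        labels = labels[1:]
    return out


def resolve(name, zone, primary_suffix, search_list=None, devolution=True):
    """Try each candidate against the zone table. None means every DNS attempt
    failed; that is the point at which a Windows client falls back to NetBIOS
    resolution (WINS or broadcast), which is where the "need WINS" argument
    in the thread actually comes from."""
    for fqdn in candidate_names(name, primary_suffix, search_list, devolution):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


if __name__ == "__main__":
    child = "domain2.domain1.com"
    # No search list: devolution of the primary suffix finds dc1 in the parent.
    print(resolve("dc1", ZONE, child))
    # Jef's case: a search list that omits the parent, so dc1 is never tried there.
    print(resolve("dc1", ZONE, child, ["domain2.domain1.com", "domain3.domain1.com"]))
    # The fix he describes: put the parent suffix in the list.
    print(resolve("dc1", ZONE, child, ["domain2.domain1.com", "domain3.domain1.com", "domain1.com"]))
    # Deji's naming-convention condition: two fs1 hosts, and list order decides which wins.
    print(resolve("fs1", ZONE, child, ["domain3.domain1.com", "domain2.domain1.com"]))
```

The last call is the case Deji's "all your kids are not named joe" rule guards against: with duplicate short names across domains, the suffix list silently picks whichever domain comes first, and a client in domain2 can end up on domain3's file server.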
RE: [ActiveDir] DNS suffix resolution..
Wow, joe and Deji both agreed with me and in the same day :) I am at peace :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 31 July 2006 20:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

One word... disjoint name space.

AD itself doesn't need WINS unless DNS is broken because it uses FQDNs. It is everything else. If you have a simple single domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup of a specific type of NetBIOS record or do the lookups themselves with the NetBIOS calls. As you add more domains it becomes more complicated. As you add more trees or go to disjoint namespaces the work required isn't worth the benefit.

Personally I like WINS, I have had very very few issues with it even at the Enterprise scale.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Monday, July 31, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

[quoted message trimmed; it appears in full earlier on this page]
[ActiveDir] DNS Scavenging
Hi,

Windows 2003 R2 Single Domain/FFL, AD Integrated DNS

I am thinking about configuring DNS Scavenging. I was reading the AD Cookbook and it mentions 'Configure Non Refresh and Refresh Intervals as necessary'. What does this mean? What do you normally set your environment to? Does this also look at Reverse Zones as well?

thanks
James
RE: [ActiveDir] DNS Scavenging
Personally, the defaults work for me. Here's a good article:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_tahj.mspx?mfr=true

Re reverse zones - enable scavenging per server and per zone as appropriate.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: 01 August 2006 09:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging

[quoted message trimmed; it appears in full earlier on this page]
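James's question ("what does 'configure no-refresh and refresh intervals' mean?") is answered in the thread only by a link, so here is the aging logic those two intervals drive, as an added example written for this page and not taken from any poster or from the linked article. It models how a Windows DNS server treats a dynamic update against an aged record: inside the no-refresh interval a refresh that changes nothing is accepted without touching the timestamp, after it the timestamp is reset, and once no-refresh plus refresh has passed with no refresh at all the record becomes eligible for the next scavenging pass. Record names, addresses and the dates are constructed; the 7-day values are the Windows defaults Neil says he keeps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows DNS defaults for both intervals (the values Neil says work for him).
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


@dataclass
class Record:
    name: str
    rdata: str
    timestamp: Optional[datetime]   # None = static record, never aged or scavenged


def try_refresh(record, now, no_refresh=NO_REFRESH):
    """A dynamic update that leaves the data unchanged (a host re-registering
    itself). During the no-refresh interval the server accepts the update but
    does not touch the timestamp, which is what keeps AD-integrated zones from
    replicating a timestamp change on every registration. Returns True only
    when the timestamp was actually moved forward."""
    if record.timestamp is None:
        return False
    if now - record.timestamp < no_refresh:
        return False
    record.timestamp = now
    return True


def update(record, rdata, now):
    """A change to the data (a new address) is always written and always re-stamps."""
    record.rdata = rdata
    if record.timestamp is not None:
        record.timestamp = now


def is_scavengeable(record, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Eligible once no-refresh + refresh has elapsed since the timestamp with
    nobody having refreshed it. The server only removes it when its own
    scavenging pass runs, so real removal lags this by up to one scavenging
    interval (a server-level setting, separate from the per-zone intervals)."""
    return record.timestamp is not None and now - record.timestamp >= no_refresh + refresh


def scavenge(zone, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Remove eligible records in place and return the names removed. PTR
    records in a reverse zone behave the same way, but aging is a per-zone
    setting, so a reverse zone is only covered if it was enabled there too."""
    removed = [r.name for r in zone if is_scavengeable(r, now, no_refresh, refresh)]
    zone[:] = [r for r in zone if r.name not in removed]
    return removed


def timeline():
    """Constructed walk-through; returns the observation at each step."""
    t0 = datetime(2006, 8, 1, 9, 0)
    day = timedelta(days=1)
    ws = Record("ws42.example.com", "10.0.0.42", t0)
    dc = Record("dc1.example.com", "10.0.0.1", None)      # static: survives everything
    r_day3 = try_refresh(ws, t0 + 3 * day)                # inside no-refresh: ignored
    r_day8 = try_refresh(ws, t0 + 8 * day)                # past no-refresh: stamped day 8
    s_day21 = is_scavengeable(ws, t0 + 21 * day)          # 13 days since day 8: not yet
    removed = scavenge([ws, dc], t0 + 22 * day)           # 14 days since day 8: gone
    return r_day3, r_day8, s_day21, removed


if __name__ == "__main__":
    print(timeline())
```

The practical reading of the two intervals: no-refresh is how long a host's registration is "locked" so replication stays quiet, refresh is how long after that the host has to show up again, and their sum is the minimum age of anything scavenging will remove. Setting them shorter than the clients' own re-registration cadence is what gets live hosts scavenged.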
Re: [ActiveDir] DNS oddities?
Ha ha! So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the A record etc.. or am I way off?

Cheers
M@

On 8/1/06, joe [EMAIL PROTECTED] wrote:

If it works for a subset of records, why not for all?

Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the kerberos tickets for the services.

Just would have been nice to see some consistency in the results.

Oh now you are just asking for the moon ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the dhcp client service. If it works for a subset of records, why not for all?

Anyways, I tried repro'ing. The 1st time I tried none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on parent and recreated a secure update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting dhcp client fixed it this time even though it didn't before.

Once the box was up, I deleted the zone and restarted dhcpclient. Did the A record but not the SRV records (excluding the ones beneath _msdcs which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So looks like a combination of both restarting netlogon and dhcpclient is required.

Then deleted and recreated zone, restarted client DC. All DDNS update records were refused. Restarting dhcpclient was also not working with all records refused. After a while some of the records appeared minus the A record. Restarted dhcpclient again and the A record appeared.

However hosting the child domain's zone on the child dc doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.

M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:

I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIRC it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -

1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client

HTH

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new dns zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed to root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record?

If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC. It does the same. Creates all records except for the A. I am puzzled as if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on child DC reports all required everything as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers
M~
RE: [ActiveDir] DNS oddities?
netlogon is responsible for all SRV records and the DHCP client is responsible for the A record. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha WeerasingheSent: 01 August 2006 09:53To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS oddities? Ha ha! So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the "A" record etc.. or am I way off? Cheers M@ On 8/1/06, joe [EMAIL PROTECTED] wrote: If it works for a subset of records, why not for all? Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the kerberos tickets for the services. Just would have been nice to see some consistency in the results. Oh now you are just asking for the moon ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Monday, July 31, 2006 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS oddities? Thanks Dean. I didnt quite understand your explanation of the tokens for the dhcp client service. If it works for a subset of records, why not for all?Anyways, I tried repro'ing. The 1st time I tried none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on parent and recreated a secure update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. restarting dhcp client fixed it this time even though it didnt before. Once the box was up, I deleted the zone and restarted dhcpclient. Did the "A" record but not the SRV records (excluding the ones beneath _msdcs which was in a different zone and I didnt clean them up). Restarting netlogon fixed that. So looks ike a combination of both restarting netlogon and dhcpclient is required. 
Then I deleted and recreated the zone and restarted the child DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared, minus the "A" record. Restarted dhcpclient again and the "A" record appeared. However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results. M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote: I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
a. temporarily configure the zone to permit non-secure updates
b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All, can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the "A" record? If I delete the child domain's zone from the parent domain DC/DNS server, recreate it, then use "netdiag /test:dns /fix" on the child DC, it does the same: creates all records except for the "A".
I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the "A" record? Also netdiag /test:dns on the child DC reports everything required as OK even though the "A" record is missing in the child domain zone. Thoughts? Cheers M~

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.
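Neil's split (Netlogon owns every SRV record, the DHCP Client service owns the host A record) is exactly what tells you which service to restart when a freshly promoted DC is missing records. The following is an added example, not code from the list or from Microsoft; it builds the core expected record set for a DC, compares it against a resolver and names the owning service for whatever is absent. All host, domain and site names are constructed, and the resolver is a stand-in table that you would replace with real DNS queries.

```python
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]                  # (owner name, record type)
Lookup = Callable[[str, str], List[str]]  # (name, type) -> rdata strings


def expected_dc_records(host: str, domain: str, forest: str, site: str,
                        is_gc: bool = True) -> Dict[str, List[Record]]:
    """Core record set a DC should register, keyed by the Windows service
    that registers it. This is a subset of netlogon.dns: the PDC,
    domain-GUID and DSA-GUID CNAME entries are left out for brevity."""
    srv: List[Record] = []
    for svc in ("_ldap", "_kerberos"):
        srv += [
            (f"{svc}._tcp.{domain}", "SRV"),
            (f"{svc}._tcp.{site}._sites.{domain}", "SRV"),
            (f"{svc}._tcp.dc._msdcs.{domain}", "SRV"),
            (f"{svc}._tcp.{site}._sites.dc._msdcs.{domain}", "SRV"),
        ]
    srv += [
        (f"_kerberos._udp.{domain}", "SRV"),
        (f"_kpasswd._tcp.{domain}", "SRV"),
        (f"_kpasswd._udp.{domain}", "SRV"),
    ]
    if is_gc:
        srv += [
            (f"_gc._tcp.{forest}", "SRV"),
            (f"_gc._tcp.{site}._sites.{forest}", "SRV"),
            (f"_ldap._tcp.gc._msdcs.{forest}", "SRV"),
        ]
    # Netlogon owns every SRV record; the DHCP Client service owns the
    # host's own A record (it registers it even when the address is static).
    return {"Netlogon": srv, "DHCP Client": [(host, "A")]}


def missing_records(expected: Dict[str, List[Record]], lookup: Lookup,
                    host: str, address: str) -> Dict[str, List[Record]]:
    """Per service, the expected records that do not point at this DC.
    A SRV record counts as present when `host` is among its targets; the
    A record counts as present when it resolves to `address`."""
    missing: Dict[str, List[Record]] = {}
    for service, records in expected.items():
        missing[service] = []
        for name, rtype in records:
            want = host if rtype == "SRV" else address
            if want not in lookup(name, rtype):
                missing[service].append((name, rtype))
    return missing


def services_to_restart(missing: Dict[str, List[Record]]) -> List[str]:
    """The remedy the thread arrived at: restart whichever registering
    service owns the absent records (possibly both)."""
    return [svc for svc, recs in missing.items() if recs]


# Constructed sample: a child-domain DC whose SRV records made it into the
# parent-hosted zone but whose A record was refused (the symptom reported).
HOST, ADDR = "dc1.child.example.test", "10.0.1.10"
EXPECTED = expected_dc_records(HOST, "child.example.test",
                               "example.test", "Default-First-Site-Name")
SAMPLE_ZONE: Dict[Record, List[str]] = {
    rec: [HOST] for rec in EXPECTED["Netlogon"]
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver (e.g. dnspython's resolver.resolve);
    answers only from the constructed table above."""
    return SAMPLE_ZONE.get((name, rtype), [])


def diagnose_sample() -> Tuple[Dict[str, List[Record]], List[str]]:
    missing = missing_records(EXPECTED, sample_lookup, HOST, ADDR)
    return missing, services_to_restart(missing)


if __name__ == "__main__":
    miss, restart = diagnose_sample()
    for svc, recs in miss.items():
        print(f"{svc}: {len(recs)} record(s) missing")
        for name, rtype in recs:
            print(f"  {rtype:<4} {name}")
    print("restart:", ", ".join(restart) or "nothing")
```

If the same records keep being refused after the restart, the zone is set to secure updates only and the registering service's token is the next thing to look at, which is the situation Dean described.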
Re: [ActiveDir] DNS oddities?
Thanks Neil. That makes a lot of sense. Cheers M@

On 8/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: netlogon is responsible for all SRV records and the DHCP client is responsible for the A record. neil

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: 01 August 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Ha ha! So would I be correct in assuming netlogon registers _ldap and _gc records, KDC registers _kerberos and _kpasswd records and dhcpclient does the A record etc., or am I way off? Cheers M@

On 8/1/06, joe [EMAIL PROTECTED] wrote:
"If it works for a subset of records, why not for all?"
Subsets of records are probably working because you have different services responsible for the different records, which also means different SPNs used to generate the Kerberos tickets for the services.
"Just would have been nice to see some consistency in the results."
Oh, now you are just asking for the moon ;o)
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all? Anyways, I tried repro'ing. The 1st time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted dhcpclient. It did the A record but not the SRV records (excluding the ones beneath _msdcs, which were in a different zone and I didn't clean them up).
Restarting netlogon fixed that. So it looks like a combination of restarting both netlogon and dhcpclient is required. Then I deleted and recreated the zone and restarted the child DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted dhcpclient again and the A record appeared. However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results. M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote: I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
a. temporarily configure the zone to permit non-secure updates
b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All, can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, recreate it, then use netdiag /test:dns /fix on the child DC,
it does the same: creates all records except for the A. I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone. Thoughts? Cheers M~
[ActiveDir] WINS/DNS access on DC's
Single Windows 2003 domain FFL. I have 2 DCs which act as WINS/DNS and DHCP. I want to give our Server Support team the ability to view these services from their workstations via an MMC console. For DHCP, the DHCP Users group provides me with an answer for that; does anyone know how I can get the WINS and DNS service available to them? At the moment when I add the server name it says it's unavailable and to look at the WINS User group, only problem is I can't find a WINS User group. Note the Server Support Team are not Domain Admins; they have local access to every member server and delegated rights in Active Directory. thanks Frank
RE: [ActiveDir] WINS/DNS access on DC's
Check out the 'DNSadmins' group for DNS access and 'WINS Users' for access to WINS. Membership of these groups may give too little or too much access. Can you be more specific about what access these support ppl actually need? neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 01 August 2006 11:36
To: Active
Subject: [ActiveDir] WINS/DNS access on DC's

Single Windows 2003 domain FFL. I have 2 DCs which act as WINS/DNS and DHCP. I want to give our Server Support team the ability to view these services from their workstations via an MMC console. For DHCP, the DHCP Users group provides me with an answer for that; does anyone know how I can get the WINS and DNS service available to them? At the moment when I add the server name it says it's unavailable and to look at the WINS User group, only problem is I can't find a WINS User group. Note the Server Support Team are not Domain Admins; they have local access to every member server and delegated rights in Active Directory. thanks Frank
RE: [ActiveDir] DNS oddities?
The intermittent result in the repro isn't unusual; it seems likely there's some kind of race condition occurring under the covers … thus the unpredictable nature of the test scenarios. I love this list: if you just wait long enough someone else will do your work for you :0) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all? Anyways, I tried repro'ing. The 1st time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted dhcpclient. It did the A record but not the SRV records (excluding the ones beneath _msdcs, which were in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of restarting both netlogon and dhcpclient is required. Then I deleted and recreated the zone and restarted the child DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted dhcpclient again and the A record appeared. However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote: I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
a. temporarily configure the zone to permit non-secure updates
b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All, can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, recreate it, then use netdiag /test:dns /fix on the child DC, it does the same: creates all records except for the A. I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone. Thoughts? Cheers M~
RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?
Ben, thanks for the article, I don't think I had seen that before. Guido, thanks for the info, I will incorporate that into our testing. Thank you all! Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, July 31, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

Hi Nate, just in case you hadn't seen this before, you might want to keep your eye on this KB article. http://support.microsoft.com/kb/314649 Good luck with your upgrade! ~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, July 31, 2006 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

All, we are rounding home base in our upgrade path to 2K3 and have our Exchange Server Cluster running W2K and EXCH2K and our Domain Controllers to upgrade lastly. Which of them would you think would be the best to upgrade first? We thought to upgrade the DCs first because it takes care of the extension of the schema and all, which has to be done prior to EXCH2K3 anyhow. I can't think of a reason to not upgrade the Domain Controllers before the Exchange Server. Can anyone else? Thanks Nate
[ActiveDir] OT: NTLM troubleshooting info
Guys, does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet Mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide. Cheers M@
RE: [ActiveDir] OT: NTLM troubleshooting info
might sspi_workbench (from technet) be useful for this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys, does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet Mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide. Cheers M@
Re: [ActiveDir] OT: NTLM troubleshooting info
Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too. Cheers M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote: might sspi_workbench (from technet) be useful for this?

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys, does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet Mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide. Cheers M@
RE: [ActiveDir] OT: NTLM troubleshooting info
There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html. I'm not sure if it will meet your needs or not. I think there are some others around as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: NTLM troubleshooting info

Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too. Cheers M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote: might sspi_workbench (from technet) be useful for this?

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys, does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet Mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide. Cheers M@
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Well, at least Darren posted another mail regarding "security by obscurity", which this is. It's just like removing the Domain Admins group from the local administrators group on member servers to "secure" the member server. Just because many of those domain admins don't know why they may be missing some permissions and have no clue how to fix it doesn't mean that you're protected from them. Some may even cause more harm by trying to regain access once you've removed it for the group. And GPOs are certainly not your only worry in a domain with too many domain admins. So, as many have already stated and I'm happy to chime in: don't try to fix the wrong thing. Instead remove all those users from the Domain Admins group which you would have otherwise not added to the Group Policy Creator Owners group. You'll now need to find ways to delegate the tasks that the ex-Domain Admins performed when they were still in the group. For example you may need to create a few groups and add these to the local admin groups on the appropriate machines (such as ComputerAdmins and ServerAdmins groups that will grant admin access to all workstations and member servers respectively, if this is what your admins need). Then add those ex-Domain Admins to these groups. Your Domain Admins can add these groups to the local admin groups on the respective machines via Group Policy. /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 31, 2006 11:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Andy- Yes, it's possible. There are actually two steps here. If you have GPMC, highlight the Group Policy Objects node on your domain and choose the Delegation tab. From here, you can delegate which groups can create GPOs in the domain.
However, even if you remove Domain Admins from this list, what you will notice is that, when a GPO gets created by someone legitimately, the Domain Admins group will still have edit rights over that GPO. This is because the defaultSecurityDescriptor attribute on the groupPolicyContainer schema class object includes this group when any new objects are created. In order to change this, you will need to modify this attribute in the schema (e.g. using ADSIEdit) to remove that group from the SDDL list stored in that attribute. Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi, I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible? Thanks in advance. Andy
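Whether or not you follow Guido's advice and leave the schema alone, it is worth being able to read the defaultSecurityDescriptor Darren refers to, so you can see exactly which trustees every new GPO inherits rights from. The following is an added example, not code from the list or from Microsoft: a small SDDL DACL parser that lists the ACEs granted to a well-known trustee such as DA and can emit the string with that trustee removed. The sample SDDL is constructed to resemble, not reproduce, the groupPolicyContainer default; read the real value from your own schema before drawing conclusions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Well-known SID abbreviations that appear in this thread's context.
WELL_KNOWN = {"DA": "Domain Admins", "EA": "Enterprise Admins",
              "CO": "Creator Owner", "SY": "Local System",
              "AU": "Authenticated Users", "WD": "Everyone"}

# Two-letter access right codes (subset of the SDDL rights table).
RIGHT_NAMES = {"RP": "read property", "WP": "write property",
               "CC": "create child", "DC": "delete child",
               "LC": "list children", "LO": "list object",
               "RC": "read control", "WO": "write owner",
               "WD": "write DAC", "SD": "delete", "DT": "delete tree",
               "SW": "self write", "CR": "control access",
               "GA": "generic all", "GR": "generic read"}


@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str

    def to_sddl(self) -> str:
        return "(%s;%s;%s;%s;%s;%s)" % (self.ace_type, self.flags, self.rights,
                                        self.object_guid, self.inherit_guid,
                                        self.trustee)


def parse_sddl(sddl: str) -> Tuple[str, str, List[Ace], str]:
    """Split an SDDL string into (owner/group prefix, DACL flags, DACL ACEs,
    SACL suffix). Only the D: section is parsed; O:, G: and S: are kept
    verbatim so they survive a round trip untouched."""
    d = sddl.index("D:")
    s = sddl.find("S:", d)               # SACL, if present, follows the DACL
    end = s if s != -1 else len(sddl)
    prefix, dacl, suffix = sddl[:d], sddl[d + 2:end], sddl[end:]
    m = re.fullmatch(r"([A-Z]*)((?:\([^)]*\))*)", dacl)
    if m is None:
        raise ValueError("unparseable DACL: %r" % dacl)
    flags, ace_text = m.group(1), m.group(2)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:             # conditional ACEs are out of scope
            raise ValueError("unexpected ACE shape: %r" % body)
        aces.append(Ace(*fields))
    return prefix, flags, aces, suffix


def describe(ace: Ace) -> str:
    """Human-readable one-liner for an ACE, e.g. 'allow Domain Admins: ...'."""
    verb = {"A": "allow", "D": "deny", "OA": "allow (object)",
            "OD": "deny (object)"}.get(ace.ace_type, ace.ace_type)
    who = WELL_KNOWN.get(ace.trustee, ace.trustee)
    if ace.rights.startswith("0x"):
        names = [ace.rights]
    else:
        names = [RIGHT_NAMES.get(ace.rights[i:i + 2], ace.rights[i:i + 2])
                 for i in range(0, len(ace.rights), 2)]
    return "%s %s: %s" % (verb, who, ", ".join(names))


def aces_for(sddl: str, trustee: str) -> List[Ace]:
    """All DACL ACEs whose trustee is the given SID or abbreviation."""
    return [a for a in parse_sddl(sddl)[2] if a.trustee == trustee]


def remove_trustee(sddl: str, trustee: str) -> str:
    """Return the SDDL with every DACL ACE for `trustee` dropped; owner,
    group, DACL flags and SACL are preserved exactly."""
    prefix, flags, aces, suffix = parse_sddl(sddl)
    kept = "".join(a.to_sddl() for a in aces if a.trustee != trustee)
    return "%sD:%s%s%s" % (prefix, flags, kept, suffix)


# Constructed sample in the shape of a groupPolicyContainer default
# descriptor: full control for DA, EA, CO and SY, read for AU.
SAMPLE_SDDL = ("D:P(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;SY)"
               "(A;CI;RPLCLORC;;;AU)")

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE_SDDL)[2]:
        print(describe(ace))
    print("without DA:", remove_trustee(SAMPLE_SDDL, "DA"))
```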
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Richard doesn't seem to be too keen on giving us further details; too bad. But not sure why you, Matt, are talking about breaking 1.25 GB with respect to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DCs anyway if you can, for example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing cost) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs; even if they still handle the load today, you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications. /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote: To further add to this, it depends considerably on how populated you want your GAL to be.
Some people just let the mandatory Exchange attributes get populated; others want the GAL to be the one-stop shop for info on employees, so everything goes into the GAL, which means everything goes into AD. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD; I guess you'd be close to 100k users in your forest, if you've used the standard attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users). After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes and the Exchange attributes for your objects won't be filled magically until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess of 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB. /Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650 megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure... thx, RM
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
California law AB1950 and SB1386. That's also real world... where I could get sued for civil damages if I don't do reasonable measures to protect the PII on my network. One of these days, "that we don't care..." will be in a deposition statement in court.

Matt Hargraves wrote: BTW, I wasn't trying to suggest that people should spend less money on security, just that there are a lot of financial and technical considerations that we don't have control over, so we have to target our security proposals to a real world where companies do want to lower their overall costs and the people saying "Cut your budget and I don't care what the implications are" (while that's not necessarily exactly what they are saying, that's the gist of it). Creating security models that, when the decision makers look at the costs involved, are going to get denied is a waste of time (and time is money) and will just end up with you having to come up with another model that will meet the requirements, including the monetary requirements. It's either that or we end up deceiving our client (boss, whatever) on the actual cost of the security model that we're implementing. I think we'd all love to have a blank check for security considerations, but we all know that's not going to happen now or any time in the future.

On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] wrote: From the pentest listserve... "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." -- former White House cybersecurity czar Richard Clarke

Matt Hargraves wrote: You made a comment in the previous thread that I think is rather interesting: "Get your checkbook out and stop being stingy. :)" That's a nice thing to say when you're saying it to someone else. But if they tell you that you have to spend hundreds of thousands of dollars or millions when they have metrics that require them to reduce the costs or it's their job.
I'm not trying to minimize the importance of security and least-privileged access. Reality is, though, that we don't control what the rest of the company does, no matter how much 'for their good' it might be. We don't own the data, we don't own the groups. We own the servers, the OS and the security model itself. We can simply provide the tools and try to steer them down the right path, while trying to make sure it's a path that they can walk down. The minute we make a path that's too difficult to walk down, the path will get changed on us for a more manageable model, with only a chance that we're involved at all. More likely it will be someone who has no knowledge of the environment and is building a straightforward "MS says" environment that could potentially be worse than what is already in place, but the people who are now making the decisions aren't very busy listening to us any more.

On 8/1/06, *Matt Hargraves* [EMAIL PROTECTED] wrote: Without going with an Access-Based Security (ABS) model, there are few ways to make sure that all of the people who need access to an object are the only ones who are getting access. Local server security groups (which are difficult to manage), a smallish environment, user-based ACLs on rights and objects, or a very strange environment; there is no other way to have a 100% accurate security environment for resources. Access-based security is nice because it is very granular, but the problem with it is that it has a very high level of maintenance and has a lot of room for error and a lot of inherent cost in hardware. The larger the environment, the larger the number of points of failure in the security model. You have 100,000 shares in an environment (or more) and the number of people required to manage that resource starts getting restrictively high. Does John the Crankshaft mechanic need access to share \\servername\share80385?
Probably not 95% of the time, but that one or two times a year that he does need access, do you really want to make him wait between 2 hours and potentially as high as 2 days to gain that access just so that you an have 100 people controlling 1,000 shares and the ACLs each? I can't argue that RBS is the only way to go, but there's nothing wrong with going with a hybrid. RBS base with an ABS overlap ends up with a security model where you've got the potential for granularity, but a system where a resource has a
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
On a totally serious note to Joe's tongue-in-cheek posting: go to a zoo (1)... and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc. so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests... they don't build their own... but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds. Given that here's what nature does to protect itself, what (if anything) has the computing industry done to camouflage to reduce risk? (Call me wacko) but it seems to me that we do a lot of footballish type of security models... offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo... yes... this high-maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo, the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote:

Joe's blog doesn't seem to say anything about what DSI actually *is*. I'm not seeing it as a security model beyond my impression of it being "Don't tell anyone what your security infrastructure looks like" or something like that.

On 8/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Isn't DSI being discussed in great detail at Blackhat starting tomorrow... or am I mistaken and just thinking about the blog post again?

http://blog.joeware.net/2006/07/11/445/

Brett Shirley wrote:

I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide...

[1] DSI = Defending Security Infrastructures

-B

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Thanks Joe. Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the "badness" of having lots of over-privileged admins is not the accidental stupidity (hmmm... is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. So, no matter how privileged an administrator was, nothing that they did went unseen, untested and didn't come with a rock-solid back-out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops.

No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. I'd be much less worried from a DA that accidentally deletes an OU than I would be from a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data that compromises security, privacy or other critical business stuff. I have yet to see such a targeted attack but I am guessing it's only a matter of time. So, yes, absolutely get rid of all those extra DAs, but not just because they do stupid admin tricks, but also because they open up your AD to all kinds of nasty attacks. And, while you're at it, how about removing administrator rights from all of your end users.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Yeah I know where you are coming from Darren but absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop.

I saw the same logic of "the people really don't know what they can do"... used for running an Enterprise Data Center back in 1999 and this was with hundreds of NT servers and many domains and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured anything bad they were actually protected from doing because it would be stupid to let them be able to do something bad. Everyone said it was fine and didn't cause issues until I came in and started looking at it and got sick of running around working on stupid preventable stuff so started making sure every issue was reported and floated up. While it made me and my group look bad initially because the availability of the servers appeared to have plummeted from where it was before, it was only that it appeared that way because we actually reported the problems where the previous folks hid everything under the carpet, and that slowly became apparent. It slowly gave us the permission to fix stupid things that the previous group said was impossible to get changed. It was a lot of hard work but by the end of it, things actually did run well and stable.

I know probably better than most the politics and the outright pain and difficulty involved because I lived through 80 and 100+ hour weeks of it in a very high pressure Fortune 5 environment where I had plant managers and VPs of manufacturing who had no problem screaming at me but I also realize the huge benefits you get out of that work and I think any admins who are serious about doing a good job will keep it up and keep trying to fight the good fight. In the long run, they will look better for it, the
[ActiveDir] LDAP query struggle
I'd like to create an LDAP query to return a list of users that have the "Send on behalf" field populated in the "Exchange General / Delivery Options" properties in ADUC. I cannot seem to make sense of the syntax of the query...

(&(objectCategory=user)(publicDelegates=user I'm searching for))

Is there something I'm missing or can someone provide the correct query format to do what I need?

Thanks
Gordon Pegue
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box.

The "1.25GB" comment wasn't regarding any limitations to 32-bit Windows. It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects, etc. User count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt – are talking about "breaking 1.25 GB" with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following:

What does the current environment look like?
How extensive is your Exchange deployment going to be?

Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:

To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…). After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc. and assuming my guess with 100k users is in the right ballpark your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any
RE: [ActiveDir] LDAP query struggle
Instead of (objectCategory=user) use (objectCategory=person)(objectClass=user)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Gordon Pegue
Sent: Tue 2006-08-01 22:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query struggle
RE: [ActiveDir] LDAP query struggle
Also ensure you are putting the full DN of the user that you are searching for in publicDelegates= since that is a linked attribute.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, August 01, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query struggle

Instead of (objectCategory=user) use (objectCategory=person)(objectClass=user)

From: [EMAIL PROTECTED] on behalf of Gordon Pegue
Sent: Tue 2006-08-01 22:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query struggle
RE: [ActiveDir] LDAP query struggle
objectcategory=user isn't optimal, that will get changed to objectcategory=person which will look at all contacts and users, however that wouldn't prevent the query from working unless you are timing out. What tool are you using to submit the query? Does it allow you to specify a timeout?

Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1 which is a DN, so if you are actually looking for what users a certain other user has delegate rights to then you could do something like

(&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com))

Now down to brass tacks... What do you want to do? Is it

A) Users who have ANY publicDelegates configured for themselves?
B) Users who have a specific publicDelegate configured for themselves? Aka the users a specific user has publicDelegate access over?

If A, then your query can be a simple

(&(objectcategory=person)(objectclass=user)(publicdelegates=*))

If B, then the better way is to enumerate the user's publicDelegatesBL attribute. That will list every account he/she has publicDelegate rights to. Do this against the GC though so cross domain links will show up.

Now finally let me close up with a little bug in this area... This can come up if you have a multidomain forest. If the outlook client gets a GC for a domain that the user isn't in then it is possible that an update to publicDelegates did not occur properly. The whole publicDelegates thing has two aspects, there is some stuff in the STORE and stuff in AD. The stuff in AD is strictly how Send On Behalf is controlled. So it is possible that you will get someone who has publicDelegates listed in AD but Outlook won't show them properly because of the update bug (note that this should be corrected with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also possible for outlook to show someone but they aren't in AD in the attribute. The first is worse than the second because someone could send on behalf of the user and the user wouldn't know it. Go check out the EHLO blog, they talked a lot about this fix. For a detailed description of this issue check out the archives for this list as I really hounded on this problem in about August of 2003 and April or so of 2004 as I was trying to get MSFT to step up and fix it.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gordon Pegue
Sent: Tuesday, August 01, 2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query struggle
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Where is the 1.25GB number from and what do you mean the ability of the 32 bit server to handle it? Do you mean cache? How much can be cached will depend on the OS level and amount of RAM but you can get up to a 2.7GB on a properly configured 32 bit K3 DC. Certainly in terms of purely working, a 32 bit DC can easily handle far larger DITs, I have seen thousands of fully functioning 32 bit domain controllers running 5GB+ DITs. I have seen several DCs with 20GB+ DITs. Surely x64 with lots of RAM just does it more efficiently.

Also if Guido is accurate on the 100k+ users I could pretty easily see 1.25 GB being exceeded. But again, depends on the data population that is occurring and the actual number of users and how many will be mail or mailbox enabled.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Monday, July 31, 2006 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following:

What does the current environment look like?
How extensive is your Exchange deployment going to be?

Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure...

thx,
RM
Re: [ActiveDir] LDAP query struggle
It depends a little on what you're looking for. Let's say you have a meeting room (MR1) and a user (Bob Smith) has Send on Behalf of permissions for the meeting room.

A search using MR1 would use publicDelegatesBL (the back link attribute) and would look something like this:

(&(objectclass=user)(objectcategory=person)(publicdelegatesbl=CN=MR1,CN=Users,DC=myco,DC=com))

A search using Bob Smith would use publicDelegates and would look something like this:

(&(objectclass=user)(objectcategory=person)(publicdelegates=CN=Bob Smith,CN=Users,DC=myco,DC=com))

Tony

-- Original Message --
From: Gordon Pegue [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 1 Aug 2006 14:18:12 -0600
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Sorry, I should have put everything together by subject before responding before. My experiences range pretty widely with how much the DIT will grow with the inclusion of Exchange. Again, it depends entirely on what is already there and what it will end up with for the GAL. One experience had a GC DIT of about 900MB or so for 250,000 users, at least that many machines, about 100k groups (no DLs, all Security, none were Exchange enabled) or so go to somewhere around 6-8GB after the Exchange data population. Some other experiences were with small numbers of people (relative to forest size) actually getting Exchange enabled so the growth was measured in a couple of hundred MB.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
RE: [ActiveDir] LDAP query struggle
Here's what I tried:

(&(objectCategory=person)(objectClass=user)(publicDelegates=Benjamin*))

I have a mailbox-enabled user named Benjamin Ortega. I figured that using Benjamin* would grab the user(s) that have him set as having Send on behalf permission. I KNOW I have users defined thus but the query returns nothing. Steve Linehan mentions something about the full DN. Guess I better 'fess up and say that I'm an LDAP rookie and am not sure what he means. But, with some thought about it, here's what worked after I figured out the full DN of the user in question:

(&(objectCategory=person)(objectClass=user)(publicDelegates=CN=Benjamin Ortega,CN=Users,DC=cg-engrs,DC=com))

Thanks for pointing me in the right direction. Now to read joe's post.

Thanks
Gordon Pegue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, August 01, 2006 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query struggle

Instead of (objectCategory=user) use (objectCategory=person)(objectClass=user)
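As an added example that is not part of the thread: joe's case A and case B filters, Tony's back-link search and Gordon's two attempts, built with RFC 4515 value escaping and run against a constructed in-memory directory whose matching rules imitate what a DC does with DN-syntax attributes (whole-DN comparison, no substring match, back links derived from forward links). Every DN and entry, the simplified DN normalisation and the tiny filter parser are assumptions for the demo, not AD code.

```python
"""Added example, not code from the thread: the publicDelegates filters joe and
Tony describe, run against a constructed directory with the matching rules a DC
applies to DN-syntax attributes. Every DN and entry below is made up."""
import re

# Object(DS-DN) attributes (syntax 2.5.5.1) are matched as whole DNs, never by
# substring. publicDelegatesBL is the back link the DC maintains itself.
DN_SYNTAX_ATTRS = {"publicdelegates", "publicdelegatesbl"}
USER_SCOPE = "(objectCategory=person)(objectClass=user)"

def escape_filter_value(value):
    """RFC 4515 escaping so a pasted DN with ( ) * or \\ cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def filter_any_delegates():
    """joe's case A: users with at least one Send-on-behalf delegate."""
    return "(&%s(publicDelegates=*))" % USER_SCOPE

def filter_delegated_to(delegate_dn):
    """joe's case B, Gordon's working query: users naming one account as
    delegate. The assertion has to be the complete DN."""
    return "(&%s(publicDelegates=%s))" % (USER_SCOPE, escape_filter_value(delegate_dn))

def filter_delegates_of(mailbox_dn):
    """Tony's reverse search on the back link: who may send on behalf of a mailbox."""
    return "(&%s(publicDelegatesBL=%s))" % (USER_SCOPE, escape_filter_value(mailbox_dn))

def parse_filter(s, i=0):
    # Parser for the subset used here: (&...) and (attr=assertion).
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] == "&":
        children, i = [], i + 2
        while s[i] != ")":
            child, i = parse_filter(s, i)
            children.append(child)
        return ("and", children), i + 1
    close = s.index(")", i)  # safe: escaped assertion values contain no ')'
    attr, _, assertion = s[i + 1:close].partition("=")
    return ("eq", attr, assertion), close + 1

def normalize_dn(dn):
    # Simplified DN comparison: case-insensitive, blanks around ',' ignored
    # (escaped commas inside an RDN value are not handled here).
    return ",".join(part.strip().lower() for part in dn.split(","))

def match_item(attr, assertion, entry):
    values = entry.get(attr.lower(), [])
    if assertion == "*":  # presence test
        return bool(values)
    if attr.lower() in DN_SYNTAX_ATTRS:
        if "*" in assertion:  # "Benjamin*" is not a DN and matches nothing
            return False
        wanted = normalize_dn(unescape_filter_value(assertion))
        return any(normalize_dn(v) == wanted for v in values)
    pattern = ".*".join(re.escape(unescape_filter_value(p)) for p in assertion.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def evaluate(node, entry):
    if node[0] == "and":
        return all(evaluate(child, entry) for child in node[1])
    return match_item(node[1], node[2], entry)

def search(filter_text, entries):
    # DNs of the entries the filter selects, in directory order.
    node, _ = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(node, e)]

def with_back_links(entries):
    """publicDelegatesBL is never written by a client; the DC derives it from
    the forward links, which is why joe suggests enumerating it (on a GC)."""
    by_dn = {normalize_dn(e["dn"]): e for e in entries}
    for e in entries:
        for target in e.get("publicdelegates", []):
            holder = by_dn.get(normalize_dn(target))
            if holder is not None:
                holder.setdefault("publicdelegatesbl", []).append(e["dn"])
    return entries

def person(dn, classes=("top", "person", "organizationalPerson", "user"), **attrs):
    # Constructed entry: attribute names lowercased, values as lists. objectCategory
    # is really a DN, but AD accepts the class name "person" as shorthand.
    return {"dn": dn, "objectcategory": ["person"], "objectclass": list(classes), **attrs}

BEN = "CN=Benjamin Ortega,CN=Users,DC=example,DC=com"
MR1 = "CN=MR1,CN=Users,DC=example,DC=com"
PAT = "CN=Pat Lee (Contractor),CN=Users,DC=example,DC=com"
ALICE = "CN=Alice Example,CN=Users,DC=example,DC=com"
GORDON_FIRST_TRY = "(&%s(publicDelegates=Benjamin*))" % USER_SCOPE  # returns nothing
DIRECTORY = with_back_links([
    person(MR1, publicdelegates=[BEN]),
    person(BEN),
    person(PAT),
    person(ALICE, publicdelegates=[BEN.lower(), PAT]),  # link stored in another case
    # A mail-enabled contact: objectCategory=person alone would return it.
    person("CN=Vendor Contact,CN=Users,DC=example,DC=com",
           classes=("top", "person", "organizationalPerson", "contact"), publicdelegates=[BEN]),
])
```

Running `search(GORDON_FIRST_TRY, DIRECTORY)` returns nothing, exactly as Gordon saw, while `search(filter_delegated_to(BEN), DIRECTORY)` returns MR1 and Alice; the escaped DN for Pat shows why a delegate name containing parentheses must be escaped before it is pasted into a filter.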
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Oh I completely agree with lack of change control. I can't count the number of times I have asked companies what their change control process is and they look at me and go huh? What do you mean, we go into insert tool name and make the change. Like you have quite a bit of main/mid frame experience and even changes are handled differently (have I said recently I really miss working on RSTS/E on PDP-11's?). Along with the change control is usually considerable testing (both of the change and backout) and everything tends to get "scripted" which is just the word for whatever batch type control mechanism is the standard for the platform so things can be done in a very specific controlled fashion. These things are also well outside the realm of the daily admin in the Windows world. No one thinks twice (or sometimes even once)about deep configuration changes because they are so easy to make. My solution for the clicking on the wrong website or reading the wrong email or whatnot is that DAs shouldn't be logging on interactively with their DA IDs. They log into PCs with normal IDs and use RUNAS/CPAU/Whatnot to create a process with an enhanced security context. And if an Admin logs into a server, especially a domain controller,and starts using the web or email or anything that can give access to untrusted code to run they need to be smacked about and possibly fired. I am all for all Servers having a default web page of a local file that comes up and says USE THE WEB BROWSER NOW, TURN IN YOUR BADGE RIGHT AFTER. I also have strong feelings about having few admins because of the managerial structure that can spring up around larger groups. 3-5 people can generally be all under the same supervisor, getting above that and the chances of dotted-line hierarchies start creeping in and you can't have several different people trying to manage how they think it should be managed. 
I have experienced this first hand and it was a nightmare, I spent every morning trying to unmake changes the European Admins made that they thought needed to be made to make things work, undoubtedly the next morning for them they would undo what I did or redo what they had done before because I was often having to correct yet again. Finally I just kicked them out of the admin groups and kept them kicked out and the environment stabilized. Had they done the same with me something similar possibly would have happened but who knows, they had had a long time in which to make things work well before I got there and when I came in it still wasn't well. ;o) Only sort of joking there. :) I think we are dancing around the same things. It is about competent, controlled, selective, knowledgeable admins and how many people who are doing admin work that don't fit that description. :) It isn't entirely the fault of the admins themselves, culture and the quality of people that companies are willing to pay for play heavily into it. But yes, change control getting implemented and STRICTLY followed can certainly help a great deal. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 01, 2006 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO? Thanks Joe. Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the "badness" of having lots of over-privileged admins is not the accidental stupidity (hmmm...is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. 
So, no matter how privileged an administrator was, nothing that they did went unseen, untested and didn't come with a rock-solid back out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops. No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. I'd be much less worried from a DA that accidentally deletes an OU than I would be from a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data that
RE: [ActiveDir] LDAP query struggle
Title: [ActiveDir] LDAP query struggle Ok, so you are trying to find what users have Benjamin as a publicDelegate. That is my B scenario I listed. Do this adfind -gc -b "" -f name="Benjamin Ortega" publicdelegatesBL If you want more detailed info about each of the users he is a delegate for then we can look at some attribute scoped query magic (-ASQ switch). joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue Sent: Tuesday, August 01, 2006 5:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP query struggle Here's what I tried: (&(objectCategory=person)(objectClass=user)(publicDelegates=Benjamin*)) I have a mailbox-enabled user named Benjamin Ortega. I figured that using Benjamin* would grab the user(s) that have him set as having Send on behalf permission. I KNOW I have users defined thus but the query returns nothing. Steve Linehan mentions something about the full DN Guess I better 'fess up and say that I'm an LDAP rookie and am not sure what he means But, with some thought about it, here's what worked after I figured out the full DN of the user in question: (&(objectCategory=person)(objectClass=user)(publicDelegates=CN=Benjamin Ortega,CN=Users,DC=cg-engrs,DC=com)) Thanks for pointing me in the right direction. Now to read joe's post Thanks Gordon Pegue From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, August 01, 2006 2:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP query struggle instead of (objectCategory=user) use (objectCategory=person)(objectClass=user) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. 
RE: [ActiveDir] LDAP query struggle
Thanks joe for the very detailed reply! My whole purpose for creating the query is that I had an employee here depart about a month ago and I thought I had cleaned up everything when I finally killed the AD account. What I was not aware of was that some other employees had this person setup as a delegate and there were some weird behaviors taking place when meeting requests were issued So, I wanted to query my AD users to find out who So, as it turns out, your A scenario was what I was after. FWIW I manage a small single-domain forest with about 50 users, and I mostly lurk here to learn. Thanks Gordon Pegue -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, August 01, 2006 3:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP query struggle objectcategory=user isn't optimal, that will get changed to objectcategory=person which will look at all contacts and users, however that wouldn't prevent the query from working unless you are timing out. What tool are you using to submit the query? Does it allow you to specify a timeout? Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1 which is a DN, so if you are actually looking for what users a certain other user has delegate rights to then you could do something like (&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com)) Now down to brass tacks... What do you want to do? Is it A) Users who have ANY publicDelegates configured for themselves? B) Users who have a specific publicDelegate configured for themselves? Aka The users a specific user has publicDelegate access over? If A, then your query can be a simple (&(objectcategory=person)(objectclass=user)(publicdelegates=*)) If B, then the better way is to enumerate the user's publicDelegatesBL attribute. That will list every account he/she has publicDelegate rights to. Do this against the GC though so cross domain links will show up. 
Now finally let me close up with a little bug in this area... This can come up if you have a multidomain forest. If the outlook client gets a GC for a domain that the user isn't in then it is possible that an update to publicDelegates did not occur properly. The whole publicDelegates thing has two aspects, there is some stuff in the STORE and stuff in AD. The stuff in AD is strictly how Send On Behalf is controlled. So it is possible that you will get someone who has publicDelegates listed in AD but Outlook won't show them properly because of the update bug (note that this should be corrected with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also possible for outlook to show someone but they aren't in AD in the attribute. The first is worse than the second because someone could send on behalf of the user and the user wouldn't know it. Go check out the EHLO blog, they talked a lot about this fix. For a detailed description of this issue check out the archives for this list as I really hounded on this problem in about August of 2003 and April or so of 2004 as I was trying to get MSFT to step up and fix it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue Sent: Tuesday, August 01, 2006 4:18 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP query struggle I'd like to create an LDAP query to return a list of users that have the Send on behalf field populated in the Exchange General / Delivery Options properties in ADUC. I cannot seem to make sense of the syntax of the query... (&(objectCategory=user)(publicDelegates=user I'm searching for)) Is there something I'm missing or can someone provide the correct query format to do what I need? 
Thanks Gordon Pegue
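Added here as an illustration, not code from the thread or from joe's tools: a small Python module that builds the scenario A and scenario B filters joe describes with RFC 4515 escaping, mimics how a DN-syntax attribute such as publicDelegates matches (which is why Benjamin* returned nothing), and runs the publicDelegatesBL-style check Gordon needed before deleting a departed user. The sample directory entries and the _normalize_dn helper are constructed assumptions; it runs offline against those entries rather than against a live AD.

```python
"""publicDelegates: build correct LDAP filters and check delegates before offboarding.

publicDelegates has DN syntax (2.5.5.1), so a substring assertion such as
(publicDelegates=Benjamin*) never matches; the value must be the full DN.
The functions below build joe's two filters (A: any delegate set, B: a
specific delegate's DN), simulate DN-syntax matching, and compute the
back link (who still delegates to a given user) over a constructed sample.
"""

# RFC 4515: these characters inside an assertion value must be escaped as \XX
# so that a DN containing them cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# DN taken from the thread; the sample users around it are constructed.
BEN_DN = "CN=Benjamin Ortega,CN=Users,DC=cg-engrs,DC=com"

# Constructed sample directory: user DN -> values of its publicDelegates attribute.
SAMPLE_USERS = {
    "CN=Alice Example,CN=Users,DC=cg-engrs,DC=com": [BEN_DN],
    "CN=Bob Example,CN=Users,DC=cg-engrs,DC=com": [],
    "CN=Carol Example,CN=Users,DC=cg-engrs,DC=com": [
        "cn=benjamin ortega,cn=users,dc=cg-engrs,dc=com",  # DNs compare case-insensitively
        "CN=Dave Example,CN=Users,DC=cg-engrs,DC=com",
    ],
    "CN=Dave Example,CN=Users,DC=cg-engrs,DC=com": [
        "CN=Alice Example,CN=Users,DC=cg-engrs,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape an LDAP assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def any_delegates_filter() -> str:
    """Scenario A: users who have any Send On Behalf delegate configured."""
    return "(&(objectCategory=person)(objectClass=user)(publicDelegates=*))"


def specific_delegate_filter(delegate_dn: str) -> str:
    """Scenario B: users who list delegate_dn (a full DN, not a substring) as a delegate."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(publicDelegates={escape_filter_value(delegate_dn)}))"
    )


def _normalize_dn(dn: str) -> str:
    """Assumed simplification: trim spaces around RDN separators and lowercase.
    Enough for the sample data; it does not handle escaped commas inside RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_syntax_matches(values, assertion: str) -> bool:
    """Mimic matching on a DN-syntax attribute: a bare '*' is a presence test,
    any other wildcard is unsupported (no match), otherwise DN equality."""
    if assertion == "*":
        return bool(values)
    if "*" in assertion:
        return False
    want = _normalize_dn(assertion)
    return any(_normalize_dn(v) == want for v in values)


def users_with_any_delegates(users) -> list:
    """Scenario A evaluated locally: DNs of users whose publicDelegates is populated."""
    return sorted(dn for dn, delegates in users.items() if dn_syntax_matches(delegates, "*"))


def delegate_backlink(users, delegate_dn: str) -> list:
    """Scenario B / publicDelegatesBL: DNs of users that list delegate_dn as a delegate."""
    return sorted(
        dn for dn, delegates in users.items() if dn_syntax_matches(delegates, delegate_dn)
    )


def offboarding_report(users, departing_dn: str) -> dict:
    """What to clean up before deleting departing_dn: its own delegates (forward
    link) and everyone still delegating to it (back link), which is the case
    that produced the odd meeting-request behaviour described in the thread."""
    return {
        "delegates_of_user": list(users.get(departing_dn, [])),
        "still_delegating_to_user": delegate_backlink(users, departing_dn),
    }


if __name__ == "__main__":
    print(specific_delegate_filter(BEN_DN))
    print(dn_syntax_matches([BEN_DN], "Benjamin*"))  # False: substring on a DN attribute
    print(offboarding_report(SAMPLE_USERS, BEN_DN))
```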
RE: [ActiveDir] WINS/DNS access on DC's
What do you mean by View these services? The info that they maintain or the status on the services themselves? The WINS User Group should definitely work to give access to records. To make my life easier in a previous job I just placed auth users into that group for all WINS Machines. As for DNS, well we all know my thoughts there, lots of others more qualified to say how to admin it. :) Oh if you are looking at managing the services or even viewing the status, then you could be running into the ACL issue that is with services now as of K3 SP1. I blogged about it. http://blog.joeware.net/2005/06/12/36/ http://blog.joeware.net/2005/06/12/38/ -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, August 01, 2006 6:36 AM To: Active Subject: [ActiveDir] WINS/DNS access on DC's Single Windows 2003 domain FFL. I have 2 DCs which act as WINS/DNS and DHCP. I want to give our Server Support team the ability to view these services from their workstations via an MMC console. For DHCP, the DHCP Users group provides me with an answer for that, does anyone know how I can get the WINS and DNS service available to them. At the moment when I add the Server name it says it's unavailable and to look at the WINS User group, only problem is I can't find a WINS User group. Note the Server Support Team are not Domain Admins, they have local access to every member server and delegated rights in Active Directory. thanks Frank
RE: [ActiveDir] DNS suffix resolution..
:o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 01, 2006 3:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. Wow, joe and Deji both agreed with me and in the same day :) I am at peace :-^ neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 31 July 2006 20:24 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. One word... disjoint name space. AD itself doesn't need WINS unless DNS is broken because it uses FQDNs. It is everything else. If you have a simple single domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup of a specific type of NetBIOS record or do the lookups themselves with the NetBIOS calls. As you add more domains it becomes more complicated. As you add more trees or go to disjoint namespaces the work required isn't worth the benefit. Personally I like WINS, I have had very very few issues with it even at the Enterprise scale. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe Sent: Monday, July 31, 2006 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two. if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. [Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. 
Otherwise, you need to engineer builds etc very carefully to live without WINS. IF "need" is the operative word, even a multi-domain Forest does NOT NEED WINS for NetBIOS name resolution. Will such Forest benefit from WINS availability? Sure, but only IF the Forest has been configured in such a way that makes WINS presence beneficial. Does this mean that WINS is required? No. It means that the said Forest requires WINS due to configuration decisions made at some point in time, not because of technical or technological dependencies imposed by the Operating System. IF you have a properly defined naming convention (that is to say all your kids are not named "joe") AND you utilize a logical and effective suffix search list (that is to say everyone in your family tree knows everybody else's surname), then your FOREST does not NEED WINS - multi-domain or not, and regardless of the NetBIOS-consumption-propensity of any application. Now you can argue that "proper naming convention" is too fluid and highly unrealistic, and I may not argue with you. You may point out that "appropriate suffix list" in a Forest that has a bazillion and one domain is impractical, and I may let it slide. But... both arguments do not support the assertion that "AD NEEDS WINS". WINS is necessary where both conditions are not met. Where that is not the case, you can happily give the middle finger to WINS. Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services www.akomolafe.com - we know IT Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] Sent: Mon 7/31/2006 8:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. 
Hey - from the machines, i can definitely ping the FQDN. [Neil Ruston] indeed - that should always work unless you have basic DNS issues
If you have hundreds even thousands of workstations, the easiest way to distribute dns suffix search order listing is through group policy? [Neil Ruston] most likely or some kind of login script.
if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. [Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS.
its for this purpose i still use wins. [Neil Ruston] As above, you can design the need for WINS out.
how are your clients tcp/ip properties set at child domains? at HQ sites? [Neil Ruston] It depends upon the requirements of each location. In summary - add all suffices needed to each
RE: [ActiveDir] DNS suffix resolution..
I will beg to differ on the "worth the benefit" claim vis-à-vis the headaches associated with WINS and how less resilient I've found WINS to be compared to DNS. Hey just because it isn't resilient for you doesn't mean it doesn't work ok for some of us. :) I wouldn't say the rest of us because for some reason I have heard lots of people who have had lots of issues with WINS and it confuses me. My WINS architecture worked for hundreds of thousands of machines globally and the only time I had issues is when some dodo would fire up a misconfigured SAMBA machine but I had monitoring in place so I knew about it within seconds of it occurring and had it fixed within minutes even while sending Security out to go rip the machine off the network. I think for an integrated corporate environment, WINS is great. If you have some environment where everyone and their cousin gets a forest, WINS can get to be a bit of a troublesome beast. Most users are hard pressed to recall an FQDN of www.google.com and if you get into a large multitree or disjoint namespace the DNS suffixing is ridiculous to try and use to maintain the ability to use short host names. What do you not like about WINS? Specifically. And please don't mention it isn't a standard based thing, I will refer you to RFCs for NBNS. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe Sent: Monday, July 31, 2006 4:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. Understood. I made similar arguments in some places you will come to see in the very near future. I will beg to differ on the "worth the benefit" claim vis-à-vis the headaches associated with WINS and how less resilient I've found WINS to be compared to DNS. However, my focus is on demystifying the "NEED" assertion. 
I like to take every opportunity I get to point out that, even with Exchange/multi-domain/disjointed names/etc all thrown into the mix, AD still does NOT NEED WINS[1]. AD is capable of functioning correctly (thank you very much) IF efforts are made to do the leg work "upfront". WINS is a substitute... for the inability/unwillingness/some-other-obstacles to do the necessary due diligence necessary to be WINS-less. I call it a crutch and its continued existence and usage speaks more to our comfort level with it, our tendency to go for the quickest fix for any given "issue", and our buying into the oft-repeated claim that WINS is NEEDED. [1] OK, disclosure. The main reason I popped in today to post the original response was to elicit further comment and discussion of this "NEED" thing, with the hope that I may have every side covered thoroughly in some places that will remain nameless for now. Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services www.akomolafe.com - we know IT Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joe Sent: Mon 7/31/2006 12:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. One word... disjoint name space. AD itself doesn't need WINS unless DNS is broken because it uses FQDNs. It is everything else. If you have a simple single domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup of a specific type of NetBIOS record or do the lookups themselves with the NetBIOS calls. As you add more domains it becomes more complicated. As you add more trees or go to disjoint namespaces the work required isn't worth the benefit. Personally I like WINS, I have had very very few issues with it even at the Enterprise scale. 
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe Sent: Monday, July 31, 2006 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS suffix resolution.. This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two. if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. [Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS. IF "need" is the operative word, even a multi-domain Forest does NOT NEED WINS for NetBIOS name resolution. Will such Forest benefit from WINS
RE: [ActiveDir] LDAP query struggle
Lurk away, glad to help out. Don't be afraid to ask questions, we just all seem mean. In real life we are all nice teddy bears, well except Deji. Avoid Deji if you see him coming, he is a bit scary. ;o) joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue Sent: Tuesday, August 01, 2006 5:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP query struggle Thanks joe for the very detailed reply! My whole purpose for creating the query is that I had an employee here depart about a month ago and I thought I had cleaned up everything when I finally killed the AD account. What I was not aware of was that some other employees had this person setup as a delegate and there were some weird behaviors taking place when meeting requests were issued So, I wanted to query my AD users to find out who So, as it turns out, your A scenario was what I was after. FWIW I manage a small single-domain forest with about 50 users, and I mostly lurk here to learn. Thanks Gordon Pegue -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, August 01, 2006 3:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP query struggle objectcategory=user isn't optimal, that will get changed to objectcategory=person which will look at all contacts and users, however that wouldn't prevent the query from working unless you are timing out. What tool are you using to submit the query? Does it allow you to specify a timeout? Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1 which is a DN, so if you are actually looking for what users a certain other user has delegate rights to then you could do something like (&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com)) Now down to brass tacks... What do you want to do? 
Is it A) Users who have ANY publicDelegates configured for themselves? B) Users who have a specific publicDelegate configured for themselves? Aka The users a specific user has publicDelegate access over? If A, then your query can be a simple (&(objectcategory=person)(objectclass=user)(publicdelegates=*)) If B, then the better way is to enumerate the user's publicDelegatesBL attribute. That will list every account he/she has publicDelegate rights to. Do this against the GC though so cross domain links will show up. Now finally let me close up with a little bug in this area... This can come up if you have a multidomain forest. If the outlook client gets a GC for a domain that the user isn't in then it is possible that an update to publicDelegates did not occur properly. The whole publicDelegates thing has two aspects, there is some stuff in the STORE and stuff in AD. The stuff in AD is strictly how Send On Behalf is controlled. So it is possible that you will get someone who has publicDelegates listed in AD but Outlook won't show them properly because of the update bug (note that this should be corrected with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also possible for outlook to show someone but they aren't in AD in the attribute. The first is worse than the second because someone could send on behalf of the user and the user wouldn't know it. Go check out the EHLO blog, they talked a lot about this fix. For a detailed description of this issue check out the archives for this list as I really hounded on this problem in about August of 2003 and April or so of 2004 as I was trying to get MSFT to step up and fix it. 
joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue Sent: Tuesday, August 01, 2006 4:18 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP query struggle I'd like to create an LDAP query to return a list of users that have the Send on behalf field populated in the Exchange General / Delivery Options properties in ADUC. I cannot seem to make sense of the syntax of the query... (&(objectCategory=user)(publicDelegates=user I'm searching for)) Is there something I'm missing or can someone provide the correct query format to do what I need? Thanks Gordon Pegue
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Not disagreeing with you Matt, we're all just in a guess mode without RM providing more information. I love those posts to lists where the original poster never gets back to the questions being posted to his questions Anyways I just made the point that his DIT size is not small for a company not running Exchange. The number of users given was just an example more likely 100k vs. 5k users And naturally most corporate environments then have a similar amount of computer accounts and a strongly varying number of groups (totally depends on group model being used). And even if his AD already included Exchange we couldn't easily tell how large his environment is, simply because there are so many dependencies. That's why I gave those numbers using assumptions certainly nothing to take as a fixed value. Heck, we don't even know his DC version (Win2003 single instance storage of ACE has a huge impact on DIT size) or if he has disabled Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided you have sufficient file servers in your AD and are happily moving data around between the servers (or between volumes), DLT alone can eat up many hundred meg of your AD DIT. Did he defrag or not? Etc. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 10:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box. The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. 
It was more involving I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went Huh? because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc user count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model. On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: Richard doesn't seem to be too keen on giving us further details too bad. But not sure why you Matt - are talking about breaking 1.25 GB with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications. 
/Guido From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 12:02 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle. On 7/29/06, joe [EMAIL PROTECTED] wrote: To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL
RE: [ActiveDir] Read-Only Domain Controller and Server Core
My production patching has been very lucky. I tend to find the bugs in testing and if I get through my testing ok then I haven't had an issue in prod that I can recall, at least nothing in the last 6 or so years. Certainly when I managed an Enterprise (DCs/Wins/And utility servers for domain support) I was at a 100% patch rate for applied patches across the ~390 or so machines and I can't think of any patch that I wanted to apply but it wouldn't go on or would cause a failure if I did so. Once I felt a patch was good and my manager felt it was good (over and above or completely to the side of whether security or the integration group thought it was good) I would usually have a patch out to all of the machines globally in a couple of hours. The process involved pushing the patch package to all of the machines at the same time, then slowly, at first, pulling the triggers on machines that wouldn't have major impact if they all went unavailable together. After about a 1/3 were done then the speed got ramped up and larger numbers would be done at once. At the end the one off utility machines would be touched and I would wrap the new patch into the build wrapup process so it was automatically applied on every new machine built. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, July 31, 2006 6:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core The way I read that was as follows: 20% means that 20% of your assets are unprotected 1/5 of sensitive data is not managed like it should be, controlled, audited, protected etc. 20% of laptops with mobile data isn't encrypted. 20% of desktops unpatched 20% of servers unpatched. You get the idea... 
I seriously doubt that the guys that do the IT in MSland could have a 20% failure rate and not be taking remedial action to change a process or fix something. My guess is you'd like more like a 95 to 99% on that? A 20% failure rate on patching for example is not acceptable and I'd be calling MS and letting them know we got dead bodies that need cleaned up. Which begs the question.. I have seen on the PatchManagement.org listserve a 95% to 97% patch rate being striven for what's the normal % success factor of managed machines do you achieve? Alex Alborzfard wrote: Can you elaborate on why you think 80/20 concept in security is sloppy joe (no pun intended!)? Alex *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *joe *Sent:* Monday, July 31, 2006 3:14 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Read-Only Domain Controller and Server Core It is a sensitive spot with me, I think 80/20 is a great concept, but in security it is a bit sloppy. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Al Mulnick *Sent:* Monday, July 31, 2006 12:29 PM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Read-Only Domain Controller and Server Core Darned if you weren't the only one to pick up on it. :) On 7/30/06, *joe* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Argh there it is 80/20 in a security discussion. Oi! :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm *From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick *Sent:* Saturday, July 29, 2006 10:06 AM *To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org *Subject: *Re: [ActiveDir] Read-Only Domain Controller and Server Core Agreed. Very useful. Guido, I'm curious. 
You mentioned this: However, many companies have organized their AD with a geographic OU structure, which doesn't necessarily match 100% to their site structure, but certainly gets pretty close. And since the delegation model is often configured such that local admins manage particular aspects of the users and computers in their site, it is a common practice to move a user account from one OU to another when the user is relocated to a different location within the company. As such the OU structure is often a good starting base to build policies for which credentials to replicate to which RODC. How many of your customers do you see that travel between those sites and what would be the implications in your scenario/s? This has been a problem that I have seen many times in the past. I'm just curious what you've seen and how
RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
LOL. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, August 01, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide ... [1] DSI = Defending Security Infrastructures -B
On 7/31/06, joe [EMAIL PROTECTED] wrote: If I am fixing security bugs in my program is it ok to get 80% of them and leave the remaining known 20%? Do you have a lot of faith in a firewall that stops 80% of the bad traffic? Or an AV scanner that finds 80%? If I set up a shared folder to get files shared out to multiple folks, is it ok if only 80% of the people I give access to really need the access? What if in that shared folder are personal files about you or your wife or your kids or maybe some compromising photos of you and your mistress[1]? :) How about the flip side, if I set up a shared folder and only 80% of the folks who need the access get it, is that good? Would you have a list of people in the DA group where only 80% really needed the access? Or again on the flip side, only 80% of the people who required it got it? Security should be very tightly controlled. Especially for access. Role based security fits squarely in this hole, IMO. It is probably more a problem with the implementation and the definition of the roles than anything
RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Some of the new laws are definitely coming into play. I have heard more than once from Director level Security folks and CIOs that they want whatever is needed done to make sure they aren't in a position to get sued or even worse go to jail because some (and I am quoting) some numbskull admin screwing up and letting someone have access to something they shouldn't

Security right now is the least important it will be over the next several foreseeable years at least. Expect it to get far more important and consume far more budget until people start figuring out how to do it well, efficiently, and less expensively without compromising the first two more important points.

joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

California law AB1950 and SB1386 That's also real world... where I could get sued for civil damages if I don't do reasonable measures to protect the PII on my network. One of these days that we don't care ... will be in a deposition statement in court.

Matt Hargraves wrote: BTW, I wasn't trying to suggest that people should spend less money on security, just that there are a lot of financial and technical considerations that we don't have control over, so we have to target our security proposals to a real world where companies do want to lower their overall costs and the people saying Cut your budget and I don't care what the implications are (while that's not necessarily exactly they are saying, that's the gist of it).
Creating security models that, when the decision makers look at the costs involved, are going to get denied is a waste of time (and time is money) and will just end up with you having to come up with another model that will meet the requirements, including the monetary requirements. It's either that or we end up deceiving our client (boss, whatever) on the actual cost of the security model that we're implementing. I think we'd all love to have a blank check for security considerations, but we all know that's not going to happen now or any time in the future.

On 8/1/06, * Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: From the pentest listserve... If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke

Matt Hargraves wrote: You made a comment in the previous thread that I think is rather interesting: Get your checkbook out and stop being stingy. :) That's a nice thing to say when you're saying it to someone else. But if they tell you that you have to spend hundreds of thousands of dollars or millions when they have metrics that require them to reduce the costs or it's their job. I'm not trying to minimize the importance of security and least privileged access. Reality is though that we don't control what the rest of the company does, no matter how much 'for their good' it might be. We don't own the data, we don't own the groups. We own the servers, the OS and the security model itself. We can simply provide the tools and try and steer them down the right path, while trying to make sure it's a path that they can walk down. The minute we make a path that's too difficult to walk down, the path will get changed on us for a more manageable model, with only a chance that we're involved at all.
More likely it will be someone who has no knowledge of the environment and is building a straight forward MS says environment that could potentially be worse than what is already in place, but the people who are now making the decisions aren't very busy listening to us any more.
RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Interesting thoughts there... My only tongue in cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o) Raise your hand if in the last year you saw a postit with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance? How many people now see a security problem and shake their head and say, wow that isn't good but there isn't anything I can do about it and then continue on your day. That is the kind of stuff that really needs to stop. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, August 01, 2006 3:28 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core On a totally serious note to Joe's tongue in cheek posting Go to a zoo(1).. and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests.. they don't build their own..but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds. Given that here's what nature does to protect itself what (if anything) has the computing industry done to camouflage to reduce risk? (call me wacko) but it seems to me that we do a lot of footballish type of security models.. offensive moves and defensive moves. 
(Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo...yes.. this high maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo at the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote: Joe's blog doesn't seem to say anything about what DSI actually *is*. I'm not seeing it as a security model beyond my impression of it being Don't tell anyone what your security infrastructure looks like or something like that.

On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Isn't DSI being discussed in great detail at Blackhat starting tomorrow.. or am I mistaken and just thinking about the blog post again? http://blog.joeware.net/2006/07/11/445/

Brett Shirley wrote: I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide ... [1] DSI = Defending Security Infrastructures -B

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Different (open)LDAP Question
Without getting into the politics involved that got us here, suffice it to say that someone with a lot of political clout, no Windows or Active Directory experience (though considerable MAC/OS X experience), and a PhD at the end of their name, made a decision to deploy openLDAP and Active Directory would be fed with information through a connector written specifically for that purpose. For the most part this works well. We have developed a web page that allows users to change passwords, incorporated various (homegrown) connectors to provide for single sign-on to most services, network drives, etc., all platform independent, allowing users to freely move from Windows (~85% total number of systems) to MAC OS-X systems (~15% total number of systems) using the same set of credentials.

One of the few areas where issues have arisen is in the changing of a user's status. I have told them to modify userAccountControl, the programmers (connector is written in OCaml so there is a separate group that handles this) have decided that msDs-User-Account-Control-Computed is the correct attribute to use in order to enable, disable, lock, unlock, etc. a user account. Can someone from this group tell me the differences between these attributes and which would be the correct one to use for the stated purposes?

David Aragon
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster. Not that it's a problem for many environments, just the larger ones. I'd be interested to hear about that environment that Joe was talking about where a DIT went from 900MB to 6GB (and was that defragged?). I mean... holding 5x the native information of AD in *just* the Exchange extensions? Wow... I'd swear if someone wouldn't send me naughty boy messages.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: Not disagreeing with you Matt – we're all just in a guess mode without RM providing more information. I love those posts to lists where the original poster never gets back the questions being posted to his questions… Anyways – I just made the point that his DIT size is not small for a company not running Exchange. The number of users given was just an example – more likely 100k vs. 5k users… And naturally most "corporate" environments then have a similar amount of computer accounts and a strongly varying number of groups (totally depends on group model being used). And even if his AD already included Exchange we couldn't easily tell how large his environment is, simply because there are so many dependencies. That's why I gave those numbers using assumptions – certainly nothing to take as a fixed value. Heck, we don't even know his DC version (Win2003 single instance storage of ACE has a huge impact on DIT size) or if he has disabled Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided you have sufficient file servers in your AD and are happily moving data around between the servers (or between volumes), DLT alone can eat up many hundred meg of your AD DIT. Did he defrag or not? Etc.
/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 10:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box. The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went Huh? because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc user count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt - are talking about breaking 1.25 GB with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time.
It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications. /Guido From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 12:02 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information,
[ActiveDir] Need some user/group tools...
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects) 2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)3) I need to be able to export a list of groups with their list of members and memberships. (NT objects) Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a _vbscript_ to do the grunt work of it in Access or something like that.Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.Thanks for any help that can be provided.
Re: [ActiveDir] Different (open)LDAP Question
msDs-User-Account-Control-Computed is a constructed attribute. Constructed attributes cannot be set manually because they are automatically maintained by the system. Tony

-- Original Message --
From: David Aragon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 1 Aug 2006 15:49:53 -0700
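A worked model of the two attributes, added here as an example for David's question and Tony's answer; it is not code from the list, from the OCaml connector in the question, or from Microsoft. An in-memory Account class stands in for the user entry and modify() stands in for an LDAP modify sent to a DC. The flag values are the documented userAccountControl bits; the way LOCKOUT is derived from lockoutTime and PASSWORD_EXPIRED from password age is a simplified model of what the DC computes on read, and the 30-minute lockoutDuration, 42-day maxPwdAge and the reference clock are assumed values:

```python
"""userAccountControl vs. msDS-User-Account-Control-Computed, modelled offline.

Added example; not code from the list, from the connector in the question,
or from Microsoft.  Account stands in for a user entry and modify() for an
LDAP modify sent to a DC.  Modelled assumption (Tony's point): the DC stores
only userAccountControl, refuses writes to the constructed attribute, and
works out LOCKOUT / PASSWORD_EXPIRED from other attributes at read time.
"""

# Documented userAccountControl bit values (subset).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010             # only ever reported in the computed attribute
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000  # likewise only in the computed attribute

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

NOW = 1154390400              # constructed reference clock, in seconds
LOCKOUT_DURATION = 30 * 60    # assumed domain lockoutDuration (30 minutes)
MAX_PWD_AGE = 42 * 24 * 3600  # assumed domain maxPwdAge (42 days)

# Attributes a connector may write, mapped to the model's storage fields.
WRITABLE = {"userAccountControl": "uac", "lockoutTime": "lockout_time",
            "pwdLastSet": "pwd_last_set"}
CONSTRUCTED = {"msDS-User-Account-Control-Computed"}


class ConstraintViolation(Exception):
    """Raised where the modelled DC rejects the modify."""


class Account:
    """Stand-in for a user entry.  AD keeps lockoutTime and pwdLastSet as
    FILETIME integers where 0 means 'never'; modelled here as plain seconds."""

    def __init__(self, sam, uac=NORMAL_ACCOUNT, lockout_time=0, pwd_last_set=NOW):
        self.sam = sam
        self.uac = uac
        self.lockout_time = lockout_time
        self.pwd_last_set = pwd_last_set


def decode(value):
    """Names of the flags set in a UAC-style bitmask, for audit output."""
    return sorted(name for bit, name in FLAG_NAMES.items() if value & bit)


def computed_uac(acct, now=NOW):
    """Derive msDS-User-Account-Control-Computed the way a DC does on read:
    the stored flags plus LOCKOUT and PASSWORD_EXPIRED, which are never stored."""
    value = acct.uac
    if acct.lockout_time and now - acct.lockout_time < LOCKOUT_DURATION:
        value |= LOCKOUT
    if not value & DONT_EXPIRE_PASSWORD and (
            acct.pwd_last_set == 0                      # must change at next logon
            or now - acct.pwd_last_set > MAX_PWD_AGE):  # older than maxPwdAge
        value |= PASSWORD_EXPIRED
    return value


def modify(acct, attribute, value):
    """LDAP modify stand-in: constructed attributes are refused outright."""
    if attribute in CONSTRUCTED:
        raise ConstraintViolation(f"{attribute} is constructed and read-only")
    if attribute not in WRITABLE:
        raise ConstraintViolation(f"{attribute} is not modelled here")
    setattr(acct, WRITABLE[attribute], value)
    return acct


def set_enabled(acct, enabled):
    """Enable or disable by toggling one bit; every other flag is preserved."""
    uac = acct.uac & ~ACCOUNTDISABLE if enabled else acct.uac | ACCOUNTDISABLE
    modify(acct, "userAccountControl", uac)
    return uac


def unlock(acct):
    """Unlocking means zeroing lockoutTime; clearing LOCKOUT in
    userAccountControl does nothing because the bit is never stored there."""
    modify(acct, "lockoutTime", 0)
    return acct


def write_is_rejected(acct, attribute, value):
    """True when the modelled DC refuses the write."""
    try:
        modify(acct, attribute, value)
    except ConstraintViolation:
        return True
    return False


if __name__ == "__main__":
    a = Account("daragon", lockout_time=NOW - 300)   # constructed: locked 5 min ago
    print("stored:  ", decode(a.uac))
    print("computed:", decode(computed_uac(a)))
    print("write to computed attr rejected:",
          write_is_rejected(a, "msDS-User-Account-Control-Computed", 0))
```

The point for the connector team: the two attributes differ in direction. userAccountControl is what you write to enable or disable; the computed attribute is what you read to learn whether the account is currently locked or its password expired, and a lock is cleared by writing lockoutTime, not by touching either bitmask.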
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with Password: ilikebananas and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold them and always make sure they take it down and throw it away themselves... taking ownership of disposing of eliminating their security risk). They stick it under their keyboards, in the top drawer of their desk... basically taking it out of sight so that we won't catch them. Unfortunately the people who are trying to breach your security are at least smart enough to check the top drawer, under the keyboard, under the monitor, under the paperweight, etc... I for one, would love to see AD related security taken a lot more seriously. Restricting the Domain Admins group members, applying more granular security throughout the environment so that if I need to create computer objects in the User workstations OU, then I can create them there and only there. If I can only change the user's homedrive location, then that's all I get the rights to do. It's only a lot of work when you first implement it and after it's done, then your overhead is mostly done and the minor cost of maintaining it is relatively low. Unfortunately it's difficult to get the momentum going to implement this level of security. As for security models, whether RBS or ABS... problems are abound. RBS is easy to audit, but grants rights that aren't necessarily required. ABS bloats quickly and ends up with someone having membership in many groups that haven't been needed for the past 18 months (or longer) because the group administrator added the user for a one-time reason and never removed them and on the last 18 once per month (or quarter or whatever) security audits, they verified that the user still needs those group memberships, out of sync with reality. Which is better? 
I think both can be ugly on their face when taken alone. Using a combination of the two is hopefully better (when people aren't getting added into both), but with the volume of data in many environments, it gets more and more difficult to control that data with any reasonable level of confidence, no matter what you do with your security model.
RE: [ActiveDir] Need some user/group tools...
You can certainly get all the piece parts from here: http://rallenhome.com/books/adcookbook/code.html And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here: http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some user/group tools...
[ActiveDir] OT: XP exploit
Use GPO to prevent users from running the scheduler. Need to do a reg hack to block local accounts. http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.html
Re: [ActiveDir] Need some user/group tools...
That's not even fair, I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?

On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote: You can certainly get all the piece parts from here: http://rallenhome.com/books/adcookbook/code.html And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here: http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some user/group tools...

This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.
1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)
Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a _vbscript_ to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL. Thanks for any help that can be provided.
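The 'connect the dots' step asked for in the thread (overall membership across domains, including nesting) is the part no export tool does for you. The script below is an added example, not code from either poster: it assumes the per-domain exports (adfind, dsquery, or an NT-domain tool) have been normalised into one constructed CSV layout with one row per direct membership, where members from another domain appear as DOMAIN\name. It walks the nesting in both directions, survives a group-membership cycle (which real directories do contain), and writes the user-to-effective-group result back out as CSV for Access or SQL.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data): one row per DIRECT membership,
# merged from three domains. "group" rows nest another group; "user" rows are
# people. Note the deliberate cycle: FileServer-Admins -> Helpdesk ->
# Share80385-RW -> FileServer-Admins.
DIRECT_MEMBERSHIP_CSV = """domain,group,member,member_type
CORP,CORP\\FileServer-Admins,CORP\\jdoe,user
CORP,CORP\\FileServer-Admins,CORP\\Helpdesk,group
CORP,CORP\\Helpdesk,CORP\\asmith,user
CORP,CORP\\Helpdesk,RES\\Share80385-RW,group
RES,RES\\Share80385-RW,RES\\bjones,user
RES,RES\\Share80385-RW,CORP\\FileServer-Admins,group
NTDOM,NTDOM\\Mechanics,NTDOM\\jcrank,user
NTDOM,NTDOM\\Mechanics,RES\\Share80385-RW,group
"""


def parse_export(csv_text):
    """Build group -> {(member, kind)} plus the set of all user names."""
    members_of = defaultdict(set)
    users = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        members_of[row["group"]].add((row["member"], row["member_type"]))
        if row["member_type"] == "user":
            users.add(row["member"])
    return members_of, users


def effective_members(group, members_of):
    """All users who land in `group` through any chain of nested groups."""
    seen_groups = set()   # expanded once only; this is what breaks cycles
    result = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen_groups:
            continue
        seen_groups.add(current)
        # A group referenced only as a member (no rows of its own) is empty.
        for member, kind in members_of.get(current, ()):
            if kind == "user":
                result.add(member)
            else:
                stack.append(member)
    return result


def effective_groups(members_of):
    """Invert the view: user -> every group they are in, directly or nested."""
    user_groups = defaultdict(set)
    for group in members_of:
        for user in effective_members(group, members_of):
            user_groups[user].add(group)
    return user_groups


def write_report(user_groups):
    """Flatten to CSV rows (user, effective_group), sorted for diffing."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "effective_group"])
    for user in sorted(user_groups):
        for group in sorted(user_groups[user]):
            writer.writerow([user, group])
    return out.getvalue()


if __name__ == "__main__":
    members_of, _ = parse_export(DIRECT_MEMBERSHIP_CSV)
    print(write_report(effective_groups(members_of)))
```

The sample keys everything on DOMAIN\name for readability; on real exports key on the SID instead, since a renamed or re-created group with the same name is a different principal and the name-based join would silently merge them.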
RE: [ActiveDir] OT: XP exploit
This is silly. At least on XP, a normal, non-admin user cannot add AT jobs. So, yes, this would work if the user is local admin, but big deal. At that point, who cares? Is the point here that I can elevate from Administrator to LocalSystem? I'm not really sure that's a revelation... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris Sent: Tuesday, August 01, 2006 7:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: XP exploit Use GPO to prevent users from running the scheduler. Need to do a reg hack to block local accounts. http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.html
RE: [ActiveDir] OT: XP exploit
Interesting exploit. Although I think this might not be new. I fired up a somewhat old Windows XP VM I had to test it, and despite the fact that standard users had permissions to read & execute AT.EXE, they were still denied access. Same deal on my company workstation which is absolutely up to date. I'm assuming that may be due to a patch that came through at some point in the past? I just wanted to make sure so I know whether I need to act on this or not. From: [EMAIL PROTECTED] on behalf of Derek Harris Sent: Tue 8/1/2006 7:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: XP exploit Use GPO to prevent users from running the scheduler. Need to do a reg hack to block local accounts. http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.html
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
On Tue, 1 Aug 2006 18:29:24 +0100, Grillenmeier, Guido [EMAIL PROTECTED] said: Richard doesn't seem to be too keen on giving us further details - too bad. Sorry, been busy... 400 unread msgs from this list, got some catching up to do. What does the current environment look like? How extensive is your Exchange deployment going to be? 4800 user accounts, 3500 computer accounts. Maybe 3000-ish Exchange users? I'm leaning towards doing 64-bit everywhere we possibly can. It does seem like the more forward looking option. RM
RE: [ActiveDir] OT: XP exploit
Yeah, I jumped too soon; I tested it when I got home, and verified that it doesn't work with user or power user privs. Sorry for the noise. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN Sent: Tuesday, August 01, 2006 9:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: XP exploit Interesting exploit. Although I think this might not be new. I fired up a somewhat old Windows XP VM I had to test it, and despite the fact that standard users had permissions to read & execute AT.EXE, they were still denied access. Same deal on my company workstation which is absolutely up to date. I'm assuming that may be due to a patch that came through at some point in the past? I just wanted to make sure so I know whether I need to act on this or not. From: [EMAIL PROTECTED] on behalf of Derek Harris Sent: Tue 8/1/2006 7:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: XP exploit Use GPO to prevent users from running the scheduler. Need to do a reg hack to block local accounts. http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.html