FW: [ActiveDir] LDAP Ping

2006-08-07 Thread Mark Parris
Just in case it went out blank as highlighted by other people.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 04 August 2006 21:30
To: ActiveDir.org
Subject: Re: [ActiveDir] LDAP Ping

What SP level are you at? I remember when I was working at a big bank we used to have this issue on certain DCs and it was escalated quite high within MS and was never fully resolved, but it was something to do with RDP/TS remote admin - please excuse my vagueness but it was 4 years ago. Under SP3 it was terrible - SP4 it was bearable - some totally unrelated KB which had a snippet, ie can also cause this - resolved the issue.

If I can find my old Black and Red for that period, I will let you know the KB.

Mark




-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Date: Fri, 4 Aug 2006 15:47:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Yes, it sure is.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 04, 2006 3:09 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] LDAP Ping

Is the box a Windows 2000 box and it just sits at the Windows 2000 blue screen - totally pingable but doing nothing else?

-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Date: Fri, 4 Aug 2006 12:47:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

No, we can't RDP into the box when it hangs. We have tools that do everything from NetIQ Application Manager to HP OpenView to Ethereal, but if I get here in the morning and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures. Much like the EventComb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request.
  
Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

You can't ask that, coz that'd be troubleshooting :-^

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Are you able to RDP to the DC when it hangs?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

It's not for troubleshooting; it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.

Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you LDAP ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

My 2 penneth :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?

Thanks,

Nate
PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended recipient 
of this email please notify the sender immediately and delete your copy from 
your system. You must not copy, distribute or take any further action in 
reliance on it. Email is not a secure method of communication and Nomura 
International plc ('NIplc') will not, to the extent permitted by law, accept 
responsibility or liability for (a) the accuracy or completeness of, or (b) the 
presence of any virus, worm or similar malicious or disabling code in, this 

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread neil.ruston



That's a huge subject; a useful link is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects:

Using adsiedit:
1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,

could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

i've done auditing on the desktop level, just wondering what's changed..

On 8/4/06, Paul Williams [EMAIL PROTECTED] wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends; generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

- Original Message -
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

thanks

James

--
HBooGz:\

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,

Are there any risks by carrying out your change listed below or is it a straightforward procedure?

I don't think I have this enabled; if I do, would that mean in the future if a DNS record is deleted this can be traced?

We use MOM here, is this something I could use?

thanks

Jim

Re: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

2006-08-07 Thread Matheesha Weerasinghe
If you look in the AD Delegation document
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en
it shows the adminsdholder has permissions defined for the Terminal Server License Servers group. It's allowed to view a terminalserver attribute that is defined on the user object and hence inherited by other classes based on it, such as computer. I am not aware of the importance of the terminalserver attribute, but judging by the MSDN explanation it looks like something maintained for backwards compatibility.

I can't view the site right now as it's blocked by my corp's net nanny software as an adults only site. Go figure! But I remember it said something about opaque data and Windows NT. I cannot see any harm with adding your license servers to the group, but then check with others before doing so and test in a lab to see if there are any known issues.

Might want to read http://support.microsoft.com/kb/895151/en-us as well. If you want some good details on terminal server licensing please refer to this doc:
http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx

I have a domain based TS License server and it shows up just fine in lsview if launched from a machine in the same site as the license server. If launched from a different site I get the same results as yours: green with no server names. I enabled the log file and configured lsview to check for a license server every 1 minute, and all it's logged is checking the local machine to see if it's a domain license server. It's not, so it failed. No messages about being able to find the correct domain license server.

If I do this on a machine in the same site as my domain license server, it immediately logs the fact that it found it. I don't have any enterprise license servers to test with so can't comment. I also haven't done any network traces either, so I am not sure if it is indeed doing the license server discovery as a normal TS client would at logon time. Might do later if I get the time.

Regards
M@

On 8/6/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Hi Freddy,

Thanks for the feedback. But I get the same result from the W2K lsview.exe. And this is running these tools right on the license server/domain controller! I am thinking that I need to manually populate the AD group Terminal Server Licensing Servers. Conversely, I hate making changes when there are no known problems.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Sunday, August 06, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi Mike

I had the same problems, on which I actually logged a PSS call; try using the Windows 2000 resource kit version of lsview.exe and it works fine.

Basically, if I remember this correctly, using the Win2003 lsview.exe it will only detect it if your machine is in the same site as the TSLS server; if you are running the lsview on a machine that is outside the site, it wouldn't detect it.

No solution, fed up with the answers I was getting - closed the ticket (as I thought this only occurs in my ex company, apparently now I'm getting the same result as well).

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates but the spotlight icon shows green (ie, everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,

Mike Thommes

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread neil.ruston

Neil,

Are there any risks by carrying out your change listed below or is it a straightforward procedure?

[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs, but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.

I don't think I have this enabled; if I do, would that mean in the future if a DNS record is deleted this can be traced?

[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here, is this something I could use?

[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) although other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)

thanks

Jim
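One way to script the adsiedit steps Neil gives, added here as an example and not a tool from the thread: it adds Success and Failure "Write all properties" audit entries for Everyone, applied to descendant dnsZone and dnsNode objects under CN=MicrosoftDNS,CN=System. It assumes the domain DN is passed as a parameter and that the account running it holds the "Manage auditing and security log" right; the SACL only produces events once "Audit directory service access" is enabled in the DCs' audit policy, which is the "necessary auditing" Paul refers to earlier in the thread.

```powershell
# Scripted equivalent of the adsiedit steps: audit Success and Failure of
# "Write all properties" by Everyone on every dnsZone and dnsNode object under
# CN=MicrosoftDNS,CN=System. Added example; the DN below is a placeholder.
# Usage: .\Add-DnsAuditSacl.ps1 -DomainDn 'DC=example,DC=com' [-Preview]
param(
    [Parameter(Mandatory = $true)][string]$DomainDn,
    [switch]$Preview     # show the resulting SACL instead of committing it
)

Add-Type -AssemblyName System.DirectoryServices

# The GUI's "Apply onto: dnsZone objects" is an inherit-only ACE whose
# InheritedObjectType is the class's schemaIDGUID; look it up rather than hard-code it.
function Get-SchemaClassGuid {
    param([string]$LdapDisplayName)
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "Class '$LdapDisplayName' not found in the schema" }
    # schemaIDGUID is stored as a 16-byte octet string
    return New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties['schemaidguid'][0])
}

$dnsRoot = [ADSI]"LDAP://CN=MicrosoftDNS,CN=System,$DomainDn"
# DirectoryEntry reads owner/group/DACL by default; ask for the SACL too,
# otherwise CommitChanges() writes nothing audit-related.
$dnsRoot.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl,Sacl'
$sec = $dnsRoot.psbase.ObjectSecurity

$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'  # well-known Everyone SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty   # "Write all properties" (no property GUID)
$flags    = [System.Security.AccessControl.AuditFlags]'Success,Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($class in 'dnsZone', 'dnsNode') {
    $classGuid = Get-SchemaClassGuid -LdapDisplayName $class
    # Overload (identity, rights, auditFlags, inheritanceType, inheritedObjectType)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $rights, $flags, $inherit, $classGuid
    $sec.AddAuditRule($rule)
    Write-Host "Queued audit ACE for $class objects ($classGuid)"
}

if ($Preview) {
    # Explicit (non-inherited) audit rules now present on CN=MicrosoftDNS
    $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritedObjectType
} else {
    $dnsRoot.psbase.CommitChanges()
    # Resulting events land in each DC's Security log under "Directory Service Access"
    # (event 566 on Windows 2003, 4662 on later versions), one DC per log, as Paul noted.
}
```

Run with -Preview first and confirm two rules show up, one per class, before committing; the extra event volume Neil mentions is the price of the Success entries, so drop to Failure only if the log rolls over too fast.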

  

[ActiveDir] DCs Hyper-Threading

2006-08-07 Thread Wyatt, David
What are people's views on whether to enable or disable hyper-threading on a Proliant box running Windows 2003 as a DC? I remember Intel advised HT to be disabled on Windows 2000, but has this changed for Windows 2003? Are the performance benefits significant for a DC?

Thanks
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.



RE: [ActiveDir] LDAP Ping

2006-08-07 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
I am working at SP4 and am patched up to date. I got a recommendation from the Microsoft folks to set the Ctrl-Scroll Lock reg key on our DC so it won't hang and it will actually blue screen and generate a memory dump. If you cannot remember that KB article Mark, or what it had to do with, I think I will go ahead and set the key so the dump can be evaluated. The DC is taking NTFRS errors, so I had to set the enable journal wrap value to add it back into the replica set following deletion from the set due to corruption. I still don't think this should cause the system to hang as it does.

Nate
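A scripted version of the "morning check" Nate describes, added here as an example and not one of the tools named in the thread: it walks up the stack from ICMP to TCP 389/135, an anonymous rootDSE read with a hard timeout, and the Netlogon LDAP ping that nltest performs, so a DC that still answers ping but is otherwise hung shows up as failed at the first layer that stops responding. The DC name, domain and timeout are parameters you supply; the script file name is a placeholder.

```powershell
# Quick DC liveness check that goes beyond ICMP. Added example for this thread.
# Usage: .\Test-DcHealth.ps1 -DcName dc01.corp.example   (placeholder name)
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [string]$DomainDns = $env:USERDNSDOMAIN,   # domain used for the nltest LDAP ping
    [int]$TimeoutMs = 3000                       # a hung DC must fail fast, not block the script
)

# TCP connect with a timeout; TcpClient.Connect alone can block for a long time
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Anonymous base search of rootDSE: proves the LDAP service itself answers a
# query, not just that the TCP listener accepts connections. currentTime and
# isSynchronized are returned to anonymous binds on AD DCs.
function Get-RootDseStatus {
    param([string]$ComputerName, [int]$Timeout)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList "$($ComputerName):389"
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.Timeout = [TimeSpan]::FromMilliseconds($Timeout)
        $attrs = [string[]]@('currentTime', 'isSynchronized')
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList '', '(objectClass=*)', 'Base', $attrs
        $entry = $conn.SendRequest($req).Entries[0]
        return @{
            Ok             = $true
            CurrentTime    = [string]$entry.Attributes['currentTime'][0]
            IsSynchronized = [string]$entry.Attributes['isSynchronized'][0]
        }
    } catch {
        return @{ Ok = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$result = [ordered]@{ DC = $DcName }

# 1. ICMP: what the monitoring software already does, and what a hung DC still passes
$result.Icmp = Test-Connection -ComputerName $DcName -Count 1 -Quiet

# 2. Transport: LDAP (389) and the RPC endpoint mapper (135)
$result.Tcp389 = Test-TcpPort -ComputerName $DcName -Port 389 -Timeout $TimeoutMs
$result.Tcp135 = Test-TcpPort -ComputerName $DcName -Port 135 -Timeout $TimeoutMs

# 3. Application: does LDAP actually answer a query within the timeout?
$rootDse = Get-RootDseStatus -ComputerName $DcName -Timeout $TimeoutMs
$result.LdapAnswers    = $rootDse.Ok
$result.LdapTime       = $rootDse.CurrentTime
$result.IsSynchronized = $rootDse.IsSynchronized
$result.LdapError      = $rootDse.Error

# 4. Netlogon: nltest sends the Netlogon "LDAP ping" (DsGetDcName) to the named DC,
#    the same locator query clients use; a DC that is up but not advertising fails here
$null = & nltest.exe "/dsgetdc:$DomainDns" "/server:$DcName" /force 2>&1
$result.NetlogonPing = ($LASTEXITCODE -eq 0)

# Anything false is the layer to chase; rpcping (already in the thread) covers RPC proper
[pscustomobject]$result | Format-List
```

Run it against several DCs in a loop and keep only the objects with a false property to get the "successes and failures" list Nate wants without reading full tool output.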


RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,thanks for your response, would you say the best way for me to view the audits wouldbe from the Event Viewer console?Jim[EMAIL PROTECTED] wrote:  Neil,Are there any risks by carrying out your change listed below or is it a straight forward procedure.[Neil Ruston]The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not*
 auditing this type of change. As usual, it depends upon your environment and your requirements.I don't think I have this enabled, if I do would that mean in the future if a DNS record is deleted this can be traced?[Neil Ruston]Yes, if the zone is stored in AD.We use MOM here, is this something I could use?[Neil Ruston]MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here.These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct
parlance :)

thanks

Jim

[EMAIL PROTECTED] wrote:

That's a huge subject, a useful link is here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects:

using adsiedit

1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself. As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,

could you point me to an article on how to set up auditing for dns modifications and overall domain auditing ?

i've done auditing on the desktop level, just wondering what's changed..

On 8/4/06, Paul Williams [EMAIL PROTECTED] wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

- Original Message -
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain

thanks

James

Do you Yahoo!?
Next-gen email? Have it all with the all-new Yahoo! Mail Beta.

--
HBooGz:\

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
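Neil's adsiedit steps and Paul's whenChanged tip, done programmatically, as an added example that is not part of any post in this thread. The function names, the assumption that the zones live under CN=MicrosoftDNS in the domain NC, and the event IDs in the comments are mine, not the thread's.

```powershell
# Added example, not from the thread. Add-DnsAuditRules applies the SACL entries
# from Neil's adsiedit steps via System.DirectoryServices; Get-TombstonedDnsNodes
# lists nodes the DNS server has tombstoned, with whenChanged as the rough deletion
# time Paul mentions. Assumed: AD-integrated zones in the domain NC, a caller with
# SeSecurityPrivilege, and "Audit directory service access" enabled on the DCs
# (the resulting events are ID 566 on Windows 2003 and 4662 on later versions).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$dnsDn    = "CN=MicrosoftDNS,CN=System,$domainDn"
function Get-SchemaClassGuid([string]$ldapDisplayName) {
    # Resolve the class's schemaIDGUID at run time rather than hard-coding it
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$schemaDn")
    $s.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))"
    $r = $s.FindOne()
    if (-not $r) { throw "schema class $ldapDisplayName not found" }
    New-Object Guid -ArgumentList (,[byte[]]$r.Properties["schemaidguid"][0])
}
function Add-DnsAuditRules {
    $dns = [ADSI]"LDAP://$dnsDn"
    $dns.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl  # read and write the SACL only
    $sd = $dns.psbase.ObjectSecurity
    $everyone = New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"       # step 4: group Everyone
    foreach ($class in "dnsZone", "dnsNode") {                                           # steps 5 and 8
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
            $everyone,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,           # "Write all properties"
            [System.Security.AccessControl.AuditFlags]"Success, Failure",              # step 6
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            (Get-SchemaClassGuid $class))                                              # "Apply onto" this class
        $sd.AddAuditRule($rule)
    }
    $dns.psbase.CommitChanges()                                                          # step 9
}
function Get-TombstonedDnsNodes {
    # A deleted record's node is flagged dNSTombstoned=TRUE until its final removal,
    # so whenChanged on those nodes dates the deletion within the tombstone window
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$dnsDn")
    $s.Filter = "(&(objectClass=dnsNode)(dNSTombstoned=TRUE))"
    $s.PropertiesToLoad.AddRange([string[]]("name", "whenChanged", "distinguishedName"))
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            Record      = [string]$r.Properties["name"][0]
            Zone        = ([string]$r.Properties["distinguishedname"][0] -split ",", 2)[1]  # parent DN = zone
            WhenChanged = $r.Properties["whenchanged"][0]
        }
    }
}
Add-DnsAuditRules
Get-TombstonedDnsNodes | Sort-Object WhenChanged -Descending | Format-Table Record, Zone, WhenChanged -AutoSize
```

The SACL only produces events; as Paul says, you still have to search each DC's security log, which is where Ai Chung's EventComb suggestion below fits.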

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread ai-chung_chong

With a large number of events registered in the security log, it
will be more efficient if you use EventComb to extract the relevant log that
you need.

Regards,

Ai Chung

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Tuesday, August 08, 2006 12:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DNS entry

Neil,

thanks for your response, would you say the best way for me to view the
audits would be from the Event Viewer console?

Jim

[EMAIL PROTECTED] wrote:

Neil,

Are there any risks by carrying out your change listed below or is it a
straightforward procedure?
[Neil Ruston] The steps merely add SACL entries to DNS objects - that will
certainly result in more security events and a slight overhead on the DCs, but
you need to weigh that against the risk of *not* auditing this type of change.
As usual, it depends upon your environment and your requirements.

I don't think I have this enabled; if I do, would that mean that in the
future, if a DNS record is deleted, this can be traced?
[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here, is this something I could use?
[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with
security monitoring. MS don't have an app in that space (yet), although other
vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors
offer tools that help with tracing changes (or 'forensic analysis', to use the
correct parlance :)

thanks

Jim

[ActiveDir] Basic GPO question

2006-08-07 Thread Rimmerman, Russ



I have a software 
installation GPO (published, not assigned) that I have linked to many OUs. 
I now want to move it up to the domain level. Will it hurt to have it 
linked to both the domain level, and many sub OU levels simultaneously? I 
assume the login process is smart enough to see that it's already been applied 
at one level and not try double applying it a second time or something else 
weird like that. I guess once I link it at the domain level I can go ahead 
and kill all the OU level links? 


~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Basic GPO question

2006-08-07 Thread Brian Desmond

You'll be fine.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Rimmerman, Russ
Sent: Monday, August 07, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Basic GPO question

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread Marcus.Oh

I've been looking to do this too, but specifically for records w/out a TTL. In
other words, I want to capture static records only, since dynamic will
constantly change. Any ideas?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DNS entry