[ActiveDir] DMZ and Trusts
Hello

Imagine the following scenario: you have an internal W2K3 forest and an external W2K3 forest on the DMZ. Management wish to create a one-way trust between the two forests so the DMZ forest trusts the internal forest for an application. I have read that this is obviously possible but not recommended and cannot find out why. Does anyone know what the exact security issues or exploits could be? Assume we have a firewall with the rules configured to only allow trust traffic through.

Regards
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
RE: [ActiveDir] DMZ and Trusts
David,

The solution you require is documented by Microsoft as the perimeter network scenario in the following Microsoft document: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx

One gotcha is that your admin staff have to have accounts in the DMZ domain as well as the internal domain, as you can't assign a foreign security principal to a global or universal group in another forest, which precludes making your internal domain accounts into Enterprise or Domain Admins in the DMZ forest.

Hope this helps

Mike Guest | Capgemini | Sale Server Support | Outsourcing UK
Office: +44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

From: Wyatt, David, Sent: 25 August 2006 11:10, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] DMZ and Trusts

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
[ActiveDir] DNS Performance Counters
Good morning folks. I kind of run into this all the time... I am setting up performance monitoring of our DNS servers. I found a good reference: Domain Name System (DNS) Service Product Operations Guide. It gives me a bunch of counters to monitor. The problem is interpreting the counters: what is acceptable, what kinds of things should lead you to further investigation, etc. Everything I find goes like this: "Secure Update Failure = Secure Update Failure is the total number of secure updates failed of the DNS server." Well, that explains everything. Does anyone have a good reference for DNS performance counters that explains what they actually mean and what measurements might be out of bounds?

Thanks
Johnny Figueroa
Supervisor Network Operations Support, Network Services, Banner Health
Voice (602) 747-4195, Fax (602) 747-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately.
RE: [ActiveDir] DNS Performance Counters
I personally thought that the referenced document is good enough for understanding DNS monitoring. Take the "secure update failure" part for an example. You'd typically want to monitor a trend in this failure over a specific period of time and then establish a benchmark. You can say: "we typically get 5-10 secure update failures a day, and we know that these are coming from misconfigured/rogue devices because we looked in the event log and we chased them down and we verified that, yeah, their requests should be rejected." Or simply: "there are 5-10 such failures a day and we don't know where they are coming from, but we know how many we 'typically' get."

Now that you have a baseline from your historical trend, you move on to the next stage of your monitoring: looking for deviations. This is where you say "if we start getting 20 or more of these queries a day, then we need to drop everything and thoroughly investigate."

In other words, the monitoring guideline you see in that document is intended to guide you as to what is relevant to "look for". It is not intended to tell you why what you are seeing is happening. It is a list of things pertinent to your DNS server's health. It is up to you to decide which of them you want to monitor, how you want to monitor them, and what you want to do when you come across deviations. What you do with the information is up to you. This is where digging through the event log and using MOM management packs and similar tools come in.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: Figueroa, Johnny, Sent: Fri 8/25/2006 9:34 AM, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] DNS Performance Counters
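The baseline-then-deviation approach Deji describes, worked through in code. This is an added example, not code from the thread or from the DNS Operations Guide. It assumes the "Secure Update Failure" counter is sampled once a day as a raw cumulative value (for example from a perfmon or logman counter log), builds a baseline from the historical days, and classifies the latest day both against that baseline and against the hard "20 a day" limit from the message above. The readings are constructed sample data, not measurements from any real server, and the reset between the 10th and 11th reading is there to show how a DNS service restart zeroes a cumulative counter.

```python
"""Baseline-then-deviation check for a DNS performance counter.

Added example, not code from the ActiveDir thread. It implements the approach
described in the message above for the DNS "Secure Update Failure" counter:
work out what a "typical" day looks like from historical samples, then
classify the latest day against that baseline and against a hard limit agreed
in operations.

Assumptions: the counter is read once a day (e.g. from a perfmon/logman
counter log) as a raw cumulative value; the readings below are constructed
sample data, not measurements from any real server.
"""
from dataclasses import dataclass
from statistics import median

# Constructed sample: 15 daily readings of the cumulative counter. Cumulative
# counters only increase until the DNS service restarts, after which they
# start again from zero (simulated between the 10th and 11th reading).
SAMPLE_READINGS = [100, 106, 114, 121, 126, 135, 145, 151, 158, 166, 5, 14, 21, 27, 35]

# Hard limit from the discussion above: 20 failures in a day means drop
# everything and investigate, whatever the statistical baseline says.
HARD_LIMIT = 20


def daily_deltas(readings):
    """Turn cumulative readings into per-day counts, surviving counter resets."""
    deltas = []
    for prev, cur in zip(readings, readings[1:]):
        if cur < prev:
            # Service restarted: the reading is already the count since the restart.
            deltas.append(cur)
        else:
            deltas.append(cur - prev)
    return deltas


@dataclass(frozen=True)
class Baseline:
    center: float  # median daily count: what "typical" looks like on this server
    spread: float  # median absolute deviation: how much a normal day varies


def build_baseline(daily_counts):
    """Median/MAD rather than mean/stddev, so one bad day already in the
    history does not drag the baseline up and hide the next bad day."""
    center = median(daily_counts)
    spread = median([abs(c - center) for c in daily_counts])
    return Baseline(center, spread)


def classify(value, base, k=3.0, hard_limit=HARD_LIMIT):
    """'normal', 'investigate' (unusual for this server) or 'critical' (hard limit hit)."""
    if value >= hard_limit:
        return "critical"
    # A perfectly flat history gives MAD == 0; floor the spread so that a
    # change of a single failure is not reported as an anomaly.
    envelope = base.center + k * max(base.spread, 1.0)
    if value > envelope:
        return "investigate"
    return "normal"


def evaluate(readings, k=3.0, hard_limit=HARD_LIMIT):
    """Baseline on every day but the latest, then classify the latest day."""
    deltas = daily_deltas(readings)
    if len(deltas) < 2:
        raise ValueError("need at least three readings to baseline and compare")
    history, latest = deltas[:-1], deltas[-1]
    base = build_baseline(history)
    return base, latest, classify(latest, base, k, hard_limit)


if __name__ == "__main__":
    base, latest, verdict = evaluate(SAMPLE_READINGS)
    print(f"baseline median={base.center} MAD={base.spread}; today={latest}: {verdict}")
```

With the sample data the baseline comes out at a median of 7 failures a day with a MAD of 1, so a day of 8 is normal, a day of 14 is flagged for investigation, and a day of 25 trips the hard limit. The two-tier verdict matters in practice: the statistical envelope catches a change that is small in absolute terms but unusual for your server, while the hard limit is the number everyone has agreed means "drop everything" regardless of history.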
Re: [ActiveDir] DMZ and Trusts
Where are you pulling the "not recommended" from? The issues are not typically technical, but rather procedural once you get past the "yes, but if it's a DMZ, should internal users have direct access?" questions. :)

One other thing to point out: the users will also have to have direct access to the application. From a network perspective, that's often seen as an issue because the firewall is then configured for any --> DMZ host. That really does defeat the purpose of a DMZ in most cases.

My added $0.04 anyway.

-ajm

On 8/25/06, Wyatt, David [EMAIL PROTECTED] wrote:
Re: [ActiveDir] DNS Performance Counters
Curious. What would make that sentence make sense to you? It makes perfect sense to me. The threshold is going to be dependent on your unique environment. Are there guidelines? Yes. Are they relevant to you? Not able to tell. A typical approach to this situation is to get a baseline of these counters and correlate that to normal operating behavior for your environment as you've designed it. Your tolerance for these counters and mine may very well be different.

IIRC, MOM has a lot of counters and thresholds for DNS that should be based on best practice/resource kit guidelines. You might be able to reference MOM counters as a one-stop, or you could go look up the best practices in the reskits etc. I'd opt for the approach of baselining. You'll end up doing that anyway at some point.

Al

Oh, one other thing. My tolerance for that particular counter is pretty high. Why? Because name res is a mess where I am currently while Windows domains are being consolidated and removed and legacy issues are being dealt with. Could be a while, but I'm not concerned because of 50K entities that cannot securely update their DNS records.

On 8/25/06, Figueroa, Johnny [EMAIL PROTECTED] wrote:
RE: [ActiveDir] DNS Performance Counters
A baseline of a healthy DNS server to compare against is definitely part of the answer. I was just looking for a place to start; every environment is different, but typically I know what the rules of thumb are when it comes to disk, memory, processor and similar objects that you monitor. Thanks, this will help.

From: Akomolafe, Deji, Sent: Friday, August 25, 2006 9:56, To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] DNS Performance Counters
[ActiveDir] Agents on Domain Controllers
Is it just me, or does it seem like everyone wants to put an agent or 5 on Domain Controllers these days? Anyone know of any agents to steer clear of (besides all of them)?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Agents on Domain Controllers
Depends on what the agent is supposed to be doing, whether or not it's been proven stable or crappy, and whether or not your administrative/security philosophy allows such an agent to be deployed on DCs. AFAIK, there is no credible reason to mandate a blanket no-agent-on-DC security or operational posture.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: [EMAIL PROTECTED], Sent: Fri 8/25/2006 10:55 AM, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] Agents on Domain Controllers
[ActiveDir] disable 200 users
Hi,

I have been given a list of 200 users to disable and move to another OU. The users are not currently in the same OU but in many different OUs. I am trying to use the txt file that contains the list of users to be disabled. How can I do this?

I was trying to use the query tool that comes with AD Users and Computers to select the users but got nowhere with

(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user1))))
(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user2))))

etc.

Thanks
Rezuma
Re: [ActiveDir] Agents on Domain Controllers
I see your point, but unfortunately it doesn't seem so practical these days. For example, any AV software you use these days will have an agent to get updates. Any software distribution mechanism, hardware health checking software and enterprise management software all require agents. The thing is we have to ensure we give sufficient rights for each one and ensure that if compromised it doesn't have sufficient rights to gain elevated rights and access to AD or any other domain resource/server. I am reading the service account security planning guide at the moment: http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx . There is some good stuff here we can use for least privilege. It's tricky and takes time. It just takes time to ensure every vendor and every product finally supports it. Until that time comes we can only do our best.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
Re: [ActiveDir] disable 200 users
What if you replace (cn=user1) with (anr=user1)?

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716) 532-5582 x5404
[EMAIL PROTECTED]

Ramon Linan [EMAIL PROTECTED], sent by [EMAIL PROTECTED], 08/25/2006 02:16 PM, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] disable 200 users
RE: [ActiveDir] disable 200 users
You have a list to use as an input file. Read from that list and get the DN of each user. Then pass the DN to the script listed in this sample: http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

Or, in a batch file, do a FOR loop and read in the input file, then use dsquery to get the DN and pass that to dsmod to disable the accounts. Something like (in a batch file the loop variable is written %%i; typed at a command prompt it is %i):

REM "delims=" reads the whole line, so names containing spaces stay whole.
REM -name "%%i" limits dsquery to that one user; without it every user in the forest is returned and disabled.
FOR /F "delims=" %%i IN (mylistofnames.txt) DO (dsquery user forestroot -scope subtree -name "%%i" -o dn | dsmod user -disabled yes)

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: Ramon Linan, Sent: Fri 8/25/2006 11:16 AM, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] disable 200 users
RE: [ActiveDir] Agents on Domain Controllers
You seem to think I disagree with you, whereas we are both saying the same thing.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: Matheesha Weerasinghe, Sent: Fri 8/25/2006 11:44 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Agents on Domain Controllers
[ActiveDir] Group policy settings with Vista Beta 2
http://www.microsoft.com/downloads/details.aspx?familyid=7812c9cb-e6ca-4144-98ab-2d78587462c5&displaylang=en

This spreadsheet lists the policy settings for computer and user configurations included in the administrative template files (admx/adml) delivered with Windows Vista Beta 2 (build 5384).

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] Agents on Domain Controllers
Somehow I read that and got an entirely different meaning. It may be due to the mood I am in right now. Then again, a quick look at some of joe's blog comments will show how often I misread things. Hmm... Sorry Deji.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
Re: [ActiveDir] disable 200 users
To add to Deji's, you would then use the same list to get a FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn|dsmove -newparent OU=NEWDEST,DC=FQDN where OU=NEWDEST,DC=FQDN is the FQDN of the new OU you want to move to.please note your list of names must be unique. Test before doing this by ensuring the command below FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn textfilename.txtgives you a list of DNs you really want to disable/move. Please check syntax and test before doing for real on production servers! RegardsM@On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: You have a list to use as input file. Read from that list and get the DN of each user. Then pass the DN to the script listed in this sample: http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true Or In a batch file, do a For loop and read in the input file, then usedsquery to get the DN and pass that to dsmod to disable the accounts Something like: FOR /F %%i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -o dn|dsmod user -disabled Yes Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Ramon LinanSent: Fri 8/25/2006 11:16 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] disable 200 users Hi, I have been given a list of 200 users to disable, and move to another OU. The users are not currently in the same OU but in many different OU. I am trying to use the txt file that contains the list of users to be disable. How can I do this? 
I was trying to use the query tool that comes with AD Users and Computers to select the users but got nowhere with

    |((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user1)))
    |((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user2)))

etc.

Thanks
Rezuma
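The same bulk disable-and-move that the thread builds from dsquery/dsmove/dsmod, written as an added PowerShell example rather than anything posted in the thread. It uses the RSAT ActiveDirectory module (an assumption; the 2006 thread predates it), searches by sAMAccountName instead of dsquery's wildcard -name match, escapes each list entry before it goes into the LDAP filter, and refuses any entry that does not resolve to exactly one account, which is the check M@'s "list must be unique" warning and the dsquery dry run are there to give you. The file name and the target OU DN are the thread's own placeholders; nothing is changed unless -Commit is given.

```powershell
# Added example (not from the thread): disable and move the users listed one sAMAccountName per line.
# Assumptions: RSAT ActiveDirectory module is installed; $TargetOU is a placeholder DN to replace.
param(
    [string]$ListPath = '.\mylistofnames.txt',    # input file name used in the thread
    [string]$TargetOU = 'OU=NEWDEST,DC=FQDN',     # placeholder DN from the thread; replace with yours
    [switch]$Commit                               # without -Commit this is a dry run only
)
Import-Module ActiveDirectory

# Escape the characters that carry meaning in an LDAP filter (RFC 4515) so a stray or crafted
# line in the list cannot widen the search beyond the one account it names.
function ConvertTo-LdapFilterValue([string]$Value) {
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

# Trim, drop blank lines and de-duplicate; the thread notes the list must be unique.
$names = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

$results = foreach ($name in $names) {
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $name)
    $found  = @(Get-ADUser -LDAPFilter $filter)

    # Exactly one match is required. Zero or several means the list is ambiguous, and the entry
    # is skipped rather than guessed at; this is the case the thread's dsquery dry run is meant to catch.
    if ($found.Count -ne 1) {
        Write-Warning ("{0}: {1} match(es), skipped" -f $name, $found.Count)
        [pscustomobject]@{ Name = $name; DN = $null; Action = 'skipped' }
        continue
    }

    $user = $found[0]
    if ($Commit) {
        # Disable first: the DN changes once the object is moved.
        Disable-ADAccount -Identity $user.DistinguishedName
        Move-ADObject     -Identity $user.DistinguishedName -TargetPath $TargetOU
        [pscustomobject]@{ Name = $name; DN = $user.DistinguishedName; Action = 'disabled+moved' }
    } else {
        [pscustomobject]@{ Name = $name; DN = $user.DistinguishedName; Action = 'dry-run' }
    }
}

# Usage (dry run, then for real):
#   .\Disable-MoveUsers.ps1 -ListPath .\mylistofnames.txt -TargetOU 'OU=Disabled,DC=corp,DC=example'
#   .\Disable-MoveUsers.ps1 -ListPath .\mylistofnames.txt -TargetOU 'OU=Disabled,DC=corp,DC=example' -Commit
$results | Format-Table -AutoSize
```

Run it once without -Commit and read the table: every row should say dry-run with the DN you expect, and any skipped row is a list entry to fix by hand before committing. Disabling before moving matters because Move-ADObject changes the distinguished name, and a script that moved first and then looked the object up again by its old DN would silently miss it.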
[ActiveDir] DC to DC communication
What are the various ways we can control the amount of replication between a specific DC and other DCs? We have one site whose WAN bandwidth is over-utilized and we see that the DC at that site is making connections to many other DCs (assumably for replication). How can we control this or reduce this traffic?

~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] disable 200 users
You may want to take a look at ADmodify.net: http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2 Nice tool for batch AD modifications.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, August 25, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] disable 200 users
Re: [ActiveDir] DC to DC communication
For starters, is it 2003 FFL/DFL? Is it defined as its own site? Have you seen the Branch Office Deployment Guide? Specifically the parts that talk about how to limit which DCs get used for replication? Basically, you would use that to control the DC connections as well as the client connections such that they follow the physical network. There's more, but that information should get the conversation started.

Al

On 8/25/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:
RE: [ActiveDir] DC to DC communication
In Active Directory Sites and Services, ensure that each WAN site you want segregated is configured as an AD site. Then you can specify which servers communicate with other AD sites, as well as the schedule for replication.

1. Create a new site.
2. Configure the subnets for that site.
3. Add domain controllers to that site.
4. Configure one server at each site as a bridgehead server. Unless a WAN link is unreliable, you will probably want to use IP instead of SMTP. Then only that server will attempt to replicate with the other sites.
5. If you need to tune it more, change the replication schedule for the different site links.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, August 25, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC to DC communication
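The site, subnet, bridgehead and site-link steps described in this reply (and the "follow the physical network" advice in Al's reply above), as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module; the site name, subnet, hub site name, DC hostname and replication interval are placeholders. Each step is idempotent so the script can be re-run, and it ends with the check a practitioner wants after the change: the list of connection objects the KCC has actually built for the branch DC, which should shrink to the hub bridgehead once the site is in place.

```powershell
# Added example (not from the thread): put a branch WAN location in its own AD site so only one
# DC there replicates across the WAN, on a schedule. All names and the subnet are placeholders.
# Assumption: RSAT ActiveDirectory module (Get-ADReplication* cmdlets) is available.
param(
    [string]$SiteName    = 'Branch01',                  # placeholder site name
    [string]$Subnet      = '10.50.0.0/16',              # placeholder branch address range
    [string]$HubSite     = 'Default-First-Site-Name',   # existing hub site
    [string]$BranchDC    = 'BR01DC01',                  # placeholder DC hostname at the branch
    [int]   $IntervalMin = 240                          # inter-site replication interval (default is 180)
)
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# 1-2. Site and subnet: DCs and clients in the branch range now locate this site, not the hub.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 3. Move the branch DC's server object into the new site.
$dc = Get-ADDomainController -Identity $BranchDC
if ($dc.Site -ne $SiteName) {
    Move-ADDirectoryServer -Identity $BranchDC -Site $SiteName
}

# 5. One IP site link hub<->branch with its own cost and interval; the KCC builds inter-site
#    connections only along site links, so this is where the schedule is controlled.
$linkName = "$HubSite-$SiteName"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $HubSite, $SiteName `
        -InterSiteTransportProtocol IP -Cost 200 -ReplicationFrequencyInMinutes $IntervalMin
}

# 4. Preferred bridgehead for the IP transport: the KCC will offer only this DC for inter-site
#    replication. Caveat: the KCC does not fail over to another DC in the site when a preferred
#    bridgehead is down, so monitor it or designate a second one.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
$server = Get-ADObject -Identity $dc.ServerObjectDN -Properties bridgeheadTransportList
if ($server.bridgeheadTransportList -notcontains $ipTransport) {
    Set-ADObject -Identity $dc.ServerObjectDN -Add @{ bridgeheadTransportList = $ipTransport }
}

# Verify: inbound connection objects for the branch DC. After the KCC re-runs (repadmin /kcc),
# the only inter-site partner should be the hub bridgehead; anything else is a stale or manual
# connection object worth looking at.
Get-ADReplicationConnection -Filter * -Server $BranchDC |
    Where-Object { $_.ReplicateToDirectoryServer -eq $dc.NTDSSettingsObjectDN } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated
```

The order of the steps follows the reply: site and subnet first, then the DC, then the link and bridgehead. The verification at the end answers the original question directly, since the list of ReplicateFromDirectoryServer values is exactly the set of DCs the branch DC pulls from, and it is what should be checked again after the change rather than the raw WAN traffic graph.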