RE: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

2006-08-29 Thread Alex Alborzfard
Oddly enough today we got hit by a virus (worm actually) that had
exploited the MS06-040 vulnerability. Our AV (Trend) didn't catch it in time.
Though I brought it up to my boss & fellow Admins' attention
more than 2 weeks ago, they decided to ignore it!
We ended up going around with the helpdesk team to clean the mess up.
I'm sure it'll be swept under the rug!

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 11, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

..and plant that flag and get it raised.

You cannot protect what is not managed.

Alex Alborzfard wrote:
> Yes I'm aware of both tools. WSUS requires a dedicated server and
> configuration.
> MBSA doesn't list installed patches, date of application, versions, etc.
> It basically tells you what is missing.
> I was talking about a tool that I can run from my PC, which I have used
> in the past. I think you could also remove the patch or roll it back
> right from the interface. For some reason I thought it was Windows
> Defender, but I installed it and it doesn't have that capability.
>
> No I'm not managing patching in our networks...well not yet anyway!
> I'm just trying to raise the flags, so to speak.
>
> Alex
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, August 11, 2006 11:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
> Vulnerability in DNS Resolution Could Allow Remote Code Execution
>
> E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : The threats and
> risk level today:
> http://msmvps.com/blogs/bradley/archive/2006/08/10/107303.aspx
>
>
> Alun's "Holy Crap" post:
> Tales from the Crypto : How do I rate today's patches?:
> http://msmvps.com/blogs/alunj/archive/2006/08/08/107097.aspx
>
>
> MBSA - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
>
> WSUS -
> http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
>
> You are managing patching in your networks now right?
>
> Alex Alborzfard wrote:
>> Thanks John this is really helpful, though only for this vulnerability.
>> Alex
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
>> Sent: Friday, August 11, 2006 11:22 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
>> Vulnerability in DNS Resolution Could Allow Remote Code Execution
>>
>> For MS06-040 you can use the tool from eeye.com to ID vulnerable
>> machines:
>>
>> http://www.eeye.com/html/resources/downloads/audits/NetApi.html
>>
>> Alex Alborzfard wrote:
>>> What about MS06-040? I've heard it's a nasty one like blaster.
>>> DHS has already issued a recommendation to apply this patch.
>>>
>>> I remember using a utility tool that would list all applied patches on a
>>> Windows box with all kind of information.
>>> Has anyone ever used it or does anyone know anything about it?
>>>
>>> Alex
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>>> CPA aka Ebitz - SBS Rocks [MVP]
>>> Sent: Tuesday, August 08, 2006 1:55 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability
>>> in DNS Resolution Could Allow Remote Code Execution
>>>
>>> One of 12 today...but since it's DNS related
>>>
>>> Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution
>>> Could Allow Remote Code Execution (920683):
>>> http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
>>>
>>> For an attack to be successful the attacker would either have to be on a
>>> subnet between the host and the DNS server or force the target host to
>>> make a DNS request to receive a specially crafted record response from
>>> an attacking server.
>>>
>>> (and Brett...just a FYI... in my twig forest... any attacker that ends
>>> up on a subnet between a host and my DNS server [aka the Kitchen sink
>>> service server] ... that attacker is dead meat and has a 2x4 aimed his
>>> way... one advantage of being little)
>>>
>>> Your patch folks may be calling up you AD guys for testing passes.
>>>
>>> Workarounds:
>>>
>>> *Block DNS related records at network gateways*
>>>

Re[2]: [ActiveDir] Add folder with quota to existing mailboxes - via scripting or tool

2006-08-29 Thread Mathieu CHATEAU

This script goes through Outlook.
Each user needs to fire this script (or fire it via a logon script).

For the root folder, change:
set inbox = olApp.GetNamespace("MAPI").GetDefaultFolder(6)

to

' NameSpace exposes a Folders collection (there is no Folder method); index it by the store's display name
set inbox = olApp.GetNamespace("MAPI").Folders("Personal Folder")
(should do the trick, but I didn't test it yet)



Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Monday, August 28, 2006, 11:00:14 AM, you wrote:

vwpn> Thanks Brian and Mathieu,

vwpn> I will tell a little bit more about the background of this. The 
vwpn> customer has asked for a folder called "private" to be created in the 
vwpn> root of every user's mailbox and if possible set a quota on this folder.

vwpn> After this has been done, the customer wants to instruct his users to 
vwpn> use only this folder as their personal/private email folder and 
vwpn> move everything that the user sees as being private to the private 
vwpn> folder. From that moment on, all other folders in the users' mailboxes 
vwpn> are no longer considered as private/personal.

vwpn> I do have some additional questions:

vwpn> - How would the script look if the requirement were to create the 
vwpn> folder in the root?

vwpn> - The way the script is set up now, do I have to set up which users 
vwpn> this script will apply to? I mean, will it now apply to all users in the
vwpn> entire domain which are mailbox enabled?

vwpn> - Is there any way that I can specify which users this script has to be
vwpn> applied to? I mean, can I run it against all mailbox enabled users in a
vwpn> specific OU?

vwpn> 
vwpn> ---
vwpn> Re[2]: [ActiveDir] Add folder with quota to existing mailboxes - via 
vwpn> scripting or tool
vwpn> From: Mathieu CHATEAU <[EMAIL PROTECTED]> 
vwpn> Date: Mon, 28 Aug 2006 00:24:47 +0200 

vwpn> 
vwpn> 

vwpn> Hello Victor,

vwpn> If the folder already exists, it will simply do nothing, except going 
vwpn> into errors..

vwpn> You need to add an On Error Resume Next or test if the folder exists before.

vwpn> It will create the folder in the inbox, as a subfolder.

vwpn> I don't see your goal with this folder...except if you turn special 
vwpn> rights on it.

vwpn> You may ask them to put [private] in the subject instead (it will work 
vwpn> for the sent folders).

vwpn> Regards,

vwpn> Mathieu CHATEAU

vwpn> http://lordoftheping.blogspot.com




vwpn> Sunday, August 27, 2006, 10:26:59 PM, you wrote:


vwpn> Thanks Mathieu, nice.

vwpn> Does this create a folder in the root of the mailbox?

vwpn> Access all mailboxes you say, that sounds logical. I know that
vwpn> domain admins indeed don't actually have the full mailbox access (they 
vwpn> have some denies).

vwpn> What if a user already has the folder, does this script take this into
vwpn> account?

vwpn> Again thanks.

vwpn> Victor

vwpn> From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED] 

vwpn> Sent: zondag 27 augustus 2006 22:04
vwpn> To: Victor  W.

vwpn> Cc: [EMAIL PROTECTED]

vwpn> Subject: Re: [ActiveDir]  Add folder with quota to existing
vwpn> mailboxes - via scripting or  tool


vwpn> Hello Victor,

vwpn> you will at least need an account that can access all mailboxes (not a
vwpn> domain admins one)

vwpn> (or give a script to everyone that they will execute)

vwpn> To my knowledge, quota is mailbox based. You may set up a special 
vwpn> retention on this folder.


vwpn> sample _vbscript_ to create the private folder

vwpn> set olApp = CreateObject("Outlook.Application") 
vwpn> set inbox = olApp.GetNamespace("MAPI").GetDefaultFolder(6) 
vwpn> set temp5 = inbox.Folders.Add("Private",6) 

vwpn> hope it helps,

vwpn> Regards,
vwpn>  

vwpn> Mathieu CHATEAU



vwpn> http://lordoftheping.blogspot.com

vwpn> Sunday, August 27, 2006, 8:57:03 PM, you wrote:


vwpn> Does anybody know what is the 'best' way to add automatically a folder 
vwpn> to existing mailboxes and set a quota on that same folder?

vwpn> We would like all our users to get a folder called "private" added to 
vwpn> the root of their mailbox and if possible, a quota to be set to that folder.

vwpn> Can this be done by scripting easily or is there perhaps even a tool 
vwpn> which is capable of doing this?

vwpn> This also counts for new, still to be created users. I mean, every user
vwpn> that will be created will have to have that certain folder added to his
vwpn> or her mailbox.

vwpn> Of course this could be done by running the script a couple of times a 
vwpn> day, checking if the folder exists already and if not, adding it. Or 
vwpn> perhaps it can even be realised the moment a user has been created.

vwpn> Any ideas are greatly appreciated.
vwpn> List info   : http://www.activedir.org/List.aspx
vwpn> List FAQ: http://www.activedir.org/ListFAQ.aspx
vwpn> List archive: http://www.activedir.org/ml/threads.aspx
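An added example, not Mathieu's script, that does the same job in PowerShell against the Outlook object model and adds the two things this thread asks for: the folder goes at the mailbox root rather than under the Inbox, and it is only created when missing. It assumes Outlook is installed with a MAPI profile for the running user (so it fits a logon script); the function name and the use of the Inbox's parent as the root are my choices.

```powershell
# Added example, not the script posted in the thread.
# Creates a "Private" mail folder at the root of the current user's mailbox,
# only if it does not already exist. Run as the user (e.g. from a logon script).
$olFolderInbox = 6   # OlDefaultFolders constant used by the original VBScript

function Get-MailboxRoot {
    param([object]$Namespace)
    # GetDefaultFolder(6) is the Inbox; its Parent is the mailbox root
    # ("Mailbox - <name>"), which is where the customer wants the folder.
    return $Namespace.GetDefaultFolder($olFolderInbox).Parent
}

function New-PrivateFolderIfMissing {
    param([string]$FolderName = 'Private')
    $outlook   = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNamespace('MAPI')
    $root      = Get-MailboxRoot -Namespace $namespace

    # Test for an existing folder instead of relying on On Error Resume Next:
    # Folders.Add throws when the name already exists, and swallowing every
    # error would also hide real failures (no profile, mailbox offline, ...).
    $existing = $root.Folders | Where-Object { $_.Name -eq $FolderName }
    if ($existing) {
        Write-Output "Folder '$FolderName' already present under '$($root.Name)'; nothing to do."
        return $existing
    }

    # Second argument 6 (olFolderInbox) makes it a mail-item folder, as in the VBScript.
    $created = $root.Folders.Add($FolderName, $olFolderInbox)
    Write-Output "Created folder '$FolderName' under '$($root.Name)'."
    return $created
}

New-PrivateFolderIfMissing
```

Quotas cannot be set per folder this way; as the thread says, Exchange quotas are mailbox based.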


Re[2]: [ActiveDir] Add folder with quota to existing mailboxes - via scripting or tool

2006-08-29 Thread Mathieu CHATEAU
Hello joe,

 Adding the vbscript to the logon script would do the trick.

 For the rest, it also depends where you live. In France, you can't
 just open the employees' mailboxes. Our laws protect individuals'
 privacy.

 Companies sometimes prefer users using the company mailboxes for
 personal use rather than having users open mail on webmail, which may
 contain viruses & co (going through an SMTP gateway allows more protection
 against viruses, instead of just having the workstation antivirus as
 the only shield).


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Monday, August 28, 2006, 3:45:31 PM, you wrote:

j> This sounds kooky. What does the customer intend to do with the rest of the
j> mailbox or how do they intend to specially treat the private folder? What
j> about the calendar and tasks? Private or not? 

j> Currently there really isn't a good technical solution to this. About the
j> best is that you tack onto the end of the script you use to mailbox enable
j> users and it logs into the mailbox so it gets instantiated and then creates
j> the folder; you can't specify Exchange to create a folder once the mailbox
j> is instantiated later. As Brian indicated, you also can't set a quota on the
j> folder. 

j> Now with the above you still have the issue of people not using your script
j> to mailbox enable users (or say doing a mailbox reconnect) so at some point
j> you would have to be scanning mailboxes looking for that folder and adding
j> it if missing. Depending on the number of mailboxes this could be something
j> that has to be constantly running because it can take a long time to log in
j> and check all of those mailboxes. Personally I hate writing scripts that
j> loop through all mailboxes like that as they always seem to get screwed up
j> after a bit. The whole programmatic aspect of Exchange mailboxes and logging
j> into them, etc. is flaky and slow, IMO. 

j> Probably the better solution is just to tell people, hi, if you get private
j> or personal email, create a folder called private and put it in there. The
j> rest of your mailbox is not considered private and we will be xxx. Where
j> the xx is whatever it is the customer intends to do with the rest of the
j> mailbox or how they expect to treat the private folder differently from the
j> rest of the mailbox. 

j> Personally again, I say it is all kooky. IMO, when you really get down to
j> it, none of a business mailbox is private/personal. The company can go into
j> any part of any mailbox any time they want. They have legal obligations to
j> do so in some cases and in other cases it could become necessary for
j> troubleshooting. If the customer thinks administrators will just avoid those
j> folders when working on mailboxes they are almost certainly wrong, if
j> anything, if you have an admin who does that kind of perusing, that would be
j> the first place they would go hunting in. 


j> --
j> O'Reilly Active Directory Third Edition -
j> http://www.joeware.net/win/ad3e.htm 
j>  

j> -Original Message-
j> From: [EMAIL PROTECTED]
j> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
j> Sent: Monday, August 28, 2006 5:00 AM
j> To: ActiveDir@mail.activedir.org
j> Subject: RE: [ActiveDir] Add folder with quota to existing mailboxes - via
j> scripting or tool

j> Thanks Brian and Mathieu,

j> I will tell a little bit more about the background of this. The 
j> customer has asked for a folder called "private" to be created in the 
j> root of every user's mailbox and if possible set a quota on this folder.

j> After this has been done, the customer wants to instruct his users to 
j> use only this folder as their personal/private email folder and 
j> move everything that the user sees as being private to the private 
j> folder. From that moment on, all other folders in the users' mailboxes 
j> are no longer considered as private/personal.

j> I do have some additional questions:

j> - How would the script look if the requirement were to create the 
j> folder in the root?

j> - The way the script is set up now, do I have to set up which users 
j> this script will apply to? I mean, will it now apply to all users in the
j> entire domain which are mailbox enabled?

j> - Is there any way that I can specify which users this script has to be
j> applied to? I mean, can I run it against all mailbox enabled users in a
j> specific OU?

j> 
j> ---
j> Re[2]: [ActiveDir] Add folder with quota to existing mailboxes - via 
j> scripting or tool
j> From: Mathieu CHATEAU <[EMAIL PROTECTED]> 
j> Date: Mon, 28 Aug 2006 00:24:47 +0200 

j> 
j> 

j> Hello Victor,

j> If the folder already exists, it will simply do nothing, except going 
j> into errors..

j> You need to add an On Error Resume Next or test if the folder exists before.

j> It will create the folder in the inbox, as a subfolder.

j> I don't 

Re: [ActiveDir] Auto Logon

2006-08-29 Thread Mathieu CHATEAU
Hello Za,

try using autologon.exe from sysinternals.

Works in our case.


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Tuesday, August 29, 2006, 2:16:44 PM, you wrote:

ZV> Domain: Windows 2003
ZV> Clients: Xp w/sp2

ZV> Problem: The autologon registry hack on 3 of my lab machines will not 
ZV> stay permanent. All machines restart each morning at 2:00 AM and they 
ZV> automatically log in to the domain. In the morning if I re-apply the 
ZV> auto logon registry hack the machines work fine the rest of the day, no
ZV> matter how many reboots. Comments? Suggestions?

ZV> Thanks,
ZV> Z.V.


[ActiveDir] [OT] DEC 2007

2006-08-29 Thread Mark Parris
I see the website has gone live and it's in Red Rock, Nevada - at another hotel 
that's part of the same chain as last year's conference.

April 22nd - April 25th 

www.directoryexpertsconference.com 

I can feel the pain already...

Mark


Re: [ActiveDir] Auto Logon

2006-08-29 Thread Mark Parris
Have had this problem - was due to an application that provided a formatted 
legal disclaimer - ran outside of policy and kept updating the legal 
disclaimer at night and stopping the autologon from working.

Doubt yours is the same issue but you never know.

Mark
-Original Message-
From: Za Vue <[EMAIL PROTECTED]>
Date: Tue, 29 Aug 2006 08:16:44 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto Logon

Domain: Windows 2003
Clients: Xp w/sp2

Problem: The autologon registry hack on 3 of my lab machines will not 
stay permanent. All machines restart each morning at 2:00 AM and they 
automatically log in to the domain. In the morning if I re-apply the 
auto logon registry hack the machines work fine the rest of the day, no 
matter how many reboots. Comments? Suggestions?

Thanks,
Z.V.
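An added example, not from Mark or Mathieu, that reads the Winlogon values a registry-based autologon depends on and reports the failure modes this thread turns on: a value reset by something else, a legal notice set outside policy (Mark's case), and a cleartext DefaultPassword, which is the reason to prefer the Sysinternals tool Mathieu recommends. The key paths and value names are the standard Winlogon and policy ones; the function name is mine, and it assumes local admin rights on the box being checked.

```powershell
# Added example, not from the thread: diagnose a registry-based autologon.
function Test-AutoLogonConfig {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $wl  = Get-ItemProperty -Path $winlogon
    $pol = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $findings = @()

    # The switch itself: REG_SZ "1". Anything else means some job or policy rewrote it.
    if ($wl.AutoAdminLogon -ne '1') {
        $findings += "AutoAdminLogon is '$($wl.AutoAdminLogon)' (expected '1'); something reset it."
    }
    foreach ($name in 'DefaultUserName', 'DefaultDomainName') {
        if ([string]::IsNullOrEmpty($wl.$name)) { $findings += "$name is empty." }
    }
    # AutoLogonCount is decremented on every boot and disables autologon at 0,
    # which looks exactly like "works all day, gone after the nightly restart".
    if ($wl.PSObject.Properties['AutoLogonCount']) {
        $findings += "AutoLogonCount=$($wl.AutoLogonCount): autologon switches itself off when this reaches 0."
    }
    # A logon banner (Winlogon values or the policy copy written by GPO or an
    # application) must be acknowledged before the stored credentials are used,
    # so a job that rewrites it overnight stalls the autologon at the banner.
    foreach ($src in @{ Winlogon = $wl; Policy = $pol }.GetEnumerator()) {
        $obj = $src.Value
        if ($obj -and ($obj.LegalNoticeCaption -or $obj.LegalNoticeText)) {
            $findings += "Legal notice set in the $($src.Key) key; autologon will wait at the banner."
        }
    }
    # Security: DefaultPassword as a registry string is readable by every local
    # user. Sysinternals Autologon stores it as an LSA secret instead.
    if ($wl.PSObject.Properties['DefaultPassword']) {
        $findings += 'DefaultPassword is stored in cleartext in the registry; use Sysinternals Autologon instead.'
    }

    if (-not $findings) { $findings = @('No autologon problems detected.') }
    return $findings
}

Test-AutoLogonConfig
```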


Re: [ActiveDir] Seperate forest migration notes

2006-08-29 Thread Al Mulnick
Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website. Some things to pay attention to: name resolution for the clients - it's important :)  Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and SID filtering. Be sure those are configured appropriately for your environment. 

 
Order of migration: 
Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes.  All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues. 

 
That leads to expectations: 
Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues.  Once you start, be prepared to sprint to the finish line.  Co-existence sucks.  No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds.  Your best bet is to continue to push regardless of the issues once you begin (post pilot of course). 

 
Did I mention name resolution? That's important, so I don't mind mentioning it twice. 
 
Planning is your friend when it comes to migrations.  
 
I imagine that Guido might chime in here.  I hear he's done this once or twice. :) 
On 8/29/06, Danny <[EMAIL PROTECTED]> wrote:

A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:

- Select test users and computers
- Install ADMT
- Test user migration via ADMT
- Test computer migration via RDP manually or script (must locate)
- Test mailbox migration via Exchange Migration Wizard
- Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



There's a rather large error in my previous message:

  ...get a list of all the DNS servers for that domain.  For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers.  Basically, that command returns the (Same as parent) records for the domain.

That should read:

  ...get a list of all DCs for that domain.  Basically, that command returns the (Same as parent) records for the domain, which are host (A) records for the domain [name].

Apologies all.  I don't know what I was thinking about when composing that mail.  I'll be sure to drink my first coffee of the day _before_ replying in the future!


--Paul

(No I didn't spot the error; I was notified offline ;-)

  - Original Message -
  From: Paul Williams
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 10:43 AM
  Subject: Re: [ActiveDir] nslookup. AD beginer question

  If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain.  For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers.  Basically, that command returns the (Same as parent) records for the domain.

  If you want to pull all DCs in the domain, you need to run something like this:

  nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

  If you run the above command and get computer accounts back, see kb825675 as referenced by Steve.  I wasn't aware that that bug also registered A records for the domain name, but it might...

  If you're new to NSLOOKUP, consider what information you want.  There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too).  Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place.  I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process.  Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

  --Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user’s computer

Thanks


Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1].  If that isn't a DC, look at the KB mentioned by Steve and me.  I've seen a bunch of XP workstations registering in DNS in the past.


--Paul

[1] Assuming of course that you don't have a DDNS issue, i.e. you don't have a record in DNS but you do have a server with that name.

  - Original Message -
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 4:06 PM
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

  _ldap._tcp.dc._msdcs.domain.com    SRV service location:
            priority       = 0
            weight         = 100
            port           = 389
            svr hostname   = sami.domain.com

  I can’t find that machine anywhere, not in the AD or dns server!!!

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
  Sent: Tuesday, August 29, 2006 10:15 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  I think the key to this question is a very simple troubleshooting step.  Go into DNS and look at the (same as parent folder) records.  Delete the ones that aren’t currently DNS servers.  If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from.  Give it a day or two and see if the bad ones come back.  If they don’t then you can assume this was an obsolete entry.  If they do then you can start looking for why.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Tuesday, August 29, 2006 4:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] nslookup. AD beginer question

  If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain.  For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers.  Basically, that command returns the (Same as parent) records for the domain.

  If you want to pull all DCs in the domain, you need to run something like this:

  nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

  If you run the above command and get computer accounts back, see kb825675 as referenced by Steve.  I wasn't aware that that bug also registered A records for the domain name, but it might...

  If you're new to NSLOOKUP, consider what information you want.  There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too).  Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place.  I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process.  Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

  --Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user’s computer

Thanks
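An added example, not from Paul or anyone else in the thread, that automates the two lookups discussed above (the domain's (same as parent) host records and the `_ldap._tcp.dc._msdcs` SRV records) and cross-checks them the way Paul and Kevin describe: an SRV target with no host record is stale, and an apex A record that does not belong to any DC is the workstation-registration case Ramon hit. It assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName); the function name is mine.

```powershell
# Added example, not from the thread: reconcile apex A records with DC SRV records.
param([string]$Domain = $env:USERDNSDOMAIN)

function Get-DomainDnsConsistency {
    param([Parameter(Mandatory)][string]$Domain)

    # 1. "nslookup domain.com": the A records at the zone apex ((same as parent)
    #    in the DNS console). Clients use them to reach a DC, so every IP here
    #    should belong to a domain controller.
    $apexIPs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
               Where-Object QueryType -eq 'A' |
               Select-Object -ExpandProperty IPAddress

    # 2. "nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com": one SRV record per DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object QueryType -eq 'SRV'

    $dcIPs = @{}   # IP -> DC host name, built from the SRV targets' own A records
    $stale = @()
    foreach ($rec in $srv) {
        # Paul's rule: an SRV target that has no host (A) record is stale and
        # should be removed from the zone (unless it is a DDNS problem, see [1]).
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'A'
        if (-not $a) { $stale += $rec.NameTarget; continue }
        foreach ($ip in $a.IPAddress) { $dcIPs[$ip] = $rec.NameTarget }
    }

    # Kevin's rule: apex A records that map to no DC are the suspect entries,
    # e.g. a workstation registering the domain name (the kb825675 behaviour).
    $unexpected = @($apexIPs | Where-Object { -not $dcIPs.ContainsKey($_) })

    [pscustomobject]@{
        Domain            = $Domain
        DomainControllers = @($srv.NameTarget)
        StaleSrvTargets   = $stale        # SRV record whose target has no A record
        UnexpectedApexIPs = $unexpected   # apex A record not owned by any DC
    }
}

Get-DomainDnsConsistency -Domain $Domain | Format-List
```

Re-run it a day or two after cleaning up, as Kevin suggests: if an unexpected apex record returns, the host that registers it still has to be found.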


Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Danny
We should be good, then. Thanks, Joe

D

On 8/29/06, joe <[EMAIL PROTECTED]> wrote:

Nope you should be good unless you have some special dependence on that DC. Normally you need to worry once you start to approach the TSL which is usually 60 days for most places or if you don't know why the DC is down (i.e. Mr. BlackHat is hacking your server in an offline fashion). If the machine does approach the TSL time down, just whack it out of the directory and rebuild when it comes back up.

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Tuesday, August 29, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,
...D

-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
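An added example, not joe's or Danny's, that turns joe's advice into a check: read the forest's actual tombstone lifetime (falling back to the 60 days he quotes only when the attribute is unset) and compare it with how long each replication partner has been silent. It assumes the ActiveDirectory module and a reachable DC in the domain; the function names and the 75% warning threshold are mine.

```powershell
# Added example, not from the thread: how close each silent DC is to the TSL.
function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.configurationNamingContext.Value
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl = $dsObj.tombstoneLifetime.Value
    if ($tsl) { return [int]$tsl }
    return 60   # attribute not set: the 60-day default joe refers to
}

function Get-ReplicationRisk {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$WarnAtPercent = 75
    )
    $tslDays = Get-TombstoneLifetimeDays
    $now     = Get-Date

    # Last successful inbound replication from each partner, as recorded on
    # every DC in the domain; a DC that is powered off stops advancing here.
    Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain -PartnerType Inbound |
        Group-Object Partner |
        ForEach-Object {
            $last = ($_.Group | Sort-Object LastReplicationSuccess -Descending |
                     Select-Object -First 1).LastReplicationSuccess
            $down = [math]::Round(($now - $last).TotalDays, 1)
            if ($down -ge $tslDays) {
                # Past the TSL it must not replicate back in (lingering objects):
                # metadata cleanup and rebuild, as joe says.
                $action = 'Past TSL: clean up its metadata and rebuild it'
            } elseif ($down -ge $tslDays * $WarnAtPercent / 100) {
                $action = 'Approaching TSL: decide now whether to restore or clean up'
            } else {
                $action = 'OK: wait for the site to return, then verify replication'
            }
            [pscustomobject]@{
                Partner       = $_.Name   # NTDS Settings DN of the source DC
                DaysSinceSync = $down
                TslDays       = $tslDays
                Action        = $action
            }
        }
}

Get-ReplicationRisk | Sort-Object DaysSinceSync -Descending | Format-Table -AutoSize
```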


Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Danny
Good advice. Thanks, Paul

D

On 8/29/06, Paul Williams <[EMAIL PROTECTED]> wrote:

Not much that you can do other than filter out the replication errors from your monitoring solution, so that calls aren't needlessly raised.

A couple of days won't cause you any issues.  Just ensure that everything is replicating and talking properly when things come back online.


--Paul

  - Original Message -
  From: Danny
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 3:49 PM
  Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

  One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2.

  Thanks,
  ...D

  -- 
  CPDE - Certified Petroleum Distribution Engineer
  CCBC - Certified Canadian Beer Consumer


-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Thommes, Michael M.
I am guessing, based on the port number, you have a DNS A record for this computer in gc._msdcs.domain.com .

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, August 29, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com

I can’t find that machine anywhere, not in the AD or dns server!!!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, August 29, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

I think the key to this question is a very simple troubleshooting step.  Go into DNS and look at the (same as parent folder) records.  Delete the ones that aren’t currently DNS servers.  If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from.  Give it a day or two and see if the bad ones come back.  If they don’t then you can assume this was an obsolete entry.  If they do then you can start looking for why.

RE: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Jason_Centenni
I've had "un-plugged" NICs register through the active one before with a
loopback. Check your DCs for 2nd or 3rd NICs and see if you find one
named what you're looking for?

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843
Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]

"Ramon Linan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/29/2006 10:06 AM
Please respond to [EMAIL PROTECTED]
Subject: RE: [ActiveDir] nslookup. AD beginner question

I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com    SRV service location:
  priority       = 0
  weight         = 100
  port           = 389
  svr hostname   = sami.domain.com

I can't find that machine anywhere, not in the AD or dns server!!!


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, August 29, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

I think the key to this question is a very simple troubleshooting step.  Go
into DNS and look at the (same as parent folder) records.  Delete the ones
that aren’t currently DNS servers.  If you are using AD integrated DNS,
then this should be any domain controllers that you want clients to get DNS
from.  Give it a day or two and see if the bad ones come back.  If they
don’t then you can assume this was an obsolete entry.  If they do then you
can start looking for why.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginner question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS
servers for that domain.  For example, if you are using AD-Integrated DNS,
you will get a list of any DCs that are also DNS servers.  Basically, that
command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like
this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com


If you run the above command and get computer accounts back, see kb825675
as referenced by Steve.  I wasn't aware that that bug also registered A
records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want.  There's a
bunch of different types of DNS record that might be of interest (A, CNAME,
PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A
and SRV (there's also an instance where you need to check the CNAME record
too).  Remember that simply pinging a DC doesn't mean that the necessary
SRV records are in place.  I personally always advise people to use a
combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator
process.  Use NSLOOKUP to see if the records that you expect are there, and
NLTEST to make the DsGetDC and DsGetSite calls.


--Paul
 - Original Message -
 From: Ramon Linan
 To: ActiveDir@mail.activedir.org
 Sent: Monday, August 28, 2006 7:14 PM
 Subject: [ActiveDir] nslookup. AD beginner question

 Hi Everyone,

 When I do a nslookup domain.com, domain.com being my AD domain, what
 should I see? A list of the DNS servers in my domain? A list of the DCs?

 The fact is that I am doing nslookup and I am getting domain controllers
 but also a user's computer.

[ActiveDir] Separate forest migration notes

2006-08-29 Thread Danny
A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest. Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:

Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D
-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Robert Rutherford

No, it will sort itself out... if it's a big operation then you may want to
shape the IP traffic to give the AD some priority on reconnect.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: 29 August 2006 15:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there
anything that I should do in AD if the site could potentially be down for
another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,

...D

-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread joe

Nope you should be good unless you have some special 
dependence on that DC. Normally you need to worry once you start to 
approach the TSL which is usually 60 days for most places or if you don't know 
why the DC is down (i.e. Mr. BlackHat is hacking your server in an offline 
fashion). If the machine does approach the TSL time down, just whack it out of 
the directory and rebuild when it comes back up.
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, August 29, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there
anything that I should do in AD if the site could potentially be down for
another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,
...D
-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Paul Williams

Not much that you can do other than filter 
out the replication errors from your monitoring solution, so that calls aren't 
needlessly raised.
 
A couple of days won't cause you any 
issues.  Just ensure that everything is replicating and talking properly 
when things come back online.
 
 
--Paul

  - Original Message -
  From: Danny
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 3:49 PM
  Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

  One of our sites has been without power for over 36 hours now. Is there
  anything that I should do in AD if the site could potentially be down for
  another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003R2.

  Thanks,
  ...D
  -- 
  CPDE - Certified Petroleum Distribution Engineer
  CCBC - Certified Canadian Beer Consumer



RE: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Ramon Linan

I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com    SRV service location:
  priority       = 0
  weight         = 100
  port           = 389
  svr hostname   = sami.domain.com

I can't find that machine anywhere, not in the AD or dns server!!!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, August 29, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

I think the key to this question is a very simple troubleshooting step.  Go
into DNS and look at the (same as parent folder) records.  Delete the ones
that aren't currently DNS servers.  If you are using AD integrated DNS,
then this should be any domain controllers that you want clients to get DNS
from.  Give it a day or two and see if the bad ones come back.  If they
don't then you can assume this was an obsolete entry.  If they do then you
can start looking for why.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginner question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS
servers for that domain.  For example, if you are using AD-Integrated DNS,
you will get a list of any DCs that are also DNS servers.  Basically, that
command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like
this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675
as referenced by Steve.  I wasn't aware that that bug also registered A
records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want.  There's a
bunch of different types of DNS record that might be of interest (A, CNAME,
PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A
and SRV (there's also an instance where you need to check the CNAME record
too).  Remember that simply pinging a DC doesn't mean that the necessary
SRV records are in place.  I personally always advise people to use a
combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator
process.  Use NSLOOKUP to see if the records that you expect are there, and
NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should
I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers
but also a user's computer.

Thanks


[ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Danny
One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,
...D
-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] Printers & AD GUI

2006-08-29 Thread Albert Duro
good stuff, Steve, thanks.  But isn't all this really a duplication of what 
the Browse List already does?


- Original Message - 
From: "Steve Rochford" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, August 29, 2006 4:46 AM
Subject: RE: [ActiveDir] Printers & AD GUI


I'd guess it depends why you're wanting to manage a printer but if it's
in response to someone reporting some kind of problem with their printer
then you can just sit at your computer and type \\ into
explorer. You'll then see the "printers and faxes" folder - double click
that and you'll have access to the printer(s) installed even if they're
not shared. I don't think it's much more work than connecting through
the AD GUI.

If you don't know the name of the computers with printers then it
wouldn't be too hard to use a WMI script to build a database of
computers and their printers - this could then feed a web page listing
them and you just click on the name to connect in the same way as typing
the name above.

If most of your machines are on all the time and there are not too many
then the web page could even do a live query of each machine to get the
printer details.

Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: 28 August 2006 16:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Printers & AD GUI

I figured out where the disconnect is in this discussion.  You see, I'm
the sole IT of a small org, barely over the SBS size, and I have to do
*everything*.  I had overlooked the fact that those of you who are at
the top of a large IT pyramid have to leave the management of printers
to lower admins, techs, and even users.  I can't do that.  If an
unshared printer needs management, I have to either drill through the
browse list, or travel to the workstation and disrupt the user.
It would be just great if the AD printer list could make printers shared
but invisible (to all but the owner and Admin).  Kinda like Exchange
mailboxes, which can still be used and managed even when invisible.
Maybe the aforementioned Printer Management Console offers something
like that - I haven't checked it out yet.  But surely this couldn't be
an unreasonable wish.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DMZ and Trusts

2006-08-29 Thread Wyatt, David

Thanks for your comments.

-David


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 29 Aug 2006 14:56
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] DMZ and Trusts
  Interesting.  I stick by the original note I posted. The risks are 
  more procedural, such as the example you mentioned about the passwords being 
  the same.  The other issue noted is that it is really no longer a DMZ if 
  the internal users can access it.  
   
  I don't know of any other increased risks outside of those categories. 
  The traffic originates only from one direction, and the risk may be tolerable 
  for the requirements it meets in your case. 
   
  For what it's worth, I personally think that the added complexity put on 
  the users of the service is warranted as a reminder to let the user know they 
  are administering in a higher security zone. I think this reminder outweighs 
  the convenience and plays a part in the reliability and stability and is in 
  keeping with the intended purpose of a DMZ topology. 
   
  My thoughts though.  I'm not a security expert, but I sometimes play 
  one on the internet so take the opinion with that knowledge. 
   
  Al 
  On 8/29/06, Wyatt, 
  David <[EMAIL PROTECTED]> 
  wrote: 
  


Hi Al
 
I am "pulling" the 
statement from a Microsoft chat transcript found here:
 
http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_101404.mspx 

 
One of the quotes 
says:

Paul Rich MS (Expert): Jim, creating a trust from 
your internal forest to the externally facing forest is definitely something 
that presents security risks. Although I'm not saying it can't be done, I 
wouldn't do it but then I don't have a requirement to do so. Creating trust 
from the DMZ/external forest to the internal forest is normally done in 
order to allow internal folks to administer the external forest, which is a 
legitimate desire. However, there are risks with creating the trust in that 
direction. 
What I am trying 
to find out is what these "risks" are.  I know the transcript goes on 
to say about the use of passwords that could be the same for both the 
internal and external forests but I am more interested in any known 
exploits, hijacks etc that may exist. 
I wouldn't configure a 
firewall rule with ANY>DMZ anyway.  There would be a set of 
rules for external--->DMZ and internal--->DMZ.  Each would have 
specific rules for the services that are required. 
-David
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 25 Aug 2006 18:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ and Trusts




  Where are you pulling the "not recommended" from? 
   
  The issues are not typically technical, but rather procedural once 
  you get past the, "yes, but if it's a DMZ, should internal users have 
  direct access?" questions. :)
   
  One other thing to point out: the users will also have to have direct 
  access to the application.  From a network perspective, that's often 
  seen as an issue because the firewall is then configured for any -->DMZ 
  host. That really does defeat the purpose of a DMZ in most cases. 
   
  My added $0.04 anyway. 
   
  -ajm 
  On 8/25/06, Wyatt, 
  David <[EMAIL PROTECTED]> wrote: 
  
  


Hello
 
Imagine the following scenario, 
you have an internal W2K3 
forest and an external W2K3 forest on the DMZ.  Management wish to 
create one-way trust between the two forests so the DMZ forest trusts 
the internal forest for an application. 
 
I have read that this is obviously 
possible but not recommended and cannot find out why.  Does 
anyone know what the exact security issues or exploits could be?  
Assume we have a firewall with the rules configured to only allow trust 
traffic through. 
 
Regards
David
 

This message contains confidential information and is intended only for the
individual or entity named. If you are not the named addressee you should
not disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions
in the contents of this message which arise as a result of e-mail
transmission. If verification is required please request a hard-copy
version. This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments. GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.

RE: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Kevin Brunson

I think the key to this question is a very simple troubleshooting step.  Go
into DNS and look at the (same as parent folder) records.  Delete the ones
that aren't currently DNS servers.  If you are using AD integrated DNS,
then this should be any domain controllers that you want clients to get DNS
from.  Give it a day or two and see if the bad ones come back.  If they
don't then you can assume this was an obsolete entry.  If they do then you
can start looking for why.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginner question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS
servers for that domain.  For example, if you are using AD-Integrated DNS,
you will get a list of any DCs that are also DNS servers.  Basically, that
command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like
this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675
as referenced by Steve.  I wasn't aware that that bug also registered A
records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want.  There's a
bunch of different types of DNS record that might be of interest (A, CNAME,
PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A
and SRV (there's also an instance where you need to check the CNAME record
too).  Remember that simply pinging a DC doesn't mean that the necessary
SRV records are in place.  I personally always advise people to use a
combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator
process.  Use NSLOOKUP to see if the records that you expect are there, and
NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should
I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers
but also a user's computer.

Thanks


Re: [ActiveDir] DMZ and Trusts

2006-08-29 Thread Al Mulnick
Interesting.  I stick by the original note I posted. The risks are more procedural, such as the example you mentioned about the passwords being the same.  The other issue noted is that it is really no longer a DMZ if the internal users can access it.  

 
I don't know of any other increased risks outside of those categories. The traffic originates only from one direction, and the risk may be tolerable for the requirements it meets in your case. 
 
For what it's worth, I personally think that the added complexity put on the users of the service is warranted as a reminder to let the user know they are administering in a higher security zone. I think this reminder outweighs the convenience and plays a part in the reliability and stability and is in keeping with the intended purpose of a DMZ topology. 

 
My thoughts though.  I'm not a security expert, but I sometimes play one on the internet so take the opinion with that knowledge. 
 
Al 
On 8/29/06, Wyatt, David <[EMAIL PROTECTED]> wrote:



Hi Al
 
I am "pulling" the statement from a Microsoft chat transcript found here:
 
http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_101404.mspx

 
One of the quotes says:

Paul Rich MS (Expert):Jim, creating a trust from your internal forest to the externally facing forest is definitely something that presents security risks. Although I'm not saying it can't be done, I wouldn't do it but then I don't have a requirement to do so. Creating trust from the DMZ/external forest to the internal forest is normally done in order to allow internal folks to administer the external forest, which is a legitimate desire. However, there are risks with creating the trust in that direction.

What I am trying to find out is what these "risks" are.  I know the transcript goes on to say about the use of passwords that could be the same for both the internal and external forests but I am more interested in any known exploits, hijacks etc that may exist.
 
I wouldn't configure a firewall rule with ANY>DMZ anyway.  There would be a set of rules for external--->DMZ and internal--->DMZ.  Each would have specific rules for the services that are required.

-David
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 25 Aug 2006 18:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ and Trusts




Where are you pulling the "not recommended" from? 
 
The issues are not typically technical, but rather procedural once you get past the, "yes, but if it's a DMZ, should internal users have direct access?" questions. :)
 
One other thing to point out: the users will also have to have direct access to the application.  From a network perspective, that's often seen as an issue because the firewall is then configured for any -->DMZ host. That really does defeat the purpose of a DMZ in most cases. 

 
My added $0.04 anyway. 
 
-ajm 
On 8/25/06, Wyatt, David <[EMAIL PROTECTED]> wrote:
 



Hello
 
Imagine the following scenario, you have an internal W2K3 forest and an external W2K3 forest on the DMZ.  Management wish to create one-way trust between the two forests so the DMZ forest trusts the internal forest for an application. 

 
I have read that this is obviously possible but not recommended and cannot find out why.  Does anyone know what the exact security issues or exploits could be?  Assume we have a firewall with the rules configured to only allow trust traffic through. 

 
Regards
David
 


RE: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Ramon Linan

That was it, thanks so much

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 5:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginner question

Probably because it's a secondary server.  Check to see if that IP is
hosting a secondary copy of the zone.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 10:04 PM
Subject: RE: [ActiveDir] nslookup. AD beginner question

What I actually did was nslookup domain.com... I just found out that one of
the computers is a linux server that is managing a child domain
child.domain.com... that is the reason it is showing up there.

Anyway, I am also getting an ip address for a windows server machine that
is not a DC, don't know why...

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

You mean, you did the following:

nslookup
set q=a
domain.com

and the IP you got is for a user's desktop?

If so, one reason could be because someone created an A record in DNS for
domain.com and mapped it to the desktop's IP. Maybe because the desktop is
running web service and hosting the domain.com web site.

Is this what you meant? If so, you will need to go and delete the record.
You will then need to tell your users that they will not be able to get to
the domain.com website any longer because that is your AD domain name. You
could create another A record named (for example) WWW under the domain.com
zone and give it the desktop's IP and tell your users that they should now
use http://www.domain.com/ to get to that website instead of domain.com

This is a fairly common misconfiguration. And it's a big problem for your
clients and DCs.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Mon 8/28/2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

Thanks, but after reading all that I still was not able to find out what
kind of information you get when you look up domain.com, domain.com being
your AD domain, and why I am getting a user's computer.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

http://www.cni.org/pub/inetroom/nslookup.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should
I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers
but also a user's computer.

Thanks

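Paul's two lookups and Deji's explanation above describe a manual check: the apex A records of the AD zone (the "(same as parent folder)" entries) should only ever point at the DCs advertised in the _ldap._tcp.dc._msdcs SRV records, and every SRV target should be a machine you know to be a DC. As an added example that is not from any poster in the thread, this Python script parses nslookup output in the Windows format Ramon pasted and reports both kinds of stray entry; the dc1/dc2 hostnames and all IP addresses are constructed, and sami.domain.com is taken from Ramon's output.

```python
import re
from collections import OrderedDict

# Constructed sample of `nslookup domain.com` output (Windows nslookup format).
# The addresses listed under "Name:" are the zone's "(same as parent)" A records.
APEX_LOOKUP = """\
Server:  dc1.domain.com
Address:  10.0.0.11

Name:    domain.com
Addresses:  10.0.0.11, 10.0.0.12
          10.0.0.73
"""

# Constructed sample of `nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com`,
# in the layout shown in the thread, plus the glue lines nslookup appends.
SRV_LOOKUP = """\
Server:  dc1.domain.com
Address:  10.0.0.11

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com
dc1.domain.com  internet address = 10.0.0.11
dc2.domain.com  internet address = 10.0.0.12
sami.domain.com internet address = 10.0.0.45
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_apex_addresses(text):
    """Return the A-record addresses for the queried name, skipping the
    leading Server:/Address: lines that describe the resolver itself."""
    addrs = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            addrs.extend(IPV4.findall(line))
    return addrs


def parse_srv_targets(text):
    """Return {hostname: ip or None} for every 'svr hostname' in SRV output,
    filling in the IP from the trailing 'internet address' glue lines."""
    targets = OrderedDict()
    for line in text.splitlines():
        m = re.search(r"svr hostname\s*=\s*(\S+)", line)
        if m:
            targets.setdefault(m.group(1).rstrip(".").lower(), None)
            continue
        m = re.match(r"(\S+)\s+internet address\s*=\s*(\S+)", line)
        if m and m.group(1).rstrip(".").lower() in targets:
            targets[m.group(1).rstrip(".").lower()] = m.group(2)
    return targets


def unexpected_apex_addresses(apex_text, srv_text):
    """Apex addresses that belong to no DC advertised via SRV: the records
    Kevin Brunson's step tells you to inspect and, if obsolete, delete."""
    dc_ips = {ip for ip in parse_srv_targets(srv_text).values() if ip}
    return [ip for ip in parse_apex_addresses(apex_text) if ip not in dc_ips]


def unknown_dc_targets(srv_text, known_dcs):
    """SRV targets missing from the administrator's own list of DCs
    (the 'sami' host in the thread is exactly this case)."""
    known = {h.lower() for h in known_dcs}
    return [h for h in parse_srv_targets(srv_text) if h not in known]


if __name__ == "__main__":
    print("Apex addresses not owned by a DC:",
          unexpected_apex_addresses(APEX_LOOKUP, SRV_LOOKUP))
    print("SRV targets not in the known-DC list:",
          unknown_dc_targets(SRV_LOOKUP, ["dc1.domain.com", "dc2.domain.com"]))
```

In practice you would paste real nslookup output in place of the two constructed samples and keep the known-DC list in sync with what Active Directory Sites and Services shows.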

Re: [ActiveDir] Auto Logon

2006-08-29 Thread Za Vue
GPO is being applied, but if the problem is caused by GPO then it would 
also affect all the lab machines and not just three. When the machine 
is at the logon screen I can look at the winlogon registry remotely and 
see that it has not been modified.


I will try what Christopher Drewery suggested first.

Z.V.

Kurt Falde wrote:

Throw regmon on the box with a filter for that specific key to try to
see when it is being overwritten.  If it's every 90 min could be you
have a GPO somewhere that's doing it for you.  Run a RSOP using GPMC
against the machine/user and check for the setting to see if a GPO is
being applied to it.

Kurt Falde

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, August 29, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto Logon

Domain: Windows 2003
Clients: Xp w/sp2

Problem: The autologon registry hack on 3 of my lab machines will not 
stay permanent. All machines restart each morning at 2:00 AM and they 
automatically log in to the domain. In the morning if I re-apply the 
auto logon registry hack the machines work fine the rest of the day, no 
matter how many reboots. Comments? Suggestions?


Thanks,
Z.V.


RE: [ActiveDir] Auto Logon

2006-08-29 Thread Kurt Falde
Throw regmon on the box with a filter for that specific key to try to
see when it is being overwritten.  If it's every 90 min could be you
have a GPO somewhere that's doing it for you.  Run a RSOP using GPMC
against the machine/user and check for the setting to see if a GPO is
being applied to it.

Kurt Falde

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, August 29, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto Logon

Domain: Windows 2003
Clients: Xp w/sp2

Problem: The autologon registry hack on 3 of my lab machines will not 
stay permanent. All machines restart each morning at 2:00 AM and they 
automatically log in to the domain. In the morning if I re-apply the 
auto logon registry hack the machines work fine the rest of the day, no 
matter how many reboots. Comments? Suggestions?

Thanks,
Z.V.
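Kurt's advice is to watch the key with regmon and run an RSOP. As an added example, not code from the thread or from any poster, the PowerShell below reads the Winlogon autologon values the "registry hack" sets, records when the check ran so repeated runs can be lined up against the 90-minute policy refresh, and flags whether the password is sitting in the registry in cleartext (the usual side effect of the hack, and worth knowing about on a machine that logs itself in every morning). It assumes PowerShell remoting is enabled on the lab machines; the computer names are placeholders.

```powershell
# Added example (not from the thread): audit the Winlogon autologon values on
# the lab machines and flag a cleartext DefaultPassword.
# Assumes PowerShell remoting is enabled; computer names are placeholders.

function Get-AutoLogonState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AutoAdminLogon    = $v.AutoAdminLogon      # "1" = autologon on, "0" or absent = off
        DefaultUserName   = $v.DefaultUserName
        DefaultDomainName = $v.DefaultDomainName
        # The registry hack keeps the password in cleartext in DefaultPassword.
        # Storing it as the LSA secret of the same name (what the Sysinternals
        # Autologon tool does) leaves this registry value absent.
        CleartextPassword = ($null -ne $v.PSObject.Properties['DefaultPassword'])
        ForceAutoLogon    = $v.ForceAutoLogon      # 1 = log on again after a logoff
        AutoLogonCount    = $v.AutoLogonCount      # if present, counts down per boot and
                                                   # turns autologon off at 0
        CheckedAt         = Get-Date                # correlate with the GPO refresh cycle
    }
}

# Run locally...
Get-AutoLogonState

# ...or against all three lab machines at once (placeholder names).
$labMachines = 'LAB-PC1', 'LAB-PC2', 'LAB-PC3'
Invoke-Command -ComputerName $labMachines -ScriptBlock ${function:Get-AutoLogonState} |
    Sort-Object Computer |
    Format-Table Computer, AutoAdminLogon, DefaultUserName, DefaultDomainName,
                 CleartextPassword, AutoLogonCount, CheckedAt -AutoSize
```

Running this once after re-applying the hack and again after the next scheduled reboot shows which values changed. For the RSOP half of Kurt's suggestion, `gpresult /scope computer /v` on the affected machine lists the applied GPOs and their registry settings without needing GPMC on the workstation.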


Re: [ActiveDir] Auto Logon

2006-08-29 Thread Christopher . Drewery

I had this problem about a year ago.
I got it working in the end by changing the logon name from "user"
to "[EMAIL PROTECTED]" and it worked fine, give that a go and let
us know what happens

C.






Za Vue <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
29/08/2006 13:16
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Auto Logon

Domain: Windows 2003
Clients: Xp w/sp2

Problem: The autologon registry hack on 3 of my lab machines will not
stay permanent. All machines restart each morning at 2:00 AM and they
automatically log in to the domain. In the morning if I re-apply the
auto logon registry hack the machines work fine the rest of the day, no
matter how many reboots. Comments? Suggestions?

Thanks,
Z.V.




[ActiveDir] Auto Logon

2006-08-29 Thread Za Vue

Domain: Windows 2003
Clients: Xp w/sp2

Problem: The autologon registry hack on 3 of my lab machines will not 
stay permanent. All machines restart each morning at 2:00 AM and they 
automatically log in to the domain. In the morning if I re-apply the 
auto logon registry hack the machines work fine the rest of the day, no 
matter how many reboots. Comments? Suggestions?


Thanks,
Z.V.


RE: [ActiveDir] Printers & AD GUI

2006-08-29 Thread Steve Rochford
I'd guess it depends why you're wanting to manage a printer but if it's
in response to someone reporting some kind of problem with their printer
then you can just sit at your computer and type \\ into
explorer. You'll then see the "printers and faxes" folder - double click
that and you'll have access to the printer(s) installed even if they're
not shared. I don't think it's much more work than connecting through
the AD GUI. 

If you don't know the name of the computers with printers then it
wouldn't be too hard to use a WMI script to build a database of
computers and their printers - this could then feed a web page listing
them and you just click on the name to connect in the same way as typing
the name above.

If most of your machines are on all the time and there are not too many
then the web page could even do a live query of each machine to get the
printer details.

Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: 28 August 2006 16:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Printers & AD GUI

I figured out where the disconnect is in this discussion.  You see, I'm
the sole IT of a small org, barely over the SBS size, and I have to do
*everything*.  I had overlooked the fact that those of you who are at
the top of a large IT pyramid have to leave the management of printers
to lower admins, techs, and even users.  I can't do that.  If an
unshared printer needs management, I have to either drill through the
browse list, or travel to the workstation and disrupt the user.
It would be just great if the AD printer list could make printers shared
but invisible (to all but the owner and Admin).  Kinda like Exchange
mailboxes, which can still be used and managed even when invisible.
Maybe the aforementioned Printer Management Console offers something
like that - I haven't checked it out yet.  But surely this couldn't be
an unreasonable wish.
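The WMI inventory Steve describes, as an added PowerShell example (not code from the thread or from any poster): it pings each computer first so that machines that are switched off do not stall the run, queries Win32_Printer (which lists the printers installed on a machine whether or not they are shared), and writes a CSV that a web page or report can be built from. The computer names come from AD through an ADSI search; the OU path is a placeholder. Remote WMI over DCOM needs local administrator rights on each workstation and the firewall exception for WMI.

```powershell
# Added example (not from the thread): build a list of computers and their
# installed printers via WMI Win32_Printer, shared or not, and save it as CSV.
# The OU path is a placeholder; remote WMI needs admin rights on each machine.

function Get-DomainComputerNames {
    # ADSI search, so no RSAT module is required on the admin workstation.
    param([string]$SearchBase = 'LDAP://OU=Workstations,DC=domain,DC=com')  # placeholder
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    $searcher.Filter     = '(objectCategory=computer)'
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add('name')
    $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }
}

function Get-PrinterInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$PingTimeoutMs = 500
    )
    foreach ($c in $ComputerName) {
        # Skip machines that are off: a failed remote WMI connection can take
        # a long time to time out, which matters with hundreds of computers.
        $ping = Get-WmiObject -Class Win32_PingStatus -Filter "Address='$c' AND Timeout=$PingTimeoutMs"
        if ($ping.StatusCode -ne 0) {
            [pscustomobject]@{ Computer = $c; Printer = $null; Shared = $null; Port = $null; Driver = $null; Status = 'offline' }
            continue
        }
        try {
            Get-WmiObject -Class Win32_Printer -ComputerName $c -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    Computer = $c
                    Printer  = $_.Name
                    Shared   = $_.Shared      # $false for the unshared printers the thread is about
                    Port     = $_.PortName
                    Driver   = $_.DriverName
                    Status   = 'ok'
                }
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Printer = $null; Shared = $null; Port = $null; Driver = $null; Status = "error: $($_.Exception.Message)" }
        }
    }
}

Get-PrinterInventory -ComputerName (Get-DomainComputerNames) |
    Export-Csv -Path .\printer-inventory.csv -NoTypeInformation
```

The CSV is the "database" in Steve's description; a page generated from it can link each computer name to `\\computername` so the Printers and Faxes folder opens the same way as typing the name into Explorer. For the live-query variant he mentions, call `Get-PrinterInventory` with a single computer name at request time instead of reading the CSV.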



Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



Probably because it's a secondary server.  Check to see if that IP is
hosting a secondary copy of the zone.

--Paul

  - Original Message -
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Monday, August 28, 2006 10:04 PM
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  What I actually did was nslookup domain.com… I just found out that one
  of the computers is a linux server that is managing a child domain
  child.domain.com… that is the reason it is showing up there.

  Anyway, I am also getting an ip address for a windows server machine that
  is not a DC, don’t know why…

  Rezuma
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Monday, August 28, 2006 4:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  You mean, you did the following:

  nslookup
  set q=a
  domain.com

  and the IP you got is for a user's desktop?

  If so, one reason could be because someone created an A record in DNS for
  domain.com and mapped it to the desktop's IP. Maybe because the desktop is
  running web service and hosting the domain.com web site.

  Is this what you meant? If so, you will need to go and delete the record.
  You will then need to tell your users that they will not be able to get to
  the domain.com website any longer because that is your AD domain name. You
  could create another A record named (for example) WWW under the domain.com
  zone and give it the desktop's IP and tell your users that they should now
  use http://www.domain.com/ to get to that website instead of domain.com.

  This is a fairly common misconfiguration. And it's a big problem for your
  clients and DCs.
  
  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
   
  
  
  
  From: Ramon Linan
  Sent: Mon 8/28/2006 1:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  Thanks, but after reading all that I still was not able to find out what
  kind of information you get when you do lookup domain.com, domain.com being
  your AD domain, and why I am getting a user’s computer.

  Thanks
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Monday, August 28, 2006 2:21 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  http://www.cni.org/pub/inetroom/nslookup.html

  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
   
  
  
  
  From: Ramon Linan
  Sent: Mon 8/28/2006 11:14 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] nslookup. AD beginer question

  Hi Everyone,

  When I do a nslookup domain.com, domain.com being my AD domain, what
  should I see? A list of the dns servers in my domain? A list of the DCs?

  The fact is that I am doing nslookup and I am getting domain controllers
  but also a user’s computer.

  Thanks


Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS
servers for that domain.  For example, if you are using AD-Integrated DNS,
you will get a list of any DCs that are also DNS servers.  Basically, that
command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like
this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675
as referenced by Steve.  I wasn't aware that that bug also registered A
records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want.  There's a
bunch of different types of DNS record that might be of interest (A, CNAME,
PTR, SRV, MX).  When troubleshooting AD, the main ones to look for are A and
SRV (there's also an instance where you need to check the CNAME record
too).  Remember that simply pinging a DC doesn't mean that the necessary SRV
records are in place.  I personally always advise people to use a
combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator
process.  Use NSLOOKUP to see if the records that you expect are there, and
NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

  - Original Message -
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Monday, August 28, 2006 7:14 PM
  Subject: [ActiveDir] nslookup. AD beginer question

  Hi Everyone,

  When I do a nslookup domain.com, domain.com being my AD domain, what
  should I see? A list of the dns servers in my domain? A list of the DCs?

  The fact is that I am doing nslookup and I am getting domain controllers
  but also a user’s computer.
   
  Thanks
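Paul's two lookups (the "(Same as parent)" A records for the domain name, and the `_ldap._tcp.dc._msdcs` SRV records for the real DC list) can be compared mechanically, which turns the stray-desktop case Deji describes into a check rather than something noticed by eye. The PowerShell below is an added example, not from the thread or any poster: it resolves the SRV records to DC host names and addresses, then flags any address returned for the bare domain name that does not belong to a DC, with a reverse lookup to help identify the host. It uses `Resolve-DnsName`, the modern equivalent of the nslookup commands in the thread, so it needs Windows 8 / Server 2012 or later; the domain name is a placeholder.

```powershell
# Added example (not from the thread): flag A records on the AD domain name that
# do not belong to a domain controller. Domain name is a placeholder.

function Get-DomainControllerAddresses {
    param([Parameter(Mandatory)][string]$Domain)
    # The SRV targets are the DC host names (what Paul's nslookup -type=srv lists);
    # resolve each to its A record(s).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'SRV' }
    foreach ($rec in $srv) {
        Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' } |
            ForEach-Object { [pscustomobject]@{ Host = $rec.NameTarget; IPAddress = $_.IPAddress } }
    }
}

function Test-DomainApexRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $dcs = @(Get-DomainControllerAddresses -Domain $Domain)

    # The "(Same as parent)" A records: what plain "nslookup domain.com" returns.
    $apex = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' }

    foreach ($a in $apex) {
        $owner = $dcs | Where-Object { $_.IPAddress -eq $a.IPAddress } | Select-Object -First 1
        # Reverse lookup to name the stray host; empty if no PTR record exists.
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue |
               Select-Object -First 1
        [pscustomobject]@{
            Domain    = $Domain
            IPAddress = $a.IPAddress
            IsDC      = [bool]$owner
            DCName    = if ($owner) { $owner.Host } else { $null }
            PTRName   = if ($ptr) { $ptr.NameHost } else { $null }
        }
    }
}

# Any row with IsDC = False is the misconfiguration discussed in the thread:
# a non-DC host (desktop, member server, secondary DNS) registered on the apex.
Test-DomainApexRecords -Domain 'domain.com' | Format-Table -AutoSize
```

A row with `IsDC` false and a workstation name in `PTRName` is Deji's "someone created an A record for domain.com pointing at a desktop" case; a member server that is a secondary DNS server for the zone is Paul's first explanation. For the NLTEST half of his advice, `nltest /dsgetdc:domain.com` exercises the locator and shows which DC and site the client actually picks, which the DNS records alone do not prove.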


RE: [ActiveDir] DMZ and Trusts

2006-08-29 Thread Wyatt, David
Hi Al

I am "pulling" the statement from a Microsoft chat transcript found here:

http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_101404.mspx

One of the quotes says:

Paul Rich MS (Expert): Jim, creating a trust from your internal forest to
the externally facing forest is definitely something that presents
security risks. Although I'm not saying it can't be done, I wouldn't do it
but then I don't have a requirement to do so. Creating trust from the
DMZ/external forest to the internal forest is normally done in order to
allow internal folks to administer the external forest, which is a
legitimate desire. However, there are risks with creating the trust in
that direction.

What I am trying to find out is what these "risks" are.  I know the
transcript goes on to say about the use of passwords that could be the
same for both the internal and external forests but I am more interested
in any known exploits, hijacks etc that may exist.

I wouldn't configure a firewall rule with ANY>DMZ anyway.  There would be
a set of rules for external--->DMZ and internal--->DMZ.  Each would have
specific rules for the services that are required.

-David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 25 Aug 2006 18:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ and Trusts

  Where are you pulling the "not recommended" from?

  The issues are not typically technical, but rather procedural once you
  get past the, "yes, but if it's a DMZ, should internal users have direct
  access?" questions. :)

  One other thing to point out: the users will also have to have direct
  access to the application.  From a network perspective, that's often seen
  as an issue because the firewall is then configured for any -->DMZ host.
  That really does defeat the purpose of a DMZ in most cases.

  My added $0.04 anyway.

  -ajm

  On 8/25/06, Wyatt, David <[EMAIL PROTECTED]> wrote:

    Hello

    Imagine the following scenario, you have an internal W2K3 forest and an
    external W2K3 forest on the DMZ.  Management wish to create a one-way
    trust between the two forests so the DMZ forest trusts the internal
    forest for an application.

    I have read that this is obviously possible but not recommended and
    cannot find out why.  Does anyone know what the exact security issues or
    exploits could be?  Assume we have a firewall with the rules configured
    to only allow trust traffic through.

    Regards
    David

This message contains confidential information and is 
intended only 
for the individual or entity named. If you are not 
the named addressee 
you should not disseminate, distribute or copy this 
e-mail. 
Please notify the sender immediately by e-mail if you 
have received 
this e-mail by mistake and delete this e-mail from 
your system. 
E-mail transmission cannot be guaranteed to be secure 
or error-free 
as information could be intercepted, corrupted, lost, 
destroyed, arrive 
late or incomplete, or contain viruses. The sender 
therefore does not 
accept liability for any errors or omissions in the 
contents of this 
message which arise as a result of e-mail 
transmission. 
If verification is required please request a 
hard-copy version. 
This message is provided for informational purposes 
and should not 
be construed as an invitation or offer to buy or sell 
any securities or 
related financial instruments. 
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as 
required. 
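Whatever the specific risks David is after, the settings that bound how far a trust reaches are readable from the trust object itself, and that is the check worth running before and after the trust is created. As an added example, not from the thread or any poster, the PowerShell below uses the RSAT ActiveDirectory module and is meant to be run in the DMZ forest, where the trust to the internal forest shows as Outbound (the DMZ side trusts the internal side). It reports whether SID filtering is enforced (without it, SIDs carried in SIDHistory from the trusted forest are honoured), whether selective authentication is on (with it, only principals explicitly granted "Allowed to authenticate" on a DMZ machine can use the trust at all, rather than every internal user), and whether TGT delegation is allowed across the trust.

```powershell
# Added example (not from the thread): report the risk-limiting settings of
# each trust of the local forest. Requires the RSAT ActiveDirectory module.
# Run in the DMZ forest for David's scenario (trust to internal = Outbound).

Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param([string]$Server)   # optional DC to query; default is the current domain
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    Get-ADTrust @params | ForEach-Object {
        $findings = @()
        $direction = "$($_.Direction)"   # Inbound, Outbound or BiDirectional

        # Outbound/BiDirectional: this forest trusts the other one, so its users
        # can be granted access here and the controls below apply on this side.
        if ($direction -in 'Outbound', 'BiDirectional') {
            # Forest trusts carry SID filtering as SIDFilteringForestAware,
            # external trusts as SIDFilteringQuarantined; either one enforces it.
            if (-not ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)) {
                $findings += 'SID filtering not enforced (SIDHistory from the trusted forest is honoured)'
            }
            if (-not $_.SelectiveAuthentication) {
                $findings += 'selective authentication off (every trusted user may authenticate here)'
            }
            if ($_.TGTDelegation) {
                $findings += 'TGT delegation allowed across the trust'
            }
        }

        [pscustomobject]@{
            Name          = $_.Name
            Direction     = $direction
            TrustType     = "$($_.TrustType)"
            Transitive    = $_.ForestTransitive
            SIDFiltering  = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
            SelectiveAuth = $_.SelectiveAuthentication
            TGTDelegation = $_.TGTDelegation
            Findings      = ($findings -join '; ')
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize
```

For the one-way trust in the scenario, running the same function in the internal forest should show the trust as Inbound with no findings, since nothing on the internal side trusts the DMZ; a BiDirectional result there means the trust was not created the way management described it.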
 



RE: [ActiveDir] Add folder with quota to existing mailboxes - via scripting or tool

2006-08-29 Thread victor-w
I agree with you, this is not the best solution by far.

The customer will tell its users that all other folders, including tasks
and the calendar, are not private and that only the private folder will be
'private/personal'.

The user will perhaps, or even probably, assume that the folder will never
be looked at by IT, while in fact it would probably indeed be the first
folder IT would look in, in case of trouble.

If it would have been my choice it would have been another solution but I
didn't have the final say in this one. Sometimes you aren't in the position
to give the definite answer and you are simply only executing orders. We
have probably all been in that position and sometimes still are.

I am interested in the technical aspect of the matter, the script itself
and the technical possibilities and difficulties that come into play, like
not being able to set a quota on a separate folder in Exchange 2003.

Brian, you pointed out to me that Exchange 2007 does offer this
functionality so I checked it out and I came across 'managed folders',
interesting:
http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/859e437b-44b2-4203-883e-cb8c365973fd.mspx?mfr=true

Thank you also for pointing me to two 3rd party applications which offer
exactly this functionality but the customer chooses not to implement them
for various reasons, additional costs being the most significant one.

I agree it would indeed be better to have this tacked onto a script to
mailbox enable/mailbox connect users, but I know this will be refused
because, as you pointed out, this creates a dependency (the customer's IT
department who will have to execute the script). So it will probably come
down to a script which will run a couple of times a day, checking all
mailboxes for the existence of the folder and, if not present, adding it.

We are talking about 1 server, not experiencing any performance problems
(containing two 3.6 GHz Xeon procs, 4 gig of mem and hosting 400
mailboxes).

Looking at the initial script that was suggested by Mathieu:

set olApp = CreateObject("Outlook.Application")            ' Outlook automation (COM) object
set inbox = olApp.GetNamespace("MAPI").GetDefaultFolder(6)  ' 6 = olFolderInbox of the current profile
set temp5 = inbox.Folders.Add("Private", 6)                 ' new mail folder under the Inbox (type 6 = olFolderInbox)

This creates a folder under the inbox folder. How would the last line look
if the folder would have to be created in the root of the mailbox?

I have been checking more into the details of the script myself and ran
into this article:
http://support.microsoft.com/?kbid=310244 But I cannot seem to find how to
refer to the root of the mailbox.

I am probably missing something but I don't see in this script which users
will be affected by the script, to whom it will apply, like 'domain.com'
for instance. This could be particularly interesting to use for testing,
if it would be possible to apply it to only one user, for instance by
specifying a dn.

Is it possible to add these additions to the script?
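An added PowerShell example, not code from the thread or from Mathieu's script, that does what the VBScript above does but places the folder in the root of the mailbox: in the Outlook object model the mailbox root is the Parent of the default Inbox, so `Folders.Add` is called on that parent instead of on the Inbox. It checks for an existing folder first so a run scheduled a couple of times a day is harmless when the folder is already there. It assumes Outlook is installed and acts only on the mailbox of the MAPI profile it runs under; reaching other users' mailboxes (the "which users does this apply to" question) needs a logon per mailbox, which this example does not attempt.

```powershell
# Added example (not from the thread): create a "Private" folder in the root of
# the mailbox (the Inbox's parent) via the Outlook object model, only if missing.
# Assumes Outlook is installed; acts on the mailbox of the current MAPI profile.

$olFolderInbox = 6   # OlDefaultFolders.olFolderInbox; as a folder type, a mail-item folder

function Add-PrivateFolder {
    param(
        [string]$FolderName = 'Private',
        [switch]$UnderInbox   # default is the mailbox root, as asked in the thread
    )
    $outlook = New-Object -ComObject Outlook.Application
    $ns      = $outlook.GetNamespace('MAPI')
    $inbox   = $ns.GetDefaultFolder($olFolderInbox)

    # The root of the mailbox store ("Mailbox - <user>" in the folder tree) is
    # the Inbox's parent, so this is the VBScript's inbox.Folders.Add applied
    # one level up.
    $parent = if ($UnderInbox) { $inbox } else { $inbox.Parent }

    # Idempotent: do nothing if a folder of that name already exists there.
    $existing = @($parent.Folders | Where-Object { $_.Name -eq $FolderName })
    if ($existing.Count -gt 0) {
        return [pscustomobject]@{ Parent = $parent.Name; Folder = $FolderName; Created = $false }
    }

    $null = $parent.Folders.Add($FolderName, $olFolderInbox)
    [pscustomobject]@{ Parent = $parent.Name; Folder = $FolderName; Created = $true }
}

Add-PrivateFolder
```

In VBScript terms the answer to the "last line" question is the same change: call `Folders.Add` on `inbox.Parent` rather than on `inbox`. Limiting a test run to one user is then a matter of which profile the script is started under, since the Outlook object model never selects users by DN or domain.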



From: "joe" <[EMAIL PROTECTED]>
Date: Mon, 28 Aug 2006 09:45:31 -0400

This sounds kooky. What does the customer intend to do with the rest of the
mailbox or how do they intend to specially treat the private folder? What
about the calendar and tasks? Private or not?

Currently there really isn't a good technical solution to this. About the
best is that you tack onto the end of the script you use to mailbox enable
users and it logs into the mailbox so it gets instantiated and then creates
the folder; you can't specify Exchange to create a folder once the mailbox
is instantiated later. As Brian indicated, you also can't set a quota on the
folder.

Now with the above you still have the issue of people not using your script
to mailbox enable users (or say doing a mailbox reconnect) so at some point
you would have to be scanning mailboxes looking for that folder and adding
it if missing. Depending on the number of mailboxes this could be something
that has to be constantly running because it can take a long time to log in
and check all of those mailboxes. Personally I hate writing scripts that
loop through all mailboxes like that as they always seem to get screwed up
after a bit. The whole programmatic aspect of Exchange mailboxes and logging
into them, etc is flakey and slow, IMO.

Probably the better solution is just to tell people, hi, if you get private
or personal email, create a folder called private and put it in there. The
rest of your mailbox is not considered private and we will be xxx. Where
the xx is whatever it is the customer intends to do with the rest of the
mailbox or how they expect to treat the private folder differently from the
rest of the mailbox.

Personally again, I say it is all kooky. IMO, when you really get down to
it, none of a business mailbox is private/personal. The company can go into
any