RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



Yeah, that's what my coworkers and I have been debating: what method to use to check password length. We are looking through Perl modules to see if there are any that can actually do what we are talking about. So far no luck with it, but the search continues. Do you know of any module that does what we speak of?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, August 31, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

How are you guys checking password length after the 
fact?


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Katrin Wilhelm
Sent: Thursday, August 31, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy


I agree with Za,

But adjust the script so that it automatically locks the account should it not be 15 characters long, and then they have to change it.

Just an idea from a newbie.

Kat





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Thursday, 31 August 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy

Would it be easier just to ask them to use 15 characters? Run a small script to check on the number of characters after the passwords have been changed. If under 15, then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:

Third-party software could be an option, for example: http://www.anixis.com/products/ppe/default.htm

jorge

  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Thursday, August 31, 2006 14:15
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Seperate Administrator password policy
  
  Just wanted to field 
  this to see if it makes any sense to any of you guys. 
  
  
  
  
  We are going to implement a mandatory 15-character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this?
  
  
  
  
  
  Thanks,
  
  
  
  Nate 
  Bahta

This e-mail 
and any attachment is for authorised use by the intended recipient(s) only. It 
may contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank 
you.


Re: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Za Vue




Come on.. You mean searching for a _vbscript_ to check password length
yields nothing on Google.com?

Here is a start:
==
' Bind to the account through the WinNT (ADSI) provider
Dim User
Dim UserName
Dim UserDomain
UserDomain = "DomainToManage"
UserName = "UserName"
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' PasswordMinimumLength is the policy's minimum length as seen from this account
WScript.Echo User.PasswordMinimumLength   ' WScript.Echo for WSH; Response.Write only exists in ASP
==

Perhaps username can be changed to domain admins and use GPO to apply
to the admin group? Anyway, I am sure someone can finish the rest.

-Z.V.


NOTE: Make sure you have the latest scripting engines on the
workstation you run this script from. Download the latest scripting
engines here: Microsoft Scripting Home Page







RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



What does that have to do with reading how many characters someone's password is? I know how to find out the minimum password length value, but that is not what we are concerned with. We are concerned with how long the actual password is. Be it 15 or 20 or 8 characters, that is what we are looking for. If I wanted to read AD attributes this would be fairly elementary, hardly worth a Google search.




RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Almeida Pinto, Jorge de



Doesn't this return the minimum password length configured in the password policy for the domain, and not the password length of the actual password for that targeted user account?

jorge



RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Laura A. Robinson



As a 
side note to the other discussions, you do not need to set minPwdLength *and* 
uASCompat. minPwdLength is for a Win2K3 domain, and uASCompat is for a Windows 
2000 domain. In Windows 2000, you can also just directly edit the GP template 
(.adm).

Laura




RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread joe



That is what I am saying... You can't.

Once a password has been checked through the filters and the change notify sent out to the hooked functions, the password length/complexity/etc. is gone. The clear text password is not kept. Certainly MSFT doesn't keep a tally on what length the password is for every user; what would be the point other than to help folks looking for info for brute force cracking attempts - yes, don't worry about testing passwords of length 8-256 characters, you only have to worry about 8 or 10 or 12 or 20. Certainly that doesn't make it guaranteed the hack will succeed for long passwords 15 and greater, but if someone is already aware and specifically targeting someone, that may be enough to help them narrow things down enough to get you.


There are two ways natively to authoritatively know the password length of any new password: the first is to see it in the password filter function you implement, the second is in the password change notify function you implement. Both require DLLs that get hooked into LSASS on EVERY DC.

An alternative which is less scary to many people is to 
disallow password changing in the domains natively and then force folks through 
a web site with all of the policies[1]. The beauty there is that you can feed 
back good info to the users when they pick a bad password. However, this is not 
something you implement for admins (I mean people with forest/domain IDs with 
admin rights, this is fine for delegated "admins") of the forest. You just can't 
enforce it because anything one admin puts in place, another can circumvent. But 
then, the 3-5 people you have for your EA/DA positions in your company are 
highly trusted and would do the correct thing in that case and don't need a 
policy like that applied to them right?

 joe



[1] The app that does this becomes critical when you do this; you'd better make sure you have security/stability/simplicity and a whole lot of redundancy here.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
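As an added illustration of the first native route joe describes (not joe's code, nor anything from the list), here is a minimal LSA password filter DLL exporting the documented InitializeChangeNotify, PasswordFilter and PasswordChangeNotify entry points. It enforces the thread's 15-character minimum in PasswordFilter and deliberately retains nothing in PasswordChangeNotify; the non-Windows branch stubs the LSA types (an assumption for stand-alone compilation), and `make_ustr`/`filter_accepts` are test helpers added here, not part of the filter contract.

```c
/* Minimal LSA password filter enforcing a 15-character minimum.
 * Added example, not code from the thread. The exports follow the documented
 * LSA password-filter contract; the non-Windows branch stubs the LSA types so
 * the length logic compiles and can be tested without a domain controller. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
#define FILTER_EXPORT __declspec(dllexport)
#else
/* Stand-in definitions with the same shapes as the Windows types. */
#include <stdint.h>
typedef unsigned char BOOLEAN;
typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef int32_t NTSTATUS;
typedef struct _UNICODE_STRING {
    USHORT Length;        /* length in BYTES, not characters */
    USHORT MaximumLength; /* buffer size in bytes */
    WCHAR *Buffer;        /* UTF-16, not NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;
#define TRUE 1
#define FALSE 0
#define STATUS_SUCCESS ((NTSTATUS)0)
#define __stdcall
#define FILTER_EXPORT
#endif

/* Policy from the thread: a 15-character minimum for administrator accounts. */
#define MIN_PASSWORD_CHARS 15

/* UTF-16 code units in the proposed password. UNICODE_STRING.Length counts
 * bytes, so divide by sizeof(WCHAR); a NULL or empty string counts as 0. */
static size_t password_chars(const UNICODE_STRING *pw)
{
    if (pw == NULL || pw->Buffer == NULL)
        return 0;
    return pw->Length / sizeof(WCHAR);
}

/* Called once when LSASS loads the DLL; TRUE activates the filter. */
FILTER_EXPORT BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE;
}

/* Called with the proposed clear-text password before it is committed;
 * returning FALSE rejects it. SetOperation is TRUE for an administrative
 * reset, FALSE for a user change; the rule applies to both deliberately. */
FILTER_EXPORT BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                               PUNICODE_STRING FullName,
                                               PUNICODE_STRING Password,
                                               BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return password_chars(Password) >= MIN_PASSWORD_CHARS ? TRUE : FALSE;
}

/* Called after the change is committed. This is the second place the clear
 * text is visible; the filter stores nothing here, not even the length. */
FILTER_EXPORT NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                                      ULONG RelativeId,
                                                      PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}

/* Test helper: wrap an ASCII string (constructed sample input) as a
 * UNICODE_STRING the way LSASS would hand it to the filter. */
static UNICODE_STRING make_ustr(const char *ascii, WCHAR *buf, size_t cap)
{
    UNICODE_STRING u;
    size_t i, n = strlen(ascii);
    if (n > cap) n = cap;
    for (i = 0; i < n; i++)
        buf[i] = (WCHAR)(unsigned char)ascii[i];
    u.Length = (USHORT)(n * sizeof(WCHAR));
    u.MaximumLength = (USHORT)(cap * sizeof(WCHAR));
    u.Buffer = buf;
    return u;
}

/* Returns 1 if the filter would accept this password, 0 if it would reject it. */
int filter_accepts(const char *ascii_password)
{
    WCHAR buf[256];
    UNICODE_STRING pw = make_ustr(ascii_password, buf, 256);
    return PasswordFilter(NULL, NULL, &pw, FALSE) == TRUE;
}
```

On a DC the built DLL is registered through the LSA Notification Packages value and, as joe notes, has to be present on every DC to be authoritative.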





[ActiveDir] remove a site in AD

2006-09-01 Thread Mike Newell








Hey,

There was a site created in AD that I would like to remove.
Are there any gotchas when removing a site and adding the subnet back into an
existing site? The site was created for our datacenter. The datacenter houses our
Exchange servers and I would like Exchange to use the DC/GCs in our
office as well. DSACCESS will just pick up the DC/GCs in the office the
next time it runs the discovery process right?



The Datacenter is connected to the office by a DS3. Windows
2000 single domain, Exchange 2003.



Thanks.



Mike 





 This message and any attachments (the "Message") may contain confidential, proprietary and/or privileged information and are only for their intended recipient(s). If you are not the intended recipient, you should notify the sender and delete the Message. E-mail transmissions cannot be guaranteed to be secure or error-free. This Message is provided for information purposes and should not be construed as a solicitation or offer to buy or sell any securities or financial instruments, or to provide investment advice in any jurisdiction where the sender is not properly licensed or permitted to do so.  This Message is subject to additional conditions and restrictions.  Please read them here:
 http://legal.dimensional.com/email/






Re: [ActiveDir] remove a site in AD

2006-09-01 Thread Al Mulnick
Wouldn't it make more sense to change the site definitions and DC/GC memberships prior to removing the site?

On 9/1/06, Mike Newell [EMAIL PROTECTED] wrote:


[ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Ramon Linan








Hi,

I have a client that has AD-integrated DNS.

The internet domain is the same as the AD domain (domain.com).

They have ns1 and ns2 to handle the internet domain, meaning MX, www, A, etc. records for domain.com; those are the external DNS servers.

And they also have several internal DNS servers for AD.

The thing is, I am able to query ns1 and ns2 from outside the office and find out everything for the domain: global catalogs, DCs, etc.

Is this the correct way to do it?

Does anybody know of a good white paper or similar that deals with AD-integrated DNS, internal and external DNS, etc.?

Thanks

Rezuma










RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Robinson, Chuck








That is generally not a good idea.

Google "split brain DNS"; this should give you a good start.







Chuck Robinson, MCSE: Messaging, VCP, Senior Solutions
Consultant

EMC Microsoft
Practice

tel 732-321-3644 xt.45, mobile 973-865-0394, fax 732-321-6855 

email:[EMAIL PROTECTED]













RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Scott, Anthony








All you should have to do is create an A record named www, point
it to the internal IP of your web server. This will create an A record of
www.domain.com







Thanks,

Anthony Scott

Microsoft
Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]











RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Akomolafe, Deji



This doesn't do anything positive for him regarding his particular concerns. He is publishing internal records to the public.

I have seen some people argue that it is not a big deal to expose internal addresses/records unless the addresses are routable. Me? I say it is bad to mix your internal and external records on the same server. Unless you don't have a choice in terms of hardware limitations, you should split your internal and external zones. Ideally, you would want your internal domain name to be different from your external domain name. But, where that is not possible, use different servers for the DNS service. Point your internal servers and clients to the internal DNS servers and make sure that these are the only name servers listed in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal records from the external DNS servers and make sure that these are the only servers listed externally at the Registrar for the domain.



Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





[ActiveDir] Moving Contacts to Public Folders

2006-09-01 Thread Alex Alborzfard
Is there a script out there to move contacts entered in a specific OU
and different distribution groups to EXCH's Public Folders? 
It's a weird request by a client!

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, August 29, 2006 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

Oddly enough today we got hit by a virus (worm actually) that had exploited the MS06-040 vulnerability. Our AV (Trend) didn't catch it in time.
Though I brought it up to my boss and fellow Admins' attention more than 2 weeks ago, they decided to ignore it!
We ended up going around with the helpdesk team to clean the mess up.
I'm sure it'll be swept under the rug!

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 11, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

..and plant that flag and get it raised.

You cannot protect what is not managed.

Alex Alborzfard wrote:
 Yes I'm aware of both tools. WSUS requires a dedicated server and configuration.
 MBSA doesn't list installed patches, date of application, versions, etc.
 It basically tells you what is missing.
 I was talking about a tool that I can run from my PC, which I have used in the past. I think you could also remove the patch or roll it back right from the interface. For some reason I thought it was Windows Defender, but I installed it and it doesn't have that capability.

 No I'm not managing patching in our networks...well not yet anyway!
 I'm just trying to raise the flags, so to speak.

 Alex

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Friday, August 11, 2006 11:53 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
 Vulnerability in DNS Resolution Could Allow Remote Code Execution

E-Bitz - SBS MVP the Official Blog of the SBS Diva : The threats and risk level today:
http://msmvps.com/blogs/bradley/archive/2006/08/10/107303.aspx


 Alun's Holy Crap post:
 Tales from the Crypto : How do I rate today's patches?:
 http://msmvps.com/blogs/alunj/archive/2006/08/08/107097.aspx


MBSA - http://www.microsoft.com/technet/security/tools/mbsahome.mspx

WSUS - http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

 You are managing patching in your networks now right?

Alex Alborzfard wrote:
Thanks John, this is really helpful, though only for this vulnerability.

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Friday, August 11, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

For MS06-040 you can use the tool from eeye.com to ID vulnerable machines:

http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Alex Alborzfard wrote:
What about MS06-040? I've heard it's a nasty one like Blaster.
DHS has already issued a recommendation to apply this patch.

I remember using a utility tool that would list all applied patches on a Windows box with all kinds of information.
Has anyone ever used it or know anything about it?

Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 08, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

One of 12 today...but since it's DNS related

Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683):
http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx

For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.

(and Brett...just a FYI... in my twig forest... any attacker that ends up on a subnet between a host and my DNS server [aka the Kitchen sink service server] ... that attacker is dead meat and has a 2x4 aimed his way... one advantage 

RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread joe



Heh, this was a topic on a MSFT concall yesterday... Bind 9 supports multiple views on zones based on external/internal (or other definitions) requests... Cuts down on the number of DNS servers required.


http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html

http://transposed.org/techstuff/bind9-win2k.html

or better (depending on your viewpoint[1])

http://info.ccone.at/INFO/FreeBSD-Manual/en/network-bind9.html


:)


[1] B.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


This doesn't do anything positive for him regarding his particular concerns. He is publishing internal records to the public.

I have seen some people argue that it is not a big deal to expose internal addresses/records unless the addresses are routable. Me? I say it is bad to mix your internal and external records on the same server. Unless you don't have a choice in terms of hardware limitations, you should split your internal and external zones. Ideally, you would want your internal domain name to be different from your external domain name. But, where that is not possible, use different servers for the DNS service. Point your internal servers and clients to the internal DNS servers and make sure that these are the only name servers listed in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal records from the external DNS servers and make sure that these are the only servers listed externally at the Registrar for the domain.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Scott, Anthony
Sent: Fri 9/1/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


All you should have to do is create an A record named www, point it to the internal IP of your web server. This will create an A record of www.domain.com



Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, September 01, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS DOCUMENTATION

Hi,

I have a client that has AD integrated DNS.

The internet domain is the same as the AD domain (domain.com).
They have ns1 and ns2 to handle the internet domain, meaning mx, www, A, etc. records for domain.com; those are the external DNS servers.
And they also have several internal DNS servers for AD.

The thing is I am able to query ns1 and ns2 from outside the office and find out everything for the domain, global catalogs, DCs, etc.

Is this the correct way to do it?
Does anybody know a good white paper or similar that deals with AD integrated DNS, internal and external DNS, etc.?


Thanks

Rezuma
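
The check Ramon describes (querying ns1/ns2 from outside and getting DCs and GCs back) and the clean-up Deji recommends (no internal records on the Internet-facing servers) can be verified with a small audit script. The following is an added example, not code from the thread or from any of the posters: it builds raw DNS queries for the locator names every domain controller registers under the AD zone, parses the answers with the standard library only, and reports which names the external server answered for. "domain.com" is the placeholder from the thread; the record names, the "dc1" host, port 389 and the canned responses in fake_external_ns are constructed for the offline demonstration. Point udp_sender at a real ns1/ns2 address to run it for real (UDP only; a truncated answer still counts as a leak, so no TCP fallback is needed for this purpose).

```python
"""Audit an Internet-facing name server for Active Directory locator records.
Added example, not from the ActiveDir thread. Standard library only."""
import socket
import struct

TYPE_A, TYPE_SRV = 1, 33

# Names a DC publishes under its AD zone. An external server that answers
# these is handing out the internal DC/GC inventory (constructed list).
AD_LOCATOR_NAMES = (
    "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}", "_gc._tcp.{d}",
    "_kerberos._tcp.dc._msdcs.{d}", "_kpasswd._tcp.{d}", "gc._msdcs.{d}",
)


def encode_name(name):
    """Dotted name -> wire-format labels ending with the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question query, recursion desired, class IN."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next_off).
    next_off is just past the name at its original position: a pointer is
    two bytes however far it jumps."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, answers); each answer is (name, type, value, srv_target)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)      # target may be compressed
            answers.append((name, "SRV", port, target))
        elif rtype == TYPE_A:
            answers.append((name, "A", socket.inet_ntoa(msg[off:off + 4]), None))
        off += rdlen
    return flags & 0x000F, answers


def audit_name_server(domain, send, names=AD_LOCATOR_NAMES):
    """send(packet) -> response bytes. Returns [(name, answers)] the server leaked."""
    leaks = []
    for tmpl in names:
        name = tmpl.format(d=domain)
        qtype = TYPE_SRV if name.startswith("_") else TYPE_A
        rcode, answers = parse_response(send(build_query(name, qtype)))
        if rcode == 0 and answers:                    # NOERROR with data = leak
            leaks.append((name, answers))
    return leaks


def udp_sender(server_ip, timeout=3.0):
    """Real transport: UDP/53 to the external name server under test."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (server_ip, 53))
            return s.recv(4096)
    return send


def fake_external_ns(packet):
    """Constructed stand-in for ns1 that leaks one DC locator SRV record."""
    txid, (qname, qend) = packet[:2], read_name(packet, 12)
    question = packet[12:qend + 4]
    if qname != "_ldap._tcp.dc._msdcs.domain.com":   # everything else: NXDOMAIN
        return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    zone_ptr = 12 + len(encode_name("_ldap._tcp.dc._msdcs")) - 1  # "domain" label
    rdata = (struct.pack("!HHH", 0, 100, 389) + b"\x03dc1"
             + struct.pack("!H", 0xC000 | zone_ptr))              # dc1.domain.com
    answer = (struct.pack("!H", 0xC00C)               # owner: pointer to question
              + struct.pack("!HHIH", TYPE_SRV, 1, 600, len(rdata)) + rdata)
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Replace fake_external_ns with udp_sender("<ns1 address>") for a live check.
    for leaked_name, recs in audit_name_server("domain.com", fake_external_ns):
        print("LEAKED:", leaked_name, recs)
```

An empty result from a real ns1 and ns2 is the state Deji's procedure aims for; any hit means the external zone still carries DC locator data that belongs only on the internal servers.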



RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Akomolafe, Deji



Couldn't make the con-call.

But we have been asking for this for some time now. Do you have any shareable info on what MS is doing along that line?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: joe
Sent: Fri 9/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

Heh, this was a topic on a MSFT concall yesterday... Bind 9 supports multiple views on zones based on external/internal (or other definitions) requests... Cuts down on the number of DNS servers required.

http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html

http://transposed.org/techstuff/bind9-win2k.html

or better (depending on your viewpoint[1])

http://info.ccone.at/INFO/FreeBSD-Manual/en/network-bind9.html


:)


[1] B.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







[ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Kevin Brunson

Anyone else out there dealing with the Computer Associates eTrust Antivirus signature thing this morning?

Symptoms: "The system process C:\Windows\System32\lsass.exe terminated unexpectedly with status code 0. The system will now shut down and restart."

After the reboot, it once again gives the same message, over and over.

Resolution: Update to the latest eTrust Antivirus signatures. The version ending in .3056 is known stable.

Details: Apparently the signatures are detecting lsass.exe as a virus and trying to rename or delete it. Windows File Protection kicks in and says no. They then argue for a bit and neither wins so the server gives up and reboots.

Hopefully no one else has experienced this, but if you are running CA, this should solve your problem. Almost all of my customers are running eTrust Antivirus, so it has been a very long morning.



Kevin


RE: [ActiveDir] remove a site in AD

2006-09-01 Thread Mike Newell
Hey Al,
Yep. Sorry, I got a bit sloppy when writing that part. I don't plan to delete the site for a few days after I make the change.

Do you think I should move the DC to siteB and then associate the subnet with siteB, or should I change the subnet/site and then move the DC?

Thanks again.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, September 01, 2006 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remove a site in AD

Wouldn't it make more sense to change the site definitions and DC/GC memberships prior to removing the site?

On 9/1/06, Mike Newell  [EMAIL PROTECTED] wrote:
Hey,
There was a site created in AD that I would like to remove. Are there any 
gotchas when removing a site and adding the subnet back into an existing site? 
The site was created for our datacenter. The datacenter houses our Exchange 
servers and I would like Exchange to use the DC/GC's in our office as well. 
DSACCESS will just pick up the DC/GC's in the office the next time it runs the 
discovery process right? 
 
The Datacenter is connected to the office by a DS3. Windows 2000 single domain, 
Exchange 2003. 
 
Thanks.
 
Mike 
 

This message and any attachments (the Message) may contain confidential, 
proprietary and/or privileged information and are only for their intended 
recipient(s). If you are not the intended recipient, you should notify the 
sender and delete the Message. E-mail transmissions cannot be guaranteed to be 
secure or error-free. This Message is provided for information purposes and 
should not be construed as a solicitation or offer to buy or sell any 
securities or financial instruments, or to provide investment advice in any 
jurisdiction where the sender is not properly licensed or permitted to do so. 
This Message is subject to additional conditions and restrictions. Please read 
them here: http://legal.dimensional.com/email/ 




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]


CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?nstoryid=1665
Unsubscribe: http://isc.sans.org/notify.php


Yup


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread joe



The whole call was NDA so unfortunately I have no news to share.

I do have this to say though: if you or anyone feels this is something that MSFT DNS should be able to do, smack your TAM on the butt and say "Hey TAM, earn your pay and listen up, we want this multiple view thing that Bind has had for like 6-7 years so go get it done."
:)

How many SBS'ers here use their SBS server to serve DNS to the world outside of their walls? I bet you guys would *really* like multi-view capability.

 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


Couldn't make the con-call.

But we have been asking for this for some time now. Do you have any shareable info on what MS is doing along that line?






RE: [ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Robert Rutherford
Absolutely Shocking!

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 01 September 2006 17:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus


CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?nstoryid=1665
Unsubscribe: http://isc.sans.org/notify.php


Yup





RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Scott, Anthony

I misunderstood his question. Why not have the company's ISP handle external DNS? The situation he is describing is no good.

Thanks,

Anthony Scott



















RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Almeida Pinto, Jorge de
see for list of KB articles about DNS:
http://blogs.dirteam.com/blogs/jorge/archive/2006/06/16/1134.aspx
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Scott, Anthony
Sent: Fri 2006-09-01 19:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION



I misunderstood his question. Why not have the company's ISP handle external DNS? The situation he is describing is no good.

 

 

Thanks,

Anthony Scott


 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Kevin Brunson
We have found varying degrees of destruction, but so far none that could
not be recovered.  For some reason MS KB323497 seems to resolve just
about everything we have come across.

We have found a few servers that get blank screens in safe mode.  They
never get to a logon prompt.  Anyone gotten past this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 01, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus


CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?nstoryid=1665
Unsubscribe: http://isc.sans.org/notify.php


Yup



Re: [ActiveDir] remove a site in AD

2006-09-01 Thread Al Mulnick
It depends on your site topology that you have now. If you were to move the ip address definitions but have no dc in that site, then the clients would be forced to find one elsewhere according to costs etc. Is that acceptable in your environment? 
In the end, I doubt it really matters a whole heck of a lot in most cases. There might be a blip while the clients fall back to using one in their local site, but that won't happen until they next query for the site. 
Were it me, I'd go ahead and configure the subnets and then move the GC into that site. If the version of Exchange you're running is new enough, then it will check for GCs in its own site after 15 minutes of losing its own. Clients may notice depending on the client type. Keep in mind that Exchange will use the other servers regardless of site. They'll prefer GCs in their own site, but that's not an absolute to the exclusion of the rest of the topology. In fact, there are a lot of strong arguments for getting Exchange to use particular GCs since that's what gets handed out to the clients for directory use.
Al

On 9/1/06, Mike Newell [EMAIL PROTECTED] wrote:

Hey Al,

Yep. Sorry, I got a bit sloppy when writing that part. I don't plan to delete the site for a few days after I make the change. Do you think I should move the DC to siteB then associate the subnet with siteB, or should I change the subnet/site then move the DC?

Thanks again.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 01, 2006 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remove a site in AD

Wouldn't it make more sense to change the site definitions and dc/gc memberships prior to removing the site?

On 9/1/06, Mike Newell [EMAIL PROTECTED] wrote:

Hey,

There was a site created in AD that I would like to remove. Are there any gotchas when removing a site and adding the subnet back into an existing site? The site was created for our datacenter. The datacenter houses our Exchange servers and I would like Exchange to use the DC/GCs in our office as well. DSACCESS will just pick up the DC/GCs in the office the next time it runs the discovery process, right?

The Datacenter is connected to the office by a DS3. Windows 2000 single domain, Exchange 2003.

Thanks.
Mike

This message and any attachments (the Message) may contain confidential, proprietary and/or privileged information and are only for their intended recipient(s). If you are not the intended recipient, you should notify the sender and delete the Message. E-mail transmissions cannot be guaranteed to be secure or error-free. This Message is provided for information purposes and should not be construed as a solicitation or offer to buy or sell any securities or financial instruments, or to provide investment advice in any jurisdiction where the sender is not properly licensed or permitted to do so. This Message is subject to additional conditions and restrictions. Please read them here:
http://legal.dimensional.com/email/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread [EMAIL PROTECTED]

I know we've provided support for multiple password policies for
different users of the same domain for at least one customer with our
P-Synch product.

Our customer in this case was doing more or less the same thing
as you are asking about -- stronger password complexity rules for
admin users, without needing a separate domain.  I think they had more
requirements than just password length, but that's really a minor detail.
Joe mentioned using a password filter DLL to do this, which is precisely
where we are hooking in.

That said, maybe you should first consider what the underlying business
problem is that you're trying to address?  If it's more controlled and
secure access to admin passwords, perhaps you should look at totally
different approaches to managing administrator access, other than simply
longer, but still static passwords.  Also, does the underlying business
driver pertain just to AD, or should you be thinking about other systems
in your environment?

One method is to periodically (frequently) randomize each and every
admin password, and have admins go through a central choke point (e.g.,
web app) to access the admin passwords if and when they need them,
as opposed to having a bunch of well-known admin passwords out there.

There are products to do this (and yes, we make one too).

Cheers,


--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Thu, 31 Aug 2006, Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote:


Just wanted to field this to see if it makes any sense to any of you
guys.

We are going to implement a mandatory 15 character password policy for
all of our administrator accounts.  The only way that makes sense is a
subdomain with a separate password policy, since there is only one per
domain.  I also know that I have to edit the minPwdLength attribute and
the uASCompat attribute to make this work on the subdomain.  Can anyone
think of another method of doing this?


Thanks,

Nate Bahta


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread Free, Bob
I can say that I have seen logs way bigger than the specified max size.


That's probably due to the little bug in the Policy setting vs actual
size, I don't have the reference with me but it's back at the office, I
had to figure it out because my DC logs actual sizes weren't matching
what was in the Domain Controller GPO.

Anyway, the point I mentioned the other day and that Mark later
reiterated was the practical limit of ~300MB, or risk of introducing
problems with services.exe, lsass, the audit subsystem etc on a DC. Are
you saying you have seen the aggregate size of the eventlogs go over
that? I found out about the instability the hard way and then once I
knew what to look for the references became apparent.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, August 31, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log


I can say that I have seen logs way bigger than the specified max size.
I can't say it's hurt the servers in any way.
 

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Glenn Corbett
Sent: Thu 8/31/2006 2:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log


Interesting.
 
From the article: "Microsoft plans to resolve these problems in the next
version of Windows by rewriting the event logging system from the ground
up." Since the last update was Mar 28 2003, I wonder how this applies to
Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only
be fixed in Longhorn.
 
Glenn
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined
size of the application, security, and system event logs should not
exceed 300 MB. On domain controllers, the combined size of these three
logs - plus the Directory Service, File Replication Service, and DNS
Server logs - should not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark






RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread David Adner
The bug you're probably referring to is that in 2003 RTM you cannot reduce
the size of an Event Log via GPO.  You can increase the size but not
decrease it.  This can cause you to have larger logs than what you think if
all you do is review what the GPOs say. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
 Sent: Friday, September 01, 2006 1:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Logging successful logons in AD security log
 
 I can say that I have seen logs way bigger than the 
 specified max size.
 
 
 That's probably due to the little bug in the Policy setting 
 vs actual size, I don't have the reference with me but it's 
 back at the office, I had to figure it out because my DC logs 
 actual sizes weren't matching what was in the Domain Controller GPO.
 
 Anyway, the point I mentioned the other day and that Mark 
 later reiterated was the practical limit of ~300MB, or risk 
 of introducing problems with services.exe, lsass, the audit 
 subsystem etc on a DC. Are you saying you have seen the 
 aggregate size of the eventlogs go over that? I found out 
 about the instability the hard way and then once I knew what 
 to look for the references became apparent.
 
 

RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread Free, Bob
Exactly. As described in KB824245. Thanks David.

That is exactly what happened to me, I was controlling the size with the
GPO (or so I thought) and when I was done testing and wanted to reduce
the size, the actual logs never reflected the GPO setting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 01, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

The bug you're probably referring to is that in 2003 RTM you cannot
reduce
the size of an Event Log via GPO.  You can increase the size but not
decrease it.  This can cause you to have larger logs than what you think
if
all you do is review what the GPOs say. 

 
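As an added example (not from the thread), here is a PowerShell check for the two things discussed above: the combined size of the logs Microsoft counts toward the ~300 MB guidance on a DC, and logs whose on-disk size exceeds their configured maximum, which is the symptom Bob and David describe. It assumes Get-WinEvent, which exists on Windows Vista / Server 2008 and later but not on the 2003 systems in the thread; the log names are the ones from the Microsoft recommendation quoted above.

```powershell
# Added example, not from the thread. Assumes Get-WinEvent (Vista / Server 2008+).
# The 2003-era .evt logs discussed above would need their file sizes read directly.

$CombinedLimitBytes = 300MB

# The three logs Microsoft counts on every machine, plus the three DC-only logs.
$BaseLogs = 'Application', 'Security', 'System'
$DcLogs   = 'Directory Service', 'File Replication Service', 'DNS Server'

function Get-EventLogFootprint {
    param(
        [switch]$DomainController,          # include the DC-only logs in the total
        [int64]$LimitBytes = $CombinedLimitBytes
    )
    $names = if ($DomainController) { $BaseLogs + $DcLogs } else { $BaseLogs }

    $rows = foreach ($name in $names) {
        # A log that is not present (e.g. no DNS role on this DC) is simply skipped.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) { continue }
        [pscustomobject]@{
            LogName       = $log.LogName
            MaximumMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            ActualMB      = [math]::Round($log.FileSize / 1MB, 1)
            # File larger than the configured cap: the policy value is not what is on disk.
            ExceedsConfig = $log.FileSize -gt $log.MaximumSizeInBytes
        }
    }

    $totalMB = ($rows | Measure-Object -Property ActualMB -Sum).Sum
    [pscustomobject]@{
        Logs       = $rows
        CombinedMB = $totalMB
        OverLimit  = ($totalMB * 1MB) -gt $LimitBytes
    }
}

$report = Get-EventLogFootprint -DomainController
$report.Logs | Format-Table -AutoSize

"Combined size: {0} MB (limit {1} MB) -> {2}" -f $report.CombinedMB, ($CombinedLimitBytes / 1MB),
    $(if ($report.OverLimit) { 'OVER the recommended limit' } else { 'within limit' })

# Flag the GPO-vs-actual mismatch per log so it can be fixed before the DC becomes unstable.
$report.Logs | Where-Object ExceedsConfig | ForEach-Object {
    "WARNING: {0} is {1} MB on disk but configured for {2} MB" -f $_.LogName, $_.ActualMB, $_.MaximumMB
}
```

Run it elevated on the DC; the Security log is not readable by a standard user.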

RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Crawford, Scott
"... of plans to allow setting password policies at the OU level"

What would be the direction they'd go to implement this? Since the setting is in the computer section of the GPO, it seems to offer all the functionality one should expect. And in fact, it is applicable at the OU level and it applies to computers [1]. It seems that the major reason people want to be able to set the policy at the OU level is so that it applies to users. The issue is that it's a computer setting, not a user setting. IMHO, the only way to allow different password policies for different users is to move the settings to the user section of the GPO.

[1] It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules. If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

Agree, a separate domain is certainly a very high price to pay; it'll cause ongoing headaches with very little benefit. Other companies add requirements for smartcard logons for Admins or also solve it via organizational rules as mentioned by ZV.

I've heard of plans to allow setting password policies at the OU level for Longhorn AD, which is due out mid next year. This could be wishful thinking (has been a request for quite some time), but I hope they make it.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy

Would it be easier just to ask them to use 15 characters? Run a small script to check on the number of characters after the passwords have been changed. If under 15 then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:

third party software could be an option

for example: http://www.anixis.com/products/ppe/default.htm

jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys.

We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this?

Thanks,

Nate Bahta



RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Michael B. Smith



While I'm sure there are some out there, I've probably got 50+ SBS clients for whom we host their DNS. They don't tend to have big pipes, reliable pipes, reliable power, or technical know-how (you'd be surprised how difficult it is to explain the purpose of a PTR record to someone who didn't really know that DNS turns names into "IP addresses" - whatever on earth are those?).


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 01, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

The whole call was NDA so unfortunately I have no news to 
share. 

I do have this to say though, if you or anyone feels this 
is something that MSFT DNS should be able to do smack your TAM on the butt and 
say "Hey TAM, earn your pay and listen up, we want this multiple view thing that 
Bind has had for like 6-7 years so go get it done." 
:)

How many SBS'ers here use their SBS server to serve DNS to 
the world outside of their walls? I bet you guys would *really* like multi-view 
capability. 

 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


Couldn't make the 
con-call.

But we have been asking for this for some 
time now. Do you have any shareable info on what MS is doing along that 
line?



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Fri 9/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

Heh, this was a topic on a MSFT concall yesterday... Bind 9 supports multiple views on zones based on external/internal (or other definitions) requests... Cuts down on the number of DNS servers required.


http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html

http://transposed.org/techstuff/bind9-win2k.html

or better (depending on your 
viewpoint[1])

http://info.ccone.at/INFO/FreeBSD-Manual/en/network-bind9.html


:)


[1] 
B.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


This doesn't do anything 
positive for him regarding his particular concerns. He is publishing internal 
records to the public.

I have seen some people argue that it is 
not a big deal to expose internal addresses/records unless the addresses are 
routable. Me? I say it is bad to mix your internal and external records on the 
same server. Unless you don't have a choice in terms of hardware limitations, 
you should split your internal and external zones. Ideally, you would want your internal domain name to be different from 
your external domain name. But, where that is not possible, use different 
servers for the DNS service. Point your internal servers and clients to the 
internal DNS servers and make sure that these are the only name servers listed 
in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal 
records from the external DNS servers and make sure that these are the only 
servers listed externally at the Registrar for the domain.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Scott, Anthony
Sent: Fri 9/1/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


All 
you should have to do is create an A record named www, point it to the internal 
IP of your web server. This will create an A record of 
www.domain.com



Thanks,
Anthony 
Scott
Microsoft 
Consultant
Mobile 
616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, September 01, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS DOCUMENTATION

HI,

I have a client that has AD integrated DNS.

The internet domain is the same as the AD domain (domain.com).
They have ns1 and ns2 to handle the internet domain, meaning mx, www, A, etc records for domain.com; those are the external DNS servers.
And they also have several internal dns servers for AD.

The thing is I am able to query ns1 and ns2 from outside the office and find out everything for the domain, global catalogs, DC, etc

Is this the

RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread joe



I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs. Having thought about this quite a bit in the past, my personal preference would be to handle this outside of the GPOs for several reasons. Some of the reasons off the top of my head:

o I never really liked policy items that simply made changes in AD and then the changes to the policy were simultaneously moving through AD replication and GPO replication. It is illogical. Either prevent the attributes from replicating in AD or don't replicate them through group policy, pick one. Preferably, IMO, get them out of the group policy and use a standard LDAP attribute on the required objects.

o If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs.

o It removes you from the complexity and confusion between the member password policies and domain password policies which even now is still a huge topic for questions in the newsgroups and here.

o You don't get people trying to apply different password policies to different domain controllers. I would like this executed for all domain/domain controller security settings in general actually.

From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here. From a perf standpoint I don't think you want to be having to do the logic to combine multiple password policies into one policy for every password change (which would be the case if you go to the user granularity level) and instead would just have an override mechanism. You can do this with regular GPOs because the clients individually are processing them, not the DCs. So for this, you would want to use the closest policy to the user as the one applied. The alternative here is if there was a builtin inheritance flowdown model like there is for ACLing where you can simply look at the one object and know exactly what the password policy is whether the settings were higher up or directly on the object, just like you can with ACLs. Either way, you need to be able to do a very simple query and very simple processing and get the decision for what the policy should be for the user. This isn't a good place in the code to be just hanging out trying to figure out what to do for a while.

Using groups could be troublesome, what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

Whatever ends up getting done for password policy would be nice to see on kerberos and lockout policy as well. You shouldn't hopefully need to do it much with the former but there are times where I wish I had it available because the only other option was to open the policy for the entire domain regardless of the stupidity of the idea from a security standpoint.

This has been a discussion point inside of MSFT for quite a long time now and I can assure you that anything that gets implemented/released went through considerable discussion by the developers inside of MSFT and to people outside of MSFT.

 joe


--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Friday, September 01, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

"... of plans to allow setting password policies at the OU level"

What would be the 
direction they'd go to implement this? Since the setting is in the 
computer section of the GPO, it seems to offer all the functionality one 
should expect. And in fact, 
it is applicable at the OU level and it applies to computers [1]. It seems 
that the major reason people want to be able to set the policy at the OU level 
is so that it applies to users. The issue is that it's a computer setting, 
not a user setting. IMHO, the only way to allow different password 
policies for different users, is to move the settings to the user section of the 
GPO.

[1] It confuses me 
somewhat why DCs insist on pulling this from DDP instead of just assembling the 
policy, like any other, from all applicable GPOs. I assume it was done to 
avoid a situation where two DCs could have different policies applied to them 
and depending on what DC handled your password change, you would be subject to 
different rules. If that's the case, I can't say I'm a big fan of 
illogical hacks to help out less-clueful admins.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

Agree, a separate 
domain is certainly a very high price to pay; it'll cause ongoing 

[ActiveDir] Steps to clean up after Etrust

2006-09-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The Official SBS Blog : SBS 2003 fails to boot (Gray screen after 
Windows splash screen):

http://blogs.technet.com/sbs/archive/2006/09/01/453504.aspx

...I'm just having a hard time understanding how flagging lsass could be 
missed in testing...but hey...that's just me...


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Steps to clean up after Etrust

2006-09-01 Thread Kevin Brunson
You might very well find that it broke the HTTP SSL service.  Since
HTTPFilters runs as lsass.exe, it kinda screws things up.  This is the
only problem I am still dealing with.  WWW pub won't run without it.  So
no OWA.  Still trying to figure that one out.  Other than that, we've
fixed 30 servers at 20 sites.  Only a few of us lost our sanity.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 01, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Steps to clean up after Etrust

The Official SBS Blog : SBS 2003 fails to boot (Gray screen after 
Windows splash screen):
http://blogs.technet.com/sbs/archive/2006/09/01/453504.aspx

...I'm just having a hard time understanding how flagging lsass could be
missed in testing...but hey...that's just me...

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Steps to clean up after Etrust

2006-09-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Yup that's what the PSS guys are saying too... the easiest way to fix 
it is to find good parts on a server and put it back


If it helps any MS runs etrust... I wonder if they got nailed... one can 
only hope to ensure that CA never ever does this again.. ya think?


Kevin Brunson wrote:

You might very well find that it broke the HTTP SSL service.  Since
HTTPFilters runs as lsass.exe, it kinda screws things up.  This is the
only problem I am still dealing with.  WWW pub won't run without it.  So
no OWA.  Still trying to figure that one out.  Other than that, we've
fixed 30 servers at 20 sites.  Only a few of us lost our sanity.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 01, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Steps to clean up after Etrust

The Official SBS Blog : SBS 2003 fails to boot (Gray screen after 
Windows splash screen):

http://blogs.technet.com/sbs/archive/2006/09/01/453504.aspx

...I'm just having a hard time understanding how flagging lsass could be
missed in testing...but hey...that's just me...


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Seperate Administrator password policy

2006-09-01 Thread Eric Fleischman

A few comments, in no particular order...

> I can visualize mechanisms to pull this off in the existing GPOs or
> to do it outside of the GPOs

Well sure, it doesn't take a visionary to see how this could be done. ;) See
LDAP policies for one such example (though by no means the only choice; in
fact, not how I would do it). I would point out that if you pulled out
password policy, it would make sense to pull out all policy dependencies in AD
itself so as to fully separate the relationship; that is, AD and associated
components (SAM, Kerberos, etc.) do not depend on policy application for
anything.

> If you leave the world of the GPO I think you get more flexible as you could
> then implement it in such a way that these password policies could be
> applied to users within containers and even specific individual users which
> would be great for say service IDs or admin IDs

Well, yea. I mean, this is the DCR that we've been asked for over and over for
like 5 years. While there are many ways to achieve it (group memberships,
direct links from the user & parent containers, etc.) the net net is the same.

> From the standpoint of speed/perf, I am not sure if it makes sense to have
> an "assemble the final policy on the fly" mechanism here
> [efleis snip of the rest of the paragraph, but I'm commenting on it all]

The reality is that I don't think most orgs will have thousands of password
policies, so the merging is likely not all that bad. And the # of settings is
low.

That said, I'm still against this as it seems uber inconsistent to me and very
error prone.

> Using groups could be troublesome, what is the override mechanism, which
> group is more important if there are policies on 10 groups you are in?

This is a trivially solvable problem, I'm not worried about this.

On the larger point of the right way to skin this cat, I actually disagree. I
am for groups for the same reason I'm for them in the RODC PRP scenario.
Again, there are a great many orgs where you have OUs separated by many
things, say geographical location, and now want to make an OU-separated set
of lower-priv admins have some special password policy (imagine the regional
admins scenario for a customer who has OUs separated by location). I really
think the argument is very much the same as RODC PRP use of groups; we don't
want to push an OU model here. I'm typically against building features in such
a way that they dictate a specific OU model to use them as that could fly
directly in the face of the logic you used for your existing OU model.

> It confuses me somewhat why DCs insist on pulling this from DDP instead of
> just assembling the policy, like any other, from all applicable GPOs. I
> assume it was done to avoid a situation where two DCs could have different
> policies applied to them and depending on what DC handled your password
> change, you would be subject to different rules.

Yes, that's why. In fact, there were some way early win2k bugs that yielded
just this (like pre-SP1 if I remember right, or maybe even as late as SP1, I'm
not sure).

> If that's the case, I can't say I'm a big fan of illogical hacks to help out
> less-clueful admins.

I love this sentence. :)

~E


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 01, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy


I can visualize mechanisms to pull this off in the existing GPOs or to do it
outside of the GPOs. Having thought about this quite a bit in the past, my
personal preference would be to handle this outside of the GPOs for several
reasons. Some of the reasons off the top of my head:

o I never really liked policy items that simply made changes in AD and then
the changes to the policy were simultaneously moving through AD replication
and GPO replication. It is illogical. Either prevent the attributes from
replicating in AD or don't replicate them through group policy, pick one.
Preferably, IMO, get them out of the group policy and use a standard LDAP
attribute on the required objects. 

o If you leave the world of the GPO I think you get more flexible as you could
then implement it in such a way that these password policies could be applied
to users within containers and even specific individual users which would be
great for say service IDs or admin IDs. 

o It removes you from the complexity and confusion between the member password
policies and domain password policies which even now is still a huge topic for
questions in the newsgroups and here.

o You don't get people trying to apply different password policies to
different domain controllers. I would like this executed for all domain/domain
controller security settings in general actually. 

From the standpoint of speed/perf, I am not sure if it makes sense to have an
"assemble the final policy on the fly" mechanism here. From a perf standpoint
I don't think you want to be having to do the logic to combine multiple 
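The override question joe raises (which policy wins when a user sits in many groups that each carry one) and Eric's answer that it is trivially solvable, worked through as an added example that is not code from the thread, from Microsoft or from any product: a small Python model of a deterministic resolver plus a check for policies that would rest on the tie-break alone. The resolution rules (a direct link beats a group link, then the lowest precedence number, then policy id as the tie-break, domain default otherwise), the PasswordPolicy shape and every sample user, group and policy are assumptions constructed for the model.

```python
# Added example, not code from the thread: a model of a deterministic "which
# password policy wins" resolver. Rules 1-4 are assumptions for the model,
# not a description of any shipped AD behaviour:
#  1. a policy linked directly to the user beats one reached through a group
#  2. among the remaining candidates the lowest precedence number wins
#  3. a leftover tie is broken by policy id, so every DC reaches the same answer
#  4. with no candidate at all the domain default applies
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    policy_id: str      # constructed id standing in for an object GUID
    precedence: int     # lower number = higher priority (rule 2)
    min_length: int
    applies_to: frozenset = frozenset()   # users and/or groups linked to it


def resolve_policy(user, user_groups, policies, domain_default):
    """Return (policy, reason) for one user with a single linear scan.

    user_groups is the already-expanded (transitive) group set, so the
    decision is one query plus a simple scan, as joe asks for above."""
    candidates = []
    for pol in policies:
        if user in pol.applies_to:
            candidates.append((0, pol.precedence, pol.policy_id, pol, "direct link"))
        else:
            via = sorted(g for g in user_groups if g in pol.applies_to)
            if via:
                candidates.append((1, pol.precedence, pol.policy_id, pol, "group " + via[0]))
    if not candidates:
        return domain_default, "domain default"
    # Sort key encodes rules 1-3: direct before group, then precedence, then id.
    _, _, _, winner, reason = min(candidates, key=lambda c: c[:3])
    return winner, reason


def precedence_collisions(policies):
    """Policies that share a precedence number and so rely on rule 3 only."""
    by_prec = {}
    for pol in policies:
        by_prec.setdefault(pol.precedence, []).append(pol.policy_id)
    return {p: sorted(ids) for p, ids in by_prec.items() if len(ids) > 1}


# Constructed sample data (not from the thread).
DOMAIN_DEFAULT = PasswordPolicy("default", 10_000, 8)
POLICIES = [
    PasswordPolicy("admins-15", 10, 15, frozenset({"Domain Admins", "Regional Admins"})),
    PasswordPolicy("service-ids", 20, 20, frozenset({"Service Accounts"})),
    PasswordPolicy("legacy-app", 20, 8, frozenset({"Legacy App Users"})),
    PasswordPolicy("break-glass", 500, 25, frozenset({"svc-backup"})),  # linked to a user
]

if __name__ == "__main__":
    pol, why = resolve_policy("alice", {"Regional Admins", "Legacy App Users"}, POLICIES, DOMAIN_DEFAULT)
    print(f"alice gets {pol.policy_id} (min {pol.min_length} chars) via {why}")
    print("precedence collisions:", precedence_collisions(POLICIES))
```

The collision check is the part an admin would run after every policy change: two policies on the same precedence number are ordered by id alone, which is deterministic but not a choice anyone made on purpose.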

Re: [ActiveDir] Separate Administrator password policy

2006-09-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

While you guys are skinning that cat (or is it buttering it?) let me
throw out the var/vap world of admin passwords... You have a bunch of
managed clients... you have employees that regularly have admin rights
to those servers. An employee leaves. You need to revoke rights to
that DC.

How is the easy and painless revocation of admin rights done quickly
and easily without going through all the third party crud that needs an
admin password to run on that server? Even having a secondary
administrative rights account and using that for all those third party
things means that the tech (or techo as they say in AU) probably knows
that one as well. (and in SBSland we stupidly still have releases and
SP's that require the built in admin account to install -- SBS sp1 and
R2 both need the "500" account otherwise they barf)

So while you guys are determining how to set password policies for
admins... what's the best way in the transitory world of vars/vaps to
revoke access? Smartcards? SecurID? Other ideas to quickly disallow
access with minimal disruption and maximum effects?

As far as thousands of password policies.. I was chatting last weekend
that you can usually tell a firm that has an old LOB app or backend NT
domain when you find a web site that puts a max number of password
characters of 8. As to the rest of us with modern networks.. we're
doing the best we can pushing to get them half way decent and getting
pushback. (personally I like the web sites these days that have the
gui indicator of how sucky your password is)

The first time I set a password policy I sat down with the person and
explained the process of selecting a good password and then had them
pretend to pick one

The resulting password of "Adorable" (no quotes) meant that I
obviously didn't get my message across.  

For the record:
http://en.wikipedia.org/wiki/Buttered_cat_paradox

Eric Fleischman wrote:
