RE: [ActiveDir] OT: slipstreaming Win2K
The problem with applying them post-installation is that if the fix is for a network-related vulnerability, your machine will be open to compromise from the time it starts the network to the time it finishes the post-install tasks and does a reboot. This is a good few minutes, and in the case of stuff like MS03-039 it's plenty of time for the machine to be done over.

I now do installs with the machine disconnected from the network, and make sure that the machine is patched to a reasonable level before plugging it into anything that I cannot absolutely trust.

Trustworthy Computing indeed...

Steve Bennett, Lancaster University, UK.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Network Administrator
Sent: 13 January 2004 19:30
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: slipstreaming Win2K

Unfortunately, you can't slipstream most (any?) hotfixes into installation media, though I seem to remember reading somewhere that Microsoft intends to make all critical updates slipstreamable. In the meantime, though, you can use a workaround to install hotfixes in an unattended install. Though not quite as smooth as slipstreaming, it works just as well in the end. You can find a well-written article about that at the following URL:

http://www.cheese.org/~scott/useful/Slipstreaming%20Builds.doc

If I remember correctly, you simply have to rename the hotfixes, throw them in a particular directory on the installation media, and write a CMDLINES.TXT file that executes after the installation has completed.

-James R. Rogers, MCSE

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, January 13, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: slipstreaming Win2K

I've successfully slipstreamed service packs into a Win2K install media before, but never looked into adding any hotfixes to it. So I started looking into how to do it, and was surprised to find dialog from one of Microsoft's online tech chats, in which the rep said you can't do that. Did I misunderstand, or can I really not add hotfixes to a slipstream image?

Thanks... oh, and Tony, thanks also from me for a great list!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
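The workaround described in the thread above (rename the hotfixes, place them on the installation media, list them in CMDLINES.TXT) shown as an added example; it is not taken from the thread or from the linked article. The file names are constructed placeholders, and the `-q -m -z` switches and the `[Commands]` layout are assumptions about Windows 2000 hotfix packages and unattended setup that should be checked against each hotfix's own documentation.

```python
import re

# Assumption: legacy Windows 2000 hotfix switches
# (-q quiet, -m unattended, -z no reboot). Not stated in the thread.
HOTFIX_SWITCHES = "-q -m -z"

# A hotfix is identified by its article number, e.g. KB000001 or Q000002.
_ARTICLE_ID = re.compile(r"(KB|Q)(\d{6})", re.IGNORECASE)

# Constructed sample file names (placeholder article numbers, not real fixes).
SAMPLE_HOTFIXES = [
    "Windows2000-KB000001-x86-ENU.exe",
    "Q000002_W2K_SP4_X86_EN.exe",
]


def short_name(filename):
    """Derive an 8.3-safe name such as KB000001.exe from a hotfix file name."""
    match = _ARTICLE_ID.search(filename)
    if not match:
        raise ValueError(f"no KB/Q article number in {filename!r}")
    return f"{match.group(1).upper()}{match.group(2)}.exe"


def plan(hotfixes):
    """Return (rename_map, cmdlines_text) for hotfixes in install order."""
    renames = {}
    for original in hotfixes:
        short = short_name(original)
        if short in renames.values():
            # Two packages for one article would overwrite each other.
            raise ValueError(f"duplicate short name {short}")
        renames[original] = short
    lines = ["[Commands]"]
    # Each command is one quoted line; the renamed files are assumed to sit
    # in the same directory on the media as CMDLINES.TXT.
    lines += [f'"{short} {HOTFIX_SWITCHES}"' for short in renames.values()]
    return renames, "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    rename_map, cmdlines = plan(SAMPLE_HOTFIXES)
    for old, new in rename_map.items():
        print(f"rename {old} -> {new}")
    print(cmdlines, end="")
```

Because the commands run before the machine is first used, this closes most of the exposure window Steve describes, but it does not replace building with the network cable unplugged.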
[ActiveDir] AD DOS vulnerability
I received notification about a vulnerability in AD this morning - details are at http://support.microsoft.com/default.aspx?kbid=319709

It looks like the recommended fix is to upgrade my DCs to SP4. I was planning to wait a lot longer before I inflict SP4 on any machines that I care about, but it looks like this might force my hand a bit.

What's everyone else doing? Has anyone heard of *any* problems with SP4 yet?

--
Steve Bennett, Systems Support
Lancaster University

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Upgrade with bad NetBIOS name
We used to have an NT4 domain with a dot in it. We agonised over upgrade vs restructure - testing the upgrade showed that it worked, there were some docs (sorry, can't remember which, it was over a year ago) that warned that NetBIOS names SHOULD NOT have dots in them. We went for a restructure in the end - we didn't like the old domain name much anyway.

--
Steve Bennett
Systems Support, Lancaster University

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: 26 June 2003 22:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with "bad" NetBIOS name

Ahh, that's good to hear. One good experience. Any others? :-)

-Original Message-
From: Jeremy Waldrop [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with "bad" NetBIOS name

I have a client that we upgraded from NT 4 to 2000 AD and their NT domain name was companyname.com and they wanted the AD name to be companyname.net, so we set up a lab and did not have a single issue upgrading their domain. They have been running for over 2 years now with their NetBIOS name companyname.com and their AD name companyname.net; they also have Exchange 2000.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, June 26, 2003 2:53 PM
To: [EMAIL PROTECTED]

Actually, that IS their real name. They are a "dot com" that has succeeded and is still around.

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with "bad" NetBIOS name

I don't know that it's such a bad thing... Most or all of the TechNet examples will be personalized for their environment :-)

But seriously, I'd consider migrating to a domain that has their real name in it, if not entirely for esthetic reasons. But that's just me...

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, June 26, 2003 11:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Upgrade with "bad" NetBIOS name

I've just retained a client whose NT4 domain name is company.com -- yes, their netbios domain name. I'm seriously concerned about upgrading them to AD. Do I have any worries? I've never seen this one before, and it isn't covered in any of the whitepapers I've quickly perused.

Thanks.
[ActiveDir] dotty netbios domain names
Hi Folks

We're currently planning a migration from our NT4 domains to AD. Our current structure is a single master, containing about 2 user accounts and some servers, and about 8 resource domains, with perhaps 4000 machine accounts between them.

Most parts of the plan are pretty straightforward, except that the master domain was originally set up many years ago (it originally ran NT 3.5) and is named LANCS.CENTRAL. Over the course of time we've had several problems because the domain name contains a dot, so we originally planned to do a restructure rather than an upgrade, but we've seen several potential problems with restructuring, and there's now a thought that upgrading might be best after all.

The question really boils down to this - what harm will it do to have a NetBIOS domain name with a dot in it? We've already done a trial upgrade (on an offline copy of the domain) and this appears to have succeeded (although more testing is underway!), but we already know that DCPROMO will not normally allow you to specify a dot in the NetBIOS domain name.

If we can find a decisive reason why we should not simply upgrade that'll be fine, because then we can get on with sorting out the restructuring problems, but at the moment it seems extremely tempting to just upgrade.

Any clues?

--
Steve Bennett, Lancaster University