[ActiveDir] [OT] USB/PS2 monitoring software
Hey all, I am looking for an application that can monitor and alert on the usage of USB/PS2 devices on the clients (mostly XP). If a user plugs in a new keyboard, disconnects a mouse or tries to use a DOK, I need to be able to record the action and trigger alerts based on different criteria. Anyone aware of something like this? Using it? TIA, Guy
RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
better. No commitments here, but I will be pleased to convey the message. Hope this helps a bit … PS: However, if you feel you have WMI issues, you can always use the WMI Diagnosis Tool 1.0. You can find pointers to it (+Webcast) at http://www.lissware.net. Note, we will release the version 2.0 early next year. Regards, /Alain Alain LISSOIR [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Home Page: http://www.LissWare.Net Where am I? http://map.LissWare.Net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday, December 01, 2006 7:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
Thanks Susan, but I think this case is different - we are talking about a different WMI class and in my case the query hangs and never returns results. The ITMU issue is probably a result of intensive load on the CPU when performing the query you pointed to, but in my case if I let it run for hours it still never finishes. I am far from being well versed in WMI, but I'd suspect that here the problem is caused by WMI not using paging in the query or very inefficient processing when using both LocalAccount=True and SidType=1 keys. Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, December 01, 2006 5:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
http://www.myitforum.com/articles/8/view.asp?id=9048 http://www.myitforum.com/articles/8/view.asp?id=9284 Rod's been tracking that on myitforum and the Patch management listserve for a while now.

Guy Teverovsky wrote: Hi all, Recently I had a case where we experienced high CPU utilization after deploying the SMS client to DCs. By now we have identified that the issue was caused by an extension of the sms_def.mof file containing the definitions of information that should be collected from the agent. The interesting part is that I was able to reproduce the behavior without the SMS agent. Just execute the following WMI query on your DC and see the CPU spike to 100% and stay there till you kill the wmiprvse.exe process: *select * from Win32_Account where LocalAccount=True and SIDType=1* Now you do not need to explain to me that this is damn stupid to run this type of query on a DC, yet I would expect the DC to be able to handle the query, but what I see is that the query never returns - it just hangs there choking up the CPU till you kill the WMI process. Almost the same behavior is observed when executing wmic useraccount from the command line, but in this case the query does return the results after a while (~2-3 minutes on a ~2K user account AD). The only thing related to the issue that I was able to find is the following KB: http://support.microsoft.com/kb/268715 (WMI Query Support for Win32_Group Is Not Optimized) where the following query SELECT * FROM Win32_Group WHERE Domain=workgroup AND Name=smith causes the identical behavior. But folks, we are talking W2K3 with SP1 and not W2K pre-SP2. Any chance anyone has stumbled upon it or is aware of a hotfix? Thanks, Guy

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] 100% CPU utilization when querying Win32_Account on DC
Hi all, Recently I had a case where we experienced high CPU utilization after deploying the SMS client to DCs. By now we have identified that the issue was caused by an extension of the sms_def.mof file containing the definitions of information that should be collected from the agent. The interesting part is that I was able to reproduce the behavior without the SMS agent. Just execute the following WMI query on your DC and see the CPU spike to 100% and stay there till you kill the wmiprvse.exe process: select * from Win32_Account where LocalAccount=True and SIDType=1 Now you do not need to explain to me that this is damn stupid to run this type of query on a DC, yet I would expect the DC to be able to handle the query, but what I see is that the query never returns - it just hangs there choking up the CPU till you kill the WMI process. Almost the same behavior is observed when executing wmic useraccount from the command line, but in this case the query does return the results after a while (~2-3 minutes on a ~2K user account AD). The only thing related to the issue that I was able to find is the following KB: http://support.microsoft.com/kb/268715 (WMI Query Support for Win32_Group Is Not Optimized) where the following query SELECT * FROM Win32_Group WHERE Domain=workgroup AND Name=smith causes the identical behavior. But folks, we are talking W2K3 with SP1 and not W2K pre-SP2. Any chance anyone has stumbled upon it or is aware of a hotfix? Thanks, Guy
RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
Thanks Susan, but I think this case is different - we are talking about a different WMI class and in my case the query hangs and never returns results. The ITMU issue is probably a result of intensive load on the CPU when performing the query you pointed to, but in my case if I let it run for hours it still never finishes. I am far from being well versed in WMI, but I'd suspect that here the problem is caused by WMI not using paging in the query or very inefficient processing when using both LocalAccount=True and SidType=1 keys. Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, December 01, 2006 5:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
http://www.myitforum.com/articles/8/view.asp?id=9048 http://www.myitforum.com/articles/8/view.asp?id=9284 Rod's been tracking that on myitforum and the Patch management listserve for a while now.

Guy Teverovsky wrote: Hi all, Recently I had a case where we experienced high CPU utilization after deploying the SMS client to DCs. By now we have identified that the issue was caused by an extension of the sms_def.mof file containing the definitions of information that should be collected from the agent. The interesting part is that I was able to reproduce the behavior without the SMS agent. Just execute the following WMI query on your DC and see the CPU spike to 100% and stay there till you kill the wmiprvse.exe process: *select * from Win32_Account where LocalAccount=True and SIDType=1* Now you do not need to explain to me that this is damn stupid to run this type of query on a DC, yet I would expect the DC to be able to handle the query, but what I see is that the query never returns - it just hangs there choking up the CPU till you kill the WMI process. Almost the same behavior is observed when executing wmic useraccount from the command line, but in this case the query does return the results after a while (~2-3 minutes on a ~2K user account AD). The only thing related to the issue that I was able to find is the following KB: http://support.microsoft.com/kb/268715 (WMI Query Support for Win32_Group Is Not Optimized) where the following query SELECT * FROM Win32_Group WHERE Domain=workgroup AND Name=smith causes the identical behavior. But folks, we are talking W2K3 with SP1 and not W2K pre-SP2. Any chance anyone has stumbled upon it or is aware of a hotfix? Thanks, Guy
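An added example, not from the thread or from any of the posters: wrap a WMI query such as the one above in a wall-clock limit so that a hung enumeration cannot tie up an administrative session, and then list the wmiprvse.exe instances so the one still burning CPU can be identified. It assumes Windows PowerShell run elevated on the host being queried; it does not change how the provider processes the query, it only bounds how long you wait for it. The function name and the timeout values are this example's own.

```powershell
# Added example: bound a WMI query by a timeout; not part of the thread.
# Assumes Windows PowerShell (Get-WmiObject), run elevated on the target host.

function Invoke-WmiQueryWithTimeout {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $ComputerName   = '.',
        [int]    $TimeoutSeconds = 60
    )

    # The query runs in a background job so this session keeps control even if
    # the provider never returns (the behaviour reported for Win32_Account on a DC).
    $job = Start-Job -ScriptBlock {
        param($q, $c)
        Get-WmiObject -Query $q -ComputerName $c
    } -ArgumentList $Query, $ComputerName

    $done = Wait-Job -Job $job -Timeout $TimeoutSeconds   # $null when the timeout expires

    if ($null -eq $done) {
        # Stopping the job only ends our side of the call; the provider host
        # (wmiprvse.exe) on the target may keep running until it is killed.
        Stop-Job -Job $job
        Remove-Job -Job $job -Force
        return [pscustomobject]@{ Completed = $false; Results = @() }
    }

    $results = @(Receive-Job -Job $job)
    Remove-Job -Job $job
    return [pscustomobject]@{ Completed = $true; Results = $results }
}

# The query from the thread; SIDType 1 is SidTypeUser.
$query   = 'SELECT * FROM Win32_Account WHERE LocalAccount = True AND SIDType = 1'
$outcome = Invoke-WmiQueryWithTimeout -Query $query -TimeoutSeconds 120

if ($outcome.Completed) {
    "{0} account(s) returned" -f $outcome.Results.Count
} else {
    Write-Warning "Query did not finish within 120 s. WMI provider hosts on this machine:"
    # The instance with the largest CPU time is the one to examine (and, as the thread
    # found, the one that has to be terminated to get the CPU back).
    Get-Process -Name wmiprvse -ErrorAction SilentlyContinue |
        Sort-Object -Property CPU -Descending |
        Format-Table -Property Id, CPU, WorkingSet64 -AutoSize
}
```

On a domain controller the enumeration itself still walks every account the provider can see, so even with the guard this is not something to run during production hours; the guard only makes sure the console comes back.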
RE: [ActiveDir] Updating cached credentials
Using runas /user:<cached id> <something> after establishing a VPN session should do the trick. Guy

From: [EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Wednesday, November 22, 2006 9:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Updating cached credentials
Thanks Al. We typically change passwords via a web app (Psynch) rather than at the workstation. One of our desktop techs thought that changing your password via the three-finger salute would cause the credentials to be updated, but in this case it didn't seem to work. We'll try the workstation lock and see if that works.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 22, 2006 12:31 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials
As I understand it, the Nortel VPN client is a shim that works at layer 3 and does not take effect until after the user session has begun. This prevents much of the normal node processing you'd like to see happen such as control of the Windows firewall, caching of group membership and so on. Since most companies require a password change on a regular basis for user accounts, I'm kind of surprised that you see this behavior. The way to change the user credentials on a Nortel client is to have the user use the three finger salute (ctrl+alt+del sequence) to lock the workstation after the VPN is established. When the user logs back on this *is expected* to re-cache the credentials. This should be a familiar sequence of events for the users every password change. Has this not addressed the problem for you to date?

On 11/22/06, Ken Cornetet [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Is there a way to force updating of cached credentials on an XP workstation? We have several users that seldom (if ever) connect to the corporate network directly. Instead, they log in (XP sp2) using cached credentials and connect via a Nortel VPN. We have several group policies that are filtered by group membership. The problem is that the group membership seems to be cached on the workstation, and is never updated to reflect the new membership, and group policy is never applied. Is there any mechanism for forcing this update?
RE: [ActiveDir] Kerberos is Killing Me!
I'll second that. Dups can be found not only across multiple domain NCs. Not long ago I stumbled upon exactly the same error and it turned out that it was a result of an orphaned connection object in the LostAndFoundConfig container in the Config partition. All the tests came up clean, repadmin was coming up clean, but some DCs were logging the duplicate SPN error and a script that was querying replication status using WMI was coming up with a non-replicating connection (interesting that repadmin did not error on this). Deleting the object from LostAndFoundConfig (it belonged to a retired DC whose metadata was cleaned properly) fixed the issue. I guess this had to do with the timing the metadata cleanup was performed and KCC re-generating the topology. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, November 17, 2006 6:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos is Killing Me!
Yes if you want to focus on a specific domain, use the -b and the NC you want. However the SPNs are across all NCs so when you do an SPN lookup, look at the GC and search across all NCs. It is unlikely to get duped HOST entries in a single domain, usually that is a cross domain thing. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz Sent: Friday, November 17, 2006 10:26 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Joe. If I wanted to search within a child domain I would use the -b switch? -b dc=child,dc=domain,dc=org ?

On 11/17/06, joe [EMAIL PROTECTED] wrote: adfind -gc -null -f serviceprincipalname=<insert SPN here> -dn That will search your entire GC which you must do, you can't just focus on a single domain like I saw a previous dsquery command do. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz Sent: Thursday, November 16, 2006 2:38 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Kerberos is Killing Me!
Joe, how do I find out if there are any duplicate SPNs?

On 11/16/06, joe [EMAIL PROTECTED] wrote: Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the error? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] On Behalf Of hboogz Sent: Thursday, November 16, 2006 12:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos is Killing Me!
I am having continued issues with Kerberos. I tried running tokensz against the problem server and I get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
Name: Negotiate Comment: Microsoft Package Negotiator Current PackageInfo-MaxToken: 12128 Asked for delegate, but didn't get it. Check if server is trusted for delegation. QueryKeyInfo: Signature algorithm = Encrypt algorithm = RSADSI RC4 KeySize = 128 Flags = 2001c Signature Algorithm = -138 Encrypt Algorithm = 26625 QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED

Any ideas? I keep getting the following event log message on a domain controller which prevents users from accessing it and authenticating to it.

Event Type: Error Event Source: Kerberos Event Category: None Event ID: 4 Date: 11/16/2006 Time: 12:02:37 PM User: N/A Computer: PHMAINDC1 Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/phmaindc1.phippsny.org. The target name used was host/phprint1. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (PHIPPSNY.ORG), and the client realm. Please contact your system administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Help! -- HBooGz:\
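The duplicate-SPN search joe describes, as an added example that is not part of the thread and not joe's or anyone else's code: it queries the Global Catalog (the same forest-wide scope as adfind -gc) for every account holding a servicePrincipalName matching a filter, then reports any SPN that more than one account owns. It assumes a domain-joined host and a user that can read the GC; the function names, the host/* default filter (chosen because the event above concerns HOST SPNs) and the sample records at the bottom are this example's own, and the sample is constructed data, not anything from the poster's forest.

```powershell
# Added example: find servicePrincipalName values registered on more than one account
# anywhere in the forest. Not part of the thread. Assumes a domain-joined host and
# a user that can read the Global Catalog; $SpnFilter is this example's parameter.

function Get-ForestSpnMap {
    param([string] $SpnFilter = 'host/*')

    # Search the GC (port 3268) rooted at the forest root so every domain NC is
    # covered, the same scope as "adfind -gc" in the thread.
    $rootDse    = [adsi] 'LDAP://RootDSE'
    $forestRoot = [string] $rootDse.rootDomainNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi] "GC://$forestRoot"
    $searcher.Filter     = "(servicePrincipalName=$SpnFilter)"
    $searcher.PageSize   = 1000
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    [void] $searcher.PropertiesToLoad.Add('servicePrincipalName')

    foreach ($result in $searcher.FindAll()) {
        $dn = [string] $result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            [pscustomobject]@{ Dn = $dn; Spn = [string] $spn }
        }
    }
}

function Find-DuplicateSpn {
    param([Parameter(Mandatory = $true)] [object[]] $Records)   # objects with Dn and Spn

    # SPN matching is case-insensitive for the KDC, so normalise before grouping:
    # HOST/phprint1 on one account and host/PHPRINT1 on another still collide.
    $Records |
        Group-Object -Property { $_.Spn.ToLowerInvariant() } |
        ForEach-Object {
            $owners = @($_.Group | ForEach-Object { $_.Dn } | Sort-Object -Unique)
            if ($owners.Count -gt 1) {
                [pscustomobject]@{ Spn = $_.Name; Owners = $owners }
            }
        }
}

# Constructed sample (not real directory data) shaped like the error in the thread:
# the DC's own HOST SPNs are unique, but HOST/phprint1 exists on two computer accounts.
$sample = @(
    [pscustomobject]@{ Dn = 'CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org';        Spn = 'HOST/phmaindc1.phippsny.org' },
    [pscustomobject]@{ Dn = 'CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org';        Spn = 'HOST/PHMAINDC1' },
    [pscustomobject]@{ Dn = 'CN=PHPRINT1,CN=Computers,DC=phippsny,DC=org';                  Spn = 'HOST/phprint1' },
    [pscustomobject]@{ Dn = 'CN=PHPRINT1,CN=Computers,DC=example-child,DC=phippsny,DC=org'; Spn = 'host/PHPRINT1' }
)
Find-DuplicateSpn -Records $sample | Format-List

# Against the live forest (uncomment on a domain-joined host):
# Find-DuplicateSpn -Records (Get-ForestSpnMap -SpnFilter 'host/*') | Format-List
```

With the constructed sample only host/phprint1 is reported, with both PHPRINT1 accounts as owners; the two entries for the DC are distinct SPNs on one account and are not a conflict. A clean result from this check does not rule out KRB_AP_ERR_MODIFIED entirely: the same error appears when the name the client used resolves to a different machine than the one holding the SPN (a stale DNS record), so if the SPNs are unique the next thing to compare is what host/phprint1 resolves to against where that SPN is registered.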
RE: [ActiveDir] RFMAGIC
[EMAIL PROTECTED] ~]# ls / -R | grep dcpromo

Come on Brian! man find + man locate/slocate. This is the most inefficient (complexity and memory wise) search you can ever do (and notice that grep is case sensitive. You should have used grep -i)

[EMAIL PROTECTED] root]# service ads start
ads: unrecognized service
[EMAIL PROTECTED] root]# apt-get install ads
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package ads
[EMAIL PROTECTED] root]# make ads
make: *** No rule to make target `ads'. Stop.

Anyone know which repository I should add to APT to get ADS? Or should I recompile it from the sources as in the old days? Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, July 07, 2006 10:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] RFMAGIC
[EMAIL PROTECTED] ~]# dcpromo
bash: dcpromo: command not found
[EMAIL PROTECTED] ~]# pwd
/home/bdesmond
[EMAIL PROTECTED] ~]# uname
Linux
[EMAIL PROTECTED] ~]# whereis dcpromo
dcpromo:
[EMAIL PROTECTED] ~]# ls / -R | grep dcpromo
[EMAIL PROTECTED] ~]#
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Oytun Sent: Friday, July 07, 2006 2:48 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] RFMAGIC
FYI, San Diego company RFMagic at www.rfmagic.com looking for a Linux admin. Just FYI Robert Oytun
RE: [ActiveDir] Windows 2003 sp1 DNS problem
Another thing that is worth mentioning is the loopback check that has been enforced since W2K3 SP1. Try disabling the loopback check or specifying additional FQDNs using one of the methods in the following KB: http://support.microsoft.com/?kbid=896861 Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 30, 2006 8:14 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem
Thanks a lot, It did not work. I used additional names, disabled strict name checking, but it is still the same. I am almost aware it's an SP1 security function. But there must be a way to disable that. I'm still waiting for new tips... Adrião.

Grillenmeier, Guido [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/06/2006 20:40 Please reply to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Windows 2003 sp1 DNS problem
I wasn't aware that this was a change in SP1, but it sounds as if StrictNameChecking is enabled on your server after you've added SP1 (http://support.microsoft.com/default.aspx?scid=kb;en-us;281308) You can disable it in general by configuring the DisableStrictNameChecking reg-key as the KB above explains. However, this would allow access to the server via _any_ name. I typically suggest using the reg-keys to limit additional names to those you really want: DNS: HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\AlternateComputerNames (Multi-SZ) NetBios: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters\OptionalNames (Multi-SZ) This can also be done via the Win2003 version of NETDOM: NETDOM COMPUTERNAME <current NetBIOS or DNS name> /add:<additional FQDN name> /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 29 June 2006 21:38 To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Subject: [ActiveDir] Windows 2003 sp1 DNS problem
Hello all. I need help with a problem I have after installing Service Pack 1. This is the case: I have a Windows 2003 Server (I will call it SERVER01), without Service Pack 1. I created a DNS name like this: aplicacao.mycompany.com. Before installing SP1, when I called locally \\aplicacao.mycompany.com it opened shared folders perfectly. Now, after SP1, if I call \\aplicacao.mycompany.com it asks for a user and password. I don't know which password or user that is... If I call \\SERVER01.mycompany.com, it works. What was changed after installing SP1? How can I correct that? Adrião
RE: [ActiveDir] Windows 2003 sp1 DNS problem
I have been bitten by it with databases, but my understanding is that it is relevant to any authentication attempt that tries to access a resource that does not have a registered SPN. http://support.microsoft.com/?id=887993 Now that I think about it, the right way would probably be to make sure the required SPN is registered for the server in question. The KB above can help determine whether it is an SPN issue. If it is, after registering the SPN, the DisableLoopbackCheck reg value can be set back to 0 or deleted. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abouelnasr, Jerry Sent: Friday, June 30, 2006 11:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem
Is it your experience that this applies to UNC file paths as well?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday, June 30, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem
Another thing that is worth mentioning is the loopback check that has been enforced since W2K3 SP1. Try disabling the loopback check or specifying additional FQDNs using one of the methods in the following KB: http://support.microsoft.com/?kbid=896861 Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 30, 2006 8:14 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem
Thanks a lot, It did not work. I used additional names, disabled strict name checking, but it is still the same. I am almost aware it's an SP1 security function. But there must be a way to disable that. I'm still waiting for new tips... Adrião.

Grillenmeier, Guido [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/06/2006 20:40 Please reply to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Windows 2003 sp1 DNS problem
I wasn't aware that this was a change in SP1, but it sounds as if StrictNameChecking is enabled on your server after you've added SP1 (http://support.microsoft.com/default.aspx?scid=kb;en-us;281308) You can disable it in general by configuring the DisableStrictNameChecking reg-key as the KB above explains. However, this would allow access to the server via _any_ name. I typically suggest using the reg-keys to limit additional names to those you really want: DNS: HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\AlternateComputerNames (Multi-SZ) NetBios: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters\OptionalNames (Multi-SZ) This can also be done via the Win2003 version of NETDOM: NETDOM COMPUTERNAME <current NetBIOS or DNS name> /add:<additional FQDN name> /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 29 June 2006 21:38 To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Subject: [ActiveDir] Windows 2003 sp1 DNS problem
Hello all. I need help with a problem I have after installing Service Pack 1. This is the case: I have a Windows 2003 Server (I will call it SERVER01), without Service Pack 1. I created a DNS name like this: aplicacao.mycompany.com. Before installing SP1, when I called locally \\aplicacao.mycompany.com it opened shared folders perfectly. Now, after SP1, if I call \\aplicacao.mycompany.com it asks for a user and password. I don't know which password or user that is... If I call \\SERVER01.mycompany.com, it works. What was changed after installing SP1? How can I correct that? Adrião
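The narrow form of the fix Guy and Guido point to, as an added example that is not from the thread and not any poster's code. Rather than DisableLoopbackCheck=1 (KB 896861 method 2, which switches the check off for every name) or DisableStrictNameChecking (which lets the Server service answer to any name), it registers only the alias the server must answer to: in BackConnectionHostNames for the NTLM loopback check (KB 896861 method 1), in OptionalNames for SMB (KB 281308), and as a HOST SPN on the computer account so that clients get a Kerberos ticket for the alias in the first place, which is the root cause Guy arrives at. The loopback check only fires when the server is reached from itself under a name that is not its own, which is exactly the \\aplicacao.mycompany.com-from-the-console case above. SERVER01 and aplicacao.mycompany.com are taken from the thread as assumptions; the script assumes it runs elevated on SERVER01 with setspn.exe on the path, and the helper function name is its own.

```powershell
# Added example: register an alias narrowly instead of disabling the loopback check.
# Assumptions: run elevated on the server itself; $Server/$Alias are the names from the
# thread; setspn.exe (Support Tools on W2K3, built in on later versions) is on the path.

$Server = 'SERVER01'
$Alias  = 'aplicacao.mycompany.com'
$Short  = 'aplicacao'

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = "$lsaKey\MSV1_0"
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Add-MultiStringValue {
    # Append $Value to a REG_MULTI_SZ, creating the value if needed; idempotent.
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Value
    )
    $item     = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $existing = if ($item) { @($item.$Name) } else { @() }
    if ($existing -contains $Value) { return $existing }   # -contains is case-insensitive

    $updated = [string[]]($existing + $Value)
    if ($item) {
        Set-ItemProperty -Path $Path -Name $Name -Value $updated
    } else {
        New-ItemProperty -Path $Path -Name $Name -Value $updated -PropertyType MultiString | Out-Null
    }
    return $updated
}

# 1. If someone already flipped the broad switch, say so; the goal is to not need it.
$broad = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($broad -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 is set under $lsaKey; remove it once the alias below is registered."
}

foreach ($name in @($Alias, $Short)) {
    # 2. NTLM loopback check: KB 896861 method 1 (per-name allow list, not the global off switch).
    Add-MultiStringValue -Path $msvKey -Name 'BackConnectionHostNames' -Value $name | Out-Null
    # 3. SMB server name registration: KB 281308 alternative to DisableStrictNameChecking.
    Add-MultiStringValue -Path $srvKey -Name 'OptionalNames' -Value $name | Out-Null
}

# 4. Kerberos: a client opening \\aplicacao.mycompany.com asks the KDC for a ticket for
#    cifs/<alias>; with no matching SPN it falls back to NTLM, which is where the loopback
#    check bites. HOST/<alias> covers cifs through the default SPN mappings; register it once.
$registered = & setspn.exe -L $Server
foreach ($name in @($Alias, $Short)) {
    if (-not ($registered -match ('^\s*HOST/' + [regex]::Escape($name) + '$'))) {
        & setspn.exe -A "HOST/$name" $Server
    }
}
```

BackConnectionHostNames is consulted on the next authentication; OptionalNames takes effect after the Server service is restarted. The order matters for the security property: once the SPN is registered, the alias authenticates with Kerberos and the NTLM allow-list entry is only a fallback, so nothing in this script widens what names the server will accept beyond the one alias, which is the difference from DisableLoopbackCheck=1 or DisableStrictNameChecking=1.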
RE: [ActiveDir] Schema Question
Isn't it something that Exchange System Policies are supposed to take care of? Why would you want to set mailbox quotas for each and every user account instead of setting the defaults on the stores and overriding only when necessary? Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS) Sent: Friday, June 30, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema Question
All, Let me start with, I'm a total newb when it comes to Schema and Schema modifications. Is it possible to modify the schema so that every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our Exchange guys would like extensionAttribute5 to be populated automatically with 100, which is the default mailbox size. Is this possible? It seems like it would be, but as I warned, I'm a newb. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573
RE: [ActiveDir] Self vs. the object name / effective permissions
I just call it best effort. It's totally ineffective over cross forest trusts. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 27, 2006 10:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Self vs. the object name / effective permissions
Without knowing the details I would start off by saying effective permissions isn't the greatest [1] and is very likely to be incorrect because without an actual security token to work from on the machine that you need to know the effective rights it is very easy to miss something and not get it right. I don't even bother looking at effective rights ever, I look at the ACLs myself and work it through. If you want, email me the DSACLS dump to my home address and what isn't working and I will give you a free opinion. :) joe [1] I was going to say sucks but I tried to write my own version of it once and it is really really really hard. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.) Sent: Tuesday, June 27, 2006 10:16 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Self vs. the object name / effective permissions
Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the computer object and it has different results. Why is this?? I know Self represents the object so where is it getting different permissions from? DSAcls is retrieving correct information for me, but this seems like a bug to me. -Brandon
RE: [ActiveDir] pw reset domain account
If I had a self service web service for resetting passwords, and wanted to let the users access it from anywhere, I'd not be using domain accounts for logging into the workstation. Probably the best would be having dedicated workstations in kiosk mode, but if that is not an option, I'd push a local account to the end-user workstations (making sure I do not push it to servers, etc.) and let them log on locally. Personally I do not see any reason for using a domain account; the self service web site should not require authentication to access it in any case. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS Sent: Monday, June 26, 2006 9:34 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] pw reset domain account
Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe [EMAIL PROTECTED] wrote: Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. eg Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of AWS Sent: Sunday, June 25, 2006 6:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] pw reset domain account
There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' pc when needed. They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down? Thanks, AW
[ActiveDir] Received X out of Y objects
Could be that I never took a better look at it and this is a well-known issue, but when dcpromo-ing W2K SP4 to a DC I get "Replicating DC=domain,dc=tld: received X out of Y objects.", where X is larger than Y. Could it be that X counts tombstones and Y does not? Cheers, Guy
RE: [ActiveDir] DDNS in Unix environment
All good and valid points, Al. The problem with DNS in this case is that DNS servers responsible for the AD zone must be located on the same segment as the application/DCs - this is client's requirementthat I am totally agreeing with - we want to keep all the resources related to the application under strict control and behind the firewall. As for DNS redundancy - DRP site also has 2 DCs with DNS installed, so if the primary is down, the DCs in the DR site will be able to answer the queries. People accessing the applicationcan resolve the DNS name of the service using their local DNS servers thatcan utilize conditional forwarding to both primary and DR site's DNS servers. The point with the whole setup is that each node at primary or DR site is already HA and the main purpose of the DR site is to come up when the primary site as a whole is down. Yet I do not like making assumptions and would like to be able to deal with all the edge cases. I'll ask ~Eric if I can borrow his huge DIT for a while, use it on the Unix guys and see how it goes ;).Relying on DNS in this case to me sounds too opportunistic... Guy From: Al MulnickSent: Tue 6/20/2006 3:53 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DDNS in Unix environment Guy, I think the concern I have (I'll limit to one for this sentence) is that if you update the DNS, what does that do for the client? I.E. how does the client know to look at some other DNS? Or, more simply, how does the DNS get updated if that site the client was using for DNS goes to the dogs? I'm wondering how that mechanism works in your scenario because the client has to be able to find the information and if the DNS went with the solution, then it's going to be difficult to make that work. On the other hand, if DNS is hosted outside this solution, then you're only real hope is to use a load balancer IMHO. Why? 
Because the people already have a signifcant investment in making this work and to do otherwise would be the equivalent of puttingHuffy tires on a Mazerati; sure it might work andit'll drastically cheaper up front, but would you really want to do that and would you really be happy about it? Would you want your friends to see you in that car? Anyhow, the solution lies with Veritas and by taking a good hard look at all 8 layers of the stack and comparing/contrasting that with your deliverables. HA doesn't occur at the application layer alone; rather it's a system that comes together and takes into account all 8 layers of the computing stack. To do otherwise is without question a waste of time and resources. Keep your head low, walk softly and carry a very large Windows appliance. ;) Al On 6/19/06, Guy Teverovsky [EMAIL PROTECTED] wrote: I will try to address all the points raised. Al: You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values. Mike: I have already suggested simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will defenetly have a better look at it. Funny that I have not found it while exercising my google-fu. Willem: If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into software based solution - introducing network related changes could be quite tricky in this case (politics,another IT group, single point of failure...) 
Disclaimer: have no idea about Veritas HA Unix cluster either ;) Now if I could only smack the Unix folks, make them disable DDNS registration requirement on the cluster and look into hardware load balancer, the life would be much easier... Bottom line: Unix people are evil ! do not let them near your AD ;) (ducking and getting on a plane) Thanks all for the input ! Guy

From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment

Guy, Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I'd take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. -- Cheers, Willem (disclaimer: I know nothing about Veritas HA clusters)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al
RE: [ActiveDir] DDNS in Unix environment
I will try to address all the points raised. Al: You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values. Mike: I have already suggested simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will definitely have a better look at it. Funny that I have not found it while exercising my google-fu. Willem: If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into software based solution - introducing network related changes could be quite tricky in this case (politics, another IT group, single point of failure...) Disclaimer: have no idea about Veritas HA Unix cluster either ;) Now if I could only smack the Unix folks, make them disable DDNS registration requirement on the cluster and look into hardware load balancer, the life would be much easier... Bottom line: Unix people are evil ! do not let them near your AD ;) (ducking and getting on a plane) Thanks all for the input ! Guy

From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment

Guy, Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I'd take a hard look at how the app is supposed to realize high availability. 
Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. -- Cheers, Willem (disclaimer: I know nothing about Veritas HA clusters)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 19, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then? What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)? What does Veritas recommend? (it is their product after all). Al

On 6/17/06, Guy Teverovsky [EMAIL PROTECTED] wrote:

Howdy all, I am banging my head over this trying to come up with a solution for a client. To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS. There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different subnets. The only problem with this setup is that the cluster needs to register its DNS name when failing over to DR site and it does not support secure DDNS. The best thing it can do is T-SIG DDNS with pre-shared key. 
Enabling non-secure DDNS is not an option. I can disable the DNS registration requirement in the cluster resource group, but this has some issues, while one of them is the fact that accessing the application at the DR site (from internal LAN) will require using FQDN different from the FQDN of the primary site. An alternative would be to somehow enable DDNS only from a predefined set of IP addresses, but from what I know the MS DNS is not capable of it (correct me if I'm wrong). Switching to BIND presents the same issue: while it can solve the dynamic registration of the cluster service using T-SIG DDNS, yet non-secure registration of SRV records is not acceptable and I would like to avoid having statically registered SRV records for the DCs. Not sure whether the solution is in the MS DNS, but there are some knowledgeable folks over here that might have stumbled upon something like this. Any help is greatly appreciated. Thanks, Guy
[ActiveDir] DDNS in Unix environment
Howdy all, I am banging my head over this trying to come up with a solution for a client. To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS. There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different subnets. The only problem with this setup is that the cluster needs to register its DNS name when failing over to DR site and it does not support secure DDNS. The best thing it can do is T-SIG DDNS with pre-shared key. Enabling non-secure DDNS is not an option. I can disable the DNS registration requirement in the cluster resource group, but this has some issues, while one of them is the fact that accessing the application at the DR site (from internal LAN) will require using FQDN different from the FQDN of the primary site. An alternative would be to somehow enable DDNS only from a predefined set of IP addresses, but from what I know the MS DNS is not capable of it (correct me if I'm wrong). Switching to BIND presents the same issue: while it can solve the dynamic registration of the cluster service using T-SIG DDNS, yet non-secure registration of SRV records is not acceptable and I would like to avoid having statically registered SRV records for the DCs. Not sure whether the solution is in the MS DNS, but there are some knowledgeable folks over here that might have stumbled upon something like this. Any help is greatly appreciated. Thanks, Guy
RE: [ActiveDir] FYI: Failing to create a trust
Maybe I am shooting blanks into the great wide open, but I have lately been beaten on various occasions by LSA's loopback check that has been enabled by default in W2K3 SP1 (mainly installing MOM Reporting Services or having MOM's DB on remote machine – all W2K3SP1 related). I currently do not have an environment to test this, but it could be worth a shot to try disabling the loopback check as per: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861 I guess this could be related to the way the VM's network stack is implemented… Cheers, Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 19, 2005 17:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Tony, While creating my test environment that I will use at DEC, I also tested the following:

ADCORP.LAN
- DC01 (W2K3SP1)
- DC02 (W2K3) promoting to DC and use DC01 (W2K3SP1) as source - NO ISSUES!

BRANCH.ADCORP.LAN
- DC11 (W2K3SP1) promoting to DC and use DC01 (W2K3SP1) as source - ISSUES FOUND! (changing pwd solved issue)
- DC12 (W2K3) promoting to DC and use DC11 (W2K3SP1) as source - NO ISSUES!

SUBSIDIARY.ADCORP.LAN
- DC21 (W2K3SP1) promoting to DC and use DC02 (W2K3) as source - ISSUES FOUND! (changing pwd solved issue)
- DC22 (W2K3SP1) promoting to DC and use DC21 (W2K3SP1) as source - ISSUES FOUND! (changing pwd solved issue)

It looks like if the DC to be promoted = w2k3SP1 then the issues mentioned occur. Cheers, jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, December 18, 2005 21:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Tony, R2 does not change core binaries so there should be no change there. I can save you time when it comes to the R2 test as I found it first in R2, then tried SP1. 
Both with the same issues. I have not tried pre-SP1 myself. I'm not sure, but I think it does not occur in pre-SP1 because I had never seen it before until working with R2 and SP1. Jorge

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Sun 12/18/2005 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Jorge, Ok, I'm back at work and the workaround using the same username and password combination does the trick. I found one other interesting glitch. Here's the sequence.
1. Cross-forest trust setup fails with RPC connection failure.
2. Change ForestA administrator name and password to same as ForestB
3. Set up one side of the trust in ForestA. All ok.
4. Attempt to set up ForestB side of trust. Fails with RPC connection failure.
5. Remove trust in ForestA.
6. Go back to ForestB and set up one side of the trust. All ok.
7. Go back to ForestA and set up the other side of the trust. All ok.
Weird. If I have time, I'll do the same thing with Windows 2003 (no SP1) and with Windows 2003 R2. I'll also see if the behaviour is different with Virtual PC. Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, 19 December 2005 2:05 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Just before going to a party yesterday, I was playing with 2 VMs. Each VM was a DC in its own forest/domain and I wanted to create a trust between the two. How difficult is that? Well, not that difficult, until you get the error... ;-(( default tests: nslookup, mappings, etc and everything OK There is a big difference here. 
With the DCPROMO thing it goes wrong after entering the credentials to dcpromo the DC. With the TRUST thing it goes wrong as soon as you enter the target domain. The fun part is (quote from the DCPROMO story I wrote): QUOTE To test permissions and credentials I created a mapping (to the ADMIN$ share) from the stand alone server to the forest root DC and used username administrator and password CORP. result = OK To test permissions and credentials I started LDP on the stand alone server and connected to the forest root DC and used username administrator and password CORP. result = OK. I was able to do anything in the directory. To test permissions and credentials I joined the stand alone server and made it a member server of the forest root domain using the username administrator and
RE: [ActiveDir] Internet Explorer Home Page Question
If I am not mistaken, newly created profiles take the defaults from: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main] Set the Start Page and Search Page there and the newly created profiles will pick the settings from there. If you want to automate it, create a custom administrative template to deploy the registry settings to all your workstations with a GPO and you are done. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Tuesday, November 22, 2005 16:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

Excellent. Thanks for the tip. I totally forgot about setting permissions on the group. On the delete of the group I actually meant to say delete from the group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, November 21, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Explorer Home Page Question

Nice to know, that it worked out for you. I also tried using the /delete to delete the group but if the person isn't in that group the script just hangs. I am just curious, why would you delete the group? Also, why do you require password in the script? If you just give add/remove self as member access it doesn't work thru GUI. You have to specifically go to property level permission and assign WRITE access on members attribute, then members will be able to manage their membership of group. Give that right to SELF security principal. (I just tested that again) Also, one caveat: If you have an AD2000 forest or an AD2003 forest running on the Windows 2000 functional level, you should take into account the following warning: If you delegate group management to members, it might create problem if users update their membership on different DCs. All members of a group are stored in one multivalued property. 
If that member list is modified on two domain controllers simultaneously (within replication latency), one of the two changes will be lost. - Kamlesh

On 11/22/05, Craig Gauss [EMAIL PROTECTED] wrote:

Been working on this one most of the day. Have it sort of working. Needed to use CPAU from joeware, but there is one problem. The password is displayed in the batch which is pretty much insecure and goes against any password policy. Anyways, I have it adding the user to the correct group upon logon. It takes a little while though for the user to show in the group. I also tried using the /delete to delete the group but if the person isn't in that group the script just hangs.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Micheal S. Mand
Sent: Monday, November 21, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

Craig, Quoting what Kamlesh said before your email: To remove logged-in user, I would use something like:
if new-users is Domain Local group then: net localgroup new-users %username% /delete /domain
if new-users is Domain Global group then: net group new-users %username% /delete /domain
His email was sent 11/19/2005 10:37 AM. If you didn't get it I can forward that to you. Thanks, Micheal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Gauss
Sent: Monday, November 21, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

How would you go about removing the user from the group in a login script?

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, November 18, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Explorer Home Page Question

Building on what James said, You can make it automatic, create a group New-Users and assign the intranet homepage GPO to this group. 
and importantly, Allow members to remove themselves from group. When you create a new user, just make her member of this group. Make a login script, in the same GPO, which will remove the logged in user from this group. When the user logs in for the first time, she is member of this New-Users group, so this GPO applies and her homepage is set to intranet. At the same time, login script runs and removes user from that group. This makes sure that this GPO is never applied again, as the user is no longer a member of New-Users group. And intranet was set for first login only. - Kamlesh

On 11/18/05, Blair, James [EMAIL PROTECTED] wrote:

Michael, You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days. James

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, 18 November 2005 12:29 PM
To:
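Kamlesh's caveat about the member attribute, illustrated with an added simulation (example code written for this page, not something posted in the thread): two domain controllers each remove a different user from the same group inside the replication window. When the whole member list replicates as a single attribute value (Windows 2000 forest functional level) the copy with the higher stamp wins outright and one removal is lost; with per-value stamps (linked-value replication, available at Windows Server 2003 forest functional level) both removals survive. The stamp comparison is a simplified version of AD's (version, then originating time), and the group members and times are constructed.

```python
"""Added simulation of the 'member' attribute conflict the thread warns about.
Constructed example, not code from the thread: stamps and conflict rules are a
simplified version of AD's (higher version wins, then later originating time)."""

from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class Stamp:
    version: int
    timestamp: int  # constructed originating time; exact ties are not modelled


class LegacyGroup:
    """Windows 2000 forest functional level: the whole member list is one
    attribute value with a single stamp, so replication copies the list."""

    def __init__(self, members, stamp):
        self.members = set(members)
        self.stamp = stamp

    def remove(self, user, now):
        self.members.discard(user)
        self.stamp = Stamp(self.stamp.version + 1, now)

    def replicate_from(self, other):
        # Attribute-level conflict resolution: the higher stamp replaces
        # the local list outright, regardless of what it contains.
        if other.stamp > self.stamp:
            self.members = set(other.members)
            self.stamp = other.stamp


class LvrGroup:
    """Windows Server 2003 forest functional level (linked-value replication):
    every member value carries its own stamp and a present/absent flag."""

    def __init__(self, members, stamp):
        self.values = {user: (stamp, True) for user in members}

    def remove(self, user, now):
        stamp, _ = self.values[user]
        self.values[user] = (Stamp(stamp.version + 1, now), False)

    def replicate_from(self, other):
        # Conflict resolution is per value, so independent changes to
        # different members never overwrite each other.
        for user, (stamp, present) in other.values.items():
            mine = self.values.get(user)
            if mine is None or stamp > mine[0]:
                self.values[user] = (stamp, present)

    @property
    def members(self):
        return {user for user, (_, present) in self.values.items() if present}


def run_scenario(group_cls):
    """Two users' logon scripts remove them from New-Users on different DCs
    before either change replicates; return both DCs' member lists after
    replication in each direction."""
    dc1 = group_cls({"alice", "bob", "carol"}, Stamp(1, 0))
    dc2 = group_cls({"alice", "bob", "carol"}, Stamp(1, 0))
    dc1.remove("alice", now=10)   # alice logged on against DC1
    dc2.remove("bob", now=11)     # bob logged on against DC2
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return sorted(dc1.members), sorted(dc2.members)


if __name__ == "__main__":
    print("attribute-level:", run_scenario(LegacyGroup))  # alice's removal is lost
    print("linked-value:   ", run_scenario(LvrGroup))     # both removals survive
```

With attribute-level replication both DCs converge on alice and carol: alice's self-removal was overwritten by DC2's later copy of the list, so her GPO-driven homepage would apply again at the next logon. With linked-value replication both DCs converge on carol alone.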
RE: [ActiveDir] IAS, Radius AD
Sorry, that should be: netsh ras set tracing * ENABLED Also take a look at the authentication flow over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=""> (it's W2K specific, but from my experience is not different from W2K3) It will help you correlate the logs with what is going on. The error you are getting is quite generic; several times I have seen IAS trying to look for a non-existing domain (based on incorrect mapping of user account to account's domain) and resulting in this exact error. Remember that IAS receives a RADIUS authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS, PEAP, PAP, CHAP, etc) might have the user/account pair in different forms. The result is that IAS needs to apply additional logic to figure out the account's domain. Have you tried to authenticate with UPN or Kerb principal instead of domain\username ?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 18, 2005 00:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

The problem is the IAS server cannot find any DCs in those domains. Also, I get the following error with the netsh command: C:\netsh ras tracing * ENABLED The following command was not found: ras tracing * ENABLED.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, November 17, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

Are members in those 2 domains having UPN suffix not in the namespace of the forest root ? Example: Forest root suffixes: @company.net Child suffixes: @child.forest.com Are the users trying to logon using UPN or domain\samaccountname ? 
Have you tried implicit Kerberos principal ([EMAIL PROTECTED])? IAS is rather touchy when it comes to mapping UPNs to correct domains. You can also enable IAS debugging by issuing on the IAS server: netsh ras tracing * ENABLED You will find detailed logs at %SystemRoot%\Tracing Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors? Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

I ran DNSLint and it returned SRV records for all DCs in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs: DsBindW error 0x6ba(The RPC server is unavailable.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

DC's are located by querying DNS. Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task. 
Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IAS, Radius AD

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, There is no domain controller available for domain SWSNM. I've run DCDIAG and NETDIAG against these domains and the tests pass. How does IAS locate domain controllers for authentication? How can I troubleshoot this? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the inten
RE: [ActiveDir] IAS, Radius AD
Are members in those 2 domains having UPN suffix not in the namespace of the forest root ? Example: Forest root suffixes: @company.net Child suffixes: @child.forest.com Are the users trying to logon using UPN or domain\samaccountname ? Have you tried implicit Kerberos principal ([EMAIL PROTECTED])? IAS is rather touchy when it comes to mapping UPNs to correct domains. You can also enable IAS debugging by issuing on the IAS server: netsh ras tracing * ENABLED You will find detailed logs at %SystemRoot%\Tracing Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors? Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

I ran DNSLint and it returned SRV records for all DCs in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs: DsBindW error 0x6ba(The RPC server is unavailable.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius AD

DC's are located by querying DNS. 
Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IAS, Radius AD

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, There is no domain controller available for domain SWSNM. I've run DCDIAG and NETDIAG against these domains and the tests pass. How does IAS locate domain controllers for authentication? How can I troubleshoot this? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] OT: MIIS, ADAM, AD
I wonder whether anyone has tried the ADAM Synchronizer for similar scenarios: http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19edisplaylang=en The documentation is pretty vague about the way the target objects are created. Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, July 29, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: MIIS, ADAM, AD

We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts. My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue. Reading about ADAM proxy users leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil? Are there any good MIIS for dummies type documentation around? Any good ADAM and/or MIIS mailing lists?
RE: [ActiveDir] Windows - MIT Cross-realm auth to domains not in the same dns hierarchy
The preceding solution works great, but I've found that if we establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy as AD.SCHOOL.EDU) then user logons fail. [Guy] There is a similar bug when changing passwords over cross forest trust when the UPN suffix of the account you logon with to trusting forest is different from the trusted forest's DNS name. In this case the DC resolves the domain to \\first_part_of_upn_suffix i.e.: [EMAIL PROTECTED] is AD account in internal.local forest and logs on to other.local forest over cross-forest transitive trust. When trying to change password (when logged on with UPN), the target domain is resolved to COMPANY and not INTERNAL (or internal.local) There is a hotfix that you might want to try (it addresses the way the domains are located when using UPN - might also resolve the MIT Kerb issue): http://support.microsoft.com/?kbid=890953 Also try to logon from W2K3 box in OTHER.AD.SCHOOL.EDU domain with MIT Kerberos principal as it is not experiencing the above behavior. Guy List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
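Both the IAS thread above (the event 5052 "no domain controller available" for two child domains) and the UPN-suffix bug Guy describes here come down to the same step: turning the name a user logged on with into the domain that holds the account. The added example below is written for this page, not code from IAS or from the thread. It compares a shortcut that takes the first label of the suffix as the NetBIOS domain (which is the behaviour described above, where company.com resolves to COMPANY rather than INTERNAL) with a resolver that treats user@REALM as a Kerberos principal when the realm is a domain's DNS name and otherwise searches the forest by userPrincipalName the way a global catalog query would. Forest, domain and account names are constructed.

```python
"""Added example: mapping a RADIUS identity to (NetBIOS domain, account).
Constructed forest; not code from IAS or from the thread."""


class Forest:
    def __init__(self):
        # DNS name -> (NetBIOS name, {sAMAccountName: userPrincipalName})
        self.domains = {}

    def add_domain(self, dns_name, netbios, accounts):
        self.domains[dns_name.lower()] = (netbios.upper(), dict(accounts))

    def netbios_names(self):
        return {netbios for netbios, _ in self.domains.values()}

    def gc_lookup_upn(self, upn):
        """Search every domain by userPrincipalName, as a GC query would."""
        for netbios, accounts in self.domains.values():
            for sam, account_upn in accounts.items():
                if account_upn.lower() == upn.lower():
                    return netbios, sam
        return None


def naive_resolve(forest, logon_name):
    """Shortcut: for user@suffix, take the first label of the suffix as the
    NetBIOS domain. Works only while the suffix starts with the domain name."""
    if "\\" in logon_name:
        domain, sam = logon_name.split("\\", 1)
        return domain.upper(), sam
    user, _, suffix = logon_name.partition("@")
    domain = suffix.split(".", 1)[0].upper()
    return (domain, user) if domain in forest.netbios_names() else None


def resolve(forest, logon_name):
    """DOMAIN\\user names the domain; user@REALM is a Kerberos principal when
    REALM is a domain DNS name; anything else is a UPN resolved via the GC."""
    if "\\" in logon_name:
        domain, sam = logon_name.split("\\", 1)
        domain = domain.upper()
        return (domain, sam) if domain in forest.netbios_names() else None
    user, _, suffix = logon_name.partition("@")
    if not suffix:
        return None
    domain = forest.domains.get(suffix.lower())
    if domain is not None and user in domain[1]:
        return domain[0], user
    return forest.gc_lookup_upn(logon_name)


def build_sample_forest():
    """Constructed forest: root internal.local whose users carry a UPN suffix
    (company.com) outside the forest's DNS namespace, plus one child domain."""
    forest = Forest()
    forest.add_domain("internal.local", "INTERNAL", {"jdoe": "jdoe@company.com"})
    forest.add_domain("child.internal.local", "CHILD",
                      {"asmith": "asmith@child.internal.local"})
    return forest


if __name__ == "__main__":
    forest = build_sample_forest()
    for name in ("INTERNAL\\jdoe", "jdoe@INTERNAL.LOCAL", "jdoe@company.com",
                 "asmith@child.internal.local"):
        print(f"{name:30} naive={naive_resolve(forest, name)} "
              f"resolver={resolve(forest, name)}")
```

The shortcut succeeds for asmith@child.internal.local only because that suffix happens to begin with the NetBIOS name; for jdoe@company.com it produces a domain that does not exist, which is the "no domain controller available" situation, while DOMAIN\user and the implicit Kerberos principal form avoid the ambiguity entirely, which is why the thread suggests trying them.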
RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group
Try

for /F "delims=*" %i in ('dsquery * -filter "(&(objectcategory=person)(objectclass=user)(memberof=SourceGroupDN))"') @do dsmod group TargetGroupDN -addmbr %i

(all at one line) It could be that you have stumbled upon dsmod's limitation when it can not have more than one DN piped in as a parameter. Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 23, 2005 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

Hi, Task - to copy members of an AD email distribution group to another email distribution group. I have looked at both adfind and dsquery and while I can output all of the properties of the source email distribution group (including members), I can't see how to restrict the output just to members in order to pipe them to another email distribution group. Any thoughts? TIA, Mike Thommes

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group
Oops... Should be:

for /F "delims=*" %i in ('dsquery * -filter "(&(objectcategory=person)(objectclass=user)(memberof=SourceGroupDN))"') do @dsmod group TargetGroupDN -addmbr %i

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, June 24, 2005 1:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

Try

for /F "delims=*" %i in ('dsquery * -filter "(&(objectcategory=person)(objectclass=user)(memberof=SourceGroupDN))"') @do dsmod group TargetGroupDN -addmbr %i

(all at one line) It could be that you have stumbled upon dsmod's limitation when it can not have more than one DN piped in as a parameter. Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 23, 2005 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

Hi, Task - to copy members of an AD email distribution group to another email distribution group. I have looked at both adfind and dsquery and while I can output all of the properties of the source email distribution group (including members), I can't see how to restrict the output just to members in order to pipe them to another email distribution group. Any thoughts? TIA, Mike Thommes

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Migration between domains with same NetBios name
Guido,

How about:
1) rename the NetBios name of the target AD
2) perform the migration
3) rename the NetBios name of the AD back to the original

Because you are changing only the NetBios name and not the DNS name, the fixups at the AD side are rather minor... Or are we talking about the target AD being already production and/or W2K ?

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience.

Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=corp.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs...

I can imagine various challenges, besides not being able to set up a trust and thus losing various options for doing a normal migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration have to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same ip-subnet...

I wonder how others have tackled this challenge and what issues you ran into.

/Guido
RE: [ActiveDir] LDAPS question
Hi Joseph,

The thing with the GUID is that DCs use the GUIDs to locate and identify each other; hence a cert without a GUID would break the replication, so it's quite natural that the cert was rejected by the DC (good to know that certs that can break things are rejected).

I too was trying to edit the inf file directly and was failing. Just skipped that and used certreq with arguments. Cool that you managed to figure out that part.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 20, 2005 2:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

I think I may have figured it out. I was able to repro this on my Microsoft CA. The certificate will not load unless you provide a valid host name and GUID in the SAN. In my case I also added my alias. Guy, I know you said to include the GUID so shame on me for not listening. It appears you also need to include the DC host name, even if the host name appears in the subject, which is in contrast to the Microsoft documentation which states that the host name can be in the subject OR the SAN. I haven't tried this out with our external CA yet but I'm thinking it's going to work this time. Crossing my fingers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, May 19, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

After a lot of time spent testing I finally figured out how to make this work with an external CA. The main issue is that the third party CA does not allow you to use the certreq.exe utility to submit the request. Instead I had to paste the CSR directly into their web form, which meant that I needed to include all extensions in the .inf file the reqDCcert.vbs creates. I found out the hard way that you can't simply add these extensions to the .inf. The data has to be converted and encoded.
In the end I had to modify reqDCcert.vbs in the following way:

    aASNsubstring(0, ASCIIDATA) = sDNShostname
    aASNsubstring(0, HEX_TYPE) = "82"
    '
    ' Convert DNS name into Hex
    '
    For i = 1 to Len(aASNsubstring(0, ASCIIDATA))
        aASNsubstring(0, HEXDATA) = aASNsubstring(0, HEXDATA) & _
            Hex(Asc(Mid(aASNsubstring(0, ASCIIDATA), i, 1)))
    Next
    aASNsubstring(0, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(0, HEXDATA)) / 2)
    '
    ' Build the ASN.1 blob for DNS name
    '
    sASN = aASNsubstring(0, HEX_TYPE) & _
           aASNsubstring(0, HEX_DATA_LENGTH) & _
           aASNsubstring(0, HEXDATA)
    '
    ' This is the section I added. I'm basically adding a second DNS name to the INF file.
    ' I'm adding it here in the script instead of the .INF file because it needs to be converted.
    '
    aASNsubstring(1, ASCIIDATA) = "ldap.company.net"
    aASNsubstring(1, HEX_TYPE) = "82"
    For i = 1 to Len(aASNsubstring(1, ASCIIDATA))
        aASNsubstring(1, HEXDATA) = aASNsubstring(1, HEXDATA) & _
            Hex(Asc(Mid(aASNsubstring(1, ASCIIDATA), i, 1)))
    Next
    aASNsubstring(1, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(1, HEXDATA)) / 2)
    sASN = sASN & aASNsubstring(1, HEX_TYPE) & _
           aASNsubstring(1, HEX_DATA_LENGTH) & _
           aASNsubstring(1, HEXDATA)
    '
    '
    ' Append the GUID as other name
    '
    'if (sType = "E") then
    '    aASNsubstring(2, HEXDATA) = sGUID
    '    aASNsubstring(2, HEX_TYPE) = "A0"
    '    aASNsubstring(2, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(2, HEXDATA)) / 2)
    '    sASN = sASN & _
    '           "A01F06092B0601040182371901" & _
    '           aASNsubstring(2, HEX_TYPE) & _
    '           "120410" & _
    '           aASNsubstring(2, HEXDATA)
    'end if

I basically added another section that added a second DNS name. I also commented out the GUID because I did not need it. It may be possible to uncomment it.

Now run reqDCcert.vbs to create the .inf file. Then run:

    certreq -new servername.inf yourNewRequest.csr

Now you can paste the contents of yourNewRequest.csr directly into the third party request form.

Now for the bad news. After all of that it still doesn't work!
:-) It added the SAN to my cert; however, I still can't use ldp.exe to connect using LDAPS when I use the alternate name. The alternate name shows up just as it did when I used the Microsoft CA; however, when I used the Microsoft CA LDAPS worked. Now it doesn't. I'm going to keep at it. I'll let everyone know if I get it to work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 10, 2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Have never tried that and do not have the environment handy to give it a shot, but as long as you meet the requirement for the DCs cert and the CSR contains the desired SANs, you should be fine. Just make sure that the DC's GUID, FQDN and the alias are in the SAN. Not sure if you will need to specify the template; have no idea if a 3rd party CA will reject the CSR or just ignore that part.

Guy

From: [EMAIL PROTECTED
RE: [ActiveDir] LDAPS question
Have never tried that and do not have the environment handy to give it a shot, but as long as you meet the requirement for the DCs cert and the CSR contains the desired SANs, you should be fine. Just make sure that the DC's GUID, FQDN and the alias are in the SAN. Not sure if you will need to specify the template; have no idea if a 3rd party CA will reject the CSR or just ignore that part.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 11, 2005 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy. That is a really helpful blog. After a little fuss I was able to get the cert to recognize and honor the Subject Alternative Name using your steps. Do you know if these same steps will work against a third party CA? In any case I plan on trying it out on a third party CA tomorrow. I'll let you know how it goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, May 09, 2005 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

It turned out to be a bit more complicated than I thought. I made some notes over here:
http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements. If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid Subject in the [NewRequest] section. At least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, May 09, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy, I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name never seems to take when I request the cert. Here's what I added to my script:

Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem to take. Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 06, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

You will need to issue new certificates to the DCs with ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate can not be issued to an alias (ldap.company.com) in the Subject field; the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question

We currently provide LDAPS to our customers. Right now the certificates that we load on our DCs use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect. Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks
RE: [ActiveDir] LDAPS question
It turned out to be a bit more complicated than I thought. I made some notes over here:
http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements. If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid Subject in the [NewRequest] section. At least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, May 09, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy, I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name never seems to take when I request the cert. Here's what I added to my script:

Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem to take. Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 06, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

You will need to issue new certificates to the DCs with ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate can not be issued to an alias (ldap.company.com) in the Subject field; the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question

We currently provide LDAPS to our customers. Right now the certificates that we load on our DCs use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect. Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks
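Both the reqDCcert.vbs modification Joseph posted earlier in this thread and his ICEnroll addExtensionToRequest attempt come down to which bytes end up in the SubjectAltName extension. The following Python is an added example, not code from the thread, from reqDCcert.vbs or from Microsoft: it builds the same DER structure the VBScript assembles from hex strings (dNSName entries plus the DC GUID otherName under OID 1.3.6.1.4.1.311.25.1), parses it back, and checks the requirement the thread settled on, that the DC's own FQDN and its GUID are both present. The host names and the GUID are constructed sample values, and the mapping from the display-form GUID to AD's raw objectGUID byte order via bytes_le is the example's assumption.

```python
"""Build and check a SubjectAltName (SAN) extension value for a DC certificate.

Added example, not code from the thread or from reqDCcert.vbs.  It produces the
same DER bytes that script concatenates into sASN as hex strings:
  82 <len> <name>                 dNSName (context tag [2], IA5String)
  A0 1F 06 09 2B0601040182371901  otherName (context tag [0]) carrying OID 1.3.6.1.4.1.311.25.1
  A0 12 04 10 <16 GUID bytes>     the DC objectGUID as [0] EXPLICIT OCTET STRING
Host names and the GUID used below are constructed sample values.
"""
import uuid

# DER encoding of OID 1.3.6.1.4.1.311.25.1 (the DC GUID otherName OID hard-coded in the script).
DC_GUID_OID = bytes.fromhex("2B0601040182371901")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above (what ComputeASN1 does in the script)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def dns_name(name: str) -> bytes:
    """GeneralName dNSName: [2] IMPLICIT IA5String."""
    return tlv(0x82, name.encode("ascii"))


def dc_guid_other_name(guid: str) -> bytes:
    """GeneralName otherName for the DC objectGUID.  The GUID string is the display form
    (as ADSI Edit shows it); bytes_le is assumed to give the raw objectGUID byte order stored in AD."""
    octets = tlv(0x04, uuid.UUID(guid).bytes_le)
    return tlv(0xA0, tlv(0x06, DC_GUID_OID) + tlv(0xA0, octets))


def build_san(dns_names, dc_guid=None) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName."""
    body = b"".join(dns_name(n) for n in dns_names)
    if dc_guid:
        body += dc_guid_other_name(dc_guid)
    return tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_san(san: bytes):
    """Return ([dNSName, ...], dc_guid_or_None) from a SAN extension value."""
    tag, body, _ = _read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE")
    names, guid, pos = [], None, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(value.decode("ascii"))
        elif tag == 0xA0:                      # otherName: OID followed by [0] EXPLICIT value
            oid_tag, oid, after_oid = _read_tlv(value, 0)
            if oid_tag == 0x06 and oid == DC_GUID_OID:
                _, explicit, _ = _read_tlv(value, after_oid)
                _, octets, _ = _read_tlv(explicit, 0)
                guid = str(uuid.UUID(bytes_le=octets))
    return names, guid


def san_meets_dc_requirements(san: bytes, dc_fqdn: str) -> bool:
    """The point the thread arrived at (and KB 291010 makes): the DC's own FQDN and its GUID must both be present."""
    names, guid = parse_san(san)
    return dc_fqdn.lower() in (n.lower() for n in names) and guid is not None


if __name__ == "__main__":
    san = build_san(["dc1.company.com", "ldap.company.net"], "12345678-1234-5678-9abc-def012345678")
    print(san.hex().upper())
    print(parse_san(san), san_meets_dc_requirements(san, "dc1.company.com"))
```

The hex this prints can be compared against the extension shown by `certutil -dump` on the generated request before it is pasted into a CA's web form; if the DC FQDN or the GUID otherName is missing, the DC will reject the certificate exactly as Joseph observed.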
RE: [ActiveDir] userenv bug in w2k3?
I just wonder whether W2K3 gets confused and tries to treat authenticating against an MIT Kerberos realm as a fully bloated cross-forest logon. Do you have loopback enabled in this GPO ?

W2K3 and W2K behave a bit differently when doing cross-forest logons. W2K by default does not process the user policies, roaming profiles and logon scripts from the user account domain when authenticating over a cross-forest trust (but does not default to loopback). W2K3 (by default) disables the cross-forest GPO processing and defaults to loopback. Now if you explicitly disable the loopback, W2K still fails to process the logon scripts (I believe there is an open bug regarding this one).

I'd suggest you explicitly set "Allow cross-forest User Policies and Roaming Profiles" in the computer part of the GPO to Disabled and also check whether disabling/enabling loopback changes things.

Well... Just my 2 mumbling cents.

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, February 16, 2005 8:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userenv bug in w2k3?

Hi,

I have a w2k3 machine (terminal server) that works fine when a user logs in to the domain. But, if a user authenticates to a MIT kerberos realm (with a name mapping defined in AD) then the server logs an event id 1054 (Userenv). The description is:

Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

To make a long story shorter, I enabled debug logging for userenv and confirmed that it is looking in the wrong domain for the DC's when looking up group policy for the user. It's looking in the authenticating realm (the MIT kerberos realm) and not the AD domain. The server configuration *is* correct. In other words, the domain suffix is the AD domain name. (confirmed by ipconfig /all and netdiag).

This server is using the same GP as another working (2000) server. I compared TGTs and they look the same, so I'm not sure where else to look.

Suggestions? :-)

Thanks!

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?
Why second forest ? We are R&D, have to be special and love to push the technology to its limits ;)

Now seriously... Being R&D, we have some requirements that can not be provisioned using the corporate forest, both from the point of procedures and flexibility. While we do use user accounts from the corporate forest, we need to have control over the hosts and have an environment flexible enough to host projects that require a level of control that the corporate forest can not provide us. The result is that we have our own forest for hosts and project related accounts.

As for Kerberos, this is rather an issue, as we need to provide simultaneous access to users from different Kerberos realms, meaning that switching the host's realm is not an option.

As for 3rd party apps - those currently are not an option (sigh), so I came up with the idea of collapsing/synching relevant user accounts (those R&D folks) from multiple domains to a single LDAP partition the hosts will be pointed to. The intention is to use LDAPS for authentication. As I see it, this is much easier to provision: you do not need to join hosts to Kerberos realms and the end user can have his boxes easily configured by following short instructions. The authentication chain is basically:

[*nix host] => (LDAPS) => [OpenLDAP] => (Kerberos) => [DC in one of user account domains]

In any case, I would be glad to hear what guys on this list think about this kind of setup.

Thanks,
Guy

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 1/29/2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

I am trying to understand why you have a second forest for resources at all? Is it strictly to hold the non-MS kerberos princs?

I understand the issue with the multiple realms with the current UNIX kerb implementations. They don't seem to be in a hurry to correct that shortcoming either from the talks I have heard about. One of the companies I admin'ed for previously had that issue for about 5000 UNIX hosts. It got to the point that they had a system set up where they scripted the process so they could quickly move UNIX machines to point from one realm to another in the event it was needed, which wasn't terribly often. However, it took admin interaction. In the backend they had a little perl daemon they wrote on the machines that would get the keytab files as needed and manage that whole process. It would use sockets to communicate to a member server (one server in the whole forest was fine, but two offered failover) which it would call out to get the keytabs generated. They were thinking at one point about setting up a custom PAM to handle it so you could specify what domain/realm to auth the user in, which would switch which sys files were used, but the concern was writing the custom code for that as it would have had to work on Solaris, HPUX, DEC, various Linux blends, IRIX, and probably eventually mainframes, etc. Anything not smart enough to handle an Enterprise Kerberos implementation [1].

You might consider looking at the Centrify and Vintela solutions. They will get you far more than just auth. I know Centrify will handle multi-realm.

joe

[1] Let's face it, a single kerberos realm is small or medium centralized business or university class, it isn't enterprise class.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Saturday, January 29, 2005 2:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

Hi Eric,

Guess what google has come up with ?
http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx
:-)

Second paragraph from the bottom is exactly my scenario, so looks like I'm stuck with another directory. Will probably end up with OpenLDAP to make our Unix geeks happy, if this can not be done using the existing environment.

Btw, it's quite interesting how OpenLDAP handles the simple bind authentication: the userPassword value contains the mechanism used to authenticate the account. For example:

Dn: uid=guy,ou=test,dc=company,dc=com
...
userPassword: [EMAIL PROTECTED]

Or this could be:

userPassword: {crypt}ijFYNcSNctBYg

The part in the parenthesis can be CRYPT, MD5, KERBEROS, SASL, etc...

Thanks a bunch !
Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, January 29, 2005 2:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

We actually do have this in AD, sorta. :)

The point of bind redirection is allowing a simple bind to work in such a manner. If you're open to other sorts of binds, this works in ADAM w/o this mechanism. In AD, the same logic applies... use a secure
[ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?
Hello all,

In ADAM there is a nice feature, called bind redirects, which is implemented using the ms-DS-Bind-Proxy auxiliary class. Now it appears that in AD there is no alternative for something like this.

What I would like to do is, given 2 AD forests (resource forest where hosts reside and account forest where the user accounts are):
- have the resource forest's schema extended to utilize posixAccount (I need those uidNumber, gidNumber)
- configure Linux/Unix clients to use LDAP authentication against the resource forest (can't use Kerberos as the account forest is multi-domain and *nix can point to only one Kerberos realm)
- create proxy accounts in the resource AD
- have the resource AD proxy the authentication request to the user's real accounts in the account forest:
  [EMAIL PROTECTED] => [EMAIL PROTECTED]
  [EMAIL PROTECTED] => [EMAIL PROTECTED]

I have this setup currently successfully working by using OpenLDAP instead of the resource AD, but I would really like to avoid deploying another directory.

Your thoughts ?

Thanks,
Guy
RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?
Hi Eric,

Guess what google has come up with ?
http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx
:-)

Second paragraph from the bottom is exactly my scenario, so looks like I'm stuck with another directory. Will probably end up with OpenLDAP to make our Unix geeks happy, if this can not be done using the existing environment.

Btw, it's quite interesting how OpenLDAP handles the simple bind authentication: the userPassword value contains the mechanism used to authenticate the account. For example:

Dn: uid=guy,ou=test,dc=company,dc=com
userPassword: [EMAIL PROTECTED]

Or this could be:

userPassword: {crypt}ijFYNcSNctBYg

The part in the parenthesis can be CRYPT, MD5, KERBEROS, SASL, etc...

Thanks a bunch !
Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, January 29, 2005 2:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

We actually do have this in AD, sorta. :)

The point of bind redirection is allowing a simple bind to work in such a manner. If you're open to other sorts of binds, this works in ADAM w/o this mechanism. In AD, the same logic applies... use a secure bind, and this will work just fine.

The mechanism as it exists in ADAM, though, does not exist in AD. Sorry.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, January 28, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

Hello all,

In ADAM there is a nice feature, called bind redirects, which is implemented using the ms-DS-Bind-Proxy auxiliary class. Now it appears that in AD there is no alternative for something like this.

What I would like to do is, given 2 AD forests (resource forest where hosts reside and account forest where the user accounts are):
- have the resource forest's schema extended to utilize posixAccount (I need those uidNumber, gidNumber)
- configure Linux/Unix clients to use LDAP authentication against the resource forest (can't use Kerberos as the account forest is multi-domain and *nix can point to only one Kerberos realm)
- create proxy accounts in the resource AD
- have the resource AD proxy the authentication request to the user's real accounts in the account forest:
  [EMAIL PROTECTED] => [EMAIL PROTECTED]
  [EMAIL PROTECTED] => [EMAIL PROTECTED]

I have this setup currently successfully working by using OpenLDAP instead of the resource AD, but I would really like to avoid deploying another directory.

Your thoughts ?

Thanks,
Guy
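Guy's observation about OpenLDAP userPassword values, made in this message and again in the copy quoted in the reply to joe above, is the crux of the proxy design: the {scheme} prefix tells slapd whether the bind can be checked against a stored hash or must be handed to an external authenticator such as Kerberos. The following Python is an added example, not OpenLDAP's code: it parses the prefix, verifies the schemes that can be checked from the stored value alone ({SSHA}, {SHA}, {SMD5}, {MD5} and cleartext), reports {KERBEROS} and {SASL} as delegated, and treats {CRYPT} as unsupported since it needs the system crypt(3). The DNs and the Kerberos principal are constructed samples; the {crypt} value is the one quoted in the thread.

```python
"""Interpret OpenLDAP userPassword values by their {scheme} prefix.

Added example (not OpenLDAP's code).  slapd decides how to check a simple bind
from the prefix: hashed schemes are verified against the stored value, while
{KERBEROS}/{SASL} name an external authenticator (the payload is the principal
or SASL id).  The sample entries are constructed; the {crypt} value is the one
from the thread.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
# Schemes checkable from the stored value alone ("" = no prefix = cleartext).
LOCAL_SCHEMES = {"", "CLEARTEXT", "SSHA", "SHA", "SMD5", "MD5"}
# Schemes where the password never lives in the directory; slapd passes the bind through.
DELEGATED_SCHEMES = {"KERBEROS", "SASL"}


def parse_user_password(value: str):
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    if not m:
        return "", value
    return m.group(1).upper(), m.group(2)


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} as produced by slappasswd -h {SSHA}: base64(SHA1(password || salt) || salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def classify(value: str) -> str:
    """'local', 'delegated' or 'unsupported' (e.g. {CRYPT}, which needs the system crypt(3))."""
    scheme, _ = parse_user_password(value)
    if scheme in DELEGATED_SCHEMES:
        return "delegated"
    if scheme in LOCAL_SCHEMES:
        return "local"
    return "unsupported"


def verify(value: str, password: str):
    """True/False for locally checkable schemes, the string 'delegate' for pass-through schemes."""
    scheme, payload = parse_user_password(value)
    if scheme in DELEGATED_SCHEMES:
        return "delegate"
    pw = password.encode("utf-8")
    if scheme in ("", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme in ("SSHA", "SHA"):
        algo, dlen = hashlib.sha1, 20
    elif scheme in ("SMD5", "MD5"):
        algo, dlen = hashlib.md5, 16
    else:
        raise ValueError("scheme {%s} is not verifiable here" % scheme)
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]          # unsalted {SHA}/{MD5} simply have an empty salt
    return hmac.compare_digest(algo(pw + salt).digest(), digest)


# Constructed sample entries, in the shape of the LDIF fragment quoted in the thread.
SAMPLE_ENTRIES = {
    "uid=guy,ou=test,dc=company,dc=com": "{KERBEROS}guy@COMPANY.COM",      # constructed principal
    "uid=ann,ou=test,dc=company,dc=com": "{crypt}ijFYNcSNctBYg",             # value from the thread
    "uid=bob,ou=test,dc=company,dc=com": ssha_hash("correct horse", b"\x01\x02\x03\x04"),
}


def audit(entries=SAMPLE_ENTRIES):
    """Map each DN to how its bind would be handled; handy when collapsing accounts into one partition."""
    return {dn: classify(v) for dn, v in entries.items()}


if __name__ == "__main__":
    for dn, how in audit().items():
        print(dn, "->", how)
```

For the proxy setup described in the thread, an audit like this shows which consolidated entries still carry a local hash (a second copy of a credential to protect) and which merely point at the real Kerberos realm, which is the property Guy wanted from the single partition.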
RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security
What we did in our environment was:
- disabled the links of DDP/DDCP to the domain object and Domain Controllers OU
- removed Group Policy Creator Owners from the ACL of CN=Policies,CN=System,DC=domain,DC=com and added our own group with permissions to create objects in the container.
- changed the defaultSecurityDescriptor attribute of the Group-Policy-Container object, trimmed the Domain Admins to read-only and introduced a new security group with full permissions over newly created GPOs (SDDL is an ugly thing to work with, so if you are interested in a quick and dirty SDDL parser I wrote, grab it from here: http://www.petri.co.il/forums/download.php?id=43 ). This way the GPOs are created with an ACL which does not allow default groups to change it (see http://www.jsiinc.com/SUBL/tip5500/rh5528.htm for details)
- created new GPOs to replace DDP/DDCP (those were created with the adjusted ACL)

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Monday, November 08, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

I have had similar issues before at customer sites with apps modifying the DDP and DDCP, although none this bad. ADMT is a notorious offender. I am seriously tempted to fix it in the following way:
- create a new DDP/DDCP (new name of course) with highest prio. Edit any additional settings in the new policies.
- Remove write for Domain Admins on the DDP/DDCP, and instead create an additional group for write permissions. This group is empty by default.

This story might just trigger me to do it

--
Regards,
Willem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, November 08, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

Hello folks,

I've just had a very curious issue at a customer, which took us a while to figure out. You should all be aware of this as it could hurt you as well.

After testing everything successfully in the lab (and ADPREPing the production forest + domains), we've inplace-upgraded the first production DC from Win2000 to Win2003 and it failed with errors such as a crashing LSASS and a DHCP service, which couldn't start due to access violation etc. It turns out that this was caused by a lengthy list of policy settings on the Def Domain and Def DC Policy, which configured Security (ACL) over one hundred registry keys and File System folders and files. The resulting permissions were ok for Windows 2000, but incompatible with Windows Server 2003 - e.g. the DHCP Client Service and the TCPIP Service require specific permissions on their respective registry keys for the DHCP service to start via the new Network Service account. I see others in this list have also had issues with the DHCP service, which may be related to the same thing.

Although we now fixed the issue by cleaning the policies and un-promoting the DC and reinstalling it from scratch (since the 2003 OS's default permissions were effectively overwritten due to the policy), I am looking for clues on how these weird settings were introduced to the Def Dom and the Def DC policy in the first place. The settings were definitely not added manually by accident - more likely by some whacky setup routine. Does anybody have any ideas or experience with respect to services/apps which could have changed the domain policies in this way?

Thanks for any feedback,
Guido
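Guy's third step above, rewriting the Group-Policy-Container defaultSecurityDescriptor so that Domain Admins end up read-only on new GPOs, is hard to review by eye because the attribute is an SDDL string. The following Python is an added example, not Guy's parser from the petri.co.il link and not Microsoft's SDDL implementation: it parses the DACL part of an SDDL string into ACEs, lists which trustees hold write-class rights, and diffs two descriptors so the effect of a trim like Guy's can be checked before it goes into the schema. Both descriptor strings are constructed samples in the shape of a GPC descriptor (the custom group SID is a placeholder), not the real schema default.

```python
"""Parse SDDL DACLs and report who can change an object (added example; not Guy's parser).

The two descriptor strings are constructed samples shaped like a Group-Policy-Container
defaultSecurityDescriptor, not the real schema default; the custom group SID is a placeholder.
"""
import re

# SDDL two-letter rights codes (generic rights plus Active Directory object rights).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "READ_PROP", "WP": "WRITE_PROP", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS",
}
# Rights that let a trustee change a GPO (or its ACL) rather than just read it.
WRITE_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER", "WRITE_PROP",
                "CREATE_CHILD", "DELETE_CHILD", "DELETE", "DELETE_TREE"}
# Well-known SID aliases that appear in AD defaultSecurityDescriptor strings.
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
               "SY": "SYSTEM", "AU": "Authenticated Users", "BA": "Administrators",
               "ED": "Enterprise Domain Controllers", "PA": "Group Policy Creator Owners",
               "WD": "Everyone"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")

# Constructed: a descriptor where the built-in admin groups and the creator get full control.
SAMPLE_GPC_SD = ("D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
                 "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
                 "(A;CI;RPLCLORC;;;AU)(A;CI;LCRPLORC;;;ED)")
# Constructed: the same shape after a trim like Guy's (DA read-only, one custom group with full control).
TRIMMED_GPC_SD = ("D:P(A;CI;RPLCLORC;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111-2222-3333-1105)"
                  "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(A;CI;LCRPLORC;;;ED)")


def _pairs(s: str):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl: str):
    """Parse the D: (DACL) portion of an SDDL string into ACE dicts, in ACL order."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj_guid, inherit_guid, sid = fields[:6]
        aces.append({
            "type": ace_type,                                   # A=allow, D=deny, OA/OD=object-specific
            "flags": _pairs(flags),                             # CI, OI, NP, IO, ID ...
            "rights": [rights] if rights.startswith("0x") else [RIGHTS.get(r, r) for r in _pairs(rights)],
            "object_type": obj_guid,
            "inherited_object_type": inherit_guid,
            "trustee": SID_ALIASES.get(sid, sid),
        })
    return aces


def trustees_with_write(sddl: str):
    """Trustees granted a write-class right by an allow ACE, in first-seen order."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] in ("A", "OA") and set(ace["rights"]) & WRITE_RIGHTS and ace["trustee"] not in out:
            out.append(ace["trustee"])
    return out


def write_access_diff(before: str, after: str):
    """(added, removed) write-capable trustees between two descriptors, e.g. default vs. trimmed."""
    b, a = trustees_with_write(before), trustees_with_write(after)
    return [t for t in a if t not in b], [t for t in b if t not in a]


if __name__ == "__main__":
    print("can write (sample):  ", trustees_with_write(SAMPLE_GPC_SD))
    print("can write (trimmed): ", trustees_with_write(TRIMMED_GPC_SD))
    print("added/removed:       ", write_access_diff(SAMPLE_GPC_SD, TRIMMED_GPC_SD))
```

Running the diff against the descriptor actually read from the schema (for example the defaultSecurityDescriptor value shown by ADSI Edit) and the candidate replacement makes the change reviewable: the expected result of Guy's trim is that the built-in admin groups drop out of the write list and exactly one custom group appears, with SYSTEM unchanged.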
RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)
If anyone here is interested, I have been able to nail the issue.

After deeper investigation, I found that moving the W2K3 servers into the clients' OU (different GPOs that force the client to "Send NTLMv2 response only") resolved the issue.

The problem was caused by domain member servers of forestA.com not being able to negotiate the NTLM dialect with forestA.com DCs. forestA.com DCs are configured to "Send NTLMv2 response only". Windows servers (if not explicitly configured) default to "Send LM & NTLM responses" (see http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/576.asp for details). forestB.com DCs are using a less strict Domain Controllers GPO, hence servers in forestA.com were able to negotiate the NTLM dialect with forestB.com DCs, but not with forestA.com DCs.

The interesting part is that apparently Task Scheduler is not capable of doing Kerberos and tries only NTLM (and I was trying to chase Kerberos).

So for the sake of others: if you configure your DCs to "Send NTLMv2 only", the default settings of W2K3 member servers will prevent them from talking to DCs using NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear.

Guy

From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Thu 10/28/2004 5:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was using forestA's domain accounts, which are members of the local Administrators group (and the member servers' GPO regarding user rights is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)
forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers. The following works against a W2K member server or XP (with the same RSoP), but fails against W2K3 (Standard and Enterprise):

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DC's RSoP, member servers' RSoP ?).

Thanks a lot !
Guy

On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:
Silly question perhaps: does the acct in question have "log on as a batch job" (and any other rights required, perhaps "log on locally"?) that it needs for the job to run?

I can set this up in my lab tomorrow to see if it works/fails and take a peek, just let me know what OSs are involved (all 2003, since it is a forest trust I think you said below?).

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Already tried most of what you mentioned. Same error when using a forestA account on the console of the host.forestA.com box. Scheduling remotely - same error. Nothing in the event log and the sniffer does not even show Kerb traffic (I'll do more tests tomorrow, but meanwhile I was not successful at catching any authentication traffic between the host and DCs from either forest, but it could be the hour...). It looks like the API just fails and says: "Hey! I am not aware of the account domain you are trying to make me look at !" (tried ForestA\user, upn and kerb principal - same result). Tried both by IP and by hostname.

The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
WARNING: The task name test1 already exists. Do you want to replace it (Y/N)?y
WARNING: The scheduled task test1 has been created, but may not run because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are perfectly clean. Actually this is the only issue I have with the server (and it's ALL W2K3 member servers in forestA that show this behavior). The strange thing that I have found right now is that the forestA DCs are immune to this weirdness (forestA accounts can be used to schedule jobs on forestA DCs).

Guy

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
I have to say that seems to be a weird one... But I am glad that cpau helps it work for you. :o)

Are you doing this remotely? What happens if you sit down on host.forestA.com with a forestA userid and try to schedule the task? Also can you try to schedule it remotely with just the IP address? If that works, the issue is probably somewhere in kerberos and I would start looking for ker errors and verify SPN's
[ActiveDir] A weird one (or Joeware vs. MS)
Here is a weird one: 2 forests with one way forest trusts: forestA.com trusts forestB.com

I try to schedule a task on host.forestA.com with account FORESTA\user (tried everything up to member of Enterprise Admins, Domain Admins, BUILTIN\Administrators) and I get 0x80070005 Access Denied error - bad credentials, when submitting the task (tried both GUI and schtasks.exe). The same task can be scheduled using CHILD_OF_FORESTB\user account (notice that the host is in forestA and forestB accounts are OK, but its own accounts are denied). Local machine's accounts are also fine - the problem is only with host's forest accounts. This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine). Wrapping the same task with joe's CPAU resolves the issue and the task is executed correctly.

I tried to sniff the traffic, but it looks like the task scheduler does not even try to authenticate the forestA accounts. In our test environment the scheduled tasks do work as expected, but there we currently have 2-way forest trust and some other things not yet implemented in production, so I can not rely on the test environment regarding this issue.

I am starting to run out of ideas here...

Guy

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A weird one (or Joeware vs. MS)
Already tried most of what you mentioned. Same error when using forestA account on the console of host.forestA.com box. Scheduling remotely - same error. Nothing in event log and the sniffer does not even show Kerb traffic (I'll do more tests tomorrow, but meanwhile I was not successful at catching any authentication traffic between the host and DCs from either forest, but it could be the hour...). It looks like the API just fails and says: Hey! I am not aware of the account domain you are trying to make me look at! (tried ForestA\user, UPN and Kerb principal - same result). Tried both by IP and by hostname.

The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
WARNING: The task name test1 already exists. Do you want to replace it (Y/N)? y
WARNING: The scheduled task test1 has been created, but may not run because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are perfectly clean. Actually this is the only issue I have with the server (and it's ALL W2K3 member servers in the forestA that show this behavior). The strange thing that I have found right now is that the forestA DCs are immune to this weirdness (forestA accounts can be used to schedule jobs on forestA DCs).

Guy

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:

I have to say that seems to be a weird one... But I am glad that cpau helps it work for you. :o)

Are you doing this remotely? What happens if you sit down on host.forestA.com with a forestA userid and try to schedule the task? Also can you try to schedule it remotely with just the IP address? If that works, the issue is probably somewhere in kerberos and I would start looking for kerb errors and verify SPNs are properly registered and time between the machines is correct, etc.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] A weird one (or Joeware vs. MS)

Here is a weird one: 2 forests with one way forest trusts: forestA.com trusts forestB.com

I try to schedule a task on host.forestA.com with account FORESTA\user (tried everything up to member of Enterprise Admins, Domain Admins, BUILTIN\Administrators) and I get 0x80070005 Access Denied error - bad credentials, when submitting the task (tried both GUI and schtasks.exe). The same task can be scheduled using CHILD_OF_FORESTB\user account (notice that the host is in forestA and forestB accounts are OK, but its own accounts are denied). Local machine's accounts are also fine - the problem is only with host's forest accounts. This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine). Wrapping the same task with joe's CPAU resolves the issue and the task is executed correctly.

I tried to sniff the traffic, but it looks like the task scheduler does not even try to authenticate the forestA accounts. In our test environment the scheduled tasks do work as expected, but there we currently have 2-way forest trust and some other things not yet implemented in production, so I can not rely on the test environment regarding this issue.

I am starting to run out of ideas here...

Guy

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A weird one (or Joeware vs. MS)
Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was using forestA's domain accounts, which are members of local Administrators group (and the member servers GPO regarding user rights is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)
forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers. The following works against W2K member server or XP (with the same RSoP), but fails against W2K3 (Standard and Enterprise):

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DC's RSoP, member servers RSoP ?).

Thanks a lot !
Guy

On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:

Silly question perhaps: does the acct in question have log on as a batch job (and any other rights required, perhaps log on locally?) that it needs for the job to run? I can set this up in my lab tomorrow to see if it works/fails and take a peek, just let me know what OSs are involved (all 2003, since it is a forest trust I think you said below?).

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)

Already tried most of what you mentioned. Same error when using forestA account on the console of host.forestA.com box. Scheduling remotely - same error. Nothing in event log and the sniffer does not even show Kerb traffic (I'll do more tests tomorrow, but meanwhile I was not successful at catching any authentication traffic between the host and DCs from either forest, but it could be the hour...). It looks like the API just fails and says: Hey! I am not aware of the account domain you are trying to make me look at! (tried ForestA\user, UPN and Kerb principal - same result). Tried both by IP and by hostname.

The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP password /SC Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
WARNING: The task name test1 already exists. Do you want to replace it (Y/N)? y
WARNING: The scheduled task test1 has been created, but may not run because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are perfectly clean. Actually this is the only issue I have with the server (and it's ALL W2K3 member servers in the forestA that show this behavior). The strange thing that I have found right now is that the forestA DCs are immune to this weirdness (forestA accounts can be used to schedule jobs on forestA DCs).

Guy

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:

I have to say that seems to be a weird one... But I am glad that cpau helps it work for you. :o)

Are you doing this remotely? What happens if you sit down on host.forestA.com with a forestA userid and try to schedule the task? Also can you try to schedule it remotely with just the IP address? If that works, the issue is probably somewhere in kerberos and I would start looking for kerb errors and verify SPNs are properly registered and time between the machines is correct, etc.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, October 27, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] A weird one (or Joeware vs. MS)

Here is a weird one: 2 forests with one way forest trusts: forestA.com trusts forestB.com

I try to schedule a task on host.forestA.com with account FORESTA\user (tried everything up to member of Enterprise Admins, Domain Admins, BUILTIN\Administrators) and I get 0x80070005 Access Denied error - bad credentials, when submitting the task (tried both GUI and schtasks.exe). The same task can be scheduled using CHILD_OF_FORESTB\user account (notice that the host is in forestA and forestB accounts are OK, but its own accounts are denied). Local machine's accounts are also fine - the problem is only with host's forest accounts. This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine). Wrapping the same task with joe's CPAU resolves the issue and the task is executed correctly.

I tried to sniff the traffic, but it looks like the task scheduler does not even try to authenticate the forestA accounts. In our test environment the scheduled tasks do work as expected, but there we currently have 2-way forest trust and some other things not yet implemented in production, so I
Re: [ActiveDir] OT: Wireless EAP-TLS, IAS, and certificates
Ken,

If you are lucky enough to have all your clients with XP, you can use GPO to configure the Wireless policies. Check it out under Computer Configuration\Security Settings\Wireless network (IEEE 802.11) policies

The link below should answer your questions regarding computer/user authentication (check the Notes section):
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/define_8021x_inGP.asp

If you run into issues with XP pre-SP2, also take a look at the following wireless update rollup for XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826942&Product=winxp
It did resolve some issues I was having. Not sure all this will work with W2K though - have not tested that yet.

Cheers,
Guy

On Fri, 2004-10-08 at 11:06 -0500, Ken Cornetet wrote:

Is there any way to force EAP-TLS wireless authentication to use machine certificates exclusively (instead of user certs) for client side authentication? Or better yet, require BOTH user and machine certs?

Here's the setup:
IBM Thinkpads with either integrated Cisco 802.11b or Cisco cards. Running XP.
Cisco access points
MS Internet Authentication Server running on a non-DC 2k3 box.
RE: [ActiveDir] Fun with Kerberos
I have been trying to reproduce the behavior in our test forest, but meanwhile in vain. I can only speculate that you need more than one DC on site (at least 1 DC and 1 GC maybe ?).

In any case, meanwhile another issue popped up and it looks like it might be related. As I have already mentioned, we have 2 forests in our environment:
1) myad.com (empty root + domains: child.myad.com, anotherchild.myad.com)
2) rd.company.com (well yes, we are RD and have to be special :-) )

For myad.com we have alternative UPN suffix in the form of company.com == my account in child.myad.com would be [EMAIL PROTECTED]
The rd.company forest is a resource forest: all user accounts are located in child domains of myad.com forest.

Now user CHILD\guy (Kerberos principal: [EMAIL PROTECTED]) logs on to host mycomp01.rd.company.com (the host is in rd.company.com forest) using UPN ([EMAIL PROTECTED]). The trust is one-way forest trust.

Now user guy decides to change his password, hits ALT+CTRL+DEL, fills in his UPN, types the new password, hits Enter, and: "The system can not change your password now because domain is not available."

OK... I do some searching and come up with this KB:
Cannot Change Password if You Use the UPN Suffix: http://support.microsoft.com/default.aspx?scid=kb;en-us;321074

The cause is, I quote:
"This behavior may occur when the built-in Authenticated Users group was removed from the organizational unit where the user account resides. By default, the computer account is a member of the Authenticated Users group. If you use the Change Password dialog box, the local computer account is used to resolve the UPN. If the Authenticated Users group was removed from the organizational unit that contains the user account, you cannot successfully change the password."

ok... this makes sense... but there is a slight problem: This is one-way trust and the computer account can not have access to the OU the user accounts are located in even if Authenticated Users group has read access - this is Authenticated Users group from the wrong forest !

I guess the answer would still be "the behavior is by design", but this is rather confusing for the users - object picker wants Kerberos principals in W2K, if you logon using DOMAIN\Username you end up with messed up cached credentials, UPN almost works, but you can't change your password using UPN and the list goes on... We have started to document what actions can be done using UPN, explicit Kerb principal and DOMAIN\username and we can't figure out a rule of thumb that can work for the end-users.

Ideas ?

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 9/10/2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

Al, realize that the user accounts Guy is talking about are all in one forest - so the issue is not related to UPNs being unique across more than one forest. They're just logging in from a machine in a different forest. I've already discussed offline with Guy that the clash is between the implicit UPN of the regular account (which would be [EMAIL PROTECTED]) and the explicit UPN of the supplemental account (which had previously been set to [EMAIL PROTECTED]) = fixing the explicit UPN of the supplemental account fixed the clash and the related problems...

BTW, we're thinking that the account lockouts and the XP request for credentials is likely related to Kerberos preauthentication. During preauth, AD looks up accounts using the UPN - so if it hits the wrong account, and uses the wrong password hash for validation of the Kerberos preauth data this may have the same effect as logging on with the wrong password.

Here's a nice article that explains Kerberos preauthentication in more detail: http://www.windowsitlibrary.com/Content/617/06/6.html

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, September 10, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

No, that sounds about right. Across two forests? Be tough for any administrative program to enforce uniqueness unless it was authoritative for both forests. That said, that's something you want your admin processes to compensate for and ensure that all accounts are unique across forests that can talk to each other.

Al

From: Guy Teverovsky [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 8:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

ok... this starts to be more interesting. If the implicit UPN is constructed from sAMAccountName and AD DNS name, I do not see how Kerberos principals could clash. This is what I initially had (names changed to protect
RE: [ActiveDir] Fun with Kerberos
ok... this starts to be more interesting. If the implicit UPN is constructed from sAMAccountName and AD DNS name, I do not see how Kerberos principals could clash. This is what I initially had (names changed to protect the innocent):

Regular account:
dn: [EMAIL PROTECTED],OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]

Supplemental account:
dn: CN=Teverovsky\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guysu
userPrincipalName: [EMAIL PROTECTED]

The regular account was programmatically created as disabled and was renamed+enabled when the user migrated from NT domain. Supplemental account was created beforehand for administrative purposes (the user is member of IT staff). Renaming the UPN of supplemental account to [EMAIL PROTECTED] was the fix.

Now I am totally confused and can't understand why the lockouts happened. It is almost as if [EMAIL PROTECTED] and [EMAIL PROTECTED] UPNs were somehow resolved to the same account.

P.S.: it's worth mentioning that the machine the user was logged on to was in another forest which has Kerberos trust with myad.com forest.

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 9/9/2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

that's correct - even if you configure an additional UPN suffix for the forest (or for an OU) and assign this to an account when you create the account (e.g. via ADUC), every account will still have an implicit UPN suffix that is made up of his samAccountName + the domain-suffix of his AD domain. So even though your first user had an explicit UPN of [EMAIL PROTECTED], he also had an implicit UPN of [EMAIL PROTECTED]

Looks like the reason for your problem was mainly caused due to the special char in your ADM accounts (as it only used the first part of the name to create) - or did you configure your 2nd account like this on purpose? I assume that the accounts were created programmatically, as the ADUC UI will check for duplicate UPNs by querying a GC - so usually this is only a problem if accounts are created at roughly the same time on different DCs (even in different domains). But I'm not sure if ADUC only queries for the explicit UPN that you've assigned at creation and ignores the implicit UPN (seems to be the case). But I'm quite sure that this check is not performed when you programmatically add accounts to AD.

As a result the duplicate UPNs caused a Kerberos conflict as you well noticed - interesting to read how your users noticed this on their XP clients. Can you elaborate on the "Once in a while..." - i.e. how often? and did this only occur if they were also logged on as the guy$adm at the same time? And when did the 2nd account get locked out - at the time the kerberos ticket of #1 was getting refreshed (i.e. after 10 hours past logon of #1)? Or at logon of #1? I'll have to check out this sort of attack a little closer...

BTW - the same risk applies with machine-accounts in AD, which register an SPN (service principal name) that must also be unique: if they're able to register the same name as another machine (e.g. when DDNS is not secured sufficiently well), they can hinder both machines from receiving kerberos tickets and (if the attacked server was set to allow kerberos delegation e.g. for some web-application) could thus cause a DOS for applications running on the other server.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fun with Kerberos

Stumbled upon an issue couple of days ago and wanted to hear what you guys think about it.

Suppose that your AD is called myad.com and you also configure additional UPN suffix company.com. Now I create 2 users in child.myad.com child domain:

1) sAMAccountName: guy
   userPrincipalName: [EMAIL PROTECTED]
2) sAMAccountName: guy$adm
   userPrincipalName: [EMAIL PROTECTED]

(Notice that in ADUC the userPrincipalName is constructed from 2 fields: W2K username and suffix)

From AD point of view this is all nice and legit and UI will be happy to create both. But if you look at the users' explicit Kerberos principals, both look the same: [EMAIL PROTECTED] (checked with klist tgt).

In our environment, if you are logged on with account #1, two things happened:
1. Once in a while LAN users had XP pop up a balloon in systray with "XP needs your user credentials"
2. The corresponding account #2 was getting locked out.

Renaming UPNs of supplemental accounts fixed the issue (the name clash was not intentional from the beginning as you might guess). Still I am wondering why AD allowed creation of account with Kerberos principal that already
[ActiveDir] Fun with Kerberos
Stumbled upon an issue couple of days ago and wanted to hear what you guys think about it.

Suppose that your AD is called myad.com and you also configure additional UPN suffix company.com. Now I create 2 users in child.myad.com child domain:

1) sAMAccountName: guy
   userPrincipalName: [EMAIL PROTECTED]
2) sAMAccountName: guy$adm
   userPrincipalName: [EMAIL PROTECTED]

(Notice that in ADUC the userPrincipalName is constructed from 2 fields: W2K username and suffix)

From AD point of view this is all nice and legit and UI will be happy to create both. But if you look at the users' explicit Kerberos principals, both look the same: [EMAIL PROTECTED] (checked with klist tgt).

In our environment, if you are logged on with account #1, two things happened:
1. Once in a while LAN users had XP pop up a balloon in systray with "XP needs your user credentials"
2. The corresponding account #2 was getting locked out.

Renaming UPNs of supplemental accounts fixed the issue (the name clash was not intentional from the beginning as you might guess). Still I am wondering why AD allowed creation of account with Kerberos principal that already existed in AD. If AD checks for sAMAccountName collisions, is there any special reason not to check Kerberos principals ? How can I prevent this from happening ? (the implications would mean that anyone with permissions to create user accounts can do some very nasty things)

Guy
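An added audit script, not from the thread, that applies Guido's explanation (every account carries an implicit UPN of sAMAccountName@<domain DNS name> next to its explicit userPrincipalName) to Guy's question of how to prevent the clash: it flags UPNs claimed by more than one account across both kinds of name, and checks a proposed account before creation. The ldifde-style records are constructed for the example, with the domain derived from the DN's DC= components; the supplemental account's explicit UPN is set to the bare prefix, as the thread describes.

```python
"""Audit AD user records for userPrincipalName (UPN) collisions.

Every account answers to an implicit UPN (sAMAccountName@<domain DNS name>)
in addition to any explicit userPrincipalName, so the check covers both.
"""
from collections import defaultdict

# Constructed ldifde-style export for this example (not real directory data).
SAMPLE_EXPORT = """\
dn: CN=Guy Teverovsky,OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guy
userPrincipalName: guy@company.com

dn: CN=Teverovsky\\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guy$adm
userPrincipalName: guy@child.myad.com

dn: CN=Alice Example,OU=Accounts,DC=anotherchild,DC=myad,DC=com
sAMAccountName: alice
userPrincipalName: alice@company.com
"""


def parse_records(text):
    """Parse blank-line separated 'attribute: value' records into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def split_dn(dn):
    """Split a DN on unescaped commas (a backslash escapes the next char)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def domain_from_dn(dn):
    """Build the domain DNS name from the DC= components of a DN."""
    labels = [p[3:] for p in split_dn(dn) if p.upper().startswith("DC=")]
    return ".".join(labels).lower()


def implicit_upn(sam_account_name, domain_dns):
    """The UPN every account has whether or not an explicit one is set."""
    return f"{sam_account_name}@{domain_dns}".lower()


def upns_for(record):
    """All names the KDC may use to locate this account: implicit + explicit."""
    names = {implicit_upn(record["sAMAccountName"], domain_from_dn(record["dn"]))}
    explicit = record.get("userPrincipalName")
    if explicit:
        names.add(explicit.lower())
    return names


def find_upn_collisions(records):
    """Map each UPN claimed by more than one account to the owning DNs."""
    owners = defaultdict(set)
    for record in records:
        for name in upns_for(record):
            owners[name].add(record["dn"])
    return {name: sorted(dns) for name, dns in owners.items() if len(dns) > 1}


def would_collide(new_record, existing_records):
    """Pre-creation check: names of the new account already claimed by others."""
    taken = {name for r in existing_records for name in upns_for(r)}
    return sorted(upns_for(new_record) & taken)


RECORDS = parse_records(SAMPLE_EXPORT)

if __name__ == "__main__":
    for name, dns in find_upn_collisions(RECORDS).items():
        print(f"{name} is claimed by: {'; '.join(dns)}")
```

Running it against a real ldifde export of user objects shows exactly the clash Guido describes: the regular account's implicit name and the supplemental account's explicit name are the same string.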
RE: [ActiveDir] By design or configurable ?
Thanks ! This is exactly what I needed.

And if anyone is interested, here is an ADM I wrote to deploy the settings (works the same on W2K3): (might wrap)

### Cut here
#if version >= 3
CLASS MACHINE
CATEGORY !!System
  CATEGORY !!EventViewer
  #if version >= 4
    EXPLAIN !!EventViewer_Help
  #endif
    POLICY !!AutobackupSecLog
    #if version >= 4
      SUPPORTED !!SUPPORTED_Win2k
    #endif
      EXPLAIN !!AutobackupSecLogHelp
      KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\Security"
      VALUENAME "AutoBackupLogFiles"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!AutobackupAppLog
    #if version >= 4
      SUPPORTED !!SUPPORTED_Win2k
    #endif
      EXPLAIN !!AutobackupAppLogHelp
      KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\Application"
      VALUENAME "AutoBackupLogFiles"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!AutobackupSysLog
    #if version >= 4
      SUPPORTED !!SUPPORTED_Win2k
    #endif
      EXPLAIN !!AutobackupSysLogHelp
      KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\System"
      VALUENAME "AutoBackupLogFiles"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY ; Event Viewer
END CATEGORY ;; System
#endif

[strings]
System="System"
EventViewer="Event Viewer"
EventViewer_Help="Event Viewer specific settings"
AutobackupSecLog="Automatically clear a full security event log and back up the log file"
AutobackupSecLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the CrashOnAuditFail policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
AutobackupAppLog="Automatically clear a full application event log and back up the log file"
AutobackupAppLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the CrashOnAuditFail policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
AutobackupSysLog="Automatically clear a full system event log and back up the log file"
AutobackupSysLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the CrashOnAuditFail policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
SUPPORTED_Win2k="At least Microsoft Windows 2000"
### Cut here

Guy

On Tue, 2004-08-24 at 11:48, Ulf B. Simon-Weidner wrote:

Hi Guy,

took me a while to find the Article again, here it is:
312571 The Event Log Stops Logging Events Before Reaching the Maximum Log Size
http://support.microsoft.com/?ln=en&id=312571

It describes how you are able to configure a feature to automatically dump the eventlog into a file if it reaches its maximum length. You do have to take care what to do with those dumps and delete them from the machine, but this helps to keep the filespace used by dumps somewhat dynamic but not too big. I've included this in some of the backup jobs at customers to move the dumpfiles away daily, so no worries if the events logged at a specific day would be more than the memory allowed for the log, and no events are lost.

HTH

Gruesse - Sincerely,
Ulf B. Simon-Weidner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Saturday, August 21, 2004 2:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] By design or configurable ?

In my environment, when W2K3 DC boots with security logs full, the replication from that DC stops till the security log is cleared and the box is rebooted. The interesting thing is that after the security logs become full (while the box is online) the replication continues to work till the box is rebooted with full log. So the question is whether this can be prevented (we do have a routine which takes care of security logs archiving, but it failed on one of the DCs and I would like to prevent the replication
RE: [ActiveDir] By design or configurable ?
I know... should be renewed after 10 hours if I remember correctly. It is a remote site I'll be visiting next week and will give a good look at the logs when it happens.

When I actually think of it, logging in with cached creds does not use Kerberos provider, so the user should not have any tickets. Any idea if sidHistory is also obtained from the ticket's PAC the same way as SIDs of security groups the user is member of ?

+Guy

On Tue, 2004-08-24 at 00:03, Mulnick, Al wrote:

Kerb tickets have a lifetime, but not sure that's your issue necessarily. How's your name resolution working? Anything in the event logs when this occurs? Especially the security logs on the clients/dc's/resources being accessed?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, August 23, 2004 4:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

I was too lazy to tell the long story that made me speculate about TGTs, so I'll try to explain the reason for asking:

We have 2 W2K3 forests with Kerberos transitive trust. Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com
Second forest (ad.devision.company.com) has no children.

We have users migrating from NT domains to one of the corp AD child domains (emea\amer\ap). After the migration, when users logon to XP computers in ad.division.company.com domain with EMEA\username cached credentials and then reconnect to the network, sometimes (after they work for a while) they get a popup in system tray saying something like "XP needs your credentials". Usually this would be caused by changing the user password from another machine or account lockout replicated from another DC, but in our case this is the only machine the user logs on to and there are no account lockouts. When the same user logs on with UPN ([EMAIL PROTECTED]), we have not yet seen this to repeat itself.

So I was wondering whether UPN logons enable caching of TGTs and sAMAccountName logons are different in some way from UPN logons.

Hope I managed to be clear enough ;)

Cheers,
Guy

I don't know if the kerberos ticket is cached or not. (I suspect not.) When a machine reconnects to the network and you attempt to access a network resource, the resource will ask for your ticket. If you don't have one, or if it is out of date, the client will request a new kerberos ticket and then be authenticated to the resource.

Denny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, August 20, 2004 8:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] By design or configurable ?

In my environment, when W2K3 DC boots with security logs full, the replication from that DC stops till the security log is cleared and the box is rebooted. The interesting thing is that after the security logs become full (while the box is online) the replication continues to work till the box is rebooted with full log. So the question is whether this can be prevented (we do have a routine which takes care of security logs archiving, but it failed on one of the DCs and I would like to prevent the replication from breaking again).

And another OT question: When logging on to XP with cached credentials, is the Kerberos ticket cached too ? And if yes, what happens when the ticket expires and the box is reconnected to the network: will it seamlessly try to renew the ticket ?

Thanks,
Guy
--
Smith & Wesson - the original point and click interface
RE: [ActiveDir] By design or configurable ?
Interesting... I have "Audit: Shutdown system immediately if unable to log security audits" set to disabled and the security log size configured to 128Mb (DCs GPO). We are keeping 3 months back of security logs, hence the GPO is configured not to overwrite the security logs. DCs have a scheduled task that pops up once a day and archives/clears the security logs - not a state of the art solution, but it does the work without purchasing any additional software. I would love to give MOM a try, but we already have OpenView in place, so I'll be checking with the OvO people if the security logs can be handled by OvO.

So in this configuration, if booted with full security logs, I experience the same behavior as CrashOnAuditFail set to 2 (box in crashed mode) - verified that by adding the peer DC to the builtin Administrators group, after which the replication resumed. Am I missing something, or is this not the desired behavior when the DC is configured not to crash on audit?

Thanks,
Guy

On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:

I suppose in theory, setting it to crash on full is also a security risk since it could be used to cause a denial of service. I'd guess that if you have something that siphons off the logs on submit event, then it could be a workable solution. I'd have to say I'm not impressed with a lot of the tools currently out there that do this, due to the overhead they place on the machine, but it could be done. MOM Server is a good way to get this done IIRC. I'm guessing that's what you had in mind, Rick? Something that clears it as it is written, vs a timed deal?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Monday, August 23, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

I have had the same problem, but setting the logs to overwrite is bad system administration. If a person attempts to break passwords, they can just flood the server with requests and eventually the log will clear. The best solution is to have the logs cleared by a script or third party utility to clear and archive the logs every night.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Monday, August 23, 2004 6:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

Guy,

One way to avoid the problems of a full security log is to set the logs to overwrite as needed. You can set this via group policy.

I don't know if the Kerberos ticket is cached or not. (I suspect not.) When a machine reconnects to the network and you attempt to access a network resource, the resource will ask for your ticket. If you don't have one, or if it is out of date, the client will request a new Kerberos ticket and then be authenticated to the resource.

Denny
RE: [ActiveDir] By design or configurable ?
I was too lazy to tell the long story that made me speculate about TGTs, so I'll try to explain the reason for asking:

We have 2 W2K3 forests with a Kerberos transitive trust. Forest corp.com has 3 child domains: emea.company.com, amer.company.com and ap.company.com. The second forest (ad.division.company.com) has no children.

We have users migrating from NT domains to one of the corp AD child domains (emea\amer\ap). After the migration, when users log on to XP computers in the ad.division.company.com domain with EMEA\username cached credentials and then reconnect to the network, sometimes (after they work for a while) they get a popup in the system tray saying something like "XP needs your credentials". Usually this would be caused by changing the user password from another machine or an account lockout replicated from another DC, but in our case this is the only machine the user logs on to and there are no account lockouts. When the same user logs on with the UPN ([EMAIL PROTECTED]), we have not yet seen this repeat itself.

So I was wondering whether UPN logons enable caching of TGTs and sAMAccountName logons are different in some way from UPN logons. Hope I managed to be clear enough ;)

Cheers,
Guy

I don't know if the Kerberos ticket is cached or not. (I suspect not.) When a machine reconnects to the network and you attempt to access a network resource, the resource will ask for your ticket. If you don't have one, or if it is out of date, the client will request a new Kerberos ticket and then be authenticated to the resource.

Denny
RE: [ActiveDir] By design or configurable ?
Right, but this feature was turned off in the GPO, so the box was not supposed to crash. And how would you explain the working replication (with full security logs) till the box is rebooted manually and only then enters the crashed state?

We indeed have a policy for keeping 3 months of security logs, and meanwhile it takes between one and two weeks to fill the logs, but this is a new forest and users keep arriving, so eventually we will need to implement a more serious approach.

Guy

On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46686.asp?frame=true

This link is the documented behavior. Sounds like that is what you're getting. I think there may be some misnaming involved in that it should actually restart if it says crashondump, but whatever.

As for your situation, I know in some environments 128mb wouldn't last two hours. A process to collect the data at the end of the day would be too late. That's what makes me suggest other methods. IMHO, there's a balance between collecting the data and self-configured denial of service. The key is to figure out how important that logging data is. If it's important, such as in regulatory environments, then that indicates you really should have a process of collecting that data whenever it's written to the logs or very soon after. If for security reasons you have to stop service if unable to log security events, then so be it. Just make sure you never run into that situation, right? If you have that requirement, but don't prevent your systems from ever running into that situation, then it is by default acceptable to have occasional DoS events.

Your system did crash when it was full. Normal operations failed to continue and the LSA stopped for that particular DC. It's a testament to your architecture if the users never noticed :)

Al
RE: [ActiveDir] By design or configurable ?
I have been able to reproduce the behavior in both our test and production forests on several DCs. The GPO was applied a while ago, the boxes have been rebooted more than once and RSoP shows the right settings. More than that, when I look at c:\windows\security\templates\policies\gpt1.inf (which contains the settings pulled from the DC's GPO), I see a line like this:

MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail=4,0

and the registry has CrashOnAuditFail set to 0 (disabled).

void *Guy; (you guys are contagious ;) )

On Tue, 2004-08-24 at 00:05, Mulnick, Al wrote:

Sounds like the feature isn't working as expected if the box continues to work until reboot. It's also possible it was triggered prior to the GPO being applied, but you'd have to repro to know IMHO.
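The comparison Guy makes by hand (the CrashOnAuditFail line in gpt1.inf versus the live registry value) written out as a small check. This is an added example, not code from the thread: the template text is constructed in the format of the quoted line, and the live registry value is passed in by the caller because the script runs offline; the value meanings are the documented ones (0 off, 1 halt on audit failure, 2 the "crashed" state where only administrators can log on).

```python
"""Added example, not from the thread: read the [Registry Values] lines of a
secedit template (the gpt1.inf Guy quotes) and compare the CrashOnAuditFail
setting it applies against the value observed in the live registry.

The template text is constructed for the example and the live value is passed
in by the caller, so nothing here touches a real machine.
"""

# Value types used in secedit templates: "<registry path>=<type>,<data>".
INF_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Documented states of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail.
CRASH_ON_AUDIT_FAIL = {
    0: "disabled: the system keeps running when it cannot write a security audit",
    1: "enabled: the system halts when it cannot write a security audit",
    2: "crashed: set by the system after such a halt; only Administrators can "
       "log on until the log is cleared and the value is reset to 0 or 1",
}

CRASH_KEY = r"MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail"


def parse_registry_values(template_text):
    """Return {lower-cased registry path: (type name, data)} from [Registry Values]."""
    values = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values":
            continue
        path, _, rhs = line.partition("=")
        type_str, _, data = rhs.partition(",")
        if not type_str.strip().isdigit():
            continue  # malformed line; ignore rather than guess
        vtype = INF_TYPES.get(int(type_str), "UNKNOWN")
        if vtype == "REG_DWORD":
            data = int(data.strip())
        values[path.strip().lower()] = (vtype, data)
    return values


def check_crash_on_audit_fail(template_text, live_value):
    """Compare the template's CrashOnAuditFail setting with the live registry value.

    A live value of 2 means the DC has already entered the "crashed" state
    (only administrators may connect), whatever the template says, so it is
    reported separately from the plain mismatch flag.
    """
    entry = parse_registry_values(template_text).get(CRASH_KEY.lower())
    expected = entry[1] if entry and entry[0] == "REG_DWORD" else None
    return {
        "expected": expected,
        "live": live_value,
        "matches": expected is not None and expected == live_value,
        "in_crashed_state": live_value == 2,
        "live_meaning": CRASH_ON_AUDIT_FAIL.get(live_value, "unknown value"),
    }


# Constructed template fragment in the format of the line quoted in the thread.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

if __name__ == "__main__":
    print(check_crash_on_audit_fail(SAMPLE_TEMPLATE, live_value=0))  # policy and registry agree
    print(check_crash_on_audit_fail(SAMPLE_TEMPLATE, live_value=2))  # DC already in crashed state
```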
[ActiveDir] By design or configurable ?
In my environment, when a W2K3 DC boots with the security log full, replication from that DC stops till the security log is cleared and the box is rebooted. The interesting thing is that after the security log becomes full (while the box is online) replication continues to work till the box is rebooted with a full log. So the question is whether this can be prevented (we do have a routine which takes care of security log archiving, but it failed on one of the DCs and I would like to prevent replication from breaking again).

And another OT question: when logging on to XP with cached credentials, is the Kerberos ticket cached too? And if yes, what happens when the ticket expires and the box is reconnected to the network: will it seamlessly try to renew the ticket?

Thanks,
Guy
--
Smith & Wesson - the original point and click interface

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Anonymous bind (here we go again)
Thank you all for your replies. Unfortunately our BIND does not accept dynamic updates. Digging some more I have found the following article about third party certs on DCs: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx Indeed not for the faint of heart, though doable. I'll catch a chat with our BIND guru and see where we go from here. Thanks for the ideas.

Guy

On Fri, 2004-08-13 at 16:26, Mulnick, Al wrote:

Personally, I prefer the latter FWIW. Have the workstations update their own data in the BIND zone. It would be no more (or less) secure than if you pulled that data from Active Directory really, just more IP addrs to watch. Otherwise, I think the certs on the DCs are the wrong path to go down. But if you must, there are some docs out there about putting certs on DCs without installing PKI into the forest. It's not for the faint of heart from what I remember. It's handled for you with certificate services if you install it into the forest. If you don't, why not stand up a standalone CA and generate your certs that way? Not a great long term solution, but that's why I don't favor it. If you stood a server up in the forest and used it to grab the records and do the conversion, you have no more error probability than if you have the BIND server fetch the data itself that I can see. That's just a customized solution is all. Just a few thoughts.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 12, 2004 11:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I like the idea of having some Windows machine that is part of the domain run a task as the system or network service account and grab the info and jam it into your BIND setup. Do you allow unsecured dynamic updates? If so you should be able to pretty easily do this with perl, adfind, and nsupdate without changing your AD security or trying to cobble certs together on the DC. Another possible solution is to take the workstations that are the issue themselves and have them run a script to update the foreign DNS. This assumes again open dynamic updates.

joe
RE: [ActiveDir] Anonymous bind (here we go again)
I have thought about that, but if you think about it, it only reverts the problem: now I need to either install some software on the DC to ensure a secure connection/authentication with the BIND box, or do it in 3 steps:
- get the data from AD and dump it into a flat file.
- transfer the file to the BIND machine
- parse the file on the BIND box

Both approaches are rather cumbersome and error prone. I tend to prefer installing a third party certificate on the DC. On this note, can anyone give me a hint how to generate a CSR if I do not have IIS installed? Is there any command line tool for that maybe? I tried scripting it (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp), but it looks like I am doing something wrong: the CA has no problem signing the CSRs generated by IIS, but would not sign mine (script generated).

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:

OK, understood. While the original idea does accomplish the desired outcome, I think there are still other alternatives. For example, why not create a script that runs based on a schedule on a machine that is a member of the forest, runs in or uses the proper security context to access the desired information in the OUs, writes that information into the zone files on the BIND server, and then completes the appropriate action to ensure that the data is available in BIND DNS (i.e. restarting the DNS daemon)? With this example, you do not need to modify the security around AD. If for some reason you cannot perform the desired BIND tasks remotely, you can transfer a file containing the data to an appropriate location and allow a scheduled script on the BIND server to perform the import, etc.

- Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, August 11, 2004 10:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

Well, I know where the hosts should be in AD, but those hosts can change. The idea is that if a host resides in one of the OUs in question, it gets a CNAME in company.com, but the hosts can come and go, so I do not know what records should get CNAMEs without looking in the OUs.

Guy

On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:

Since you must already know what records you want to transform into CNAME records in the BIND environment, why not build your scripts on the Linux system to query the AD hosted DNS servers and then create the CNAME records based on this DNS query instead of an LDAP query?

- Aric
[ActiveDir] Anonymous bind (here we go again)
We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com. There is a subset of workstations (located in pre-configured OUs) that need to be resolvable using the company.com suffix (the company.com zone is managed by BIND, while ad.company.com is managed by MS DNS). One of the ideas was to run (from Linux) LDAP queries against AD for the machines in question, query the MS DNS for the registration and build CNAME entries for BIND based on the query.

Caveat: our AD is configured with LDAP signing requirement: Negotiate, which means that any attempt at a simple bind will be forced to use SSL/TLS (and we do not run a CA or have certs installed on DCs) and otherwise will fail.

From here two options have been proposed:
1) flip the 7th bit of dsHeuristics to allow anon access and grant anonymous access to the required attributes (dnsHostName)
cons: this exposes the AD to potential DoS of the LDAP service by anonymous (am I right here?)
2) install 3rd party certs on DCs and have scripts use an embedded service account for LDAP binds/queries.
cons/pros: I have no experience with 3rd party certs on DCs. Are there any caveats or gotchas here? Is it possible/reasonable?

In any case, nothing that is not already exposed by DNS is going to be exposed. If you can think of any other way of achieving the desired result (up-to-date mapping from client.ad.company.com to client.company.com using CNAMEs), I would be happy to hear. Zone transfers are out of the question - we do not want all the hosts from AD DNS, only a certain subset of them.

Thanks,
Guy
--
Smith & Wesson - the original point and click interface
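The three-step flat-file route Guy lays out in his reply (export on a domain member, transfer, parse on the BIND box) and the CNAME mapping the original post asks for, carried through as one script. This is an added example, not code from the thread: the LDIF export, the OU names and the name server ns1.company.com are constructed, and a real export would come from ldifde or adfind run under a proper service account rather than an anonymous bind.

```python
"""Added example, not from the thread: turn an LDIF export of AD computer
objects into nsupdate input that keeps the legacy company.com zone in step
with the OUs, removing CNAMEs for hosts that have left them.
All sample data below is constructed."""
import base64

AD_ZONE = "ad.company.com"
LEGACY_ZONE = "company.com"
NAME_SERVER = f"ns1.{LEGACY_ZONE}"  # assumed BIND master for the legacy zone
# OUs whose computers should be reachable under the legacy suffix (constructed).
TARGET_OUS = {
    "ou=engineering,dc=ad,dc=company,dc=com",
    "ou=finance,dc=ad,dc=company,dc=com",
}


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased."""
    entries, current, b64, last_attr = [], {}, set(), None

    def finish():
        # base64 ('::') values are decoded only after folded lines are joined
        return {a: (base64.b64decode(v).decode("utf-8") if a in b64 else v).strip()
                for a, v in current.items()}

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():  # blank line ends an entry
            if current:
                entries.append(finish())
            current, b64, last_attr = {}, set(), None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):
            b64.add(attr)
            value = value[1:]
        current[attr] = value.strip()
        last_attr = attr
    if current:
        entries.append(finish())
    return entries


def desired_cnames(entries):
    """Map legacy FQDN -> AD FQDN for computers whose parent OU is a target OU."""
    mapping = {}
    for e in entries:
        dn, host = e.get("dn", ""), e.get("dnshostname", "").lower().rstrip(".")
        parent = dn.partition(",")[2].strip().lower()  # escaped commas in the RDN not handled
        if parent not in TARGET_OUS or not host.endswith("." + AD_ZONE):
            continue
        short = host[: -len(AD_ZONE) - 1]
        if "." in short:
            continue  # multi-label AD names have no single-label counterpart in the legacy zone
        mapping[f"{short}.{LEGACY_ZONE}"] = host
    return mapping


def nsupdate_batch(current, desired, ttl=3600):
    """nsupdate input that reconciles the zone: drop stale CNAMEs, add new or changed ones."""
    lines = [f"server {NAME_SERVER}", f"zone {LEGACY_ZONE}"]
    for name in sorted(set(current) - set(desired)):
        lines.append(f"update delete {name}. CNAME")
    for name in sorted(desired):
        if current.get(name) == desired[name]:
            continue  # already correct; nothing to send
        if name in current:
            lines.append(f"update delete {name}. CNAME")
        lines.append(f"update add {name}. {ttl} IN CNAME {desired[name]}.")
    lines.append("send")
    return "\n".join(lines)


# Constructed export: a plain entry, one with a base64 DN and a folded
# dNSHostName, and one computer outside the target OUs.
SAMPLE_LDIF = """\
dn: CN=WS-ENG01,OU=Engineering,DC=ad,DC=company,DC=com
objectClass: computer
dNSHostName: ws-eng01.ad.company.com

dn:: Q049V1MtRklOMDIsT1U9RmluYW5jZSxEQz1hZCxEQz1jb21wYW55LERDPWNvbQ==
objectClass: computer
dNSHostName: ws-fin02.ad.
 company.com

dn: CN=SRV-OTHER,OU=Servers,DC=ad,DC=company,DC=com
objectClass: computer
dNSHostName: srv-other.ad.company.com
"""

# Constructed snapshot of what the legacy zone holds now (e.g. from the last run).
CURRENT_CNAMES = {
    "ws-eng01.company.com": "ws-eng01.ad.company.com",
    "ws-old.company.com": "ws-old.ad.company.com",  # host has since left the OU
}

if __name__ == "__main__":
    print(nsupdate_batch(CURRENT_CNAMES, desired_cnames(parse_ldif(SAMPLE_LDIF))))
```

The printed batch is what you would feed to nsupdate on the BIND host; the same desired map can just as well be written out as zone-file CNAME lines if the server, as Guy later notes, does not accept dynamic updates.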
RE: [ActiveDir] Anonymous bind (here we go again)
The company.com suffix for clients is something we would like to get rid of in the (sigh, not so close) future. This is only needed to support the legacy habits till the transition from NT to W2K3 is completed and users are comfortable with the new namespace. At least during the transition period we need to have the machines in question in both zones.

Guy

On Thu, 2004-08-12 at 00:38, joe wrote:

Why not just have the workstations in the company.com suffix? Is there a requirement for them to be in the ad.company.com zone?

joe
RE: [ActiveDir] DC not replicating out
The error was Access Denied... My colleague has found a workaround for the replication issue by adding the accounts of the DCs that were trying to pull to Builtin\Administrators group. After that the replication started to flow. More investigation showed that the DC was rejecting any connection of accounts that are not members of Administrators group as a result of local security settings corruption. It looks like WMI db corruption was not along there. Restoring the local security settings solved the issue. Guy On Fri, 2004-05-28 at 01:53, joe wrote: I doubt the GPO is it, could be wrong, but doubt it. However what did you change in the GPO? What does repadmin /showreps say on the DC trying to pull? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Wednesday, May 26, 2004 11:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DC not replicating out Both come up clean, despite the fact that the A record for the DC initially didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead of BAD_DC$. I adjusted that manually and the change replicated to all DCs. Still the netdiag and dcdiag do not show any DNS related problems - only FRS and AD outbound replication is failing. All other tests are fine. Other DCs that participate in the replication with bad DC come up with KCC errors (eventid 1311: there is insufficient site connectivity, blabla...) - it's the only DC at site. It looks almost like island DNS, but it's W2K3 and that should not happen. Guy On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote: Would be relatively easy to check DNS. DCDIAG and NETDIAG would be two tools to use to check to see that all is well from the bad dc and good dc perspectives. I'd say go the easy part first. Invalid Checksum? Hmmm... Anything in the security logs that gives an indication? 
Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Tuesday, May 25, 2004 6:02 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] DC not replicating out I am banging my head against the wall the whole day. In pilot environment we applied a GPO to replace the Default DC GPO. Apparently one of the DCs had some issues when the GPO was applied. The result was: the inbound replication on the DC works, but no other DC can pull from the sick one. Closer examination showed total WMI repository corruption. I have rebuilt it and it looks like WMI is back (not sure it's related, but worth mentioning) Since then, the new GPO has been unlinked and replaced with default (and as the inbound replication on the DC in question is working, it has replicated to it). But that has not resolved the issue. From faulty DC issued: repadmin /replicate good_dc bad_dc cn=configuration,dc=company,dc=com /force Traced the session with network monitor from the good DC... What I see is: - LDAP bind - some searches performed and answered correctly - MSRPC session initiated - RPC request from good DC, RPC response from bad DC - RPC bind request from good DC and RPC Bind Ack from bad DC - again RPC request from good DC, RPC response from bad DC - again RPC bind request from good DC and RPC Bind Nack from bad DC with Provider Reject Reason: Invalid checksum I was about to blame the DNS till I got this Invalid checksum in the trace... Now the question is: am I complicating the whole thing and should look closer into DNS or this is something else ? 
Thanks, Guy
RE: [ActiveDir] Anonymous bind
I have gone over Vintela's white paper you posted a link to some time ago. Looks very promising. But give the Open Source folks some time... go figure, maybe they will come up with something even better :oP Guy On Fri, 2004-05-28 at 01:28, joe wrote: Nothing free. :oP However Vintela and other companies are working on making this A LOT easier for a price. I expect in another year or so *nix machines will hardly be any more hassle to manage in an Enterprise than Windows machines. I doubt anyone will do something in this arena for free. It isn't exactly the kind of thing the Open Source people really care to do I don't think. More of a corporate thing and I don't visualize any company going through writing this up for themselves and then giving it away. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Tuesday, May 25, 2004 7:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous bind LDAP with SSL/TLS is way better than NIS. As for environment, it's two W2K3 forests with Kerberos forest trust. Forest A has several child domains and holds user accounts. Forest B is where my hosts are (We are relatively small organization in the enterprise, but we are RD and want to have control at least over the hosts). So users can come from any child domain of forest A and logon to hosts in forest B. Now Linux does not play well, when the host is in one realm, and users are from several other realms... The only workaround is to map uid to Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is not an option, and it's quite reasonable considering the small size of our division. So here I am, stuck with LDAP authentication ... If you have any better idea, I am all ears ;) Guy On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote: Just for curiosity... You don't want to use NIS because it's less secure, yet you are going to use LDAP for authentication? Isn't that a counter? 
Can you give an overview of your topology and what you're wanting to accomplish in the end? I think we tried to help with the original post without all of the topology information. Sounds like an interesting problem though... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday, May 21, 2004 7:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous bind If you excuse me, I will break the inline pattern ;). It got too unreadable. I have seen the interoperability doc. I have also read the whole doc mentioned in the post. It's a very good reference, but is lacking any description of Kerberos deployments in multi-realm environments. Personally I had to choose LDAP authentication instead of Kerberos because my hosts are in one forest, while user accounts are from a child domain of another forest. If someone is aware of a workaround for that, monthly beer supply is on me ;) SFU is nice, but it tries to emulate NIS and with all due respect to NIS, its time is gone. There are just too many security issues with NIS. As for having more than one directory, see my reply to joe. I wish I could put it all in one place, but it's not always possible. Guy On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote: A few bits more. [Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go: [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)? I think we've done a great job of interop. Can we do better? Always! And we continue to work on it. But we're doing a *lot* in this space. 
We have docs out there that go down to even walk you through how to set up the pam modules! We have a lot out there. Here's one of my fav docs, but there are others; this is from a post to this very DL: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html 1) You are right. Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS ? Either tweak the schema (Linux client will have hard time without
RE: [ActiveDir] DC not replicating out
Both come up clean, despite the fact that the A record for the DC initially didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead of BAD_DC$. I adjusted that manually and the change replicated to all DCs. Still the netdiag and dcdiag do not show any DNS related problems - only FRS and AD outbound replication is failing. All other tests are fine. Other DCs that participate in the replication with bad DC come up with KCC errors (eventid 1311: there is insufficient site connectivity, blabla...) - it's the only DC at the site. It looks almost like island DNS, but it's W2K3 and that should not happen. Guy On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote: Would be relatively easy to check DNS. DCDIAG and NETDIAG would be two tools to use to check to see that all is well from the bad dc and good dc perspectives. I'd say go the easy part first. Invalid Checksum? Hmmm... Anything in the security logs that gives an indication? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Tuesday, May 25, 2004 6:02 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] DC not replicating out I am banging my head against the wall the whole day. In pilot environment we applied a GPO to replace the Default DC GPO. Apparently one of the DCs had some issues when the GPO was applied. The result was: the inbound replication on the DC works, but no other DC can pull from the sick one. Closer examination showed total WMI repository corruption. I have rebuilt it and it looks like WMI is back (not sure it's related, but worth mentioning) Since then, the new GPO has been unlinked and replaced with default (and as the inbound replication on the DC in question is working, it has replicated to it). But that has not resolved the issue. From faulty DC issued: repadmin /replicate good_dc bad_dc cn=configuration,dc=company,dc=com /force Traced the session with network monitor from the good DC... 
What I see is: - LDAP bind - some searches performed and answered correctly - MSRPC session initiated - RPC request from good DC, RPC response from bad DC - RPC bind request from good DC and RPC Bind Ack from bad DC - again RPC request from good DC, RPC response from bad DC - again RPC bind request from good DC and RPC Bind Nack from bad DC with Provider Reject Reason: Invalid checksum I was about to blame the DNS till I got this Invalid checksum in the trace... Now the question is: am I complicating the whole thing and should look closer into DNS or this is something else ? Thanks, Guy
RE: [ActiveDir] Anonymous bind
LDAP with SSL/TLS is way better than NIS. As for environment, it's two W2K3 forests with Kerberos forest trust. Forest A has several child domains and holds user accounts. Forest B is where my hosts are (We are relatively small organization in the enterprise, but we are RD and want to have control at least over the hosts). So users can come from any child domain of forest A and logon to hosts in forest B. Now Linux does not play well, when the host is in one realm, and users are from several other realms... The only workaround is to map uid to Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is not an option, and it's quite reasonable considering the small size of our division. So here I am, stuck with LDAP authentication ... If you have any better idea, I am all ears ;) Guy On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote: Just for curiosity... You don't want to use NIS because it's less secure, yet you are going to use LDAP for authentication? Isn't that a counter? Can you give an overview of your topology and what you're wanting to accomplish in the end? I think we tried to help with the original post without all of the topology information. Sounds like an interesting problem though... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday, May 21, 2004 7:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous bind If you excuse me, I will break the inline pattern ;). It got too unreadable. I have seen the interoperability doc. I have also read the whole doc mentioned in the post. It's a very good reference, but is lacking any description of Kerberos deployments in multi-realm environments. Personally I had to choose LDAP authentication instead of Kerberos because my hosts are in one forest, while user accounts are from a child domain of another forest. 
If someone is aware of a workaround for that, monthly beer supply is on me ;) SFU is nice, but it tries to emulate NIS and with all due respect to NIS, its time is gone. There are just too many security issues with NIS. As for having more than one directory, see my reply to joe. I wish I could put it all in one place, but it's not always possible. Guy On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote: A few bits more. [Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go: [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)? I think we've done a great job of interop. Can we do better? Always! And we continue to work on it. But we're doing a *lot* in this space. We have docs out there that go down to even walk you through how to set up the pam modules! We have a lot out there. Here's one of my fav docs, but there are others; this is from a post to this very DL: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html 1) You are right. Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS ? 
Either tweak the schema (Linux client will have hard time without posixAccount and posixGroup objectClasses) or have a cut down functionality (sendmail LDAP mail routing is great, but I would not extend the AD's schema just to make sendmail happy). And if you are still short on the $$$, you are starting to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in this area. 2) Small *heterogeneous* environments. If all you have is Windows, there is no reason to bring in more overhead. Long live and prosper AD ! 3) a) Linux clients logons require uid, uidNumber, gidNumber and etc... (SFU sounds nice at first, till you hit the non-RFC compliance barrier of uid attribute in SFU and realize that NIS is by no means not a secure environment) [EFLEIS] - Yup, SFU can do this. Schema extension required of course, but painless (if memory serves me correctly, no PAS extensions there). b) a lot of *nix services can be easily managed through LDAP backend, though the interoperability issues with AD force the creation of another directory. I totally agree with you here - it IS overhead, but if I extend
RE: [ActiveDir] Domain Controller Security...
You can restrict access to Task Scheduler using GPO (Admin Templates\Windows Components\Task Scheduler) and by changing permissions on %SYSTEMROOT%\Tasks folder, but there are other ways around. BTW, I remember reading somewhere that at command uses old style API which is not enforced by GPO, and therefore the only way around is to change the ACL on Tasks folder. Anyone remembers the details ? Guy On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote: The problem, as you're most likely aware, is that server admins have access to the Task Scheduler, which means they can kick things off as LocalSystem, which means the DC is then 0wn3d.(owned) Not sure what I'd do in your shoes. I'm fortunate enough to have really good IT folk in my remote locations with DCs. I'm also fortunate enough to be 6'5 tall, built like an NFL lineman, and have an expense account with which I can purchase plane tickets to their location to engage in what my ex-Army junior admin refers to as wall to wall counseling. Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Chris Lynch [mailto:[EMAIL PROTECTED] Sent: Friday, May 21, 2004 5:11 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Controller Security... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I know. I agree that this isn't good security practice. I wouldn't recommend this as well. But, for the lack of space in most locations (and we are only talking about 4 locations), we would just like to give the local tech access to that DC only and no other DC in the domain. I can restrict them to log onto that DC local to them only (via GPO). I might just give them Server Operators rights, restrict them to log onto that DC only, and call it a day. Thanks, Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Friday, May 21, 2004 10:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Controller Security... True... 
I musta read half the question (again). -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, May 21, 2004 12:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Controller Security... I am not sure that fits his requirements for this one... Sounds like he is file sharing from the DC (not something I personally recommend) and obviously it would be a bit much to dcpromo down and back up to add a new share. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Friday, May 21, 2004 11:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Controller Security... I like Joe Richard's option - DCPromo it out, let the tech work on it, and DCPromo it back in -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Chris Lynch [mailto:[EMAIL PROTECTED] Sent: Friday, May 21, 2004 11:27 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Domain Controller Security... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm wondering if anyone has accomplished the following: Provided different security policies to multiple DC's within the same domain, but different OU's for field techs to manage resources on just that DC without giving Server Operators rights. I have almost all of the requirements resolved, except the ability to create shares. I have modified the security on the HKLM\System\CurrentControlSet\Services\LanManserver and HKLM\System\ControlSet001\Services\LanManserver with no success. Every document I have read about where the shares definitions are stored are located in these two reg keys. I know the simple way would be to deploy another server to that location and give them local Administrator rights. But, management doesn't want to do this. 
Thanks for any input, Chris Lynch -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQK4f0m9fg+xq5T3MEQKvyACfR40Wo0raZykKESlI9BlWQnO9CREAoIr4 BT+9sM9+/PU1ca4fioHgTuMm =k33B -END PGP SIGNATURE-
RE: [ActiveDir] Anonymous bind
You are of course right about LDAP being primarily a directory and not an authentication protocol, but Linux's support for multiple Kerberos realms is not good enough and it is what I have in my environment (two W2K3 forests with cross forest Kerberos trust). I would prefer using Kerberos for authentication, but there are cases when the overhead and complication of Kerberos for Linux client authentication is not worth it, as compared to LDAP authentication. As for open source LDAP synchronization tool: I am not aware of one. This is something I would really love to put my hands on. Commercial solutions exist, but you do not always have the bucks for it. Guy On Thu, 2004-05-20 at 00:13, joe wrote: Why use LDAP for Linux client authentication instead of Kerberos? I am seriously asking. I don't know why someone would avoid an authentication protocol for authentication and instead would use a directory protocol for authentication. Especially when you have to go through an extra step then to secure the communication. I don't really even like that people do it for apps but if you have one application running on one server handling multiple users, I can see the draw of LDAP Auth. I am not a huge fan of multiple directories that you have to keep synced. The larger the environment, the more likely it is something that would have to be done. The smaller the environment the less things you want to have to deal with as they are less likely to have the people to manage the syncing plus more than likely it means yet another piece of software to do the syncing though I could be completely wrong and there is a beautiful open source free directory syncer out there somewhere. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Wednesday, May 19, 2004 2:26 PM To: [EMAIL PROTECTED] Cc: ADS Customer Feedback Subject: RE: [ActiveDir] Anonymous bind Eric, It looks like I was not clear enough. See my comments below. 
And as others have already stated, the solution should be in the app's code. The problem is that it's not always that easy to change the code even if it's open source. Guy On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote: I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided. What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed is a mystery to me. My point was that you are only syncing with OpenLDAP the uid-sAMAccountName(or upn) and user's Kerberos principal. ACL-ing OpenLDAP to allow read access by attribute is one-liner. That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul. Indeed. But it gives several advantages, like using the same OpenLDAP for Linux clients logons, without tweaking AD's schema by installing SFU (which is rather dumb and not flexible enough to my taste). What I described might be a good solution for a small heterogeneous network. In larger scale, I would not be even considering deploying an application which by default does anonymous binds. If this were my project, I would do the following: 1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution) 2) We need to now ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches: a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it. My bet is that just read to a subset of attributes is sufficient. only 2 attributes are needed. The equivalent of uid (sAMAccountName or upn ?) and userPassword. b. 
You can try to flip the reg value EveryoneIncludesAnonymous to 1 on a single DC and see if that satisfies your needs. NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, IE only a subset of DCs would have increased abilities for ANONYMOUS. Many comments Guy made confuse me, especially this one: You will definitely not want that in production So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully. I was not aware of that approach and I
RE: [ActiveDir] Anonymous bind
If you excuse me, I will break the inline pattern ;). It got too unreadable. I have seen the interoperability doc. I have also read the whole doc mentioned in the post. It's a very good reference, but is lacking any description of Kerberos deployments in multi-realm environments. Personally I had to choose LDAP authentication instead of Kerberos because my hosts are in one forest, while user accounts are from a child domain of another forest. If someone is aware of a workaround for that, monthly beer supply is on me ;) SFU is nice, but it tries to emulate NIS and with all due respect to NIS, its time is gone. There are just too many security issues with NIS. As for having more than one directory, see my reply to joe. I wish I could put it all in one place, but it's not always possible. Guy On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote: A few bits more. [Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go: [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)? I think we've done a great job of interop. Can we do better? Always! And we continue to work on it. But we're doing a *lot* in this space. We have docs out there that go down to even walk you through how to set up the pam modules! We have a lot out there. Here's one of my fav docs, but there are others; this is from a post to this very DL: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html 1) You are right. 
Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS ? Either tweak the schema (Linux client will have hard time without posixAccount and posixGroup objectClasses) or have a cut down functionality (sendmail LDAP mail routing is great, but I would not extend the AD's schema just to make sendmail happy). And if you are still short on the $$$, you are starting to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in this area. 2) Small *heterogeneous* environments. If all you have is Windows, there is no reason to bring in more overhead. Long live and prosper AD ! 3) a) Linux clients logons require uid, uidNumber, gidNumber and etc... (SFU sounds nice at first, till you hit the non-RFC compliance barrier of uid attribute in SFU and realize that NIS is by no means not a secure environment) [EFLEIS] - Yup, SFU can do this. Schema extension required of course, but painless (if memory serves me correctly, no PAS extensions there). b) a lot of *nix services can be easily managed through LDAP backend, though the interoperability issues with AD force the creation of another directory. I totally agree with you here - it IS overhead, but if I extend the schema with app-specific *nix extensions I put myself in danger of that specific extension colliding with future (no offense) MS insights :) and I do not want mangled attributes in AD. [EFLEIS] - So we think it is easier to sync over a subset of data to the other directory, extend there and populate there? Rather than just putting it all in the main directory? I'm sorry, I just disagree. 
:) c) I am writing these lines right after bachelor's party of one of my friends, so my apologies for not coming up with more. Promise to be back to my senses tomorrow. [EFLEIS] - Hehe, I can't help you here. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Wednesday, May 19, 2004 7:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous bind Inline is fine by me ;) Cheers, Guy [snip] [EFLEIS] - So you don't like anonymous access on AD because it is hard? It's two steps: one to allow the bind, one to give access to the resources. It's like a light switch + a dimmer. Turn it on, then tell me how much you want. Click in, then turn the knob. I actually like it this way: now you can wholesale turn the whole thing off with one flip of a flag in dsHeuristics and not have to touch your ACLs until later when you see fit to do so. Or is there more to what you're trying to say here that I'm missing? [Guy] As I have already said, this is something I was not aware of. Thanks for pointing that out. btw, KB 326690
RE: [ActiveDir] Anonymous bind
the creation of another directory. I totally agree with you here - it IS overhead, but if I extend the schema with app-specific *nix extensions I put myself in danger of that specific extension colliding with future (no offense) MS insights :) and I do not want mangled attributes in AD. [EFLEIS] - So we think it is easier to sync over a subset of data to the other directory, extend there and populate there? Rather than just putting it all in the main directory? I'm sorry, I just disagree. :) c) I am writing these lines right after bachelor's party of one of my friends, so my apologies for not coming up with more. Promise to be back to my senses tomorrow. [EFLEIS] - Hehe, I can't help you here. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Wednesday, May 19, 2004 7:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous bind Inline is fine by me ;) Cheers, Guy [snip] [EFLEIS] - So you don't like anonymous access on AD because it is hard? It's two steps: one to allow the bind, one to give access to the resources. It's like a light switch + a dimmer. Turn it on, then tell me how much you want. Click in, then turn the knob. I actually like it this way: now you can wholesale turn the whole thing off with one flip of a flag in dsHeuristics and not have to touch your ACLs until later when you see fit to do so. Or is there more to what you're trying to say here that I'm missing? [Guy] As I have already said, this is something I was not aware of. Thanks for pointing that out. btw, KB 326690 still mentions 7th bit. [snip] [EFLEIS] - Wow, many corrections to be made here: 1) I don't recall seeing any mention in this thread of a schema extension, only change in ACLs to facilitate a client. There's been no discussion here about schema extensions, but if I'm missing the point where there was please point it out to me. 
2) What I found interesting is that you said you like this for small enterprises and a single directory for large. Many customers would argue that the ideal is the other way around, since the small shop has fewer resources to invest in settting up and maintaining the sync mechanisms. While I wish everyone had a single directory, if forced to pick a group of people to sync, I'd rather it be the big guys than the little ones. 3) You said many advantages, but only cited: a) same OpenLDAP for Linux client logs - same as what? I'm not sure I follow. It sounds like the Linux client config would be the same. Where are the others I missed? [Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go: 1) You are right. Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS ? Either tweak the schema (Linux client will have hard time without posixAccount and posixGroup objectClasses) or have a cut down functionality (sendmail LDAP mail routing is great, but I would not extend the AD's schema just to make sendmail happy). And if you are still short on the $$$, you are starting to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in this area. 2) Small *heterogeneous* environments. If all you have is Windows, there is no reason to bring in more overhead. Long live and prosper AD ! 
3) a) Linux clients logons require uid, uidNumber, gidNumber and etc... (SFU sounds nice at first, till you hit the non-RFC compliance barrier of uid attribute in SFU and realize that NIS is by no means not a secure environment) b) a lot of *nix services can be easily managed through LDAP backend, though the interoperability issues with AD force the creation of another directory. I totally agree with you here - it IS overhead, but if I extend the schema with app-specific *nix extensions I put myself in danger of that specific extension colliding with future (no offense) MS insights :) and I do not want mangled attributes in AD. c) I am writing these lines right after bachelor's party of one of my friends, so my apologies for not coming up with more. Promise to be back to my senses tomorrow. If this were my project, I would do the following: 1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS
RE: [ActiveDir] Anonymous bind
Eric,

It looks like I was not clear enough. See my comments below. And as others have already stated, the solution should be in the app's code. The problem is that it's not always that easy to change the code even if it's open source.

Guy

On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:

> I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided. What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed is a mystery to me.

My point was that you are only syncing with OpenLDAP the uid-sAMAccountName (or upn) and user's Kerberos principal. ACL-ing OpenLDAP to allow read access by attribute is a one-liner.

> That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

Indeed. But it gives several advantages, like using the same OpenLDAP for Linux client logons, without tweaking AD's schema by installing SFU (which is rather dumb and not flexible enough to my taste). What I described might be a good solution for a small heterogeneous network. In larger scale, I would not be even considering deploying an application which by default does anonymous binds.

> If this were my project, I would do the following:
> 1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution)
> 2) We need to now ACL things so ANONYMOUS has access to the data required. Fundamentally, there are two approaches:
> a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it; my bet is that just read to a subset of attributes is sufficient.

Only 2 attributes are needed: the equivalent of uid (sAMAccountName or upn ?) and userPassword.

> b. You can try to flip the reg value EveryoneIncludesAnonymous to 1 on a single DC and see if that satisfies your needs. NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, IE only a subset of DCs would have increased abilities for ANONYMOUS.
> Many comments Guy made confuse me, especially this one: "You will definitely not want that in production". So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I was not aware of that approach and I stand corrected. Obviously there is a good reason I am subscribed to this list - I learn something new every day. Thanks guys !

> I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what need change to make it work. I bet it is small though.
> ~Eric
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol Naberan Burgaa
> Sent: Wednesday, May 19, 2004 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Anonymous bind
>
> OK, I will try the second approach. So I have to copy (sync) all the AD data into my local openLDAP??? creating a local schema with the user info???
> -- Aitzol Naberan Burgaa CodeSyntax [EMAIL PROTECTED] www.codesyntax.com Tel: 943 82 17 80
>
> Guy Teverovsky wrote:
> There are several solutions to that:
> 1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.
> 2) Setup OpenLDAP and sync the needed attributes from AD. From what I can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ), you will need to use top, account and simpleSecurityObject objectClasses. userPassword attribute can be a pointer to the user's Kerberos principal in AD Kerberos realm in the following form: userPassword: [EMAIL PROTECTED] In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum data and yet authenticate the users through LDAP. What happens in such a configuration is something like this:
> 1) OpenGroupware binds anonymously to OpenLDAP and performs the search for user object.
> 2) After the user object is found, OpenGroupware tries to bind as user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel
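The thread turns on two switches: the 7th character of the forest-wide dsHeuristics string (KB 326690) and the per-DC EveryoneIncludesAnonymous LSA registry value. The PowerShell below is an added audit check, not code from the thread or from any of the posters, that reports what a domain currently has set so that an administrator can see whether anonymous LDAP reads are possible before (or after) anyone "flips the bit". It assumes it runs on a domain-joined Windows host with the ADSI provider available and rights to read the registry on the DC it runs on; the string parser is kept separate so the decoding logic can be read on its own.

```powershell
# Added example (not from the thread): report whether anonymous LDAP
# operations are enabled forest-wide, and whether this DC treats
# anonymous users as members of Everyone.

function Test-DsHeuristicsAnonymousLdap {
    # dSHeuristics is a string of single-character switches. The 7th
    # character (index 6) controls anonymous LDAP operations: '2' allows
    # anonymous operations beyond the rootDSE; anything else (or a string
    # shorter than 7 characters) means only the rootDSE bind is anonymous.
    param([string]$DsHeuristics)
    if ([string]::IsNullOrEmpty($DsHeuristics) -or $DsHeuristics.Length -lt 7) {
        $seventh = '0'   # unset positions count as '0'
    } else {
        $seventh = [string]$DsHeuristics[6]
    }
    [pscustomobject]@{
        DsHeuristics         = $DsHeuristics
        SeventhCharacter     = $seventh
        AnonymousLdapAllowed = ($seventh -eq '2')
    }
}

function Get-AnonymousLdapPosture {
    # Forest-wide switch lives on the Directory Service object in the
    # configuration naming context; the registry value is local to the DC.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $heur     = [string]$dsObject.psbase.Properties['dSHeuristics'].Value

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $everyone = (Get-ItemProperty -Path $lsaKey -Name EveryoneIncludesAnonymous `
                    -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous

    $forest = Test-DsHeuristicsAnonymousLdap -DsHeuristics $heur
    [pscustomobject]@{
        ConfigurationNC           = $configNc
        DsHeuristics              = $forest.DsHeuristics
        AnonymousLdapAllowed      = $forest.AnonymousLdapAllowed   # forest-wide
        EveryoneIncludesAnonymous = ($everyone -eq 1)              # this DC only
    }
}

# Usage (on a DC, or on an admin workstation for the forest-wide part):
# Get-AnonymousLdapPosture | Format-List
```

The two results answer the two questions raised above separately: AnonymousLdapAllowed tells you whether the directory accepts anonymous operations at all, and EveryoneIncludesAnonymous tells you whether, on this particular DC, ACEs granted to Everyone also apply to those anonymous sessions, which is why Eric describes the registry approach as localized to a subset of DCs.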
Re: [ActiveDir] Default printer logon script OT
Printers are user specific. The script needs to run in user context.

Guy

On Tue, 2004-04-20 at 23:19, Kern, Tom wrote:
> Sorry for the off topic. I'm running a VBscript to set the default printer to always be the same printer on a workstation (we have a legacy Paradox DOS app and it always prints to the default printer) regardless of the user. When I run it from the current session, it works fine. However, when I put it into a local policy machine startup script, it can't find the printer. I'm guessing the printers don't get loaded at the computer account logon phase. Anyway to automatically set a specific printer as default no matter who logs onto a machine? thanks
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

-- Smith Wesson - the original point and click interface
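Guy's answer is that the script has to run as the logging-on user, because printer connections live in the user's profile and do not exist yet when a machine startup script runs. The PowerShell below is an added example of such a user-context logon script; it is not Tom's VBScript (which the thread does not reproduce) and uses the same WScript.Network COM object a VBScript would. The printer path \\printsrv\paradox is a placeholder.

```powershell
# Added example (not from the thread): force one default printer for
# whoever logs on. Deploy as a *user* logon script (GPO: User Configuration
# > Windows Settings > Scripts > Logon), not as a machine startup script:
# the per-user printer connection only exists in the user's session.
param(
    [string]$PrinterPath = '\\printsrv\paradox'   # placeholder UNC path
)

function Set-FixedDefaultPrinter {
    param([Parameter(Mandatory)][string]$Path)
    $net = New-Object -ComObject WScript.Network

    # EnumPrinterConnections returns a flat list alternating port, printer name.
    $conns = @($net.EnumPrinterConnections())
    $alreadyConnected = $false
    for ($i = 1; $i -lt $conns.Count; $i += 2) {
        if ([string]$conns[$i] -ieq $Path) { $alreadyConnected = $true }
    }

    if (-not $alreadyConnected) {
        # Create the per-user connection first; if the share is unreachable
        # for this user the error surfaces here instead of at print time.
        $net.AddWindowsPrinterConnection($Path)
    }
    $net.SetDefaultPrinter($Path)
    return $Path
}

Set-FixedDefaultPrinter -Path $PrinterPath
```

Because the script runs in the user's own context it also needs nothing beyond the user's normal rights to the print share, which is one reason the machine-context approach in the question fails: the computer account is not the principal that owns, or can see, those connections.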
[ActiveDir] Effective permission
I will try to make the long story short:

2 W2K3 forests with transitive forest trust (abc.com and xyz.com)
- xyz.com is resource forest
- abc.com is user accounts forest (child.abc.com is a child domain)

I logged on to forest xyz.com DC with account from child domain of forest abc.com ([EMAIL PROTECTED]) which is a member of local Administrators group in xyz.com domain. I created a new GPO and edited the GP object's ACL:
- domain local group XYZ\NewGPOOwner contains a domain global group from the child domain of the other forest: CHILD\xyzGPOOwners
- Account I am logged on with is a member of CHILD\xyzGPOOwners which makes me also a member of ABC\NewGPOOwners
- Added a domain local group XYZ\NewGPOOwners with Full permissions except Apply Group Policy (this makes it Read/Write and Create/Delete child objects)
- Removed myself from the ACL
- Changed the owner of the object to XYZ\NewGPOOwners domain local group.

Now the funny part: All permissions behave as expected: I can modify the GPO, change permissions, change owner, etc... BUT if I go to Effective permissions tab and select my [EMAIL PROTECTED] account, it shows me that I have read only permissions (just like Authenticated Users). If I select CHILD\xyzGPOOwners group from account forest (member of XYZ\NewGPOOwner group), the UI shows that the group has no permissions. If I select XYZ\NewGPOOwner group, I get the correct permissions. A little bit confusing and quite inconsistent I would say...

To me it looks like security principals are not processed correctly by UI, but the OS enforces the correct permissions. From what I understand, this behavior is similar to partial SID filtering: the SIDs of user groups from another forest are not enumerated by UI (despite the fact that the OS enumerates the group membership correctly)

Any ideas ?

Thanks,
Guy
-- Smith Wesson - the original point and click interface
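Guy's diagnosis is that the Effective Permissions tab does not walk the cross-forest group chain while the OS, working from the logon token, does. The PowerShell below is an added check, not from the thread, that sidesteps the UI: it takes the SIDs actually present in the current logon token (which already contains the foreign global group and the resource-forest domain local group it was nested into at logon) and lists the ACEs on the GPO object that name one of those SIDs. It assumes it runs in the session whose access you want to explain, on a host that can reach the resource-forest DC; the GPO distinguished name is a placeholder.

```powershell
# Added example (not from the thread): explain GPO access from the logon
# token's SIDs and the object's ACL, instead of the Effective Permissions
# tab, which does not follow cross-forest group nesting.

function Get-TokenSids {
    # Every SID the OS will use in an access check for this session: the
    # user SID plus all group SIDs, including foreign-forest global groups
    # and the domain local groups they were expanded into at logon.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value)
    foreach ($g in $id.Groups) { $sids += $g.Value }
    return $sids
}

function Get-ApplicableGpoAces {
    param(
        # e.g. 'CN={GUID},CN=Policies,CN=System,DC=xyz,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$GpoDistinguishedName
    )
    $tokenSids = Get-TokenSids
    $entry = [ADSI]"LDAP://$GpoDistinguishedName"

    # Ask for SID-based rules so nothing depends on name translation, which
    # is exactly what fails for principals from the other forest in the UI.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

    foreach ($ace in $rules) {
        if ($tokenSids -contains $ace.IdentityReference.Value) {
            try {
                $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'   # foreign SID the local host cannot translate
            }
            [pscustomobject]@{
                Trustee   = $name
                Sid       = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType      # Allow / Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage, logged on as the account in question:
# Get-ApplicableGpoAces -GpoDistinguishedName 'CN={GUID},CN=Policies,CN=System,DC=xyz,DC=com' |
#     Format-Table -AutoSize
```

In the scenario above the output should show the ACE for XYZ\NewGPOOwners matched through a SID that is in the token, even though the UI claims the account only has the Authenticated Users rights; a Deny ACE matched the same way would explain an unexpected access failure just as directly.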
RE: [ActiveDir] Wlan AD Security
I would say that the link below gives a pretty good reason for not plugging APs into internal LAN:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml

Guy

On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote:
> That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack-in?) etc. There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this type of usage as well. One of the better ways to accomplish authorized access only is to use strong authentication. WEP isn't it. Cracking WEP is published and pretty quick. MAC layer isn't all that great either since you can spoof the MAC address to gain access. Certificates are nice, except that some of your downlevel and handheld devices won't like it. I'd say this is a pretty valid argument to rethink security (for many companies) from a "keep out the bad guys and we'll be fine" mentality to a "let's figure out what we need to protect on our network and add security to those parts to protect from outside the firewall as well as the inside of the firewall" mentality. When you can sip coffee or favorite hot beverage of choice downstairs and wander a company's network two floors above or across the street, the possibilities are limitless. I favor the certificate method and VPN for wireless access, but that only addresses part of the issue IMHO.
> Al
>
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 13, 2004 12:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wlan AD Security
>
> Chris, We sometimes become off-topic city. No worries there. This is an interesting topic, and one that I will fall clearly on one side of because of my experiences at my company. Treat your access points like untrusted computers in the public DMZ. There is really no way that one should treat an access point in any other way. Given that the signals coming into an AP cannot truly be verified, then one must add extra methods to ensure security. The way that I prefer to see this accomplished is by placing the APs into an untrusted area of the network, applying a 128-bit WEP key, then using some added methods consistent with 802.1x. This can either be PEAP (using RADIUS / IAS), Cisco's LEAP, or other secure methods for providing strong authentication. Obviously, the stronger the better, and two-factor (RSA fob, smart card, what have you) is magnitudes better than a single factor authN. I'm still fighting to get my APs at work in the DMZ. They are, at present, on our internal network. They are PEAP protected, but somehow I'm just not all that heartened by the simple addition of PEAP to untrusted devices.
> Rick Kingslan MCSE, MCSA, MCT, CISSP
> Microsoft MVP: Windows Server / Directory Services
> Windows Server / Rights Management Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
> Sent: Monday, April 12, 2004 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Wlan AD Security
>
> This may be slightly Off Topic, Sorry. I am looking to deploy wireless access points for our users to access our AD. I am currently reading the white paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows". Has anyone else implemented this? I have also read about putting the APs outside of the network and using VPN to access any AD related resources. Sounds easier, but is it as secure? Does anyone else have any other solutions?
RE: [ActiveDir] Group Policy
Darren, now I am puzzled... I would have sworn that what I have described once worked with W2K (if I am not mistaken, it was SP1), but... So I checked...

2 DCs in the test domain (W2K native):
- 1 W2K3 (holds all FSMOs)
- 1 W2K SP4 (GC)

Test 1: On W2K3:
1) Defined Default Domain Policy with 6 chars password length.
2) Defined Default DC Policy with 8 chars length.
3) ReACL-ed the Default Domain Policy and denied it to Enterprise Domain Controllers
4) gpupdate + gpresult shows that default domain policy is not applied at DCs.
5) Trying to set user's password to 6 chars works (just as you have said) == Default DC password complexity settings are indeed ignored
6) Canceled the Deny for enterprise DCs on default domain policy + gpupdate + gpresult
7) Default Domain Policy (6 chars) is enforced (meanwhile everything as expected)

Test 2 (things stop making sense):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 5 chars
3) W2K local machine policy set to 6 chars
4) sync the domain, gpupdate, secedit /refreshpolicy
5) on W2K setting 5 char password works (local policy set to 6)
6) on W2K3 5 char password works (local policy set to 5)
7) trying 4 chars fails on both DCs

Test 3 (the other way around):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 6 chars
3) W2K local machine policy set to 5 chars
4) sync the domain, gpupdate, secedit /refreshpolicy
5) on W2K3 setting 5 char password fails (local policy set to 6)
6) on W2K 5 char password fails ! (local policy set to 5)
7) trying 4 chars fails on both DCs

Now I've been lurking this mail list for quite a while and been listening to Joe :), so I fire up Network Monitor on W2K3 (local=6) while trying to set 5 char password on W2K (local=5) and I see nothing, except some LDAP chatter about cn=configuration,dc=domain,dc=com... and yet the password reset to 5 chars fails. What is going on here ??? What am I missing ?

Test 4 (back to reality):
1) set default domain policy to 6 chars + sync the DCs + check that GPO settings have replicated
2) gpupdate, secedit /refreshpolicy
3) local policies are overridden as expected and 6 char passwords are enforced

Guy

On Tue, 2004-03-16 at 07:08, Darren Mar-Elia wrote:
> Yea, that's the right way to do it Joe. Guy, I'm kinda surprised you actually saw that behavior. I was under the impression that password complexity was one of those account policies that was completely ignored by DCs unless it's linked to a domain policy.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, March 15, 2004 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
>
> I would think you could do this by simply linking another policy for the member machines at a lower OU level that still encompasses all of those machines. I know I did this for lockout policy once.
> - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, March 15, 2004 3:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
>
> Actually I did it once. This way you can enforce different password complexity requirements for domain accounts vs. machine local accounts by applying stricter password complexity to GPO that is linked to Domain Controllers OU. This is rather simple: in Default Domain Controller Security policy you block inheritance and define different password length/complexity than in default domain policy. Standalone computers will receive the security settings from default domain policy and DC from its own. Of course you must watch out for other settings defined in the default domain GPO. Never found any use for this, but it was one of those nice-to-know things.
> Guy
> -- Smith Wesson - the original point and click interface
>
> On Mon, 2004-03-15 at 07:56, joe wrote:
> Yes they do. The default domain policy is where your domain security policy is located at. What implications are there for blocking it... I am not sure, never tried... Let us know. :o)
> - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Thursday, February 26, 2004 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Group Policy
>
> Do W2k domain controllers need to process default domain policy as well as default dc policy? If so and the DC's OU is set to block default domain policy what implications will/can this have? thanks in advance.
RE: [ActiveDir] Group Policy
Actually I did it once. This way you can enforce different password complexity requirements for domain accounts vs. machine local accounts by applying stricter password complexity to GPO that is linked to Domain Controllers OU. This is rather simple: in Default Domain Controller Security policy you block inheritance and define different password length/complexity than in default domain policy. Standalone computers will receive the security settings from default domain policy and DC from its own. Of course you must watch out for other settings defined in the default domain GPO. Never found any use for this, but it was one of those nice-to-know things.

Guy
-- Smith Wesson - the original point and click interface

On Mon, 2004-03-15 at 07:56, joe wrote:
> Yes they do. The default domain policy is where your domain security policy is located at. What implications are there for blocking it... I am not sure, never tried... Let us know. :o)
> - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Thursday, February 26, 2004 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Group Policy
>
> Do W2k domain controllers need to process default domain policy as well as default dc policy? If so and the DC's OU is set to block default domain policy what implications will/can this have? thanks in advance.
RE: [ActiveDir] Local Admin to Domain Admin escalation
Joe, Guido, thanks for clearing this up. I was helping out someone and came up with the solution described below and when it worked I was totally sure I was missing something. I know that the topic is rather controversial and I am sorry for blowing the whistle, but I just had to know it for sure.

Thanks again,
Guy

On Tue, 2004-03-09 at 08:43, joe wrote:
> I agree with Guido. It's all about physical security. Consider if they fixed that little loophole... What would you do? You obviously have done this enough you have worked up a nice little process. You have probably described a method that 10% or better of the people on the list read and said "no kidding" and another 10% said "don't say it out loud, I don't want that fixed as it saves my butt all of the time". The only realistic fix from MS would be to make it so it isn't possible to get into the box even if you have physical access and could do the screensaver, at, service, gina, you name it, hack. It's like why don't they take away the whole creator/owner loophole on ACLs? Because the second they do someone is going to start screaming they can't get at their stuff when they or someone else screwed up. Personally I am all for tough love and security, you screwed up and can't get in, rebuild. You screwed up and locked yourself out of a file or directory object, tough love. I have DCs all over the world and this is one thing that I don't even start to take the time to worry about because I have zero control over how physical security will in the end really be handled and zero compensating controls I can feasibly put into place to prevent anything bad if someone got the idea they wanted to do something bad.
> - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Friday, February 27, 2004 3:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation
>
> no need to install a new service at all = scheduling an at command in DSRM mode to execute the right script is sufficient, as the task scheduler is configured to run as Local System. And even though I agree that it would be nice to see new services being pre-configured to be run with the Local Service account, an admin can change it to run as local system anyways. Also, how is Windows supposed to know if the service doesn't require network access and should thus use the Network Service instead... In summary: the default install account of a service should be the least of your worries. Better to concentrate on physically securing the DC.
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, February 27, 2004 17:56
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin to Domain Admin escalation
>
> Hi all, Recently I have been playing around with an idea of how you deal with a situation when you must have Domain Admin access to AD but do not have the Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable). In W2K this was easy. You use one of those tools that reset the Administrator's password in local SAM, boot in DS Restore Mode, copy cmd.exe over logon.scr, reboot, wait and get a shell running in Local System context. As this is a DC and LSA has enough privileges to reset Domain Admin password, you are all set. In W2K3 this behavior has been changed. The screensaver runs in Local Service account context and has no access to AD. This sounds nice and dandy, BUT if I boot into DS Restore Mode, install a service (using resource kit utilities) that will spawn a shell, which will run a script, which will reset Domain Admin password, I still get access to the AD (tested successfully at home). The problem I see here is the fact that in DS Restore Mode (actually it does not really matter in which mode), when you install a new service, it will run by default in LSA context. I know that you will all say: physical access = Domain Admin and will be right, but what bothers me more is the fact that local account has a way to escalate its rights by taking advantage of the fact that new services default to run under Local System account. Your thoughts ?
> Guy
> -- Smith Wesson - the original point and click interface
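Joe and Guido both land on physical security as the real control, and Guy's residual worry is that a service created on a DC runs as Local System unless told otherwise. What a defender can add on top of physical controls is visibility: the PowerShell below is an added detection, not code from the thread, that reads Service Control Manager event 7045 ("a service was installed in the system") from the System log and flags new services configured to run as LocalSystem, then cross-checks whether each is still registered. It assumes a Windows version where Get-WinEvent and Get-CimInstance exist (not the W2K3 systems in the thread) and rights to read the System log on the target DC.

```powershell
# Added example (not from the thread): surface newly installed services
# that run as LocalSystem on a domain controller. Event 7045 is written by
# the Service Control Manager whenever a service is created, regardless of
# the mode the box was booted in, so it is a useful thing to forward and
# review from DCs.

function Get-NewLocalSystemServices {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                  -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 7045 event data order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $p       = $e.Properties
        $account = [string]$p[4].Value
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Computer     = $e.MachineName
            Service      = [string]$p[0].Value
            ImagePath    = [string]$p[1].Value
            StartType    = [string]$p[3].Value
            Account      = $account
            RunsAsSystem = ($account -ieq 'LocalSystem')
        }
    }
}

function Test-ServiceStillPresent {
    # Cross-check against the live service database: is it still there,
    # and under which account is it configured to run now?
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
               Where-Object Name -eq $Name
    if ($null -eq $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName
        PathName  = $svc.PathName
        State     = $svc.State
    }
}

# Usage on a DC (or pointed at one with -ComputerName):
# Get-NewLocalSystemServices -Days 30 | Where-Object RunsAsSystem |
#     ForEach-Object { $_ | Add-Member -NotePropertyName Live -NotePropertyValue (Test-ServiceStillPresent $_.Service) -PassThru } |
#     Format-Table TimeCreated, Service, ImagePath, Account, Live -AutoSize
```

Guido's point that a scheduled at job reaches the same account means this check is not complete on its own; the same forwarding pipeline should carry the Task Scheduler operational log, and an unexpected 7045 on a DC, with or without a service left behind, is worth treating as an incident rather than a curiosity.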
[ActiveDir] Local Admin to Domain Admin escalation
Hi all,

Recently I have been playing around with an idea of how you deal with a situation when you must have Domain Admin access to AD but do not have the Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable).

In W2K this was easy. You use one of those tools that reset the Administrator's password in local SAM, boot in DS Restore Mode, copy cmd.exe over logon.scr, reboot, wait and get a shell running in Local System context. As this is a DC and LSA has enough privileges to reset Domain Admin password, you are all set.

In W2K3 this behavior has been changed. The screensaver runs in Local Service account context and has no access to AD. This sounds nice and dandy, BUT if I boot into DS Restore Mode, install a service (using resource kit utilities) that will spawn a shell, which will run a script, which will reset Domain Admin password, I still get access to the AD (tested successfully at home).

The problem I see here is the fact that in DS Restore Mode (actually it does not really matter in which mode), when you install a new service, it will run by default in LSA context. I know that you will all say: physical access = Domain Admin and will be right, but what bothers me more is the fact that local account has a way to escalate its rights by taking advantage of the fact that new services default to run under Local System account.

Your thoughts ?

Guy
-- Smith Wesson - the original point and click interface
RE: [ActiveDir] DCPromo
The machine in question was the first DC in site C (which was already pre-configured in Sites and Services). The dcpromo.log confirms that it properly recognized its site. I saw the LDAP session to PDCE (site A) when initiating the dcpromo by running netstat (I saw a new LDAP session). The replication was performed from a DC in site B (Infrastructure Master). dcpromo.log and dcpromogui.log do not show initial query to PDCE. All the machines are W2K3. Domain and forest functional levels are 2003.

What is interesting is that the DC the replication was performed from is actually much closer from the network and latency point of view. It would be pretty smart of W2K3 to replicate from the nearest partner...

Guy

On Sat, 2004-02-14 at 04:37, joe wrote:
> What site was the machine that was being promoted to in? I would expect it was in site B. The change should be done on the machine that it did its initial replication with. How do you know that it did that replication with the PDC? Is this info from the dcpromo log?
> joe
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, February 13, 2004 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DCPromo
>
> Yesterday, while dcpromoing a machine (which was already a domain member), I noticed that while the LDAP session was initiated against PDCE in site A, the computer account move to Domain Controllers OU was performed on a DC in site B. Although after the replication everything was nice and dandy, any insight on at which DC the changes should take place during the dcpromo process is more than welcome.
> Thanks,
> Guy
> -- Smith Wesson - the original point and click interface

-- Smith Wesson - the original point and click interface
[ActiveDir] DCPromo
Yesterday, while dcpromoing a machine (which was already a domain member), I noticed that while the LDAP session was initiated against PDCE in site A, the computer account move to Domain Controllers OU was performed on a DC in site B. Although after the replication everything was nice and dandy, any insight on at which DC the changes should take place during the dcpromo process is more than welcome.

Thanks,
Guy
-- Smith Wesson - the original point and click interface
Re: RE: [ActiveDir] Integrate Linux with AD
You might also want to look at the following solution: http://laaad.sourceforge.net/en/index.html

The idea behind the project is to apply the SFU schema extensions and make the clients authenticate using LDAP/SSL instead of NIS, as opposed to vanilla SFU. If you want, you can also make clients authenticate against AD's Kerberos realm. Actually the problem is not authentication, but having a single store for user account properties in AD (Posix account properties in the case of Linux/Unix), and that is what the SFU schema extensions do in this case.

Guy

On Sat, 2004-02-07 at 02:27, [EMAIL PROTECTED] wrote:

Jennifer,

The first solution that was presented to you by Tom [AD4Unix] is a solution that we've implemented in the past. It uses the schema extensions from SFU, and it's a fairly easy to manage and easy to install solution. Not lots of bells and whistles, and it does require that all of your systems are a part of NIS - which can be arbitrarily defined. IOW, it doesn't have to be an official and stringent NIS, just something for AD to know who is and who isn't playing in your ballpark.

As to SFU 3.5, I believe that Rod Trent or Jackson suggested it, and you can certainly use it to great advantage as well.

The VAS solution is a fantastic product, but many folks are put off by the cost. It all depends on how 'seamless' you want the solution, obviously offset by the 'pocket book' factor.

Good luck!

Rick Kingslan
Microsoft MVP - Active Directory

From: Jennifer Fountain [EMAIL PROTECTED]
Date: 2004/02/06 Fri PM 05:11:49 EST
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Hot off the press. Solution Guide for Windows Security and Directory Services for UNIX: Using Active Directory and Kerberos for authentication and identity store in a heterogeneous UNIX and Windows IT environment. http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en

Could I use Services for Unix? Would that work instead of buying VAS?

Jennifer

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] forcing a logoff
You can try the following shell command:

RunDll32.exe Shell32.dll,SHExitWindowsEx 0x1

See http://www.borncity.com/WSHBazaar/WSHExitWin3.htm for details.

Guy

On Tue, 2004-01-20 at 21:41, Creamer, Mark wrote:

I noticed that there is a WMI core install for Win9x and I installed it on my test Win95 machine. However, I can't get the WMI script to reboot that machine. Is it possible that even though WMI core is installed, it doesn't give me access to all of the features I'd have on a Win2K machine? The error I receive on the script is:

Microsoft VBScript runtime error: The remote server machine does not exist or is unavailable: 'GetObject'

Thanks,
Mark Creamer

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Remotely Boot into DS Restore Mode?
Use the /SAFEBOOT:DSREPAIR /SOS switches in boot.ini: http://support.microsoft.com/?kbid=256588

Guy

On Wed, 2004-01-14 at 03:26, David Adner wrote:

Without using a lights-out type adapter or something else that will allow me to remotely view the bootup process, is there a way to reboot a server and have it automatically enter DS Restore Mode?

TIA

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Finding the time of last update of SRV record
Thanks Marcus,

The dwTimeStamp attribute is also accessible by checking View -> Advanced in the DNS snap-in. The thing is that the timestamp is not the precise time the RR has been refreshed - the hour is rounded (i.e.: an update performed at 15:17 12/25/2003 is rounded to 15:00 12/25/2003). The command line returns the same...

Thanks,
Guy

On Wed, 2003-12-24 at 22:01, marcus wrote:

I got this tidbit from Robbie ... I suppose you could point it at the SRV record in question:

There are a couple of ways you can get it. If you are a command line hacker, you could use this:

dnscmd . /enumrecords rallencorp.com foobar /detail | findstr dwTimeStamp

If you are looking to do it via VBScript or Perl, then you'll want to look at the MicrosoftDNS_ResourceRecord WMI class. It has a Timestamp property: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/microsoftdns_resourcerecord.asp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Wednesday, December 24, 2003 6:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Finding the time of last update of SRV record

Hello all,

I am looking for a way to get the time of the last successful SRV record update. We are having a DNS related replication problem and I basically want to check when a specific SRV record has been last updated at a given DNS server.

And another related question: from what I understand, the default frequency of DNS records re-registration at W2K Server is one hour by default and can be controlled by the DefaultRegistrationRefreshInterval registry key under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Does the same apply to W2K3? (The W2K3 registry reference does not mention the key.) Has anyone stumbled into a situation when he had to change the default settings?

Thanks and happy holidays,
Guy

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
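The rounding Guy observed follows from how Windows DNS stores the aging value: dwTimeStamp is a count of whole hours since 1601-01-01 00:00 UTC, and 0 marks a static (non-aging) record. The following added example (not from the thread) decodes those values from constructed dnscmd /detail-style output; it assumes that encoding, and the sample text only imitates the "dwTimeStamp = N" lines the findstr pipeline above would keep.

```python
"""Decode DNS aging timestamps (dwTimeStamp) from dnscmd /enumrecords /detail output."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: dwTimeStamp counts whole hours from this instant (Windows DNS aging epoch).
DNS_AGING_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample; real dnscmd /detail output carries more fields per record.
SAMPLE_DETAIL_OUTPUT = """\
  Name = _ldap._tcp.dc1.foobar.com.
  dwTtlSeconds = 600
  dwTimeStamp = 3532455
  Name = static.foobar.com.
  dwTtlSeconds = 3600
  dwTimeStamp = 0
"""

_NAME_RE = re.compile(r"^\s*Name\s*=\s*(\S+)")
_TS_RE = re.compile(r"^\s*dwTimeStamp\s*=\s*(\d+)")


def hours_to_utc(hours):
    """Convert an aging timestamp to a UTC datetime; None means the record is static.

    Minute and second are always zero: the stored value has hour granularity,
    so a refresh at 15:17 is reported as 15:00.
    """
    if hours == 0:
        return None
    return DNS_AGING_EPOCH + timedelta(hours=hours)


def parse_detail_output(text):
    """Map each record name to its last-refresh time (None for static records)."""
    result, current = {}, None
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _TS_RE.match(line)
        if m and current:
            result[current] = hours_to_utc(int(m.group(1)))
    return result


if __name__ == "__main__":
    for name, ts in parse_detail_output(SAMPLE_DETAIL_OUTPUT).items():
        print(name, "static" if ts is None else ts.isoformat())
```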
RE: [ActiveDir] Finding the time of last update of SRV record
Joe,

I'm puzzled. Should I be looking under CN=MicrosoftDNS,CN=System,DC=foobar,DC=com in the Domain naming context? Because I can only see there the child sub-domains (like child.foobar.com), but not the _msdcs.foobar.com, _sites.foobar.com, etc. - zones which are AD integrated too. The interesting thing is that not all AD integrated sub-domains show in there (a.foobar.com, b.foobar.com are there but c and d are not). Should I be worried? (It is a pilot domain after all.)

Thanks,
Guy

On Thu, 2003-12-25 at 23:10, Joe wrote:

If you are using AD Integrated Windows DNS you should be able to find the actual AD object associated with the record and look at the whenchanged attribute with any LDAP tool or the object's metadata via repadmin.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Wednesday, December 24, 2003 6:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Finding the time of last update of SRV record

Hello all,

I am looking for a way to get the time of the last successful SRV record update. We are having a DNS related replication problem and I basically want to check when a specific SRV record has been last updated at a given DNS server.

And another related question: from what I understand, the default frequency of DNS records re-registration at W2K Server is one hour by default and can be controlled by the DefaultRegistrationRefreshInterval registry key under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Does the same apply to W2K3? (The W2K3 registry reference does not mention the key.) Has anyone stumbled into a situation when he had to change the default settings?

Thanks and happy holidays,
Guy

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Backup Problem: Data Protector 5.10
Michael,

I have DP 5.1 set up with the local system account on a member server. I guess it should work the same on a DC.

P.S.: Looks like I should look at the change log more frequently :-)

Cheers,
Guy

On Wed, 2003-12-10 at 22:39, Donovan, Michael wrote:

Hi-

I have a DC locally attached to a DLT tape device running with Data Protector 5.1. When I boot into DS Restore Mode, the Cell Manager Service won't start, even though it's configured to use the local Administrator account. However, I can directly log into the machine as local Administrator. Has anyone seen this behavior before? Should DCs not be backup servers as well? I have found no documentation in the Data Protector manuals, or from MS, that DCs cannot be backup servers, so I'm terribly confused at this point. Any help would be greatly appreciated.

Thanks!

Michael Donovan
[EMAIL PROTECTED]
(617)551-7644 (voice)

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GPO change management
Hi all,

My organization is currently running a W2K3 pilot and I have been assigned the task of defining GPO change management, backup and restore procedures. I have divided this into 3 sub-categories:

1) Procedures for tasks related to changes in the Group Policies (testing new GPOs, archiving, establishing a new baseline, backup, etc.)
2) Documentation of changes
3) GPO management tools.

Now, as I was used to the W2K environment, I started by looking into third party tools: FAZAM 2000, Directory Administrator by Small Wonders and ActiveRoles by Quest, without being totally aware of the existence of GPMC. I have dedicated some time to investigating this tool and meanwhile have not noticed any features I might benefit from by buying third party software. Except for GPO merging, restoring GPO links, exporting GPOs to a database, comparing GPOs and some other minor features, it seems that a bunch of automated scripts can do a pretty good job. Any insights on this? Am I missing something here?

Second question: has anybody encountered GPO change management best practices anywhere? I do not mind reinventing the wheel, but additional insights are always welcome.

Thanks in advance,
Guy

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/