[ActiveDir] Decommissioning a DC

2006-11-07 Thread Lucas, Bryan

We have several DCs in our environment, all of which
are 2003 SP1 servers except for one.  I am preparing to demote this one through
DCPromo this weekend.  All of our DCs are also GCs, including
this last remaining 2000 server.  It does not own any FSMO roles.  The Exchange
RUS services are not using this DC.  We are a single site and domain.

 

Is there anything unique about demoting the last 2000 DC,
given there are plenty of other 2003 DC/GCs available?

 

Bryan Lucas

Server Administrator

Texas Christian University

 
[ActiveDir] Support services from Microsoft

2006-11-07 Thread Lucas, Bryan

We have always just handled support by purchasing the
5-packs and paid our $250.  Generally this has been very good, but more and
more I am finding the first level team isn’t getting the job done.  I am
considering the Premier Plus, granted it is expensive, and would like to know
if any of you have any of these support offerings and what your impressions
are.

http://www.microsoft.com/services/microsoftservices/srv_busi.mspx

 

Thanks,

 

Bryan Lucas

Server Administrator

Texas Christian University

 

RE: [ActiveDir] DC crashing / LSASS --> memory leak

2006-11-05 Thread Lucas, Bryan
Thanks for that link, I've wanted something like this for a while now.

Yeah maybe not a week... just a day or two, which feels like a week when
it's a critical server ;)

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 04, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC crashing / LSASS --> memory leak

http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx

Then do it yourself... and they've never taken a week to call me back.



Lucas, Bryan wrote:
>
> I went that route actually. I unplugged, rebooted and it was fine. 
> After I browsed some file properties, LSASS sucked up a bunch of RAM 
> (caching I presume) and then stabilized ~500MB. After 30 minutes, I 
> plugged it back in and it got drilled during replication but then 
> returned to normal and so far so good. Been about an hour now.
>
> It's an older, slower single-CPU box and our only 2000 DC left; it will
> be demoted very soon after this incident ;)
>
> Thanks for the suggestion.
>
> I did call PSS btw and they wanted the typical dump and analyze and 
> we'll call you in a week or so. No time for that unfortunately.
>
> Bryan Lucas
>
> Server Administrator
>
> Texas Christian University
>
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Roger Longden
> *Sent:* Saturday, November 04, 2006 8:09 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] DC crashing / LSASS --> memory leak
>
> Assuming you have a Premier support agreement I suggest calling PSS 
> and/or your TAM. I'd be curious if you see the same issue with the DC 
> unplugged from the network. In other words, I'd suspect malicious 
> activity (could be viral/worms/Trojans) as a prime candidate. I don't 
> recall seeing many memory leaks in lsass.exe in 2000 SP4.
>
> - Roger
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Lucas, Bryan
> *Sent:* Saturday, November 04, 2006 2:50 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] DC crashing / LSASS --> memory leak
>
> I've got a Win2000 SP4 box that I believe has LSASS crashing leading
> to a huge run on memory causing the system to page and yield a Virtual
> Memory is too low... type error and all access to the server is cut off
> essentially (other than local logon).
>
> After rebooting twice and watching TaskMgr, I see LSASS spike for
> about 4-8 seconds, then flatline and memory starts going nuts. The box
> becomes extremely unresponsive. I'm rebooting to safe mode now to
> review the logs, but in the meantime does anyone have any ideas?
>
> The box has been fairly stable for a long time now.
>
> Bryan Lucas
>
> Server Administrator
>
> Texas Christian University
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] DC crashing / LSASS --> memory leak

2006-11-04 Thread Lucas, Bryan

I went that route actually.  I unplugged,
rebooted and it was fine.  After I browsed some file properties, LSASS sucked
up a bunch of RAM (caching I presume) and then stabilized ~500MB.  After 30
minutes, I plugged it back in and it got drilled during replication but then
returned to normal and so far so good.  Been about an hour now.

 

It's an older, slower single-CPU box and our
only 2000 DC left; it will be demoted very soon after this incident ;)

 

Thanks for the suggestion.

 

I did call PSS btw and they wanted the
typical dump and analyze and we’ll call you in a week or so.  No time for
that unfortunately. 

 
Bryan Lucas

Server Administrator

Texas Christian University

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Longden
Sent: Saturday, November 04, 2006 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC crashing / LSASS --> memory leak

 

Assuming you have a Premier support agreement I suggest calling PSS and/or your TAM.
I’d be curious if you see the same issue with the DC unplugged from the
network.  In other words, I’d suspect malicious activity (could be
viral/worms/Trojans) as a prime candidate.  I don’t recall seeing
many memory leaks in lsass.exe in 2000 SP4.

 

- Roger

 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Saturday, November 04, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC crashing / LSASS --> memory leak

 

I’ve got a Win2000 SP4 box that I believe has LSASS
crashing leading to a huge run on memory causing the system to page and yield a
Virtual Memory is too low… type error and all access to the server is
cut off essentially (other than local logon).

 

After rebooting twice and watching TaskMgr, I see LSASS
spike for about 4-8 seconds, then flatline and memory starts going nuts.
The box becomes extremely unresponsive.  I’m rebooting to safe mode
now to review the logs, but in the meantime does anyone have any ideas?

 

The box has been fairly stable for a long time now.

 

Bryan Lucas

Server Administrator

Texas Christian University

 
[ActiveDir] DC crashing / LSASS --> memory leak

2006-11-04 Thread Lucas, Bryan

I’ve got a Win2000 SP4 box that I believe has LSASS
crashing leading to a huge run on memory causing the system to page and yield a
Virtual Memory is too low… type error and all access to the server is
cut off essentially (other than local logon).

 

After rebooting twice and watching TaskMgr, I see LSASS
spike for about 4-8 seconds, then flatline and memory starts going nuts.  The
box becomes extremely unresponsive.  I’m rebooting to safe mode now to
review the logs, but in the meantime does anyone have any ideas?

 

The box has been fairly stable for a long time now.

 

Bryan Lucas

Server Administrator

Texas Christian University

 
RE: [ActiveDir] OT: Issue with remote assistance offers

2006-10-24 Thread Lucas, Bryan
I snagged this from my notes on when we deployed XP/GPO's and RA.  It
was a beating to get this to work, maybe something in this will spark a
thought on your part.

Edit the new custom GPO to have the following settings
1.  CompConfig, Windows Settings, Local Policies, Security Options:
a.  DCOM: Machine Access Restrictions
b.  DCOM: Machine Launch Restrictions
Grant TCURAP-XYZ full control on all these rights when you define this
setting.

2.  CompConfig, Windows Settings, Local Policies, User Rights
Assignments:
a.  Access this computer from the network (add the TCURAP-XYZ group)

3.  CompConfig, Administrative Templates, System, Remote Assistance
a.  Offer Remote Assistance - Add the TCURAP-XYZ group (be sure to
include the TCU\)

4.  Make sure the department has a TCU WinXP Firewall GPO with the
following entries:

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe

%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe

%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe

%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe


Bryan Lucas
Server Administrator
Texas Christian University
>
> PS: forgot to mention. XP box is a domain member, windows firewall 
> disabled
>
> Mike Guest
> IT Solutions
> *HML
> *Padiham DDI: +44 (0)1282 682550
> Internal Extension: (61) 2550
>
>
> *From:* Mike Guest
> *Sent:* 24 October 2006 10:30
> *To:* activedir@mail.activedir.org
> *Subject:* [ActiveDir] OT: Issue with remote assistance offers
>
> Anyone seen this before?
>
> I have an xp box sitting behind an internal firewall (long story) that
> I want to be able to offer unsolicited remote assistance to. I can
> already RDP to the box, but the session on that box I want to offer
> assistance to is already an RDP session, so that solution's out.
>
> I have opened TCP135 and 3389. I can create an offer on the remote
> system (as a file), move it to my machine and successfully initiate an
> RA session.
>
> However, when I try to initiate an RA session without an invite, the
> help and support center window freezes for about 30 seconds then tells
> me "The remote machine does not exist or is unavailable" - I've tried
> both by name and by IP
>
> I've double-checked with a port scanner and 135 is definitely open (as
> is 3389, but I couldn't do the invited RA or RDP without that)
>
> Anybody?
>
> Thanks
>
>
>
> *
> This email is intended only for the addressee named above. As this 
> email may contain confidential or privileged information, if you are 
> not the named addressee or receive this message in error, please 
> notify us immediately, delete it and do not make use of or copy it.
>
> This message is protected by copyright. HML accepts no responsibility 
> for viruses found in this message or any file attachment.
>
> Homeloan Management Limited
> Registered in England No. 2214839
> 1 Providence Place, Skipton, North Yorkshire BD23 2HL
>
> **
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
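The AuthorizedApplications entries in Bryan's notes are colon-separated `path:scope:flag:name` strings. As an added example (not code from the notes or the thread), here is a Python checker that parses entries in that format, validates the scope field, and reports whether the three Remote Assistance binaries are enabled and which enabled entries are open to any address (`*`); the extra sample entries are constructed.

```python
"""Checker for Windows Firewall (XP SP2) AuthorizedApplications policy entries.

Each entry has the form  <path>:<scope>:<enabled|disabled>:<display name>,
where scope is '*' (any address) or a comma-separated list of 'LocalSubnet',
single IPv4 addresses, or subnets in prefix or dotted-mask form.
Added example, not from the thread; the three Remote Assistance entries are the
ones from Bryan's notes, the other sample entries are constructed.
"""
import ipaddress
from dataclasses import dataclass

# The three binaries the notes say Remote Assistance needs allowed.
REQUIRED_RA_BINARIES = (
    r"%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe",
    r"%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe",
    r"%systemroot%\system32\sessmgr.exe",
)

RA_ENTRIES = (
    r"%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe",
    r"%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe",
    r"%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe",
)

# Constructed entries exercising the failure modes the checker reports.
CONSTRUCTED_ENTRIES = (
    RA_ENTRIES[0],
    RA_ENTRIES[1],
    r"%systemroot%\system32\sessmgr.exe:*:disabled:sessmgr.exe",  # present but off
    r"C:\Program Files\Foo\foo.exe:LocalSubnet,10.0.0.0/255.0.0.0:enabled:foo.exe",
    r"C:\bad.exe:*:yes:bad.exe",                                   # bad flag
    r"C:\bad2.exe:notasubnet:enabled:bad2.exe",                    # bad scope
)


@dataclass(frozen=True)
class FirewallAppEntry:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_entry(raw: str) -> FirewallAppEntry:
    """Split an entry into its four fields.

    The path itself may contain ':' (drive letters), so split from the right:
    the last three fields are scope, enabled flag and display name.
    """
    parts = raw.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {raw!r}")
    path, scope, flag, name = parts
    flag = flag.strip().lower()
    if flag not in ("enabled", "disabled"):
        raise ValueError(f"flag must be 'enabled' or 'disabled': {raw!r}")
    if not path or not name:
        raise ValueError(f"empty path or display name: {raw!r}")
    return FirewallAppEntry(path, scope, flag == "enabled", name)


def parse_scope(scope: str) -> list:
    """Validate a scope field; returns normalised tokens or raises ValueError."""
    if scope == "*":
        return ["*"]
    tokens = []
    for tok in scope.split(","):
        tok = tok.strip()
        if tok.lower() == "localsubnet":
            tokens.append("LocalSubnet")
        else:
            # Accepts 10.1.2.3, 10.0.0.0/8 and 10.0.0.0/255.0.0.0; junk raises.
            tokens.append(str(ipaddress.ip_network(tok, strict=False)))
    return tokens


def audit(raw_entries) -> dict:
    """Report unparsable entries, enabled entries open to any address, and
    required Remote Assistance binaries that are absent or disabled."""
    findings = {"invalid": [], "broad_scope": [], "missing": []}
    enabled_paths = set()
    for raw in raw_entries:
        try:
            entry = parse_entry(raw)
            parse_scope(entry.scope)
        except ValueError as err:
            findings["invalid"].append(str(err))
            continue
        if not entry.enabled:
            continue
        enabled_paths.add(entry.path.lower())
        if entry.scope == "*":
            findings["broad_scope"].append(entry.path)
    for required in REQUIRED_RA_BINARIES:
        if required.lower() not in enabled_paths:
            findings["missing"].append(required)
    return findings


if __name__ == "__main__":
    for label, entries in (("notes", RA_ENTRIES), ("constructed", CONSTRUCTED_ENTRIES)):
        print(label, audit(entries))
```

The notes' own entries parse cleanly but all three use the `*` scope; limiting them to `LocalSubnet` or the helpdesk subnets is the usual tightening when the RA offerers live on a known network.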


RE: [ActiveDir] Blocking IE7

2006-10-23 Thread Lucas, Bryan
1) We do use restricted groups and we do it with local accounts.  The
UID is the same "local_admin" but the password is unique for each
machine.  Yes, I realize they can add themselves, but as I said not
having it by default is a huge advantage.

2) I agree with your assessment of need.  It is a political issue, not a
function of special software/hardware needs in an academic environment.
It might make more sense if I used the phrase academic freedom.  It just
simply isn't the same as a corporate environment where policy can be
mandated more easily.

3) We have a number of enterprise products that have not certified IE7
yet.  If we roll it out, we move into "unsupported" territory.  
3a) We also need to complete our compatibility and deployment testing.
 
Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 23, 2006 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

If they have local admin rights, it's a trivial task to add their
non-admin (are you referring to non-domain-admin?) domain account to the
local administrator's group and be done with silly restrictions.  Unless
you're controlling local admin group membership via GPO - but since
you're using unique local administrative accounts I'm thinking you're
not controlling membership via GPO.

You stated that they have local admin rights because taking them away is
not an easy thing to do - since you are an academic environment.  Well,
I think that's a political thing, not something related to the
environment you're in.  Everyone "needs" admin access, just ask them.
It's not just an academic thing.  Of course, you didn't ask us (or me)
an opinion on admin rights.  I just wanted to point out that if you have
problems related to that, you might want to revisit the issue and know
that [IMHO] the "need" for admin rights is not a special academic
environment need.

Anyway I probably missed a post somewhere, but why the Herculean efforts
to block IE7?  I'm just curious.  

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Sunday, October 22, 2006 1:32 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7


Yes but my point was that the moment you decide "We're gonna give
{someone} admin rights" you've totally conceded control of the machine
and you're reliant on their co-operation. If someone wants IE7 on their
machine in your environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with
academic environments.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from
users is not an easy thing to accomplish.  The compromise was to have
their domain account (which they are logged in as 99% of the time) a
non-admin, but then give them the admin rights in the form of a separate
local account unique to their workstation.

This makes them safer while browsing and requires them to go through a
very conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served
as a training ground both for us and the users for the upcoming Vista
model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock
down the ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server A

RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Lucas, Bryan
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Lucas, Bryan
Yes/No - Because we are an academic environment, the best we could do was to 
make our users domain account a "user" but give them their own local admin 
account.  We use restricted groups to enforce.

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Thursday, October 19, 2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Are your users local admins?  Only admins can approve IE7 for install.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet 
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update 
sites, from the Microsoft Download Center, or from external media. 

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Lucas, Bryan
I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet 
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update 
sites, from the Microsoft Download Center, or from external media. 

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Blocking IE7

2006-10-19 Thread Lucas, Bryan

I see how to block IE7 from deploying through WSUS, but what
I don’t see is a way to block a user from manually installing it.

 

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

 

Our users are 90% XP SP2 and managed through GP.  What
about building a restricted software GPO that has a hash of iesetup7.exe (if
that even exists)?

 

I want to restrict them from getting it through
microsoftupdate.com as well.

 

Bryan Lucas

Server Administrator

Texas Christian University

 
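To make the "hash rule combined with a filename rule" reasoning from this thread concrete, here is an added Python model (not the Blocker Toolkit's or any poster's code) of how Software Restriction Policies evaluate a hash rule and a path rule against a file; the installer bytes, file names and the `*\iesetup7.exe` pattern are constructed assumptions, while the hash-before-path precedence and the hash-plus-size matching follow SRP's documented behaviour.

```python
"""Model of how Software Restriction Policies combine a hash rule and a path
rule, to check the "hash rule plus filename rule" reasoning in the thread.

Added example, not the Blocker Toolkit's or the thread's code. The installer
bytes, file names and the path pattern are constructed; the rule precedence
(hash rules are evaluated before path rules) is SRP's documented ordering, and
the hash rule records MD5 plus file size as XP-era SRP does.
"""
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HashRule:
    md5: str
    size: int
    level: str = "Disallowed"


@dataclass(frozen=True)
class PathRule:
    pattern: str          # case-insensitive glob over the full path
    level: str = "Disallowed"


def md5_hex(content: bytes) -> str:
    return hashlib.md5(content).hexdigest()


def make_hash_rule(content: bytes, level: str = "Disallowed") -> HashRule:
    """Hash rule for one specific build of a file."""
    return HashRule(md5=md5_hex(content), size=len(content), level=level)


def evaluate(path: str, content: bytes, hash_rules, path_rules,
             default: str = "Unrestricted"):
    """Return (level, rule_kind) for a file: hash rules win over path rules,
    and when nothing matches the default security level applies."""
    digest = md5_hex(content)
    for rule in hash_rules:
        if rule.md5 == digest and rule.size == len(content):
            return rule.level, "hash"
    for rule in path_rules:
        if fnmatch.fnmatchcase(path.lower(), rule.pattern.lower()):
            return rule.level, "path"
    return default, None


# Constructed stand-ins for the IE7 installer as first seen and as a later build.
ORIGINAL_BUILD = b"constructed iesetup7 build 1"
NEWER_BUILD = b"constructed iesetup7 build 2 (different bytes)"

HASH_RULES = [make_hash_rule(ORIGINAL_BUILD)]
PATH_RULES = [PathRule(pattern=r"*\iesetup7.exe")]


def coverage_matrix() -> dict:
    """Which of the four 'what changed' cases each rule still catches."""
    cases = {
        "same name, same bytes": (r"C:\Downloads\IESETUP7.EXE", ORIGINAL_BUILD),
        "renamed, same bytes": (r"C:\Downloads\setup.exe", ORIGINAL_BUILD),
        "same name, new build": (r"C:\Downloads\iesetup7.exe", NEWER_BUILD),
        "renamed, new build": (r"C:\Downloads\setup.exe", NEWER_BUILD),
    }
    return {name: evaluate(path, data, HASH_RULES, PATH_RULES)
            for name, (path, data) in cases.items()}


if __name__ == "__main__":
    for case, (level, kind) in coverage_matrix().items():
        print(f"{case:24s} -> {level} ({kind or 'no rule matched'})")
```

Only the fourth case (new build under a new name) falls through to the default level, which is exactly the "unless they change both on me" gap; each new installer build therefore needs its hash rule refreshed.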

RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Lucas, Bryan

I should probably expand on my reasoning.   

 

We have 5 DCs now with 2 of them in
a separate physical location (same campus), so we do have plenty of redundancy
and performance.

 

My issue is I have an account provisioning
system that synchronizes various directories including AD.  It generates a
*ton* of entries in the Security
Log.  I also have some other apps/appliances that generate some logs as
well.  Our policy is to collect and archive all DC security logs.   If
I just don’t collect the logs from that DC but I don’t isolate it,
then I can potentially miss legitimate security logs.  

 

I worry that if I isolate it with IPSEC,
what tells Exchange to never try that DC again?  It seems like it
would introduce delay while the application/user workstation learns that the DC is
unavailable.

 

Thanks,

 
Bryan Lucas

Server Administrator

Texas Christian University


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

 

Isolating via site will
still leave the DC available in case of emergencies (your authentication DCs go
down), whereas IPSec makes them completely unavailable for any purposes for
clients.  I've actually never heard of anyone doing this and would consider
it a very bad idea unless you have significant redundancy in your 'normal'
environment. 

BTW, from a Microsoft presentation a little over a year ago, they have 4
Exchange server sites, only 1 of them (Redmond)
isolates their DCs from authentication and reserves it for Exchange, the other
3 use their Exchange (a *very* DC/GC intensive app) servers for authentication
also. 

Site is only a logical separation.  IPSec might as well be a physical
barrier.  Unless there is a serious reason why you would rather have none
of your clients to be able to authenticate instead of authenticating against
these DCs (as I said, in case of an emergency), then you should probably avoid
putting a IP filter on these boxes.  If you isolate via site, then the
only way that clients are going to authenticate against them is if all DCs are
down in their site, which since you're a single physical site org, means that
all of the authentication DCs are down, which is probably a more serious
problem than "OMG, a (gasp) *user* authenticated against my application
DC". 


On 9/13/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me.
We're a single site, single domain at a single physical location, but
the idea of building another site isn't appealing from a "keep it 
simple" perspective.

Are there any technical reasons why a separate site would be better than
isolation through IPSec?  Will I cause clients/apps, who initially don't
know they are denied, delays when they try to access the ipsec isolated
DC?

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that 
> they exist. They show you how to restrict communication with a specific
> server or network using IPSec.
>
I think what you're referring to is the excellent "Server and Domain
Isolation using IPSec" content, at: 

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, 
there's other content online that'll explain this a little more
concisely, such as this presentation from the Virginia Tech Windows
Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet..

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--

James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org


Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com 

  ca: https://www.cacert.org/index.php?id=3

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

 
RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Lucas, Bryan
Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me.
We're a single site, single domain at a single physical location, but
the idea of building another site isn't appealing from a "keep it
simple" perspective.  

Are there any technical reasons why a separate site would be better than
isolation through IPSec?  Will I cause clients/apps, who initially don't
know they are denied, delays when they try to access the ipsec isolated
DC?

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a
> specific server or network using IPSec.
I think what you're referring to is the excellent "Server and Domain
Isolation using IPSec" content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however,
there's other content online that'll explain this a little more
concisely, such as this presentation from the Virginia Tech Windows
Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet..

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

-- 
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
  ca: https://www.cacert.org/index.php?id=3

[ActiveDir] Isolating a DC

2006-09-12 Thread Lucas, Bryan

I’d like to isolate a DC from regular user authentication.  I only want certain applications/processes using it.  Obviously it will need to replicate with the other DC’s.  I don’t have an interface on the firewall to use, so I would probably have to do something software based on the DC itself.  Any recommendations on what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University
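
For the software-only isolation asked about in this thread, here is an added example; it is not code from the thread or from the Microsoft papers linked in the replies. It builds a local IPsec policy through the Windows Server 2003 netsh ipsec static context: replication partners (and one management host) may reach the DC on any protocol, two application servers may reach it only on the directory ports, and everything else addressed to the DC is dropped. It then withholds the DC's client-facing SRV records so ordinary clients never select it in the first place. Every address and name in it (the 10.1.x.x hosts, the DCIsolation policy, the filter-list names) is an assumption for illustration.

```powershell
# Added example, not code from the thread or from the Microsoft papers it links:
# isolate a Windows Server 2003 DC with the built-in IPsec policy engine so only
# replication partners and named application hosts can reach it. All addresses,
# the policy name and the filter-list names are assumptions; substitute your own.
# Run as an administrator on the DC being isolated.
$Policy   = 'DCIsolation'
$PeerDCs  = '10.1.0.11', '10.1.0.12', '10.1.0.13', '10.1.0.14'   # other DCs: replication, DNS, Kerberos, SYSVOL
$AppHosts = '10.1.5.20', '10.1.5.21'                              # e.g. the account-creation and portal servers
$Admin    = '10.1.9.5'                                            # management workstation

function Invoke-IpsecStatic([string]$Arguments) {
    # cmd.exe keeps netsh's name=value arguments away from PowerShell's own parser.
    cmd.exe /c "netsh ipsec static $Arguments" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $Arguments failed with $LASTEXITCODE" }
}

# Filter actions: plain permit (no IPsec negotiation) and a silent drop.
Invoke-IpsecStatic 'add filteraction name=Permit action=permit'
Invoke-IpsecStatic 'add filteraction name=Block action=block'

# Partner DCs (and the admin box) on every protocol: between DCs, replication
# uses RPC 135 plus the dynamic RPC range, LDAP 389/636, GC 3268/3269,
# Kerberos 88, DNS 53, SMB 445 and NTP 123. Filters are mirrored by default,
# so the same hosts are reachable outbound as well.
Invoke-IpsecStatic 'add filterlist name=PartnerDCs'
foreach ($ip in $PeerDCs + $Admin) {
    Invoke-IpsecStatic "add filter filterlist=PartnerDCs srcaddr=$ip dstaddr=me protocol=any"
}

# Application hosts get only the directory ports they bind to.
Invoke-IpsecStatic 'add filterlist name=AppHosts'
foreach ($ip in $AppHosts) {
    foreach ($port in 88, 389, 636, 3268, 3269) {
        Invoke-IpsecStatic "add filter filterlist=AppHosts srcaddr=$ip dstaddr=me protocol=tcp srcport=0 dstport=$port"
    }
}

# Everything else addressed to this host. IPsec applies the most specific
# matching filter, so the per-host permits above take precedence over this one.
Invoke-IpsecStatic 'add filterlist name=AllOthers'
Invoke-IpsecStatic 'add filter filterlist=AllOthers srcaddr=any dstaddr=me protocol=any'

Invoke-IpsecStatic "add policy name=$Policy description=Only_DCs_and_named_apps_may_reach_this_DC"
Invoke-IpsecStatic "add rule name=AllowDCs policy=$Policy filterlist=PartnerDCs filteraction=Permit"
Invoke-IpsecStatic "add rule name=AllowApps policy=$Policy filterlist=AppHosts filteraction=Permit"
Invoke-IpsecStatic "add rule name=DropRest policy=$Policy filterlist=AllOthers filteraction=Block"
Invoke-IpsecStatic "set policy name=$Policy assign=y"

# Keep ordinary clients from ever selecting this DC: withhold its client-facing
# locator records. DsaCname is deliberately NOT listed, because replication
# partners find this DC through that CNAME. The mnemonics are the documented
# DnsAvoidRegisterRecords values; check them against your OS build.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$avoid    = 'Ldap', 'LdapAtSite', 'LdapIpAddress', 'Gc', 'GcAtSite', 'GcIpAddress', 'GenericGc',
            'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite', 'DcByGuid',
            'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
Set-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords -Value $avoid -Type MultiString
Restart-Service -Name Netlogon
```

On the delay question raised in the follow-up: the Block action drops packets silently, so a client that has already cached this DC waits out its own timeout before the DC locator moves on. Withholding the SRV records is what removes that wait for normal clients; the records this DC registered before the change must be deleted from DNS or left to scavenge. Because netsh filters are mirrored by default, the catch-all also limits what the DC can reach outbound, so any non-DC host it must talk to (an external NTP source, WSUS, monitoring) needs its own permit entry, and a port the application really uses but you did not permit (464 for Kerberos password changes, or the SMB/RPC fallback that ADSI SetPassword uses when LDAPS and Kerberos are unavailable) shows up as a hang rather than an error. The policy is local and a local administrator can unassign it, so for anything lasting assign it through a GPO scoped to that one DC, and confirm the result with netsh ipsec static show all.
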
RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Lucas, Bryan

Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0?

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD.  The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University

[ActiveDir] Replication from ASP

2006-07-31 Thread Lucas, Bryan

Does anyone know how I force replication through ASP 2.0?

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD.  The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University
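
A way to close the race described in this post, as an added example that is not the poster's code or PeopleSoft's: it uses the System.DirectoryServices.ActiveDirectory classes of .NET 2.0 (the same ones an ASP.NET 2.0 page can call from C#) to pull the domain partition from the DC where the account was just created into the DC the portal is hard-wired to, then confirms the account is visible there before returning. The host names dc4.tcu.edu and dc5.tcu.edu, the partition DN and the account name jdoe are assumptions.

```powershell
# Added example, not the poster's code or PeopleSoft's: pull the domain partition
# from the DC where an account was just created into the DC the portal binds to,
# then confirm the account is visible there. Host names, partition DN and the
# account name are assumptions.
$SourceDc = 'dc5.tcu.edu'      # DC the account-creation page happened to use
$TargetDc = 'dc4.tcu.edu'      # the single DC PeopleSoft authenticates against
$DomainDn = 'DC=tcu,DC=edu'

function ConvertTo-LdapFilterLiteral([string]$Value) {
    # RFC 4515 escaping; the account name comes from a web form and must never be
    # spliced into a filter raw (LDAP filter injection).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Sync-AccountToDc {
    param([string]$Source, [string]$Target, [string]$Partition, [string]$SamAccountName)

    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $Target)
    $dc      = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)

    # Same operation as DsReplicaSync: $Target pulls $Partition from $Source now
    # instead of waiting for the intra-site notification delay. Needs the
    # Replication Synchronization right on the partition, not Domain Admins.
    $dc.SyncReplicaFromServer($Partition, $Source)

    # Verify on $Target specifically; a serverless LDAP:// bind could land anywhere.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Target/$Partition")
    $filter   = '(&(objectCategory=person)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterLiteral $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, @('distinguishedName'))
    $hit      = $searcher.FindOne()
    if ($null -eq $hit) { throw "$SamAccountName is still not visible on $Target after the sync" }
    return [string]$hit.Properties['distinguishedName'][0]
}

Sync-AccountToDc -Source $SourceDc -Target $TargetDc -Partition $DomainDn -SamAccountName 'jdoe'
```

The cheaper fix is to avoid the race altogether: have the account-creation page bind to the portal's DC explicitly (LDAP://dc4.tcu.edu/OU=...,DC=tcu,DC=edu rather than a serverless LDAP:// path), so the object is born on the DC that will authenticate it. Either way, the identity the web page runs as needs only the Replication Synchronization right on the partition for SyncReplicaFromServer, and the sAMAccountName must be escaped before it goes into an LDAP filter, as ConvertTo-LdapFilterLiteral does.
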

RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-07-27 Thread Lucas, Bryan

Thanks to all for the responses.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC

You need to run forestprep from the R2 CD on your schema master.

Paul has a nice summary here:

http://www.msresource.net/content/view/60/47/

and more from Microsoft

http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

Thanks

Mike

On 7/27/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4.  I'd like to add a new DC that is Win2003 R2.  Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

[ActiveDir] Adding the first Win2003 R2 DC

2006-07-27 Thread Lucas, Bryan

I have 4 DC’s that are Win2003 SP1 and 1 DC that is still Win2000 SP4.  I’d like to add a new DC that is Win2003 R2.  Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
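
Before and after the forestprep recommended in the replies, the schema version tells you where the forest stands. As an added example (not from the thread), this reads objectVersion from the schema master itself, located through fSMORoleOwner, so replication lag to whichever DC you happened to bind to cannot mislead it. The version numbers it recognises are the published ones: 13 for Windows 2000, 30 for Windows Server 2003, 31 after the Windows Server 2003 R2 forestprep. Nothing else is assumed; every name is read from rootDSE.

```powershell
# Added example, not from the thread: report the forest schema version as seen on
# the schema master, so you can tell whether the R2 forestprep has run. No names
# are assumed; everything is discovered from rootDSE.
function Get-ForestSchemaState {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $schemaDn = [string]$rootDse.Properties['schemaNamingContext'][0]
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaDn")

    # fSMORoleOwner on the schema container is the NTDS Settings object of the
    # schema master; its parent is the server object carrying dNSHostName.
    $ntdsDn = [string]$schema.Properties['fSMORoleOwner'][0]
    $ntds   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ntdsDn")
    $master = [string]$ntds.Parent.Properties['dNSHostName'][0]

    # Read objectVersion from the master itself, not from whichever DC answered
    # the serverless bind above, so replication lag cannot mislead the check.
    $onMaster = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$master/$schemaDn")
    $version  = [int]$onMaster.Properties['objectVersion'][0]

    $known = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }
    $level = if ($known.ContainsKey($version)) { $known[$version] } else { "later than R2 (objectVersion $version)" }

    New-Object PSObject -Property @{
        SchemaMaster     = $master
        ObjectVersion    = $version
        SchemaLevel      = $level
        R2ForestPrepDone = ($version -ge 31)
    }
}

Get-ForestSchemaState | Format-List
```

Run it once to confirm the forest is at 30 before adprep /forestprep (on the second R2 disc, under CMPNENTS\R2\ADPREP), and again afterwards to see 31 on the schema master before the new DC is promoted; the Windows 2000 DC receives the schema changes through normal replication like every other DC.
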
RE: [ActiveDir] Securing DFS

2006-07-25 Thread Lucas, Bryan

Thanks to all for the helpful feedback so far.

1) Great, I’ll look at changing the Everyone down to READ and perhaps pursue the Authenticated Users as well.
2) Yes, we’re currently only replicating the hierarchy of shares and not doing file-replication.  Our few tests of file replication a long time ago did not go very well so we’ve never pursued it since.
3) I glanced over the improvements in R2 and it certainly makes sense to upgrade.  Is it possible to upgrade/migrate or does it require building a new root.  Here is how we are setup.

We currently have 5 DC’s.

DC3 is the sole Win2000 SP4 and houses the only DFS root we have:  \\tcu.edu\dfs1  There is no replication of the root structure at the moment.

DC4 through DC7 are Win2003 SP1

All of our users and processes reference that root path (e.g. \\tcu.edu\dfs1\sharename) and changing the name would be a nightmare.  Maximum downtime would probably be 48-72 if the new root couldn’t be brought up with the same name simultaneously on another DC.

Upgrading DC3 is potentially an option, however it is much older hardware.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 25, 2006 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

Good call, if not using replication then 2000 does a dfs root just fine

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

changing the permissions to read only on the DFS roots is no issue at all (doesn't matter what type of server the root is hosted on - DC or member). I'd actually replace everyone with Auth. Users at the same time.

as for Kevin's other comment on using Win2000 for DFS vs. Win2003 or R2 - totally agree that especially R2 has extensive improvements in the DFS service itself and especially in the file-replication engine (DFS-R). But if Bryan is not using file-replication in this Win2000 environment and "only" needs to build a hierarchy of shares, he can already get quite far with Win2000 DFS roots.  Of course there have been advancements such as multiple DFS roots per server in 2003 and further cool stuff for the basic DFS service in R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need them.

Fully agree though, if file replication is involved, DFS-R in R2 is much preferred over FRS in Win2000 and Win2003 (RTM). Really depends on your situation if you need it.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 24, 2006 11:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

I have never had any problems caused by changing permissions on a DFS root.  One thing to consider before you move too far down the road of configuration though is if you really want to invest in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust and reliable.  I have had and heard of countless problems with 2000 DFS.  I have not had any problems with 2003 R2 DFS at all.  If you decide to move forward with 2000 DFS, be aware that they will probably stop replicating occasionally.  You will then spend hours troubleshooting.  Seriously it is worth building this on 2003 R2 servers even if you don’t currently have any, if you are doing anything with DFS.  I know that is not what you are asking, sorry.

Anyone disagree?

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS

We built a DFS Root on a windows 2000 domain controller and the root of the share has “Everyone” Full Control.  E.g. if I go to \\domain.com, right click on the dfs root’s properties, the security tab.

Can I simply take FC away?  I’m a bit hesitant because it lives on the DC and came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University

[ActiveDir] Securing DFS

2006-07-24 Thread Lucas, Bryan

We built a DFS Root on a windows 2000 domain controller and the root of the share has “Everyone” Full Control.  E.g. if I go to \\domain.com, right click on the dfs root’s properties, the security tab.

Can I simply take FC away?  I’m a bit hesitant because it lives on the DC and came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Log On To...

2006-07-13 Thread Lucas, Bryan

We use this setting heavily for certain classes of users and it works great.  We do exactly what you’re saying, only put the workstations they should use in the list and it does restrict them from logging in elsewhere.  Maybe replication is your culprit?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, July 13, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Log On To...

On the Account tab of the User Properties window in ADUC there is a 'Log On To...' button which - I thought - limited the user's ability to logon to only workstations specified.

I applied restrictions to an account in our domain and they did not work.  In other words, the restricted account was able to logon to a workstation not specified in the list.

What did I miss?  Is there a group policy setting that may be over-riding the setting?  How do I go about troubleshooting this?

Thanks in advance.

Tim
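
One way to test the replication suspicion raised in the reply above, as an added example that is not from either poster: read userWorkstations, the attribute behind the Log On To... button, from each DC by name, so you can see whether the DC that handled the unexpected logon has the new value yet. The account name jdoe is an assumption.

```powershell
# Added example, not from either poster: read userWorkstations, the attribute
# behind "Log On To...", for one account from every DC in the domain. The
# account name is an assumption.
function Get-LogonWorkstationsPerDc([string]$SamAccountName) {
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domainDn = [string]$domain.GetDirectoryEntry().Properties['distinguishedName'][0]
    # Escape the name before it goes into a filter (RFC 4515).
    $escaped  = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $perDc    = @{}

    foreach ($dc in $domain.DomainControllers) {
        # Bind to each DC by name; a serverless LDAP:// bind would pick one for you
        # and hide exactly the difference you are looking for.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$domainDn")
        $s    = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=person)(sAMAccountName=$escaped))", @('userWorkstations', 'whenChanged'))
        $hit  = $s.FindOne()
        if ($hit -and $hit.Properties['userWorkstations'].Count -gt 0) {
            $perDc[$dc.Name] = '{0}  (whenChanged {1})' -f $hit.Properties['userWorkstations'][0], $hit.Properties['whenChanged'][0]
        } else {
            $perDc[$dc.Name] = '<no restriction on this DC>'
        }
    }
    return $perDc
}

Get-LogonWorkstationsPerDc 'jdoe' | Format-Table -AutoSize
```

If every DC already shows the right list, look at the client side instead: the restriction is checked against the NetBIOS computer name the client puts in its logon request, so it depends on NetBIOS names and, because that name is client-supplied, it is a convenience control rather than a security boundary. repadmin /showobjmeta <dc> <userDN> shows the attribute's version and originating DC when you want replication metadata rather than values.
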
RE: [ActiveDir] SFTP with AD Auth

2006-07-12 Thread Lucas, Bryan

We’re just now rolling into production with Globalscape’s product.  Mixed feelings about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

I just thought I'd poll everyone to see what is being used as a SFTP server.  Because of the politics of the arena here, the server will have to be on a member server and not on a DC itself - which I can't think would make much of a difference.

The users will be accessing their home dirs only.  I've found a couple of packages just by doing some google searches:

FreeSTP doesn't look like it works unless it's actually on a DC.  Although I haven't confirmed that yet.

SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you need their client to connect to the server.  I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, Etc).

I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul

-- 
***
"I've got a fever and the only prescription is more cowbell."--Christopher Walken
***

[ActiveDir] DFS Roots insecure

2006-07-10 Thread Lucas, Bryan

The actual physical file folder of the DFS root has "Everyone" with full control.  This is how it was by default which has led to a small amount of garbage files being placed there by uneducated users.

1) Can I change the NTFS perms on the root? If so, how or can you point me to a KB, google isn't turning anything up so far.
2) There are a few files in the 30 or so that are there that might potentially be system created.  Is it safe to delete any files (not folders) in the DFS root or are there some system files there.  Any known listing of them I can compare against?
    E.g. 121202b.HAF (142MB)
    DFSLinknamePOSB1CHK1PM.txt (41KB)
    DFSLinknamePOSB1CHK2PM.txt (31KB)
    AcTpCatalog.atc (1kb)

The others are .xls, .doc, etc that are obviously user created.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
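
For both DFS-root questions on this page (the Securing DFS thread about Everyone:Full Control on the root, and this post about the physical folder), an added example that is not the list's or Microsoft's code. It saves the folder's current ACL as SDDL for rollback, stops inheritance, removes every Everyone entry, grants Authenticated Users read-and-execute with Administrators and SYSTEM at full control, and separately lists what sits at the top level of the root, telling DFS link reparse points apart from ordinary folders and files. The path D:\DFSRoots\dfs1 is an assumption.

```powershell
# Added example, not the list's or Microsoft's code: tighten the NTFS ACL on the
# physical folder behind a DFS root and list what sits at its top level.
# $RootFolder is an assumption; substitute the folder backing \\tcu.edu\dfs1.
$RootFolder = 'D:\DFSRoots\dfs1'

function Get-DfsRootTopLevel([string]$Path) {
    # DFS links are folders flagged as reparse points; anything else directly in
    # the root was put there by a user or an application, never by DFS itself.
    foreach ($item in Get-ChildItem -Path $Path -Force) {
        $isReparse = (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
        $kind = if ($item.PSIsContainer -and $isReparse) { 'DFS link' }
                elseif ($item.PSIsContainer)             { 'plain folder' }
                else                                     { 'file' }
        New-Object PSObject -Property @{ Name = $item.Name; Kind = $kind; Bytes = $item.Length }
    }
}

function Set-DfsRootAcl([string]$Path, [string]$BackupFile) {
    $acl = Get-Acl -Path $Path
    Set-Content -Path $BackupFile -Value $acl.Sddl        # rollback: rebuild an ACL from this SDDL and Set-Acl it

    # Step 1: stop inheriting from the parent, keeping the inherited entries as
    # explicit copies, and persist that so the copies can be edited.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: drop every entry that belongs to Everyone and add the intended grants.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount('Everyone')))

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $grants  = @(
        @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute'),   # browse the root and follow links
        @('BUILTIN\Administrators',           'FullControl'),
        @('NT AUTHORITY\SYSTEM',              'FullControl')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    return (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Get-DfsRootTopLevel -Path $RootFolder | Format-Table Kind, Name, Bytes -AutoSize
Set-DfsRootAcl -Path $RootFolder -BackupFile "$RootFolder.acl.sddl" | Format-Table -AutoSize
```

DFS keeps a domain root's configuration in Active Directory and the registry, not in files under the root folder, and the links appear as reparse-point folders, so a plain file at the top level was not created by DFS; which of the four files named above are safe to remove is still something only their owners can say. The share-level permission on the root share is a separate ACL from the NTFS one this script changes, and each link target keeps its own permissions.
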
RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-12 Thread Lucas, Bryan

The paper on running a DC on a VM is interesting, particularly this section.  What is Virtual Machine Additions and where do you get it?  Why wouldn’t they just include this in the default install?

You can improve performance by installing Virtual Machine Additions as soon as the guest operating system is up and running. Virtual Machine Additions is a set of features that improves the integration of the host and guest operating systems. It also improves the performance and manageability of the guest operating system. You must install Virtual Machine Additions on all virtual machines. Virtual Machine Additions adds the following enhancements to a guest operating system:

· Improved mouse cursor tracking and control.
· Greatly improved overall performance.
· Virtual machine heartbeat generator.
· Optional time synchronization with the clock of the physical computer. This feature is enabled by default and must be disabled for domain controllers that are running in virtual machines.
· Increased small computer system interface (SCSI) controller performance.
· Support for two-node clustering between virtual machines for testing and development scenarios.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 12, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

There's this:

http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

And then
http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx

And

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

But now that you mention it, I don't think a collective best practice for general usage is something I've seen.

On 6/12/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

Re-post

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server?  How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true.  I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise).  I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware.  I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require.  After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world).  We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production).  I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.  Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.actived

Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-12 Thread Lucas, Bryan

Re-post

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server?  How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true.  I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise).  I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware.  I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require.  After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world).  We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production).  I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.  Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I’d say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you’re going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently – Tony has a search widget on the website for this DL. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios...  if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time.  ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual D

[ActiveDir] Client Side Group Policy / fixing secedit.sdb

2006-06-08 Thread Lucas, Bryan

We have discovered several machines that were spitting out SceCli 1202 warnings (Security policies were propagated with warning. 0x4b8) in the Event Log.  We found that our secedit.sdb on one of our sysprep’d images was corrupted.  On the problematic PC’s, we did a

esentutl /p %SystemRoot%\security\database\secedit.sdb

which repaired the security database and upon reboot the warning disappeared and policies began taking effect.

My questions:

1)   Is there something inherently dangerous with imaging (even following the SysPrep rules) that caused our secedit.sdb to become corrupted or did we just get unlucky?  I.e. Has anyone seen any problems with imaging and secedit.sdb?

2)   Are there any additional steps to take with the database (I just read that repair command out of an article) or anywhere else?  I noticed an edbtemp.log in the ..\windows\security folder but it eventually disappears and that entire folder looks back to normal.  What is update.sdb in the database folder and why isn’t it being updated?

3)   PSEXEC – If you are familiar with this utility from sysinternals, can you help me take the command above and make it work?  I tried all variations of quotes and full path names, but I couldn’t get it to work.  Closest I got was esentutl would start but hang.

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
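
For the third question above (driving the repair over PsExec), an added example that is not the poster's script: it first finds machines that have logged the SceCli 1202 / 0x4b8 warning, backs up secedit.sdb, runs an integrity check (esentutl /g) and only repairs (/p) when that check fails, then forces a policy refresh. It runs esentutl through cmd.exe as LocalSystem so that %SystemRoot% expands on the remote machine, and pipes a y to it in case that build asks for confirmation, which a console-less PsExec session could otherwise never answer. The computer names, the PsExec path and the seven-day window are assumptions.

```powershell
# Added example, not the poster's script: locate machines that logged
# SceCli 1202 (0x4b8) and repair their local security database over PsExec.
# $Computers, $PsExec and the seven-day window are assumptions.
$Computers = 'LAB-PC01', 'LAB-PC02'
$PsExec    = 'C:\Tools\PsExec.exe'
$Since     = (Get-Date).AddDays(-7)

function Test-ScecliWarning([string]$Computer, [datetime]$After) {
    # The symptom described above: event 1202 from source SceCli carrying 0x4b8.
    $hits = Get-EventLog -ComputerName $Computer -LogName Application -Source SceCli -After $After -ErrorAction Stop |
            Where-Object { $_.EventID -eq 1202 -and $_.Message -match '0x4b8' }
    return (@($hits).Count -gt 0)
}

function Repair-SecurityDatabase([string]$Computer) {
    $db  = '%SystemRoot%\security\database\secedit.sdb'
    $bak = '%SystemRoot%\security\database\secedit.sdb.bak'
    # -s runs as LocalSystem so the file is writable and %SystemRoot% expands on
    # the remote side; cmd /c carries the whole quoted command line through PsExec.
    & $PsExec "\\$Computer" -s -accepteula cmd /c "copy /y $db $bak && esentutl /g $db"
    if ($LASTEXITCODE -eq 0) { return 'clean' }          # /g passed: nothing to repair

    # Repair rewrites the file in place. The piped "y" answers the confirmation
    # prompt shown by some builds of esentutl and is harmless where there is none.
    & $PsExec "\\$Computer" -s -accepteula cmd /c "echo y| esentutl /p $db"
    if ($LASTEXITCODE -ne 0) { return "repair failed ($LASTEXITCODE)" }

    # The rebuilt database is only read at the next policy refresh.
    & $PsExec "\\$Computer" -s -accepteula gpupdate /force | Out-Null
    return 'repaired'
}

foreach ($pc in $Computers) {
    if (Test-ScecliWarning -Computer $pc -After $Since) {
        Write-Output ('{0}: {1}' -f $pc, (Repair-SecurityDatabase -Computer $pc))
    } else {
        Write-Output "${pc}: no SceCli 1202/0x4b8 since $Since"
    }
}
```

Repair (/p) discards whatever it cannot read, which is why the integrity check and the backup come first; the rebuilt database takes effect at the next policy refresh, so the gpupdate /force at the end stands in for the reboot described above. A machine that keeps logging 1202 with 0x4b8 after a clean /g has a different problem, most often an account or group named in the policy (typically under user rights assignment) that the client cannot resolve.
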
RE: [ActiveDir] Virtual DCs

2006-06-08 Thread Lucas, Bryan

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server?  How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true.  I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise).  I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware.  I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require.  After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world).  We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production).  I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.  Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I’d say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you’re going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently – Tony has a search widget on the website for this DL. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios...  if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time.  ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Lucas, Bryan

Just because it’s a VM, doesn’t mean you can stop managing it.  You still have to patch it, monitor it, upgrade it, etc.  Only thing it buys you from a management perspective is less hardware to manage.  How often are you managing your physical hardware?  If the answer is a lot, then maybe you should look at better hardware ;)

IMHO, I think VM’s are a great thing, but I’m not sure I’d turn *all* of my DC’s into VM’s.  Typically we use them for DEV/TEST and lightly used web/app servers.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, June 06, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I would agree with your comments whole heartedly.  I don’t think this is a good idea.  Add to the fact that we are running Exchange 2003 and all of our DCs are also GCs.

As to why “management” is directing us to do this, one can only surmise…My guess is they are thinking of this as a way to save on hardware costs and reduce the number of servers to be managed.

Thanks for your input.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios...  if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time.  ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VM Ware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?

RE: [ActiveDir] LDAP queries

2006-05-08 Thread Lucas, Bryan

Not an answer, but another question.  Do any of those queries find contact objects or do you not use them?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, May 08, 2006 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP queries

I’m using a Symantec Mail Security 8260 appliance that uses LDAP to prevent Directory Harvest attacks.  The problem is, the built-in queries are causing an issue with adding the LDAP server.  We have an empty root with several child domains.  Here are the queries:

Query start (Sync base DN): DC=domain,DC=com
User query: (|(mail=*)(proxyAddresses=*))
Group query: (&(!(mail=*))(!(proxyAddresses=*)))
Distribution list query: (|(mail=*)(proxyAddresses=*))

My question is, what other LDAP filters can I use instead of these to accomplish the result of querying for user SMTP addresses & distribution groups?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
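
An added example for the thread above, mine rather than Symantec's or Devon's: a small evaluator for the filter syntax the three queries use, run over a constructed handful of objects, to show what each built-in filter really returns and what scoping each one by objectCategory changes. The DNs and sample objects are made up. One thing the in-memory model cannot show but that matters with an empty root: a search against a root DC over port 389 covers only the root partition (child-domain objects come back as referrals), so a sync base of DC=domain,DC=com only spans the forest when the appliance queries a global catalog on port 3268; mail and proxyAddresses are both in the GC partial attribute set.

```python
"""Evaluate RFC 4515-style LDAP filters against in-memory directory objects.

Added example for the Symantec filter thread; not the appliance's code and
not from the original post. Supports the subset the appliance filters use:
presence (attr=*), equality (attr=value) and the &, |, ! operators.
Every object below is constructed sample data.
"""


def parse_filter(text):
    """Parse a complete filter string into a nested tuple AST."""
    ast, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter at offset {end}")
    return ast


def _parse(s, pos):
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    end = s.index(")", pos)                       # ValueError if unterminated
    attr, sep, value = s[pos:end].partition("=")
    if not attr or sep != "=":
        raise ValueError(f"malformed item filter at offset {pos}")
    return ("=", attr.lower(), value), end + 1


def matches(ast, obj):
    """True if the object (attribute name -> list of values) satisfies the filter."""
    op = ast[0]
    if op == "&":
        return all(matches(c, obj) for c in ast[1])
    if op == "|":
        return any(matches(c, obj) for c in ast[1])
    if op == "!":
        return not matches(ast[1][0], obj)
    _, attr, value = ast
    values = obj.get(attr, [])
    if value == "*":                              # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # AD string matching ignores case


def search(filter_text, directory):
    """Return the DNs in `directory` that match `filter_text`."""
    ast = parse_filter(filter_text)
    return [o["dn"] for o in directory if matches(ast, o)]


def _obj(dn, category, classes, **attrs):
    # AD stores objectCategory as a DN but resolves the class's lDAPDisplayName
    # in filters, so the short form is used in this constructed data.
    o = {"dn": dn, "objectcategory": [category], "objectclass": classes}
    o.update({k.lower(): v for k, v in attrs.items()})
    return o


# Constructed directory: two users, a mail-enabled contact, a DL, a security group, a computer.
SAMPLE_DIRECTORY = [
    _obj("CN=Alice,OU=Staff,DC=corp,DC=domain,DC=com", "person",
         ["top", "person", "organizationalPerson", "user"],
         mail=["alice@domain.com"], proxyAddresses=["SMTP:alice@domain.com"]),
    _obj("CN=svc-backup,OU=Service,DC=corp,DC=domain,DC=com", "person",
         ["top", "person", "organizationalPerson", "user"]),
    _obj("CN=Vendor Bob,OU=Contacts,DC=corp,DC=domain,DC=com", "person",
         ["top", "person", "organizationalPerson", "contact"], mail=["bob@vendor.example"]),
    _obj("CN=All Staff,OU=Lists,DC=corp,DC=domain,DC=com", "group", ["top", "group"],
         mail=["allstaff@domain.com"], proxyAddresses=["SMTP:allstaff@domain.com"]),
    _obj("CN=Domain Admins,CN=Users,DC=corp,DC=domain,DC=com", "group", ["top", "group"]),
    _obj("CN=PP1174,CN=Computers,DC=corp,DC=domain,DC=com", "computer",
         ["top", "person", "organizationalPerson", "user", "computer"]),
]

# The appliance's built-in filters, exactly as posted.
APPLIANCE_FILTERS = {
    "user": "(|(mail=*)(proxyAddresses=*))",
    "group": "(&(!(mail=*))(!(proxyAddresses=*)))",
    "distribution list": "(|(mail=*)(proxyAddresses=*))",
}

# Same intent, scoped by objectCategory so each query returns one object type.
# objectClass=user on its own also matches computers; objectCategory=person does not.
SCOPED_FILTERS = {
    "user": "(&(objectCategory=person)(objectClass=user)(|(mail=*)(proxyAddresses=*)))",
    "group": "(&(objectCategory=group)(!(mail=*))(!(proxyAddresses=*)))",
    "distribution list": "(&(objectCategory=group)(|(mail=*)(proxyAddresses=*)))",
}


def compare(directory=SAMPLE_DIRECTORY):
    """Return {query name: (appliance filter matches, scoped filter matches)}."""
    return {name: (search(APPLIANCE_FILTERS[name], directory),
                   search(SCOPED_FILTERS[name], directory)) for name in APPLIANCE_FILTERS}


if __name__ == "__main__":
    for name, (broad, scoped) in compare().items():
        print(f"{name}: appliance filter -> {len(broad)} objects; scoped -> {scoped}")
```

Run as-is it reports that the posted user query also returns the contact and the mail-enabled group, and that the posted group query returns users without a mailbox and computer objects, not groups.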

RE: [ActiveDir] InetOrgPersonFix.... Do I need it?

2006-05-04 Thread Lucas, Bryan
Stretching my memory banks... seems to me one of the steps of upgrading Exchange 2000-->2003 was to verify the changes made by the LDF import. Why not just look at the schema and see if the changes have already been made.

I interpret your email as you never had Exchange 2000, you started with 2003.  But I don't know if the InetOrg fix was put in the 2003 forestprep or not, sorry.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, May 04, 2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] InetOrgPersonFix.... Do I need it?

Quick question that I can't find a simple, definitive answer to with a Google search...

I've got an AD 2000 Forest (2000 FFL).  We're preparing to upgrade our first DC to Server 2003 (planning to use the ADPrep off the R2 CD). I've already verified the AD, FRS, and other items are running well so I'm just about ready to roll...

I've already got Exchange 2003 running on the forest/domain.  Do I need to run the InetOrgPersonFix.ldf in this environment or were the fixes incorporated into the Exchange 2003 forestprep/domainprep?

Everything I've read does specify an Exchange 2000 environment (including Joe & Robbie's 3rd edition book, p363). However, I thought it better to ask than to be sorry later that I didn't run it.

Joe Pochedley
"Software suppliers are trying to make their software packages more user-friendly... Their best approach, so far, has been to take all the old brochures, and stamp the words, 'user-friendly' on the cover."   - Bill Gates.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Easiest way to convert a SID to an account name?

2006-05-02 Thread Lucas, Bryan

Any suggestions?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
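
An added example, not from the thread. On a domain-joined box the direct answer is the LookupAccountSid API, e.g. in PowerShell (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-...').Translate([System.Security.Principal.NTAccount]), or win32security.LookupAccountSid from pywin32; both need a DC to resolve domain RIDs. What works offline, and what you need when the SID arrives as objectSid bytes from LDAP or as a string in an event log, is the conversion between binary and string form plus recognition of the SIDs and RIDs whose meaning is fixed. The code below is mine, the well-known tables are deliberately partial, and the SID values are taken from the Guest lockout event further down this page, where RID 501 identifies the built-in Guest account no matter what it has been renamed to.

```python
"""Binary <-> string SID conversion and well-known SID/RID recognition.

Added example, not from the thread. Resolving an arbitrary domain SID to a
name needs LookupAccountSid against a DC; this covers the offline part:
decoding objectSid bytes and recognising built-in principals whose identity
is fixed by the SID even after a rename. Both tables are partial.
"""
import struct

# Partial tables; extend from Microsoft's well-known SID list as needed.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": r"NT AUTHORITY\ANONYMOUS LOGON",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-546": r"BUILTIN\Guests",
}
WELL_KNOWN_RIDS = {          # relative IDs fixed when the domain is created
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def sid_to_string(data: bytes) -> str:
    """Decode the objectSid layout: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, e.g. for building an LDAP filter on objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe(sid: str) -> str:
    """Name a SID without a directory lookup wherever its meaning is fixed."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    # A domain SID is S-1-5-21-a-b-c; a principal in that domain appends one RID.
    if len(parts) == 8 and parts[1:4] == ["1", "5", "21"]:
        rid = int(parts[7])
        domain = "-".join(parts[:7])
        if rid in WELL_KNOWN_RIDS:
            return (f"{WELL_KNOWN_RIDS[rid]} (fixed RID {rid} in domain {domain}; "
                    "sAMAccountName may have been renamed)")
        return f"principal RID {rid} in domain {domain}: resolve with LookupAccountSid"
    return "unrecognised SID"


if __name__ == "__main__":
    for s in ("S-1-5-21-2142909598-1293495619-134157935-501", "S-1-5-32-544"):
        print(s, "->", describe(s))
```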

RE: [ActiveDir] Allowing users to manage security groups

2006-04-07 Thread Lucas, Bryan

Excellent!  I’ll try it out.  I just need this for a handful of people.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy SCHAN
Sent: Friday, April 07, 2006 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allowing users to manage security groups

For a crude approach (in my mind, not too practical to support), you can do this via the XP Search dialogue; open Search, pick "printers, computers, or people", then "people in your address book". In the "Find people" dialogue, select "Active Directory" as your source, then enter the group name in the "Name:" field as your search criteria. When the group is returned in the search results, assuming the “manager can update membership list” is properly set, you can add/delete members through the "Properties" General tab.

Yes, the search will return groups, and no, they don't have to be mail-enabled, assuming you set "Active Directory" in the search scope and not "Address Book".

As I said, not too practical to support, but it is possible without any 3rd party components.

Andy Schan
Titus International, Inc.

From: "Lucas, Bryan" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To:
Subject: [ActiveDir] Allowing users to manage security groups
Date: Fri, 7 Apr 2006 13:33:26 -0500

The “manager can update membership list” is great, but how does a user do that for a security group?  For a Distribution Group, they can use Outlook, but I don’t want to hand over the ADUC mmc snap-in to my users to manage security groups.

Does anyone have any recommendations on 3rd party products that allow a very controlled “self-service”, either through web or actual client?  What about any public ASP that does this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

[ActiveDir] Allowing users to manage security groups

2006-04-07 Thread Lucas, Bryan

The “manager can update membership list” is great, but how does a user do that for a security group?  For a Distribution Group, they can use Outlook, but I don’t want to hand over the ADUC mmc snap-in to my users to manage security groups.

Does anyone have any recommendations on 3rd party products that allow a very controlled “self-service”, either through web or actual client?  What about any public ASP that does this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

RE: [ActiveDir] View Delegated Tasks?

2006-04-05 Thread Lucas, Bryan

Thanks for the info

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, April 05, 2006 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

nope, they don't.

But you'd be doing something wrong, if you'd use any of the default groups to assign delegated permissions.  As such, you should ensure using a useful naming-convention for groups used for AD delegation to allow you to analyse the ACLs so that you understand what's delegated and what's default.

With a bit (or a lot) of extra scripting you could even "subtract" the default permissions from the existing rights on an object, so that you're left with the non-default rights => the default permissions for any AD object (e.g. organizationalUnit, user, group etc.) are stored in the defaultSecurity attribute of the respective schemaClass object in the AD schema.

Some good examples of scripts that handle AD ACLs (and ACLs on File System or Exchange mailboxes etc.) can be found in the Script-Kits on Alain Lissoir's site (handling ACLs is part of Volume 2)
http://users.skynet.be/alain.lissoir/wmibooks/Volume_1_ScriptKits.zip
http://users.skynet.be/alain.lissoir/wmibooks/Volume_2_ScriptKits.zip

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, 17 March 2006 22:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

Does the report or dsacls distinguish between delegated and default permissions?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 17, 2006 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

you can also use DSREVOKE in report mode to see where a certain security principal has been assigned delegated permissions in the domain partition

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 2006-03-17 19:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can use the dsacls command line tool if you want it in text view, or, in ADUC, View>Advanced Features, and then right click the OU, Properties, Security Tab. You can also get the ACL Editor view in ADSIEdit natively.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, March 17, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

[ActiveDir] Guest account locked out

2006-03-30 Thread Lucas, Bryan

Our built-in guest account gets locked out from time to time, generating 644 events in the DC’s security logs.  I’m trying to determine how it can get locked out because the account is disabled.  If I take a test box and hammer away at the guest account with bogus passwords I never get a lockout message, only “Your account has been disabled….”

Our account policy is as such:
Duration: 120m
Threshold: 5 attempts
Reset: 15 minutes

If I look at the caller machine, I see the same Event 515 (KSecDD) at the exact time the lockout occurs.  I also see just seconds before, 2 528’s and 2 576’s, Network Service logon/logoff and privilege uses (primary token privilege).  The computer accounts aren’t disabled.  It feels like the client is just renewing its token, but why would that involve the guest account (renamed to netgst)?

Event ID          : 644
Event Importance  : Critical importance event
Date & Time       : 3/30/2006 - 7:37:40 AM
Rule Triggered    : User Account Locked Out - 644 - Outside N.O.T - Medium - Win2k/Win2003 DC
Computer          : AD6
Event Log         : Security
Event Source      : Security
Event Category    : Account Management
Event Type        : Success Audit
S.E.L.M. Event ID : 1143560217_4988749
User Name         : NT AUTHORITY\SYSTEM
Operating System  : Windows 2003 Domain Controller

User Account Locked Out:
  Target Account Name: NetGst
  Target Account ID: %{S-1-5-21-2142909598-1293495619-134157935-501}
  Caller Machine Name: PP1174
  Caller User Name: AD6$
  Caller Domain: TCU
  Caller Logon ID: (0x0,0x3E7)
More Information:
User account named NetGst (account ID %{S-1-5-21-2142909598-1293495619-134157935-501}) has been locked out by User AD6$ from domain TCU (machine named PP1174).

Event Type:     Success Audit
Event Source:   Security
Event Category: System Event
Event ID:       515
Date:           3/30/2006
Time:           7:37:40 AM
User:           NT AUTHORITY\SYSTEM
Computer:       PP1174
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

  Logon Process Name: KSecDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

RE: [ActiveDir] Quiet? DEC? Related?

2006-03-29 Thread Lucas, Bryan

Do you believe that any 50-50 situation (coin toss) has ever gone heads-tails-heads-tails-heads-tails… and so on for ever?  Of course not.  Does that then mean that the odds change? Of course not.  But it does mean that there are small waves of heads and waves of tails.

Same in blackjack.  The book says to hit it yet I would put equal value on “feeling” the current wave.  Of course if you can at least keep a running count of big/small in the remaining deck that helps too.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Wednesday, March 29, 2006 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing...  :-)

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Don't worry we're still here.. ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?

Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!

- Brendan Moon

RE: [ActiveDir] DNS question

2006-03-20 Thread Lucas, Bryan
Any other comments?  I'm going to have to make a recommendation on this and am looking for as many opinions as possible.  Has anyone made these changes or does anyone foresee any other issues?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, March 18, 2006 1:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS question

You can remove the A records without any impact (if I remember they were for legacy LDAP clients) but this requires more work than just removing the records.  You will have to change the registry entry below to "0" to disable the registration of ALL A records, this includes some important DNS entries that will need to be entered as static records (see below).

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RegisterDNSARecords
Type: RegDWord
Value: 0/1 (default=1)

You will need to enter the following records statically, especially when adding a GC...

gc._msdcs.company.com. 600 IN A 192.168.0.1
ForestDnsZones.company.com. 600 IN A 192.168.0.1
DomainDnsZones.company.com. 600 IN A 192.168.0.1

Hope this helps.
-Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, March 17, 2006 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS question

Primary DNS server = 192.168.0.1 serves AD zone company.com
Web server for www.company.com = 192.168.50.50

A request is being made to have http://company.com resolve to 192.168.50.50.

My AD zone, company.com, already has an "A" record with no host value pointing to 192.168.0.1.  Specifically, it looks like this:

(same as parent folder)    Host (A)    192.168.0.1

It seems to me it would be very bad to change this, right?  That would mean that any DNS request for "company.com" would resolve to my webserver.  That would be good for the http requests, but horrible for everything else, like the clients and servers.

Is there any way to honor that request?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

[ActiveDir] DNS question

2006-03-17 Thread Lucas, Bryan
Primary DNS server = 192.168.0.1 serves AD zone company.com
Web server for www.company.com = 192.168.50.50

A request is being made to have http://company.com resolve to 192.168.50.50.

My AD zone, company.com, already has an "A" record with no host value pointing to 192.168.0.1.  Specifically, it looks like this:

(same as parent folder)    Host (A)    192.168.0.1

It seems to me it would be very bad to change this, right?  That would mean that any DNS request for "company.com" would resolve to my webserver.  That would be good for the http requests, but horrible for everything else, like the clients and servers.

Is there any way to honor that request?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

RE: [ActiveDir] View Delegated Tasks?

2006-03-17 Thread Lucas, Bryan

Does the report or dsacls distinguish between delegated and default permissions?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 17, 2006 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

you can also use DSREVOKE in report mode to see where a certain security principal has been assigned delegated permissions in the domain partition

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 2006-03-17 19:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can use the dsacls command line tool if you want it in text view, or, in ADUC, View>Advanced Features, and then right click the OU, Properties, Security Tab. You can also get the ACL Editor view in ADSIEdit natively.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, March 17, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Lucas, Bryan
So, does Intrust do these things:

"OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts"

Can you get granular and say show me all the changes to these groups, or these OU's, or when this account is used, etc?

Do you use Quest Reporter?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Monday, March 06, 2006 5:16 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - What to monitor?

Things I like to know about.

Administration Events

OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts

Domain Activities

Got one word for you: Replication!  AD's go bad when replication is out of whack... In my experience when it comes to replication you need to monitor both the Event Logs, but also the ports.  Also if a firewall goes anywhere between two replication partners, you then have to start to consider UDP fragmentation which manifests itself as broken trust and bad authentication attempts.

As for events, well the security event logs are a maze of Event ID's that I just rather not dig into unless I am required.  Both Quest and Netpro (probably NetIQ, MOM and some other tools out there I haven't evaluated as well) have some nice tools that make monitoring the security event logs a lot nicer.  I currently use Quest Intrust and Intrust for AD.  The nice thing about the AD product is that it creates a nice little Event Log for administration and logs those activities separately.  They put a hook into the LDAP service that intercepts the LDAP calls and logs them.

There are some KB articles out there that list several of the events. As one person suggests, reviewing Netpro, Quest, NetIQ's and HPs stuff also helps get an idea.  MoM also has some pretty slick admin packs that might be informative, but I see Mom more as a Big Picture Up/Down monitor, there is still a lot of value in Third-Party add-ons since most of these products offer add-ons to MoM as part of their features.

Todd

From: Ryan A. Conrad [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD - What to monitor?

You may want to start by looking at some commercial products and see what functions they perform and what they monitor.  NetPro's Change Auditor is great, and the MOM AD MP (entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product.

If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan

On 3/6/06, Adeel Ansari <[EMAIL PROTECTED]> wrote:

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD? and Why? I am talking in terms of Security events only to protect AD and also protect from attacks of any kind.

Obviously, one would monitor failed logon, too many accounts creations etc. What else should we monitor?

Regards,
Adeel
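
An added example, not from the thread and not any of the products named in it. It applies rules for some of the items on Todd's list (changes to critical security groups, logons by administrative accounts and the workstation they came from, the audit log being cleared) and adds lockout-source triage for the 644 events from the Guest account thread above, over a handful of constructed events written in the same Key: value layout as that 644 dump. The event IDs are the Windows 2000/2003 ones (644 account locked out; 632, 636 and 660 member added to a global, local or universal security group; 528 successful logon; 517 audit log cleared); the account names, the watch lists and the events themselves are made up. Lockouts are matched on the target SID's RID, not the account name, because the Guest account in that thread had been renamed.

```python
"""Watch-list rules over Windows 2000/2003 security events.

Added example, not from the thread and not a product's code. Event IDs are
the 2003-era ones; every event, name and watch-list entry is constructed.
"""
from collections import Counter

CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADMIN_ACCOUNTS = {"admin.bryan"}                      # constructed: always report these logons
GROUP_MEMBER_ADDED = {632: "global", 636: "local", 660: "universal"}
FIXED_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# Constructed records, one per block, in the Key: value layout of the posted 644 dump.
SAMPLE_EVENTS = """\
Event ID: 644 | Computer: AD6 | Time: 2006-03-30 07:37:40
User Account Locked Out:
  Target Account Name: NetGst
  Target Account ID: S-1-5-21-2142909598-1293495619-134157935-501
  Caller Machine Name: PP1174
  Caller User Name: AD6$
  Caller Domain: TCU
---
Event ID: 644 | Computer: AD6 | Time: 2006-03-30 09:12:03
User Account Locked Out:
  Target Account Name: NetGst
  Target Account ID: S-1-5-21-2142909598-1293495619-134157935-501
  Caller Machine Name: PP1174
  Caller User Name: AD6$
  Caller Domain: TCU
---
Event ID: 632 | Computer: AD6 | Time: 2006-03-30 10:05:41
Security Enabled Global Group Member Added:
  Member Name: CN=Jane Doe,OU=Staff,DC=tcu,DC=edu
  Target Account Name: Domain Admins
  Target Domain: TCU
  Caller User Name: admin.bryan
---
Event ID: 528 | Computer: AD6 | Time: 2006-03-30 10:04:58
Successful Logon:
  User Name: admin.bryan
  Domain: TCU
  Logon Type: 10
  Workstation Name: PP1174
---
Event ID: 517 | Computer: AD6 | Time: 2006-03-30 11:00:00
The audit log was cleared:
  Client User Name: admin.bryan
"""


def parse_events(text):
    """Split the dump into dicts with id, computer, time, title and a fields map."""
    events = []
    for block in text.strip().split("\n---\n"):
        lines = block.strip().splitlines()
        header = dict(p.split(": ", 1) for p in lines[0].split(" | "))
        fields = {}
        for line in lines[2:]:                    # lines[1] is the event title
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        events.append({"id": int(header["Event ID"]), "computer": header["Computer"],
                       "time": header["Time"], "title": lines[1].rstrip(":"), "fields": fields})
    return events


def evaluate(events):
    """Return (severity, message) alerts for the events that match a watch-list rule."""
    alerts = []
    for e in events:
        f, eid = e["fields"], e["id"]
        if eid == 644:
            rid = int(f["Target Account ID"].rsplit("-", 1)[1])
            who = f["Target Account Name"]
            if rid in FIXED_RIDS:                 # identity fixed by RID, whatever the name
                who += f" (built-in {FIXED_RIDS[rid]}, RID {rid})"
            alerts.append(("medium", f"lockout of {who} from caller machine {f['Caller Machine Name']}"))
        elif eid in GROUP_MEMBER_ADDED and f["Target Account Name"] in CRITICAL_GROUPS:
            alerts.append(("high", f"{f['Caller User Name']} added {f['Member Name']} to "
                                   f"{GROUP_MEMBER_ADDED[eid]} group {f['Target Account Name']}"))
        elif eid == 528 and f["User Name"] in ADMIN_ACCOUNTS:
            alerts.append(("info", f"admin logon {f['User Name']} type {f['Logon Type']} "
                                   f"from {f['Workstation Name']}"))
        elif eid == 517:
            alerts.append(("high", f"security log cleared on {e['computer']} by "
                                   f"{f.get('Client User Name', '?')}"))
    return alerts


def lockout_sources(events):
    """Count 644 events per (target, caller machine): the machine to examine first."""
    return Counter((e["fields"]["Target Account Name"], e["fields"]["Caller Machine Name"])
                   for e in events if e["id"] == 644)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for sev, msg in evaluate(evs):
        print(f"[{sev}] {msg}")
    print(lockout_sources(evs))
```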

[ActiveDir] Dynamic Groups

2006-03-06 Thread Lucas, Bryan

I know you can build a dynamic query based distribution group, but can you do the same for a security group?  What is the best way to accomplish making anyone who is in a particular OU a member of a security group on a dynamic basis (scheduled task frequency)?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
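
An added example, not from the thread: the reconciliation logic a scheduled task would run to keep a security group equal to the enabled users in an OU. The user objects and the group's current membership are constructed so it runs offline; a real task would get the first from an LDAP search with the OU as its base and the second from the group's member attribute, and would call Add-ADGroupMember / Remove-ADGroupMember (or the ADSI equivalents) where apply_changes here just returns a set. The two guards are the point: a query that comes back empty, or a wrong base DN that would remove most of the group, has to stop the run rather than quietly rewrite a group that grants access.

```python
"""Reconcile a security group with the enabled users of an OU, with guards.

Added example, not from the thread. The user objects and group membership
below are constructed; the function names and safety threshold are mine.
"""

ACCOUNTDISABLE = 0x0002          # userAccountControl bit

# Constructed directory objects: (distinguishedName, userAccountControl)
SAMPLE_USERS = [
    ("CN=Alice,OU=Finance,DC=corp,DC=example", 0x200),
    ("CN=Bob,OU=Finance,DC=corp,DC=example", 0x200),
    ("CN=Carol,OU=Interns,OU=Finance,DC=corp,DC=example", 0x200),
    ("CN=Dave,OU=Finance,DC=corp,DC=example", 0x200 | ACCOUNTDISABLE),
    ("CN=Erin,OU=Sales,DC=corp,DC=example", 0x200),
]


def parent_dn(dn):
    """Container part of a DN (first RDN removed). Assumes no escaped commas in the RDN."""
    return dn.split(",", 1)[1]


def users_in_ou(users, ou_dn, subtree=False, include_disabled=False):
    """Desired membership: users located in `ou_dn` (optionally its sub-OUs), enabled only by default."""
    ou = ou_dn.lower()
    wanted = set()
    for dn, uac in users:
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        parent = parent_dn(dn).lower()
        if parent == ou or (subtree and parent.endswith("," + ou)):
            wanted.add(dn)
    return wanted


def plan_changes(desired, current, max_removal_fraction=0.5):
    """Return (to_add, to_remove), or raise rather than make a suspicious change."""
    if not desired:
        raise RuntimeError("query returned no users: refusing to empty the group")
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if current and len(to_remove) / len(current) > max_removal_fraction:
        raise RuntimeError(f"would remove {len(to_remove)} of {len(current)} members, "
                           "above the safety threshold: review the query before running")
    return to_add, to_remove


def apply_changes(current, to_add, to_remove):
    """Return the new membership; a real task calls the directory here instead."""
    return (set(current) | set(to_add)) - set(to_remove)


if __name__ == "__main__":
    group = {"CN=Bob,OU=Finance,DC=corp,DC=example", "CN=Erin,OU=Sales,DC=corp,DC=example"}
    desired = users_in_ou(SAMPLE_USERS, "OU=Finance,DC=corp,DC=example", subtree=True)
    add, remove = plan_changes(desired, group)
    print("add:", add, "remove:", remove)
    print("second run is a no-op:", plan_changes(desired, apply_changes(group, add, remove)) == ([], []))
```

Run every cycle, the second call returns no changes, which is the property you want from a scheduled reconciler: it converges instead of churning.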

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Lucas, Bryan

Are you 2003 and dissatisfied with the IMF?  I’ve found for small businesses it is extremely effective when loaded with the right RBL’s, IP blocks and configured correctly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, March 06, 2006 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was "filtering" and forwarding your e-mail but not doing a good job, what product or solution would you recommend?  The problem is valid e-mails are being blocked and SPAM is getting through.

Would something like Trend Client Server Security for SMB work well in this situation?

RE: [ActiveDir] Delegation

2006-03-02 Thread Lucas, Bryan

Thanks!

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, March 02, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation

Hi Bryan,

    You might find these helpful!

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

    (the second link is for the appendices)

-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, March 02, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation

I’ve recently joined this list and didn’t see this post.  Is there any list (official or unofficial) that details what permissions are necessary to delegate certain tasks?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Thursday, March 02, 2006 5:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation

I remember seeing a posting that listed the ACLs required on User objects so that a Help Desk could perform duties such as resetting password, unlocking accounts etc.

The posting mentioned the following permissions:

* allow Reset Password permission for user objects - grants permission to reset an account's password
* allow Write lockoutTime permission for user objects - grants permission to unlock an account
* allow Write pwdLastSet permission for user objects - grants permission to set User must change password at next logon account property
* allow Read AccountRestrictions permission for user objects - grants permission to read all account options

Can someone explain what the last permission is actually providing or allowing to be Read?  If this permission is not set I can still click the Account tab of a user account and view the state of the account options.

Regards
David
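
An added example that serves two threads on this page: Guido's suggestion in "View Delegated Tasks?" to subtract an object's default ACEs and keep what is left, and the four help-desk rights David lists above. It is my code, not Microsoft's or any list member's. The SDDL strings are constructed stand-ins (on a real domain, read the OU's nTSecurityDescriptor and the class's defaultSecurityDescriptor from the schema, and compare inherited ACEs against the parent as well); the help-desk and group-owner SIDs are made up. The GUIDs are the well-known schema and extended-right values for Reset Password, Account Restrictions, lockoutTime, pwdLastSet, member and the user and group classes; confirm them against schemaIDGUID and rightsGuid in your own forest before relying on them.

```python
"""Parse SDDL DACLs, separate delegated ACEs from defaults, verify a help-desk delegation.

Added example, not from the thread. The SDDL strings and principal SIDs are
constructed; the GUIDs are the well-known schema / extended-right values and
should be confirmed against your own schema.
"""
import re
from dataclasses import dataclass

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"        # extended right
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set
LOCKOUT_TIME = "28630ebf-41d5-11d1-a9c1-0000f80367c1"          # attribute
PWD_LAST_SET = "bf967a0a-0de6-11d0-a285-00aa003049e2"          # attribute
MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"                # attribute
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"

HELPDESK = "S-1-5-21-2142909598-1293495619-134157935-1107"     # constructed group SID
GROUP_OWNERS = "S-1-5-21-2142909598-1293495619-134157935-1108"  # constructed group SID


@dataclass(frozen=True)
class Ace:
    ace_type: str            # A, D, OA, OD ...
    flags: frozenset         # CI, OI, IO, ID, NP ...
    rights: frozenset        # RP, WP, CR, GA ... or a single hex mask
    object_guid: str         # right, attribute or property set; "" means all
    inherit_guid: str        # class the ACE applies to when inherited; "" means all
    sid: str

    @property
    def inherited(self):
        return "ID" in self.flags


def _pairs(token):
    """Split a run of two-letter SDDL tokens (flags or rights); keep a hex mask whole."""
    if token.startswith("0x"):
        return frozenset([token])
    return frozenset(token[i:i + 2] for i in range(0, len(token), 2))


def parse_dacl(sddl):
    """Return the ACEs of the D: part of an SDDL string, in order."""
    if "D:" not in sddl:
        raise ValueError("no DACL in security descriptor")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]     # stop at the SACL if present
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", dacl):
        parts = m.group(1).split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: {m.group(0)}")
        t, flags, rights, og, ig, sid = parts
        aces.append(Ace(t, _pairs(flags), _pairs(rights), og.lower(), ig.lower(), sid))
    return aces


def delegated_aces(object_aces, default_aces):
    """Explicit ACEs that are not in the class default are the ones delegated on this object."""
    defaults = set(default_aces)
    return [a for a in object_aces if not a.inherited and a not in defaults]


def aces_for(aces, sid):
    """dsrevoke-style report: every ACE naming one principal."""
    return [a for a in aces if a.sid == sid]


def has_right(aces, sid, right, object_guid, inherit_guid=USER_CLASS):
    """True if an allow ACE grants `right` on `object_guid` to `sid` for `inherit_guid` objects."""
    return any(a.sid == sid and a.ace_type in ("A", "OA") and right in a.rights
               and a.object_guid in ("", object_guid) and a.inherit_guid in ("", inherit_guid)
               for a in aces)


def helpdesk_gaps(aces, sid):
    """Which of the four help-desk rights from the thread are missing for `sid`."""
    required = {"Reset Password": ("CR", RESET_PASSWORD),
                "Write lockoutTime": ("WP", LOCKOUT_TIME),
                "Write pwdLastSet": ("WP", PWD_LAST_SET),
                "Read Account Restrictions": ("RP", ACCOUNT_RESTRICTIONS)}
    return [name for name, (right, guid) in required.items() if not has_right(aces, sid, right, guid)]


# Constructed stand-in for the class default: full control for DA, read for Authenticated Users.
DEFAULT_SDDL = "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"

# Constructed OU DACL: the defaults, a help-desk delegation (Read Account Restrictions
# left out on purpose), a Write members grant on groups, and one inherited ACE.
OU_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{HELPDESK})"
    f"(OA;CIIO;WP;{LOCKOUT_TIME};{USER_CLASS};{HELPDESK})"
    f"(OA;CIIO;WP;{PWD_LAST_SET};{USER_CLASS};{HELPDESK})"
    f"(OA;CIIO;WP;{MEMBER};{GROUP_CLASS};{GROUP_OWNERS})"
    "(A;CIID;RPLCLORC;;;AU)"      # inherited from the parent: not delegated here
)

if __name__ == "__main__":
    ou = parse_dacl(OU_SDDL)
    for a in delegated_aces(ou, parse_dacl(DEFAULT_SDDL)):
        print(f"delegated: {a.sid} {sorted(a.rights)} on {a.object_guid or '<object>'}")
    print("help desk missing:", helpdesk_gaps(ou, HELPDESK))
```

The diff reports only the four object-specific ACEs, and the check reports Read Account Restrictions as the one right the constructed help-desk delegation lacks.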

RE: [ActiveDir] Delegation

2006-03-02 Thread Lucas, Bryan

I’ve recently joined this list and didn’t see this post.  Is there any list (official or unofficial) that details what permissions are necessary to delegate certain tasks?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Thursday, March 02, 2006 5:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation

I remember seeing a posting that listed the ACLs required on User objects so that a Help Desk could perform duties such as resetting password, unlocking accounts etc.

The posting mentioned the following permissions:

* allow Reset Password permission for user objects - grants permission to reset an account's password
* allow Write lockoutTime permission for user objects - grants permission to unlock an account
* allow Write pwdLastSet permission for user objects - grants permission to set User must change password at next logon account property
* allow Read AccountRestrictions permission for user objects - grants permission to read all account options

Can someone explain what the last permission is actually providing or allowing to be Read?  If this permission is not set I can still click the Account tab of a user account and view the state of the account options.

Regards
David


RE: [ActiveDir] Quick CSVDE question

2006-02-28 Thread Lucas, Bryan
Great thanks.  Where did you find this 1.2.840... number? Is there a
reference table somewhere?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Roberts
Sent: Tuesday, February 28, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

If you need to distinguish between true distribution groups and
mail-enabled
security groups you would be better querying the group type attribute.
If you add this to the query you will only get back security-enabled
groups,
regardless of mail status.

(groupType:1.2.840.113556.1.4.803:=2147483648)

John Roberts
JLR Technology Solutions
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

Never mind, I added "mail" to the filters and then parsed the data
accordingly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quick CSVDE question

I'm trying to export a list of security groups, but not distribution
groups.
The string below gets all groups, is there a way I can exclude DLs?

csvde -f c:\groups.csv -s ad7 -d "dc=tcu,dc=edu" -p subtree
-r "(&(objectCategory=Group)(objectClass=group))" -l
"displayname,samaccountname,description"

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
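The following Python is an added example, not code from any of the posts above. It reproduces, on a CSVDE-style export, what the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) in John's filter does on the domain controller, and sets it beside the "no mail attribute means security group" shortcut from Bryan's earlier reply so the difference is visible on a mail-enabled security group. The CSV rows are constructed sample data, not an export from a real directory; the one thing to notice is that CSVDE writes groupType as a signed 32-bit integer (a global security group comes out as -2147483646), so the value has to be masked to its unsigned bit pattern before comparing it with the 2147483648 used in the filter.

```python
"""Classify groups from a CSVDE export by the groupType bit flags, reproducing
what the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) in the
filter (groupType:1.2.840.113556.1.4.803:=2147483648) does on the DC, and
contrasting it with the "does it have a mail attribute" heuristic.

Added example, not code from the original posts; the CSV below is constructed
sample data, not an export from any real directory.
"""
from __future__ import annotations

import csv
import io

# groupType flag bits as documented for Active Directory.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # decimal 2147483648, the value in the filter

# Matching-rule OIDs accepted in LDAP extensible filters against AD.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Constructed sample rows in the shape CSVDE writes with
# -l displayname,samaccountname,grouptype,mail. CSVDE emits groupType as a
# signed 32-bit integer, so security groups show up with negative values.
SAMPLE_CSV = """DN,displayName,sAMAccountName,groupType,mail
"CN=Server Admins,OU=Groups,DC=example,DC=test",Server Admins,ServerAdmins,-2147483646,
"CN=All Staff,OU=Groups,DC=example,DC=test",All Staff,AllStaff,8,allstaff@example.test
"CN=Helpdesk,OU=Groups,DC=example,DC=test",Helpdesk,Helpdesk,-2147483640,helpdesk@example.test
"CN=Vendors,OU=Groups,DC=example,DC=test",Vendors,Vendors,2,
"""


def normalize_group_type(raw: str) -> int:
    """Mask the signed value CSVDE writes to the unsigned 32-bit bit pattern
    the filter compares against (-2147483646 -> 0x80000002)."""
    return int(raw) & 0xFFFFFFFF


def bitwise_match(rule_oid: str, attr_value: int, filter_value: int) -> bool:
    """Evaluate (attr:<rule_oid>:=filter_value) the way the DC does for integers."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & filter_value) == filter_value  # every filter bit set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (attr_value & filter_value) != 0  # at least one filter bit set
    raise ValueError(f"unsupported matching rule {rule_oid}")


def describe_group_type(group_type: int) -> str:
    """Human-readable scope and kind for an (unsigned) groupType value."""
    kind = "security" if group_type & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    if group_type & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif group_type & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif group_type & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown scope"
    return f"{scope} {kind} group"


def select_groups(csv_text: str, rule_oid: str, filter_value: int) -> list[str]:
    """sAMAccountNames of rows whose groupType satisfies the bitwise filter."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        row["sAMAccountName"]
        for row in rows
        if bitwise_match(rule_oid, normalize_group_type(row["groupType"]), filter_value)
    ]


def groups_without_mail(csv_text: str) -> list[str]:
    """The 'no mail attribute means security group' heuristic, for comparison."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["sAMAccountName"] for row in rows if not row["mail"]]


if __name__ == "__main__":
    print("security-enabled (groupType bit 0x80000000):")
    for name in select_groups(SAMPLE_CSV, LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED):
        print("  ", name, "-", describe_group_type(normalize_group_type("0")) if False else "")
    print("no mail attribute (misses mail-enabled security groups):")
    for name in groups_without_mail(SAMPLE_CSV):
        print("  ", name)
```

Run against the sample, the groupType filter returns ServerAdmins and Helpdesk (the mail-enabled security group is kept), while the mail heuristic returns ServerAdmins and Vendors, dropping Helpdesk and picking up a distribution group that simply has no address. The same `bitwise_match` helper covers the bitwise-OR rule (1.2.840.113556.1.4.804), which is the other extensible match AD accepts on integer attributes.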


RE: [ActiveDir] Quick CSVDE question

2006-02-28 Thread Lucas, Bryan
Never mind, I added "mail" to the filters and then parsed the data
accordingly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quick CSVDE question

I'm trying to export a list of security groups, but not distribution
groups.  The string below gets all groups, is there a way I can exclude
DLs?

csvde -f c:\groups.csv -s ad7 -d "dc=tcu,dc=edu" -p subtree
-r "(&(objectCategory=Group)(objectClass=group))" -l
"displayname,samaccountname,description"

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971



[ActiveDir] Quick CSVDE question

2006-02-28 Thread Lucas, Bryan
I'm trying to export a list of security groups, but not distribution
groups.  The string below gets all groups, is there a way I can exclude
DLs?

csvde -f c:\groups.csv -s ad7 -d "dc=tcu,dc=edu" -p subtree
-r "(&(objectCategory=Group)(objectClass=group))" -l
"displayname,samaccountname,description"

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971



RE: [ActiveDir] (OT) Sound problem

2006-02-20 Thread Lucas, Bryan

Nothing personal and I appreciate the OT tag, but this list is already
high volume as it is and I could do without the workstation hardware
posts to wade through.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 20, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] (OT) Sound problem

Thanks

I also tried to install a new sound card, and nothing changed.

I would like to find a way to fix it without reinstalling the OS.

Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193

"Krenceski, William" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
20/02/2006 14:04
Please reply to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] (OT) Sound problem

I had the same problem. Bought a new pci sound card, disabled the onboard
and installed the drivers for the new X-Fi Card and still no sound. The
only thing that worked was an OS Repair or reinstall XP Pro/Home.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 20, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (off topic) Sound problem

I apologize if this question isn't exactly about ACTIVE DIR, but I have
this problem in a member workstation and I need help.

One of our users has a sound card installed in his computer. It was
working fine till some time ago. But suddenly it is installed in Device
drivers, but there is no sound. When I go to Control Panel > Sound and
audio devices, there is no audio device available. I tried to re-install
it, but it didn't work. The card installs ok, it's ok in devices, but
there is no sound. I tried many things, and the worst is that the user
needs the sound for his job.

I wait for your help

Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193



RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Lucas, Bryan

Joe,

From what I understand of MS NAP, it only helps if the machines belong to
the domain, is that correct?  It doesn't stop someone from plugging in and
hard coding an IP.  I get the impression it is designed to be used in
conjunction with Cisco's CleanAccess product.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 03, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

There is nothing you can do around a DHCP server that will really help you
as you point out. You simply need to plug into a port, enter any IP address
or let one of the 169 addresses kick in and turn on a sniffer and you start
seeing enough traffic to figure out where to come up with a random IP
address at. All the DHCP server is is a helper, it doesn't give you network
access, it helps you find it. This type of thing needs to be controlled
either at the network level where the switches say, sorry you can't route
packets anywhere but this private secured network or you need to make all
proper network traffic secure with some kind of tunneling/vpn type tech. The
latter is quite popular for companies with wireless, you get on the wireless
network and then have to VPN into the corporate network. That way anyone who
compromises the WAPs still doesn't get anything but a network and all
traffic from everyone properly on the network is encrypted. At best the
company may allow you to surf out to the internet, this is especially good
for companies who have visitors from other companies dropping by their
facilities or are in close vicinity to other companies who may pick up their
WAPs.

You really want to start looking into Network Quarantine/Network Access
Protection/etc. It is not a simple whip out in an hour solution, it will
take forethought and possibly upgrades of network infrastructure and your
machines to do it correctly. But with it you can set specific policy on who
gets to get on the real network and who doesn't, this includes things like
domain membership as well as what software is installed on machines and
virus definition levels or OS fix levels, etc. You write the policy that the
clients have to meet or else they don't get anything but a dead network.

I would recommend going to google, typing in network quarantine and hit
enter. You will almost certainly see several hits on MS because they have
been spending a lot of time and energy the last 4 or so years working on
this stuff and getting all of the right hardware people together to make a
good solution. They had some preliminary stuff done a couple of years ago
that people were really interested in but started redesigning some of it to
make it more flexible/capable. I expect most of what happens in this space
will most likely fall out of Cisco and Microsoft.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, February 03, 2006 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

Assigning IP's based off of MAC addresses would be a huge headache!
Besides, just as you said the "network savvy" person can easily find out
the IP range if needed and assign themselves an IP and spoof the MAC if
needed.

If something like this is possible, I would like to have a more concrete
solution.

But thank you very much for your reply.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, February 03, 2006 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

I'm not sure if it's the best way to do it, but you could set your entire
scope to be in one exclusion range, then assign static DHCP to authorised
MACs. After that, for added security, you could set a second scope to give
out leases outside your network range so that unauth ppl will get a lease,
but not be able to see anybody, only downside to that would be that the
network savvy user could look under network settings and see what the IP of
the DHCP server is and then assign a static IP within that range. HTH - Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting better control over DHCP

Is it possible within a domain on an authorized DHCP server to restrict
what machines get a DHCP IP Address?  For example, I want to prevent
someone from bringing in an unauthorized laptop and getting an IP Address
on the network.  I want it to be so that if the machine is not a part of
the domain, it does not get any network connectivity from the DHCP server.

Thanks,

Edwin