RE: [ActiveDir] trust question

2005-08-15 Thread Dean Wells
Attach a debugger to it?  I'm happy to review the source, but thanks though
... anyway, I wouldn't want to steal your weekend from you ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 8:42 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

If you want to validate when this code path is fired, set a breakpoint on
DCacheWriteDomainsToCache and see when it fires. It might be easiest to use
image file execution options to do this and put every winlogon that fires up
under ntsd, or you can do it on the kd side, whatever you find easiest.

`Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, August 14, 2005 10:31 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Hmmm, I understand the distinction you're making Eric but don't recollect it
being the case, I'll take a look at the source again and see if I can't
solidify this.  Thanks for the input.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself
strictly speaking. When one presses the SAS in session 0 (this _only_
applies to session 0, no other session, as of win2k3 RTM anyway) we populate
this list. That said, it does boil down to a query of netlogon of course (I
don't recall if it asks the local netlogon who has already obtained the info
from the upstream DCs netlogon or directly asks the DCs netlogon, it's been
too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once had
to debug this domain list population code and of course had to dip my toe in
there, so you just heard about a third of what I learned in that debug.
;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced

Re: [ActiveDir] trust question

2005-08-14 Thread Mylo

Dean,

You mention the VM sandpit and that lit a bulb... was doing testing with 
Forest trusts some days ago and had to do an outgoing trust between 2k3 
and 2k3 forest using stub zones ... no NetBIOS in site... nowhere.. 
none..none..none. It's amazing how ingrained these misconceptions 
become. I'll have harsh words with my memory retention department :-)


Thanks for the info.
Mylo

Dean Wells wrote:


My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 

As I said, it is indeed a common misunderstanding ... the fact that 
there's a related article published only lends weight to that point.  
It takes very little effort to test and it continues to surprise me 
when I hear of articles such as the one you've referenced (not that I 
read it since I have more than enough accurate material to plough 
through ;o)


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] trust question

Dean,

Oh...I was under the impression that external trusts still used legacy 
name resolution.. Here's a common misunderstood article about it ;-) 
http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html


Cheers
Mylo

Dean Wells wrote:

   

I'm really not certain where this very common misunderstanding comes 
from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
matter) requires NetBIOS in order to establish a trust.  The locator 
mechanisms employed to establish the trust are dependent exclusively 
upon the ability to resolve the trust partner, a role which DNS is 
more than able to fulfill.
This is true to say of external, cross-forest and realm trusts (as 
far as I can recollect however, NT does impose a NetBIOS dependency).


One of the most common reasons for trust creation failure is the 
scenario where each domain uses an isolated DNS name resolution 
hierarchy, enabling NetBIOS often appears to resolve this (no pun
intended) since broadcast, WINS or LMHOSTS mechanisms are triggered 
and are typically more tolerant in these instances.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between 
NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that 
NetBIOS has been deprecated... so, yes you still need NetBIOS 
for the trust
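
Dean's point above (trust creation depends only on being able to resolve the trust partner, and an isolated DNS hierarchy on each side is the usual reason it fails) can be checked before the trust is created. The PowerShell below is an added example, not code from the thread; it assumes the DnsClient module's Resolve-DnsName with its -DnsOnly switch (Windows 8 / Server 2012 or later) and uses placeholder domain names.

```powershell
# Added example (not from the thread). Checks that a trust partner's DC locator
# records resolve over DNS alone, with the NetBIOS/LLMNR fallbacks disabled,
# which is the only name-resolution dependency Dean describes for trust
# creation. Domain names passed in are placeholders for your own forests.
function Test-TrustPartnerDns {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PartnerDomain,     # DNS name of the domain to be trusted, e.g. 'partner.example' (placeholder)
        [string]$DnsServer          # optional: query a specific DNS server instead of the client's configured one
    )

    function Resolve-DnsOnly {
        param([string]$Name, [string]$Type)
        $q = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $q.Server = $DnsServer }
        # -DnsOnly turns off the NetBIOS and LLMNR fallbacks, so a hit here means
        # the name is reachable the way the DC locator needs it, without WINS/LMHOSTS.
        Resolve-DnsName @q | Where-Object { $_.Type -eq $Type }
    }

    # The SRV records the locator asks for when it has to find the partner's DCs.
    $locatorNames = @(
        "_ldap._tcp.dc._msdcs.$PartnerDomain",     # any DC in the partner domain
        "_ldap._tcp.pdc._msdcs.$PartnerDomain",    # the PDC emulator, which trust creation is directed at
        "_kerberos._tcp.dc._msdcs.$PartnerDomain"  # a KDC, needed once the trust is in use
    )

    $failures = 0
    foreach ($srvName in $locatorNames) {
        $srv = Resolve-DnsOnly -Name $srvName -Type 'SRV'
        if (-not $srv) {
            Write-Warning "No SRV record for $srvName"
            $failures++
            continue
        }
        foreach ($rec in $srv) {
            # Every SRV target must itself resolve to an address, again DNS-only.
            $addr = Resolve-DnsOnly -Name $rec.NameTarget -Type 'A'
            if ($addr) {
                '{0,-45} -> {1}:{2} ({3})' -f $srvName, $rec.NameTarget, $rec.Port, ($addr.IPAddress -join ', ')
            } else {
                Write-Warning "SRV target $($rec.NameTarget) has no A record"
                $failures++
            }
        }
    }

    if ($failures -eq 0) {
        "DNS alone can locate DCs for $PartnerDomain; the trust does not need NetBIOS, WINS or LMHOSTS to be created."
    } else {
        "$failures lookup(s) failed: give this domain's DNS a secondary or stub zone, or a conditional forwarder, for $PartnerDomain (including its _msdcs records) before creating the trust."
    }
}

# Usage (placeholder name): Test-TrustPartnerDns -PartnerDomain 'partner.example'
```

Run it from a machine in the trusting domain, and again from the other side with that domain's name, since both directions of an external trust must resolve each other.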

RE: [ActiveDir] trust question

2005-08-14 Thread Dean Wells
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: Tom Kern
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i guess my question is, how/where does the netlogon service get it from? DNS
srv records?

** A client could not ask DNS such a question without prior knowledge of its
domain suffix.

To me, netlogon just refers to a secure encrypted channel between 2 hosts.
To send a hashed password  or register dns records of a DC. Or create a
trust between a domain member and a dc or two domains.

** NETLOGON is many things; typically it is a share and a service.  The
service performs many functions (many of which you've mentioned), the
creation of authenticated, secure channels is one of them.  Try stopping it
and see what happens.

how does the netlogon service get a list of every domain in the forest when
you join a domain with a client?

** The client simply asks the DC representing the domain it is joining.

In NT and 2003. 
The source must be different depending on the OS-NT or 2000/2003.

** Windows NT and Active Directory are radically different technologies, the
source of that information is likely very different but since I don't
recollect the mechanisms used by Windows NT, I can't comment with any
certainty.

also, flat names or samAccount names when it comes to Domains, to me, always
has been a synonym for Netbios.

** Correct, since NetBIOS is being phased out but the concept of a
short-name isn't, the newer name applies.

i understand that a single HOST name can be part of a bigger dns name space
and windows will try  and append the suffixes, but a windows domain name
with no suffix, can only be a netbios name to me.

** That's not correct, it would be a single labeled (not recommended) DNS
name whose NetBIOS name may or may not be the same.  The number of labels in
a name do not tell Windows whether it is a DNS name or a NetBIOS name, we
define that during the install.  Windows maintains fewer and fewer NetBIOS
dependencies through each successive version but the short/flat name is not
going away in the foreseeable future.

otherwise that would be like yahoo being the same as the Yahoo.com
domain.
 it would be useless.

** I don't understand your point.

Or it could just be me. i'm not the brightest bulb.
I came from a Novell background (please don't hold it against me)

** I don't, my background is deeply rooted in Novell.

 and i still can't get over it when i see in AD something like
cn=schema,cn=configuration,dc=domain,dc=root.
i always think, how can a leaf object be inside another leaf object and if
its not a leaf why would you use cn prefix and not ou.

** cn doesn't necessarily indicate a leaf object, it expresses common
name.  Novell's implementation was exactly that, their implementation,
Microsoft's is different.  The attribute prefix is controlled by the 'RDN
attribute identifier' and can be any property enforced upon an object
(standards dictate that it can even be multi-valued ... not supported here
BTW). I could (and have), for example, forced an OU to use CN instead ... my
point is, the attribute prefix is configurable and does not indicate whether
the object in question can or cannot contain anything, that is something
typically inferred by those coming from an NDS background.

maybe i'm thinking DNS domains when i should be thinking windows domains or
vice versa.
Or maybe a Domain has become so overused, i don't know what it is

** I couldn't agree more; the term domain is ambiguous without specific
context.

anymore- a windows area of management, a dns name space,a naming context to
be replicated,a MS form of Kerberos Realm?

I'm just confused.
Sorry Dean, ignore me. To be honest, I don't know enough about anything
network related to be arguing with you or the likes of anyone on this list.

** I wasn't aware we were arguing, I thought I was assisting with your
questions/misconceptions,

Heck, i'm an English Lit major. i haven't even taken Comp Sci so i guess i'm
just too dense to see the difference between netbios the protocol, netbios
the name,and flat names and dns names.

My apologies.
Please don't hold it against this dim bulb who is clearly out of his depth
here.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: RE: [ActiveDir] trust question

2005-08-14 Thread rkingsla
I suspect that it comes from all of the external trusts that people have 
established with existing NT4 environments and not changing their tactics 
because the LMHosts and NetBIOS things work with NT4.  First shot on Win2k to 
Win2k3 - fire up LMHosts and get it working.

Yes - DNS will work, but as I said in my post earlier this week, sometimes the 
familiar and simpler methods make sense when you have 5 million other problems that 
are quite large.

However, DNS or WINS (there, joe...  happy?  :) is the preferred method, 
without question as it provides a much more 'universal' mechanism for name 
resolution between the two entities once in place.

Rick

 
 From: Dean Wells [EMAIL PROTECTED]
 Date: 2005/08/13 Sat AM 11:32:26 EDT
 To: Send - AD mailing list [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] trust question
 
 I'm really not certain where this very common misunderstanding comes from,
 neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter)
 requires NetBIOS in order to establish a trust.  The locator mechanisms
 employed to establish the trust are dependent exclusively upon the ability
 to resolve the trust partner, a role which DNS is more than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as far as I
 can recollect however, NT does impose a NetBIOS dependency).  
 
 One of the most common reasons for trust creation failure is the scenario
 where each domain uses an isolated DNS name resolution hierarchy, enabling
 NetBIOS often appears to resolve this (no pun intended) since broadcast,
 WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in
 these instances.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 9:46 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] trust question
 
 Tom,
 
 Had to do this a few months back in a 3-way love triangle between NT4, 2K
 and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has
 been deprecated... so, yes you still need NetBIOS for the trust
 creation process. Try creating the trust with NetBIOS (e.g. 
 LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate
 the trust afterwards... It could be for the trust creation only that it
 needs to be turned on..
 Cheers
 Mylo
 
 Tom Kern wrote:
 
 I can't find a clear answer-
 when you form a trust between the root of a win2k3 forest and a child 
 domain of a win2k forest, is netbios used at all?
 is this trust all done through dns?
 
 this is NOT a forest trust but an external trust.
 
 we are about to migrate to a new forest. the old forest has netbios/tcp 
 turned off and so will the new forest.
 
 when an external trust is formed between a win2k3 and win2k domain, is 
 wins/netbios needed?
 
 thanks


RE: [ActiveDir] trust question

2005-08-14 Thread Eric Fleischman
Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon
itself strictly speaking. When one presses the SAS in session 0 (this
_only_ applies to session 0, no other session, as of win2k3 RTM anyway)
we populate this list. That said, it does boil down to a query of
netlogon of course (I don't recall if it asks the local netlogon who has
already obtained the info from the upstream DCs netlogon or directly
asks the DCs netlogon, it's been too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once
had to debug this domain list population code and of course had to dip
my toe in there, so you just heard about a third of what I learned in
that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.  
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy
 name resolution.. Here's a common misunderstood article about it ;-) 
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes 
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator 
 mechanisms employed to establish the trust are dependent exclusively 
 upon the ability to resolve the trust partner, a role which DNS is 
 more than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as 
 far as I can recollect however, NT does impose a NetBIOS dependency).
 
 One of the most common reasons for trust creation failure is the 
 scenario where each domain uses an isolated DNS name resolution 
 hierarchy, enabling NetBIOS often appears to resolve this (no pun
 intended) since broadcast, WINS or LMHOSTS mechanisms are triggered

RE: [ActiveDir] trust question

2005-08-14 Thread Dean Wells
Hmmm, I understand the distinction you're making Eric but don't recollect it
being the case, I'll take a look at the source again and see if I can't
solidify this.  Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself
strictly speaking. When one presses the SAS in session 0 (this _only_
applies to session 0, no other session, as of win2k3 RTM anyway) we populate
this list. That said, it does boil down to a query of netlogon of course (I
don't recall if it asks the local netlogon who has already obtained the info
from the upstream DCs netlogon or directly asks the DCs netlogon, it's been
too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once had
to debug this domain list population code and of course had to dip my toe in
there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy
 name resolution.. Here's a common misunderstood article about it ;-) 
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes 
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator 
 mechanisms employed to establish the trust are dependent exclusively 
 upon

RE: [ActiveDir] trust question

2005-08-14 Thread Eric Fleischman
If you want to validate when this code path is fired, set a breakpoint
on DCacheWriteDomainsToCache and see when it fires. It might be easiest
to use image file execution options to do this and put every winlogon
that fires up under ntsd, or you can do it on the kd side, whatever you
find easiest.

`Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, August 14, 2005 10:31 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Hmmm, I understand the distinction you're making Eric but don't recollect it
being the case, I'll take a look at the source again and see if I can't
solidify this.  Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself
strictly speaking. When one presses the SAS in session 0 (this _only_
applies to session 0, no other session, as of win2k3 RTM anyway) we populate
this list. That said, it does boil down to a query of netlogon of course (I
don't recall if it asks the local netlogon who has already obtained the info
from the upstream DCs netlogon or directly asks the DCs netlogon, it's been
too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once had
to debug this domain list population code and of course had to dip my toe in
there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios (is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under
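The two Winlogon DCache values quoted in the message above decide whether the logon domain list shows only the short (flat) name or also the DNS name and domain tag. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads both values and can set them to the REG_DWORD 1 shown in the .reg fragment. The registry path and value names are the ones quoted above; the function names, the assumption that an absent value behaves like 0 (the default, short names only), and the use of -WhatIf for a dry run are mine.

```powershell
# Added example (not from the thread): audit and, if wanted, set the Winlogon
# DCache display values quoted in the message. Registry path and value names
# come from the message; treating an absent value as 0 (default behaviour,
# short names only) is an assumption. Run elevated on the machine you check.

$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DCacheValues = 'DCacheShowDomainTags', 'DCacheShowDnsNames'

function Get-DCacheDisplaySetting {
    # One object per value: current REG_DWORD data (0 when the value is absent)
    # and whether the DNS-name / domain-tag display is switched on.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    foreach ($name in $DCacheValues) {
        $data = if ($null -ne $props.$name) { [int]$props.$name } else { 0 }  # assumption: absent == 0
        [pscustomobject]@{
            Name    = $name
            Data    = $data
            Enabled = ($data -eq 1)
        }
    }
}

function Set-DCacheDisplaySetting {
    # Writes both values as REG_DWORD 1, matching the .reg fragment in the
    # message, so the logon domain list shows DNS names and domain tags.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $DCacheValues) {
        if ($PSCmdlet.ShouldProcess("$WinlogonKey\$name", 'Set to 1 (REG_DWORD)')) {
            Set-ItemProperty -Path $WinlogonKey -Name $name -Value 1 -Type DWord
        }
    }
}

# Usage: audit first, then preview the change; drop -WhatIf to apply it.
Get-DCacheDisplaySetting | Format-Table -AutoSize
Set-DCacheDisplaySetting -WhatIf
```

The values only change what the logon dialog displays; they do not alter how the list is obtained, which is the point of the thread: the list comes from winlogon asking netlogon, not from NetBIOS browsing.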

Re: [ActiveDir] trust question

2005-08-13 Thread Mylo

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 
2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS 
has been deprecated... so, yes you still need NetBIOS for the 
trust creation process. Try creating the trust with NetBIOS (e.g. 
LMHOSTS with 1xB and 1xC entries) enabled and then disable it and 
validate the trust afterwards... It could be for the trust creation only 
that it needs to be turned on..

Cheers
Mylo

Tom Kern wrote:


I can't find a clear answer-
when you form a trust between the root of a win2k3 forest and a child
domain of a win2k forest, is netbios used at all?
is this trust all done through dns?

this is NOT a forest trust but an external trust.

we are about to migrate to a new forest. the old forest has
netbios/tcp turned off and so will the new forest.

when an external trust is formed between a win2k3 and win2k domain, is
wins/netbios needed?

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


 





RE: [ActiveDir] trust question

2005-08-13 Thread Dean Wells
I'm really not certain where this very common misunderstanding comes from,
neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter)
requires NetBIOS in order to establish a trust.  The locator mechanisms
employed to establish the trust are dependent exclusively upon the ability
to resolve the trust partner, a role which DNS is more than able to fulfill.
This is true to say of external, cross-forest and realm trusts (as far as I
can recollect however, NT does impose a NetBIOS dependency).  

One of the most common reasons for trust creation failure is the scenario
where each domain uses an isolated DNS name resolution hierarchy, enabling
NetBIOS often appears to resolve this (no pun intended) since broadcast,
WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in
these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 2K
and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has
been deprecated... so, yes you still need NetBIOS for the trust
creation process. Try creating the trust with NetBIOS (e.g. 
LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate
the trust afterwards... It could be for the trust creation only that it
needs to be turned on..
Cheers
Mylo

Tom Kern wrote:

I can't find a clear answer-
when you form a trust between the root of a win2k3 forest and a child 
domain of a win2k forest, is netbios used at all?
is this trust all done through dns?

this is NOT a forest trust but an external trust.

we are about to migrate to a new forest. the old forest has netbios/tcp 
turned off and so will the new forest.

when an external trust is formed between a win2k3 and win2k domain, is 
wins/netbios needed?

thanks


  





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
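Dean's diagnosis above is that most trust-creation failures come from two isolated DNS hierarchies, and that switching on NetBIOS merely hides that because broadcast, WINS or LMHOSTS lookups paper over the missing DNS path. The PowerShell below is an added example, not code from the thread: it asks, over DNS only, for the _msdcs SRV records the DC locator uses to find the trust partner, from the DNS servers the local members actually use. The function name, the parameter names and the domain name and server address in the usage call are placeholders I made up; Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and nltest.exe are real tools.

```powershell
# Added example (not from the thread): confirm a trust partner is locatable
# through DNS alone before anyone "fixes" a trust by enabling NetBIOS.
# Domain names and DNS server addresses in the usage call are constructed
# placeholders. Needs the DnsClient module and nltest.exe.

function Test-TrustPartnerDns {
    param(
        [Parameter(Mandatory)] [string]   $PartnerDomain,  # DNS name of the partner domain
        [string[]]                        $DnsServer       # DNS servers your members use; default resolver if omitted
    )
    # The DC locator's DNS path: SRV records under _msdcs of the partner domain.
    $queries = @(
        "_ldap._tcp.dc._msdcs.$PartnerDomain",
        "_kerberos._tcp.dc._msdcs.$PartnerDomain"
    )
    foreach ($q in $queries) {
        # -DnsOnly rules out the hosts file, LLMNR and NetBIOS fallback, so a
        # "Resolved = False" here is a genuine DNS gap, not a NetBIOS one.
        $resolveArgs = @{ Name = $q; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $resolveArgs.Server = $DnsServer }
        $srv = Resolve-DnsName @resolveArgs | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Query    = $q
            Resolved = [bool]$srv
            Targets  = (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
        }
    }
}

# Usage (placeholder names): an unresolved _msdcs SRV set from the servers
# your members use means the two DNS hierarchies are isolated. The fix is a
# conditional forwarder or a secondary/stub zone for the partner's zone on
# each side, not turning NetBIOS back on.
Test-TrustPartnerDns -PartnerDomain 'child.oldforest.example' -DnsServer '10.0.0.10' |
    Format-Table -AutoSize

# Cross-check with the locator itself (DsGetDcName) once DNS resolves:
#   nltest /dsgetdc:child.oldforest.example /force
```

Run it from both sides of the intended trust, since each domain's DNS has to find the other's DCs; a partner that resolves only with NetBIOS fallback on is exactly the case Dean describes.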


Re: [ActiveDir] trust question

2005-08-13 Thread Mylo

Dean,

Oh...I was under the impression that external trusts still used legacy 
name resolution.. Here's a common misunderstood article about it ;-)

http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html

Cheers
Mylo

Dean Wells wrote:


I'm really not certain where this very common misunderstanding comes from,
neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter)
requires NetBIOS in order to establish a trust.  The locator mechanisms
employed to establish the trust are dependent exclusively upon the ability
to resolve the trust partner, a role which DNS is more than able to fulfill.
This is true to say of external, cross-forest and realm trusts (as far as I
can recollect however, NT does impose a NetBIOS dependency).  


One of the most common reasons for trust creation failure is the scenario
where each domain uses an isolated DNS name resolution hierarchy, enabling
NetBIOS often appears to resolve this (no pun intended) since broadcast,
WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in
these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 2K
and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has
been deprecated... so, yes you still need NetBIOS for the trust
creation process. Try creating the trust with NetBIOS (e.g. 
LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate
the trust afterwards... It could be for the trust creation only that it
needs to be turned on..
Cheers
Mylo

Tom Kern wrote:

 


I can't find a clear answer-
when you form a trust between the root of a win2k3 forest and a child 
domain of a win2k forest, is netbios used at all?

is this trust all done through dns?

this is NOT a forest trust but an external trust.

we are about to migrate to a new forest. the old forest has netbios/tcp 
turned off and so will the new forest.


when an external trust is formed between a win2k3 and win2k domain, is 
wins/netbios needed?


thanks





   








 




RE: [ActiveDir] trust question

2005-08-13 Thread Dean Wells
As I said, it is indeed a common misunderstanding ... the fact that there's
a related article published only lends weight to that point.  It takes very
little effort to test and it continues to surprise me when I hear of
articles such as the one you've referenced (not that I read it since I have
more than enough accurate material to plough through ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] trust question

Dean,

Oh...I was under the impression that external trusts still used legacy name
resolution.. Here's a common misunderstood article about it ;-)
http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html

Cheers
Mylo

Dean Wells wrote:

I'm really not certain where this very common misunderstanding comes 
from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that 
matter) requires NetBIOS in order to establish a trust.  The locator 
mechanisms employed to establish the trust are dependent exclusively 
upon the ability to resolve the trust partner, a role which DNS is more
than able to fulfill.
This is true to say of external, cross-forest and realm trusts (as far 
as I can recollect however, NT does impose a NetBIOS dependency).

One of the most common reasons for trust creation failure is the 
scenario where each domain uses an isolated DNS name resolution 
hierarchy, enabling NetBIOS often appears to resolve this (no pun 
intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and 
are typically more tolerant in these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 
2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS 
has been deprecated... so, yes you still need NetBIOS for the 
trust creation process. Try creating the trust with NetBIOS (e.g.
LMHOSTS with 1xB and 1xC entries) enabled and then disable it and 
validate the trust afterwards... It could be for the trust creation 
only that it needs to be turned on..
Cheers
Mylo

Tom Kern wrote:

  

I can't find a clear answer-
when you form a trust between the root of a win2k3 forest and a child 
domain of a win2k forest, is netbios used at all?
is this trust all done through dns?

this is NOT a forest trust but an external trust.

we are about to migrate to a new forest. the old forest has 
netbios/tcp turned off and so will the new forest.

when an external trust is formed between a win2k3 and win2k domain, is 
wins/netbios needed?

thanks


 









  






Re: [ActiveDir] trust question

2005-08-13 Thread Tom Kern
i heard somewhere that windows 2k uses netbios to generate the drop
down list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate
that list when you join a domain?
there is just a lot of disinformation about netbios (is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary
zones of their respective domains or conditional forwarding, all
should be good for a trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that there's
 a related article published only lends weight to that point.  It takes very
 little effort to test and it continues to surprise me when I hear of
 articles such as the one you've referenced (not that I read it since I have
 more than enough accurate material to plough through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy name
 resolution.. Here's a common misunderstood article about it ;-)
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator
 mechanisms employed to establish the trust are dependent exclusively
 upon the ability to resolve the trust partner, a role which DNS is more
 than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as far
 as I can recollect however, NT does impose a NetBIOS dependency).
 
 One of the most common reasons for trust creation failure is the
 scenario where each domain uses an isolated DNS name resolution
 hierarchy, enabling NetBIOS often appears to resolve this (no pun
 intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and
 are typically more tolerant in these instances.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 9:46 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] trust question
 
 Tom,
 
 Had to do this a few months back in a 3-way love triangle between NT4,
 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS
 has been deprecated... so, yes you still need NetBIOS for the
 trust creation process. Try creating the trust with NetBIOS (e.g.
 LMHOSTS with 1xB and 1xC entries) enabled and then disable it and
 validate the trust afterwards... It could be for the trust creation
 only that it needs to be turned on..
 Cheers
 Mylo
 
 Tom Kern wrote:
 
 
 
 I can't find a clear answer-
 when you form a trust between the root of a win2k3 forest and a child
 domain of a win2k forest, is netbios used at all?
 is this trust all done through dns?
 
 this is NOT a forest trust but an external trust.
 
 we are about to migrate to a new forest. the old forest has
 netbios/tcp turned off and so will the new forest.
 
 when an external trust is formed between a win2k3 and win2k domain, is
 wins/netbios needed?
 
 thanks
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



RE: [ActiveDir] trust question

2005-08-13 Thread Dean Wells
My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios (is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.  
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy 
 name resolution.. Here's a common misunderstood article about it ;-) 
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes 
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator 
 mechanisms employed to establish the trust are dependent exclusively 
 upon the ability to resolve the trust partner, a role which DNS is more
 than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as 
 far as I can recollect however, NT does impose a NetBIOS dependency).
 
 One of the most common reasons for trust creation failure is the 
 scenario where each domain uses an isolated DNS name resolution 
 hierarchy, enabling NetBIOS often appears to resolve this (no pun
 intended) since broadcast, WINS or LMHOSTS mechanisms are triggered 
 and are typically more tolerant in these instances.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 9:46 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] trust question
 
 Tom,
 
 Had to do this a few months back in a 3-way love triangle between 
 NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that 
 NetBIOS has been deprecated... so, yes you still need NetBIOS 
 for the trust creation process. Try creating the trust with NetBIOS (e.g.
 LMHOSTS with 1xB and 1xC entries) enabled and then disable it and 
 validate the trust afterwards... It could be for the trust creation 
 only that it needs to be turned on..
 Cheers
 Mylo
 
 Tom Kern wrote:
 
 
 
 I can't find a clear answer-
 when you form a trust between the root of a win2k3 forest
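Dean's point in the post above is that the logon domain list is filled by the NETLOGON service from what the domain knows about its trusted domains, and that it merely displays the short (flat) name of each, with the DCache registry values switching the display to DNS names; NetBIOS is not involved in building it. As an added example, not code from the thread, the PowerShell below lists the same set of trusted domains straight from the trustedDomain objects in the current domain, showing both the DNS name (trustPartner) and the flat name (flatName) side by side. It uses ADSI only, so no RSAT module is needed; the function name, the optional search-root parameter and the label tables are mine (the numeric meanings of trustDirection and trustType are the documented LDAP attribute values).

```powershell
# Added example (not from the thread): list the trusted domains this domain
# knows about, from its trustedDomain objects, with both name forms the logon
# list can show. ADSI only; run as a domain member that can read CN=System.

function Get-TrustedDomainName {
    param(
        [string] $SearchRoot   # optional LDAP path, e.g. 'LDAP://DC=corp,DC=example' (placeholder)
    )
    # [adsisearcher] defaults to the current domain's naming context; the
    # trustedDomain objects sit under CN=System, so a subtree search finds them.
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]$SearchRoot }
    $searcher.PageSize = 200
    'trustPartner', 'flatName', 'trustDirection', 'trustType', 'trustAttributes' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

    # Standard attribute values (my lookup tables, not from the thread).
    $direction = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    $type      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm' }

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # property names come back lower-cased
        [pscustomobject]@{
            DnsName    = [string]$p['trustpartner'][0]    # e.g. child.oldforest.example
            FlatName   = [string]$p['flatname'][0]        # e.g. CHILD (the "NetBIOS name")
            Direction  = $direction[[int]$p['trustdirection'][0]]
            Type       = $type[[int]$p['trusttype'][0]]
            Attributes = [int]$p['trustattributes'][0]    # bit flags: transitivity, forest trust, etc.
        }
    }
}

# Usage: every trust shows a DNS name and a flat name, whether or not NetBIOS
# is enabled on the box running this; the flat name is just another attribute.
Get-TrustedDomainName | Sort-Object DnsName | Format-Table -AutoSize
```

A downlevel (NT4) trust is the one case in the table with no meaningful DNS name to display, which matches Dean's caveat that NT still carries a NetBIOS dependency.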

Re: [ActiveDir] trust question

2005-08-13 Thread Tom Kern
i guess my question is, how/where does the netlogon service get it
from? DNS srv records?
To me, netlogon just refers to a secure encrypted channel between 2
hosts. To send a hashed password or register dns records of a DC. Or
create a trust between a domain member and a dc or two domains.
how does the netlogon service get a list of every domain in the forest
when you join a domain with a client?
In NT and 2003.
The source must be different depending on the OS-NT or 2000/2003.

also, flat names or samAccount names when it comes to Domains, to me,
always has been a synonym for Netbios.
i understand that a single HOST name can be part of a bigger dns name
space and windows will try and append the suffixes, but a windows
domain name with no suffix, can only be a netbios name to me.
otherwise that would be like yahoo being the same as the Yahoo.com domain.
it would be useless.
Or it could just be me. i'm not the brightest bulb.
I came from Novell background (please don't hold it against me) and i
still can't get over it when i see in AD something like
cn=schema,cn=configuration,dc=domain,dc=root.
i always think, how can a leaf object be inside another leaf object
and if it's not a leaf why would you use cn prefix and not ou.

maybe i'm thinking DNS domains when i should be thinking windows
domains or vice versa.
Or maybe a Domain has become so overused, i don't know what it is
anymore- a windows area of management, a dns name space,a naming
context to be replicated,a MS form of Kerberos Realm?

I'm just confused.
Sorry Dean, ignore me. To be honest, I don't know enough about
anything network related to be arguing with you or the likes of anyone
on this list.
Heck, i'm an English Lit major. i haven't even taken Comp Sci so i
guess i'm just too dense to see the difference between netbios the
protocol, netbios the name,and flat names and dns names.

My apologies.
Please don't hold it against this dim bulb who is clearly out of his depth here.

Thanks for your replies



On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 My apologies if I appeared to be yelling earlier, that wasn't my intention
 ... I guess some frustrations came out in my text, sorry about that :o(
 
 The GINA's domain list (by default) contains short or flat names (the term
 NetBIOS name currently describes the same thing but will eventually be
 replaced by either of those two ... I at least live in hope).  The list is
 populated by the NETLOGON service (if memory serves) and is not dependent
 upon NetBIOS in any way ... it merely shows the same short name.  This too
 can be changed using the following registry entries -
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 DCacheShowDomainTags=dword:0001
 DCacheShowDnsNames=dword:0001
 
 NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
 transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
 advertising presence, service and session management ... it also offers a
 transport-independent programmatic interface that permitted developers to
 write network-capable software without concerning themselves about the
 specifics of the underlying transport mechanism(s).
 
 If I may, I would wholeheartedly recommend getting yourself a series of
 shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
 yourself, it's a facility I've grown to cherish and couldn't possibly work
 without.
 
 Hope the info. proves useful!
 
 Dean
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Saturday, August 13, 2005 8:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] trust question
 
 i heard somewhere that windows 2k uses netbios to generate the drop down
 list of trusted domains when you logon.
 
 now don't yell at me, Dean, but is this true? how does it generate that list
 when you join a domain?
 there is just a lot of disinformation about netbios (is it a protocol?
 an API? A network driver?) and its role in windows today.
 
 from what you're saying, as long as each dns server has secondary zones of
 their respective domains or conditional forwarding, all should be good for a
 trust just based on dns?
 
 thanks
 
 On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
  As I said, it is indeed a common misunderstanding ... the fact that
  there's a related article published only lends weight to that point.
  It takes very little effort to test and it continues to surprise me
  when I hear of articles such as the one you've referenced (not that I
  read it since I have more than enough accurate material to plough
  through ;o)
 
  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
  Sent: Saturday, August 13, 2005 12:19 PM