Re: Today is Tau day

2012-06-28 Thread Angus Scott-Fleming
On 28 Jun 2012 at 10:45, Kurt Buff  wrote:

> It's a much nicer constant than Pi...
> http://newsletters.networkworld.com/t/6688025/258773379/367815/0/
> 
> and especially
> http://tauday.com/
> 
> Because Pi ruined my math career, I care...

Sorry I missed it.

Forwarded to the math teachers in my family.

Maybe next year.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


Re: Office 365 and AD synchronization

2012-06-28 Thread Steve Kradel
I will vigorously agree with this... a cluster for handling ADFS2 load for
basic sign-on to SaaS is very rarely necessary, but you almost always do
want to be able to patch and reboot without making unavailable all the
stuff that now absolutely depends on federation/SSO.

--Steve

On Thu, Jun 28, 2012 at 11:52 AM, Brian Desmond wrote:

> I think 99.99% is overdoing it. I'm pretty sure there is more than .01%
> of customers who want HA for their AuthN to email, IM, SharePoint, partner
> apps, etc.
>
> Thanks,
>
> Brian Desmond
>
> br...@briandesmond.com
>
> w - 312.625.1438 | c - 312.731.3132
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, June 27, 2012 4:29 PM
> To: NT System Admin Issues
> Subject: RE: Office 365 and AD synchronization
>
> You don't need a separate machine for either dirsync or adfs. It is,
> indeed, recommended. It's also recommended to have a load-balanced adfs
> proxy, but for 99.99% of clients, that is just bollocks.
>
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Wednesday, June 27, 2012 10:28 AM
> To: NT System Admin Issues
> Subject: Office 365 and AD synchronization
>
> Getting ready to migrate a small office environment to office 365. Domain
> is 2008 R2, only 10 users. I'm reading through all the documentation and
> specifically looking at the requirement for a separate machine to host the
> Directory Synchronization tool. Anyone here do this yet with a small
> office? Just curious as to the load on the box. I'm going to create a VM
> for this but see that the minimum requirements are 4G RAM and 70G of disk
> space. That seems high to me for something like this in a very small
> environment. Curious to hear what others have seen after doing this in a
> similar environment.
>
> Also just starting to read about single sign-on. So using the AD Sync tool
> doesn't give you single sign-on? It just gets your users and groups up to
> Office 365? For what purpose, if the credentials are synched? That's what I
> don't understand yet, but I'm not done reading yet, so maybe that will
> come. So if you need AD FS for single sign-on, how was the process?
>
> Thanks,
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology: Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>


RE: Office 365 and AD synchronization

2012-06-28 Thread Michael B. Smith
:-P

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Thursday, June 28, 2012 11:52 AM
To: NT System Admin Issues
Subject: RE: Office 365 and AD synchronization

I think 99.99% is overdoing it. I'm pretty sure there is more than .01% of 
customers who want HA for their AuthN to email, IM, SharePoint, partner apps, 
etc.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith 
[mailto:mich...@smithcons.com]
Sent: Wednesday, June 27, 2012 4:29 PM
To: NT System Admin Issues
Subject: RE: Office 365 and AD synchronization

You don't need a separate machine for either dirsync or adfs. It is, indeed, 
recommended. It's also recommended to have a load-balanced adfs proxy, but for 
99.99% of clients, that is just bollocks.

From: Christopher Bodnar 
[mailto:christopher_bod...@glic.com]
Sent: Wednesday, June 27, 2012 10:28 AM
To: NT System Admin Issues
Subject: Office 365 and AD synchronization

Getting ready to migrate a small office environment to office 365. Domain is 
2008 R2, only 10 users. I'm reading through all the documentation and 
specifically looking at the requirement for a separate machine to host the 
Directory Synchronization tool. Anyone here do this yet with a small office? 
Just curious as to the load on the box. I'm going to create a VM for this but 
see that the minimum requirements are 4G RAM and 70G of disk space. That seems 
high to me for something like this in a very small environment. Curious to hear 
what others have seen after doing this in a similar environment.

Also just starting to read about single sign-on. So using the AD Sync tool 
doesn't give you single-sign on? It just gets your users and groups up to 
Office 365? For what purpose, if the credentials are synched? That's what I 
don't understand yet, but I'm not done reading yet, so maybe that will come. So 
if you need AD FS for single sign-on, how was the process?

Thanks,
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com



- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.


RE: Upgrading DC's to 2K8

2012-06-28 Thread Michael B. Smith
3.5 remove server from domain

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, June 28, 2012 2:14 PM
To: NT System Admin Issues
Subject: Upgrading DC's to 2K8

Reality check:

Empty forest root
MYDOMAIN.LOCAL
ML-DC01
ML-DC02
Then subdomain
SUBDOMAIN.MYDOMAIN.LOCAL
SML-DC01
SML-DC02

All are currently 2K3 DC's. Ideally I think we'd like to upgrade them to W2K8 
DC's and keep the same name (we have a fair amount of LDAP-y stuff that looks 
at names).

What about this plan for ML-DC01?
1. Create 2008 R2 DC ML-DC03
2. Move the FSMO/DHCP roles to ML-DC03
3. DCPROMO W2K3 ML-DC01 to member status
4. Build new 2008 R2 ML-DC01 with same name and IP, Make it a DC
5. Move FSMO roles back to ML-DC01
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: Upgrading DC's to 2K8

2012-06-28 Thread Jon Harris

I am with Kurt on this; you might as well push it to 2k8r2. Jon

> Date: Thu, 28 Jun 2012 11:32:01 -0700
> Subject: Re: Upgrading DC's to 2K8
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> > From: David Lum [mailto:david@nwea.org]
> > Sent: Thursday, June 28, 2012 2:14 PM
> > To: NT System Admin Issues
> > Subject: Upgrading DC's to 2K8
> 
> 
> 
> > What about this plan for ML-DC01?
> 
> I assume your earlier message about the uneventful schema extension
> was for this domain, and for this purpose?
> 
> > 1. Create 2008 R2 DC ML-DC03
> >
> > 2. Move the FSMO/DHCP roles to ML-DC03
> >
> > 3. DCPROMO W2K3 ML-DC01 to member status
> 
> 3b. (just to be pedantic) Shut down ML-DC01 and remove account from domain
> 
> > 4. Build new 2008 R2 ML-DC01 with same name and IP, Make it a DC
> >
> > 5. Move FSMO roles back to ML-DC01
> 
> I'm not sure of the issues surrounding the empty root, but otherwise
> this should work just fine.
> 
> Also, why 2008 and not 2008 R2?
> 
> Kurt
> 

RE: Upgrading to IIS 7.x

2012-06-28 Thread David L Herrick
Woot I think that is it - thanks

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Thursday, June 28, 2012 2:45 PM
To: NT System Admin Issues
Subject: Re: Upgrading to IIS 7.x

Haven't needed to configure one of these under IIS7, but suspect it is in the 
"Handler Mappings" section; you might also need to register it as an allowed 
CGI; along these lines 
http://geekswithblogs.net/Lance/archive/2007/12/13/how-to-run-cgi-applications-on-iis7.aspx

--Steve

On Thu, Jun 28, 2012 at 2:27 PM, David L Herrick  
wrote:
> I am sure this is easy but I have not been able to find it thus far
>
>
>
> Under "old" IIS to associate an application with extension .plc I 
> followed instructions like:
>
>
>
> Application Configuration window.  Click Add, and enter in the 
> following as your executable:
>
>
>
> c:\sunbelt\plbwin.90\code\plbwin.exe -qq -h -i {full path to INI file} 
> %s %s
>
>
>
> and .plc for the extension.  Everything else can be left as the 
> default
>
>
>
> How the heck do I do it in the current version?
>
>
>
> Thanks in advance
>
>
>
> David
>




Re: Upgrading to IIS 7.x

2012-06-28 Thread Steve Kradel
Haven't needed to configure one of these under IIS7, but suspect it is
in the "Handler Mappings" section; you might also need to register it
as an allowed CGI; along these lines
http://geekswithblogs.net/Lance/archive/2007/12/13/how-to-run-cgi-applications-on-iis7.aspx

--Steve

On Thu, Jun 28, 2012 at 2:27 PM, David L Herrick
 wrote:
> I am sure this is easy but I have not been able to find it thus far
>
>
>
> Under “old” IIS to associate an application with extension .plc I followed
> instructions like:
>
>
>
> Application Configuration window.  Click Add, and enter in the following as
> your executable:
>
>
>
> c:\sunbelt\plbwin.90\code\plbwin.exe -qq -h -i {full path to INI file} %s %s
>
>
>
> and .plc for the extension.  Everything else can be left as the default
>
>
>
> How the heck do I do it in the current version?
>
>
>
> Thanks in advance
>
>
>
> David
>




Re: Upgrading DC's to 2K8

2012-06-28 Thread Kurt Buff
> From: David Lum [mailto:david@nwea.org]
> Sent: Thursday, June 28, 2012 2:14 PM
> To: NT System Admin Issues
> Subject: Upgrading DC's to 2K8



> What about this plan for ML-DC01?

I assume your earlier message about the uneventful schema extension
was for this domain, and for this purpose?

> 1. Create 2008 R2 DC ML-DC03
>
> 2. Move the FSMO/DHCP roles to ML-DC03
>
> 3. DCPROMO W2K3 ML-DC01 to member status

3b. (just to be pedantic) Shut down ML-DC01 and remove account from domain

> 4. Build new 2008 R2 ML-DC01 with same name and IP, Make it a DC
>
> 5. Move FSMO roles back to ML-DC01

I'm not sure of the issues surrounding the empty root, but otherwise
this should work just fine.

Also, why 2008 and not 2008 R2?

Kurt



RE: Upgrading DC's to 2K8

2012-06-28 Thread John Cook
Sounds sound.  Did it here about 18 months ago

John W. Cook
System Administrator
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944

MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4


From: David Lum [mailto:david@nwea.org]
Sent: Thursday, June 28, 2012 2:14 PM
To: NT System Admin Issues
Subject: Upgrading DC's to 2K8

Reality check:

Empty forest root
MYDOMAIN.LOCAL
ML-DC01
ML-DC02
Then subdomain
SUBDOMAIN.MYDOMAIN.LOCAL
SML-DC01
SML-DC02

All are currently 2K3 DC's. Ideally I think we'd like to upgrade them to W2K8 
DC's and keep the same name (we have a fair amount of LDAP-y stuff that looks 
at names).

What about this plan for ML-DC01?
1. Create 2008 R2 DC ML-DC03
2. Move the FSMO/DHCP roles to ML-DC03
3. DCPROMO W2K3 ML-DC01 to member status
4. Build new 2008 R2 ML-DC01 with same name and IP, Make it a DC
5. Move FSMO roles back to ML-DC01
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



This email and any attached files are confidential and intended solely for the 
intended recipient(s). If you are not the named recipient you should not read, 
distribute, copy or alter this email. Any views or opinions expressed in this 
email are those of the author and do not represent those of the company. 
Warning: Although precautions have been taken to make sure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage that arise from the use of this email or attachments.


CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really need 
to.


Upgrading DC's to 2K8

2012-06-28 Thread David Lum
Reality check:

Empty forest root
MYDOMAIN.LOCAL
ML-DC01
ML-DC02
Then subdomain
SUBDOMAIN.MYDOMAIN.LOCAL
SML-DC01
SML-DC02

All are currently 2K3 DC's. Ideally I think we'd like to upgrade them to W2K8 
DC's and keep the same name (we have a fair amount of LDAP-y stuff that looks 
at names).

What about this plan for ML-DC01?
1. Create 2008 R2 DC ML-DC03
2. Move the FSMO/DHCP roles to ML-DC03
3. DCPROMO W2K3 ML-DC01 to member status
4. Build new 2008 R2 ML-DC01 with same name and IP, Make it a DC
5. Move FSMO roles back to ML-DC01
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: Wickr on corporate iPhones?

2012-06-28 Thread Kurt Buff
Ah

No.

"The security is based on a proprietary, patent pending, Digital
Security Bubble(TM) (DSB) algorithm..."

Snakeoil.

Kurt

On Thu, Jun 28, 2012 at 9:30 AM, Ziots, Edward  wrote:
> Actually according to the article they are using AES and RSA standards,
> which are available to public scrutiny (I agree if encryption was
> proprietary and not open to public scrutiny I wouldn't be advising using
> it)
>
> The Anti-Forensics capabilities might be a blessing and a curse in the
> age of BYOD in the enterprise. One way, if you can guarantee that data
> has been wiped from endpoint devices in a forensically sound manner, then
> internal data from the company that would be on the phone (PCI/PHI, etc.)
> would not be available for recovery, but by the same token if there
> is evidence that incriminates someone of a crime and it's digitally wiped
> from the system, then the evidence that would be needed in a court of
> law to prosecute is also gone.
>
> And do we still think BYOD with corporate information is a good idea?
> (IMHO:NO)
>
> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, June 28, 2012 10:02 AM
> To: NT System Admin Issues
> Subject: Re: Wickr on corporate iPhones?
>
> On Thu, Jun 28, 2012 at 9:43 AM, David Lum  wrote:
>> http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryptio
>> n-app-a-3-year-old-can-use/?tag=mncol;txt
>
>  From the app page:
>
> http://itunes.apple.com/us/app/wickr/id528962154?ls=1&mt=8
>
> "The security is based on a proprietary, patent pending, Digital
> Security Bubble(TM) (DSB) algorithm that combines military grade and
> propriety encryption algorithms and does not rely on a key distribution
> center (KDC)."
>
>  That sets off all my snake oil alarms.
>
> * Crypto which is brand-new and proprietary is by definition unproven
> * Crypto which is proprietary can't be reviewed and almost always proves
> to be broken
> * The phrase "military grade" applied to crypto is basically
> automatically bullsh!t
> * The crypto the US military does use is never commercial proprietary
>
>  Also, they spelled "proprietary" wrong.
>
> -- Ben
>



Re: Wickr on corporate iPhones?

2012-06-28 Thread Ben Scott
On Thu, Jun 28, 2012 at 12:30 PM, Ziots, Edward  wrote:
> Actually according to the article they are using AES and RSA standards,
> which are available to public scrutiny ...

  I saw that, too.  But if accurate, that means they're lying in their
product description.  Either way, it's a sign of snake oil.

  There is a *huge* amount of crypto snake oil on the market.  Good
crypto and bad crypto look about the same to non-experts[1].

-- Ben

[1] I include myself in this category, but I at least know enough to
know what I don't know.



RE: Schema upgrade/rollback

2012-06-28 Thread David Lum
No, but the other SE's half did. I should have put a smiley after my "nothing 
broke" comment.

I read a blog the other day that a schema upgrade did break something, but only 
because they went "forward then backward":
http://blogs.technet.com/b/askpfeplat/archive/2012/02/20/2008-r2-active-directory-schema-updates-lcs-ocs-and-lync.aspx

Dave

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, June 28, 2012 9:35 AM
To: NT System Admin Issues
Subject: Re: Schema upgrade/rollback

You *expected* something to break?
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Thu, Jun 28, 2012 at 11:56 AM, David Lum <david@nwea.org> wrote:
I extended our Schema last week and amazingly, nothing broke. Now, before 
deploying the first 2K8 DC I am running through this "checklist":
http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

In some cases I am going to create an equivalent GPO and turn it on. Eventually 
all W2K8 equivalent GPO's will be on and we'll know at least when we do stand 
up the first 2K8 DC it's unlikely a new GPO setting will break things.

From: Brian Desmond 
[mailto:br...@briandesmond.com]
Sent: Thursday, June 28, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

Yes - that is the only back out plan.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 11:48 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

I'm not worried in the least, my fellow non-AD educated folks have paranoia 
about what happens if something breaks so I have to give them an answer. I told 
them simply a forest restore.

From: Brian Desmond 
[mailto:br...@briandesmond.com]
Sent: Friday, June 08, 2012 2:56 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

What is it that you fear will happen that this proposed process will protect 
you from?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 2:32 PM
To: NT System Admin Issues
Subject: Schema upgrade/rollback

In this day and age of VM's, what would be the simplest way to test and 
possibly roll back a schema extension? Would this work?



1.   Power down all DC's

2.   Snapshot schema master

3.   Power up schema master

4.   Extend schema

5.   Smoke test

a.   If there are failures revert to snapshot

b.  If all checks out OK power up remaining DC's
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764





RE: Identifying service accounts that are logging in interactively

2012-06-28 Thread David Lum
I know, it was a tongue-in-cheek comment. Like you I thought there was an EventID 
description that differentiated between an interactive logon and other types.

Have you looked on http://www.ultimatewindowssecurity.com ?
Specifically: 
http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

Dave

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, June 28, 2012 9:28 AM
To: NT System Admin Issues
Subject: RE: Identifying service accounts that are logging in interactively

Keep in mind what I'm trying to do here. Not trying to figure out a way to make 
sure they can't do interactive logon. I need to prove to audit that they didn't 
logon interactively. That means a report from the security logs.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com







From: David Lum <david@nwea.org>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 06/28/2012 12:21 PM
Subject: RE: Identifying service accounts that are logging in interactively




Set a GPO to prevent them from being interactive and see what breaks :P

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, June 28, 2012 7:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

Is anyone else tasked with doing this? This is a new requirement from audit. We 
have about 1,000 accounts that are being used to run services in the 
environment. So audit is asking how we know these accounts aren't being used to 
log on interactively. All security logs are being shipped to our SIEM system. The 
question is how to identify this. My thought is that it would have to be an 
event from the member servers' security log with an event ID of 528 where the 
logon type is not 5. Environment is FFL 2003.

Initially I thought we would be able to distinguish this from just the domain 
controllers' security logs, but that does not seem to be the case. Just looking 
at the domain controller logs, there doesn't seem to be any differentiation 
between the logon types; that is captured at the machine they are logging on 
from.



If anyone has recommendations on how to do this differently or if they see a 
problem I'm missing, let me know.

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com





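The check Christopher describes (a successful logon, event ID 528 on the member server, by a service account with a logon type other than 5) written out as a small report script. This is an added example for the thread above, not code from the ntsysadmin list or from any of the posters. It assumes the member-server security events have already been exported to a one-line-per-event text format; that format, the hostnames, the account names and the timestamps are all constructed for the example. The logon-type table follows the list Edward Ziots gives later in the thread, plus types 9, 10 and 11 from Microsoft's documentation of the logon events.

```python
"""
Report service accounts that show up in non-service logons.

Added example for the thread above; it is not code from the ntsysadmin list
or from any poster. It applies the heuristic Christopher describes (a
successful logon, event ID 528 on the member server, by a service account
with a logon type other than 5) to a constructed one-line-per-event export.
The line format, hostnames, account names and timestamps are all made up;
a real SIEM export would need its own parser, but the logic is the same.
"""
import re
from collections import defaultdict

# Logon types as Edward Ziots lists them later in the thread, plus 9-11,
# which come from Microsoft's documentation of the 528/4624 logon events.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch",
    5: "Service",
    6: "Proxy",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (Terminal Services / RDP)",
    11: "CachedInteractive",
}
# Types that mean somebody with the password used the account at a console
# or in an RDP session: the ones audit cares about most.
INTERACTIVE_TYPES = {2, 7, 10, 11}

# Constructed list of service accounts (in practice, pull this from AD or
# from the service inventory).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_monitor"}

# Constructed export format:
#   <date> <time> <host> EventID=<n> User=<DOMAIN>\<user> LogonType=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"User=(?P<domain>[^\\]+)\\(?P<user>\S+) LogonType=(?P<ltype>\d+)$"
)

# Constructed sample export. 528 = successful logon, 529 = failed logon
# (Windows 2003 event IDs; 2008 and later use 4624/4625 for the same thing).
SAMPLE_LOG = """\
2012-06-28 08:01:12 SRV01 EventID=528 User=CORP\\svc_sql LogonType=5
2012-06-28 08:02:40 SRV01 EventID=528 User=CORP\\svc_backup LogonType=4
2012-06-28 09:15:03 SRV02 EventID=528 User=CORP\\svc_sql LogonType=10
2012-06-28 09:20:55 SRV02 EventID=528 User=CORP\\jsmith LogonType=2
2012-06-28 10:05:09 SRV03 EventID=528 User=CORP\\svc_monitor LogonType=2
2012-06-28 10:06:11 SRV03 EventID=529 User=CORP\\svc_monitor LogonType=2
2012-06-28 11:30:00 SRV01 EventID=528 User=CORP\\svc_backup LogonType=3
"""


def parse_line(line):
    """Parse one export line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "event_id": int(m.group("eid")),
        "domain": m.group("domain"),
        "user": m.group("user"),
        "logon_type": int(m.group("ltype")),
    }


def find_non_service_logons(text, service_accounts, success_event_ids=(528,)):
    """Return every successful logon by a service account whose logon type
    is not 5 (Service), tagged with the type name and whether it is an
    interactive type. Failed logons and non-service accounts are ignored."""
    wanted = {a.lower() for a in service_accounts}
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event_id"] not in success_event_ids:
            continue
        if ev["user"].lower() not in wanted or ev["logon_type"] == 5:
            continue
        ev["type_name"] = LOGON_TYPES.get(ev["logon_type"], "Unknown")
        ev["interactive"] = ev["logon_type"] in INTERACTIVE_TYPES
        hits.append(ev)
    return hits


def summarize(hits):
    """Count hits per account and logon type: the table to hand to audit."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in hits:
        counts[ev["user"]][ev["logon_type"]] += 1
    return {user: dict(types) for user, types in counts.items()}


if __name__ == "__main__":
    found = find_non_service_logons(SAMPLE_LOG, SERVICE_ACCOUNTS)
    for ev in found:
        verdict = "INTERACTIVE" if ev["interactive"] else "review"
        print(f"{ev['ts']} {ev['host']} {ev['domain']}\\{ev['user']} "
              f"type {ev['logon_type']} ({ev['type_name']}) -> {verdict}")
    print(summarize(found))
```

On the sample data the script flags four logons: two batch/network ones (type 4 and 3 for svc_backup) that a scheduled task or a share mapping could explain, and two genuinely interactive ones (svc_sql over RDP, svc_monitor at a console). Separating the two groups is what makes the report answerable for audit: "not type 5" is the net, the interactive types are the findings. Because the logon type is only recorded on the machine where the logon happens, the export has to come from the member servers, which is exactly what Christopher found when he looked at the domain controller logs alone.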
RE: Schema upgrade/rollback

2012-06-28 Thread Ziots, Edward
It is Microsoft Duck..

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Thursday, June 28, 2012 12:35 PM
To: NT System Admin Issues
Subject: Re: Schema upgrade/rollback

 

You *expected* something to break?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...





On Thu, Jun 28, 2012 at 11:56 AM, David Lum  wrote:

I extended our Schema last week and amazingly, nothing broke. Now,
before deploying the first 2K8 DC I am running through this "checklist":

http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

 

In some cases I am going to create an equivalent GPO and turn it on.
Eventually all W2K8 equivalent GPO's will be on and we'll know at least
when we do stand up the first 2K8 DC it's unlikely a new GPO setting
will break things.

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Thursday, June 28, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

 

Yes - that is the only back out plan.

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

w - 312.625.1438 | c   - 312.731.3132

 

From: David Lum [mailto:david@nwea.org] 
Sent: Friday, June 08, 2012 11:48 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

 

I'm not worried in the least, my fellow non-AD educated folks have
paranoia about what happens if something breaks so I have to give them
an answer. I told them simply a forest restore.

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Friday, June 08, 2012 2:56 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

 

What is it that you fear will happen that this proposed process will
protect you from?

 

Thanks,

Brian Desmond

br...@briandesmond.com  

 

w - 312.625.1438 | c   - 312.731.3132

 

From: David Lum [mailto:david@nwea.org]

Sent: Friday, June 08, 2012 2:32 PM
To: NT System Admin Issues
Subject: Schema upgrade/rollback

 

In this day and age of VM's, what would be the simplest way to test and
possibly roll back a schema extension? Would this work?

 

1. Power down all DC's
2. Snapshot schema master
3. Power up schema master
4. Extend schema
5. Smoke test
   a. If there are failures revert to snapshot
   b. If all checks out OK power up remaining DC's

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

RE: Identifying service accounts that are logging in interactively

2012-06-28 Thread Ziots, Edward
Why not put the service accounts in a group and apply a GPO that denies
logon type 2 (Logon Locally) via User Rights Assignment.

1) The common logon types are the following.

a) Logon Type (2): Console logon - interactive from the computer console
b) Logon Type (3): Network logon - network mapping (net use/net view)
c) Logon Type (4): Batch logon - scheduler
d) Logon Type (5): Service logon - service uses an account
e) Logon Type (6): Proxy Logon
f) Logon Type (7): Unlock Workstation
g) Logon Type (8): NetworkClearText (Reserved for cleartext logons over the network)
h) Logon Type (9): NewCredentials (Initiated by using the runas command with /netonly)
i) Logon Type (10): Remote Interactive (Recorded for Terminal Services logons)
j) Logon Type (11): Cached Interactive (Recorded when cached credentials are used to logon locally to a computer)
k) Logon Type (13): CachedUnlock (Recorded when the computer was unlocked and the user's credentials were verified against previously cached credentials.)

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Thursday, June 28, 2012 10:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

Is anyone else tasked with doing this? This is a new requirement from
audit. We have about 1,000 accounts that are being used to run services
in the environment. So audit is asking how we know these accounts aren't
being used to logon interactively. All security logs are being shipped
to our SIEM system. The question is how to identify this. My thought is
that it would have to be an event from the member servers' security log
with an event ID of 528 where the logon type is not 5. Environment is
FFL 2003.

Initially I thought we would be able to distinguish this from just the
domain controllers' security logs, but that does not seem to be the case.
Just looking at the domain controller logs, there doesn't seem to be any
differentiation between the logon types; that is captured at the machine
they are logging on from.

If anyone has recommendations on how to do this differently or if they
see a problem I'm missing, let me know.

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

Re: Schema upgrade/rollback

2012-06-28 Thread Andrew S. Baker
You *expected* something to break?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Jun 28, 2012 at 11:56 AM, David Lum  wrote:

>  I extended our Schema last week and amazingly, nothing broke. Now,
> before deploying the first 2K8 DC I am running through this "checklist":
>
> http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx
>
> In some cases I am going to create an equivalent GPO and turn it on.
> Eventually all W2K8 equivalent GPO's will be on and we'll know at least
> when we do stand up the first 2K8 DC it's unlikely a new GPO setting will
> break things.
>
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Thursday, June 28, 2012 8:50 AM
> To: NT System Admin Issues
> Subject: RE: Schema upgrade/rollback
>
> Yes - that is the only back out plan.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> w - 312.625.1438 | c - 312.731.3132
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Friday, June 08, 2012 11:48 PM
> To: NT System Admin Issues
> Subject: RE: Schema upgrade/rollback
>
> I'm not worried in the least; my fellow non-AD-educated folks have
> paranoia about what happens if something breaks so I have to give them an
> answer. I told them simply a forest restore.
>
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Friday, June 08, 2012 2:56 PM
> To: NT System Admin Issues
> Subject: RE: Schema upgrade/rollback
>
> What is it that you fear will happen that this proposed process will
> protect you from?
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> w - 312.625.1438 | c - 312.731.3132
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Friday, June 08, 2012 2:32 PM
> To: NT System Admin Issues
> Subject: Schema upgrade/rollback
>
> In this day and age of VM's, what would be the simplest way to test and
> possibly roll back a schema extension? Would this work?
>
> 1. Power down all DC's
> 2. Snapshot schema master
> 3. Power up schema master
> 4. Extend schema
> 5. Smoke test
>    a. If there are failures revert to snapshot
>    b. If all checks out OK power up remaining DC's
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764


RE: Wickr on corporate iPhones?

2012-06-28 Thread Ziots, Edward
Actually according to the article they are using AES and RSA standards,
which are available to public scrutiny (I agree if encryption was
proprietary and not open to public scrutiny I wouldn't be advising using
it)

The Anti-Forensics capabilities might be a blessing and a curse in the
age of BYOD in the enterprise. One way, if you can guarantee that data
has been wiped from endpoint devices in a forensically sound manner, then
internal data from the company that would be on the phone (PCI/PHI, etc.)
would not be available for recovery, but at the same token if there
is evidence that incriminates someone of a crime and it's digitally wiped
from the system, then the evidence that would be needed in a court of
law to prosecute is also gone.

And do we still think BYOD with corporate information is a good idea?
(IMHO:NO)

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, June 28, 2012 10:02 AM
To: NT System Admin Issues
Subject: Re: Wickr on corporate iPhones?

On Thu, Jun 28, 2012 at 9:43 AM, David Lum  wrote:
> http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/?tag=mncol;txt

  From the app page:

http://itunes.apple.com/us/app/wickr/id528962154?ls=1&mt=8

"The security is based on a proprietary, patent pending, Digital
Security Bubble(TM) (DSB) algorithm that combines military grade and
propriety encryption algorithms and does not rely on a key distribution
center (KDC)."

  That sets off all my snake oil alarms.

* Crypto which is brand-new and proprietary is by definition unproven
* Crypto which is proprietary can't be reviewed and almost always proves
to be broken
* The phrase "military grade" applied to crypto is basically
automatically bullsh!t
* The crypto the US military does use is never commercial proprietary

  Also, they spelled "proprietary" wrong.

-- Ben


RE: Identifying service accounts that are logging in interactively

2012-06-28 Thread Christopher Bodnar
Keep in mind what I'm trying to do here. Not trying to figure out a way to 
make sure they can't do interactive logon. I need to prove to audit that 
they didn't logon interactively. That means a report from the security 
logs. 



Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

From: David Lum
To: "NT System Admin Issues"
Date: 06/28/2012 12:21 PM
Subject: RE: Identifying service accounts that are logging in interactively



Set a GPO to prevent them from being interactive and see what breaks :P
 
From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Thursday, June 28, 2012 7:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

Is anyone else tasked with doing this? This is a new requirement from
audit. We have about 1,000 accounts that are being used to run services
in the environment. So audit is asking how we know these accounts aren't
being used to logon interactively. All security logs are being shipped
to our SIEM system. The question is how to identify this. My thought is
that it would have to be an event from the member servers' security log
with an event ID of 528 where the logon type is not 5. Environment is
FFL 2003.

Initially I thought we would be able to distinguish this from just the
domain controllers' security logs, but that does not seem to be the case.
Just looking at the domain controller logs, there doesn't seem to be any
differentiation between the logon types; that is captured at the machine
they are logging on from.

If anyone has recommendations on how to do this differently or if they
see a problem I'm missing, let me know.

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

RE: Identifying service accounts that are logging in interactively

2012-06-28 Thread David Lum
Set a GPO to prevent them from being interactive and see what breaks :P

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, June 28, 2012 7:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

Is anyone else tasked with doing this? This is a new requirement from
audit. We have about 1,000 accounts that are being used to run services
in the environment. So audit is asking how we know these accounts aren't
being used to logon interactively. All security logs are being shipped
to our SIEM system. The question is how to identify this. My thought is
that it would have to be an event from the member servers' security log
with an event ID of 528 where the logon type is not 5. Environment is
FFL 2003.

Initially I thought we would be able to distinguish this from just the
domain controllers' security logs, but that does not seem to be the case.
Just looking at the domain controller logs, there doesn't seem to be any
differentiation between the logon types; that is captured at the machine
they are logging on from.

If anyone has recommendations on how to do this differently or if they
see a problem I'm missing, let me know.

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

RE: Schema upgrade/rollback

2012-06-28 Thread David Lum
I extended our Schema last week and amazingly, nothing broke. Now, before
deploying the first 2K8 DC I am running through this "checklist":
http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

In some cases I am going to create an equivalent GPO and turn it on. Eventually 
all W2K8 equivalent GPO's will be on and we'll know at least when we do stand 
up the first 2K8 DC it's unlikely a new GPO setting will break things.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Thursday, June 28, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

Yes - that is the only back out plan.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 11:48 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

I'm not worried in the least; my fellow non-AD-educated folks have paranoia
about what happens if something breaks so I have to give them an answer. I told
them simply a forest restore.

From: Brian Desmond 
[mailto:br...@briandesmond.com]
Sent: Friday, June 08, 2012 2:56 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

What is it that you fear will happen that this proposed process will protect 
you from?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 2:32 PM
To: NT System Admin Issues
Subject: Schema upgrade/rollback

In this day and age of VM's, what would be the simplest way to test and
possibly roll back a schema extension? Would this work?

1. Power down all DC's
2. Snapshot schema master
3. Power up schema master
4. Extend schema
5. Smoke test
   a. If there are failures revert to snapshot
   b. If all checks out OK power up remaining DC's

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

RE: Office 365 and AD synchronization

2012-06-28 Thread Brian Desmond
I think 99.99% is overdoing it. I'm pretty sure there is more than .01% of 
customers who want HA for their AuthN to email, IM, SharePoint, partner apps, 
etc.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, June 27, 2012 4:29 PM
To: NT System Admin Issues
Subject: RE: Office 365 and AD synchronization

You don't need a separate machine for either dirsync or adfs. It is, indeed,
recommended. It's also recommended to have a load-balanced adfs proxy, but for
99.99% of clients, that is just bollocks.

From: Christopher Bodnar 
[mailto:christopher_bod...@glic.com]
Sent: Wednesday, June 27, 2012 10:28 AM
To: NT System Admin Issues
Subject: Office 365 and AD synchronization

Getting ready to migrate a small office environment to office 365. Domain is 
2008 R2, only 10 users. I'm reading through all the documentation and 
specifically looking at the requirement for a separate machine to host the 
Directory Synchronization tool. Anyone here do this yet with a small office? 
Just curious as to the load on the box. I'm going to create a VM for this but 
see that the minimum requirements are 4G RAM and 70G of disk space. That seems 
high to me for something like this in a very small environment. Curious to hear 
what others have seen after doing this in a similar environment.

Also just starting to read about single sign-on. So using the AD Sync tool 
doesn't give you single-sign on? It just gets your users and groups up to 
Office 365? For what purpose, if the credentials are synched? That's what I 
don't understand yet, but I'm not done reading yet, so maybe that will come. So 
if you need AD FS for single sign-on, how was the process?

Thanks,
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

RE: Schema upgrade/rollback

2012-06-28 Thread Brian Desmond
Yes - that is the only back out plan.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 11:48 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

I'm not worried in the least; my fellow non-AD-educated folks have paranoia
about what happens if something breaks so I have to give them an answer. I told
them simply a forest restore.

From: Brian Desmond 
[mailto:br...@briandesmond.com]
Sent: Friday, June 08, 2012 2:56 PM
To: NT System Admin Issues
Subject: RE: Schema upgrade/rollback

What is it that you fear will happen that this proposed process will protect 
you from?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 2:32 PM
To: NT System Admin Issues
Subject: Schema upgrade/rollback

In this day and age of VM's, what would be the simplest way to test and
possibly roll back a schema extension? Would this work?

1. Power down all DC's
2. Snapshot schema master
3. Power up schema master
4. Extend schema
5. Smoke test
   a. If there are failures revert to snapshot
   b. If all checks out OK power up remaining DC's

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

Identifying service accounts that are logging in interactively

2012-06-28 Thread Christopher Bodnar
Is anyone else tasked with doing this? This is a new requirement from
audit. We have about 1,000 accounts that are being used to run services
in the environment. So audit is asking how we know these accounts aren't
being used to logon interactively. All security logs are being shipped
to our SIEM system. The question is how to identify this. My thought is
that it would have to be an event from the member servers' security log
with an event ID of 528 where the logon type is not 5. Environment is
FFL 2003.

Initially I thought we would be able to distinguish this from just the
domain controllers' security logs, but that does not seem to be the case.
Just looking at the domain controller logs, there doesn't seem to be any
differentiation between the logon types; that is captured at the machine
they are logging on from.

If anyone has recommendations on how to do this differently or if they
see a problem I'm missing, let me know.

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com

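The report Christopher is asking for, and the logon-type table Edward posted in reply, as an added example that is not code from anyone on the list: it parses a few constructed 2003-style event 528 lines in the shape a SIEM might hold them from member servers, keeps only known service accounts, and lists every logon whose Logon Type is not 5. It goes a step beyond the thread by splitting that "not 5" set into keyboard types (console, RDP, unlock) and batch/network types, which an auditor usually wants reviewed separately. The one-line event layout, the account names, and the hostnames are all made up for the example.

```python
"""Report service-account logons that are not service logons (Logon Type 5).

Added example, not code from the list: it reads Windows Server 2003 style
Security log event 528 ("Successful Logon") lines as a SIEM might forward them
from member servers, and lists every logon by a known service account whose
Logon Type is anything other than 5. The account names, hostnames and the
one-line event layout below are constructed for this example.
"""
import re
from collections import defaultdict

# Logon type numbers and names as listed in the thread (2003-era numbering).
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch",
    5: "Service",
    6: "Proxy",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (Terminal Services)",
    11: "CachedInteractive",
    13: "CachedUnlock",
}

# Types that mean a person was at a keyboard, locally or over RDP. Batch (4)
# and network (3) are "not 5" too, but usually have a legitimate explanation
# (scheduled tasks, the service reaching a file share), so report them apart.
KEYBOARD_TYPES = {2, 7, 10, 11, 13}

# Constructed sample. The 672 line stands in for a DC-side Kerberos ticket
# event: it carries no Logon Type, which is why the DC logs alone cannot
# answer the auditor's question and the member-server 528 events are needed.
SAMPLE_EVENTS = """\
2012-06-28 08:01:12 SRV01 EventID=528 User Name: svc_backup Domain: CORP Logon Type: 5 Logon Process: Advapi Workstation Name: SRV01
2012-06-28 08:03:40 SRV02 EventID=528 User Name: svc_sql Domain: CORP Logon Type: 5 Logon Process: Advapi Workstation Name: SRV02
2012-06-28 09:15:02 SRV02 EventID=528 User Name: svc_sql Domain: CORP Logon Type: 10 Logon Process: User32 Workstation Name: SRV02
2012-06-28 09:20:55 WS117 EventID=528 User Name: SVC_BACKUP Domain: CORP Logon Type: 2 Logon Process: User32 Workstation Name: WS117
2012-06-28 09:21:10 SRV03 EventID=528 User Name: svc_etl Domain: CORP Logon Type: 4 Logon Process: Advapi Workstation Name: SRV03
2012-06-28 09:30:00 SRV03 EventID=528 User Name: jsmith Domain: CORP Logon Type: 2 Logon Process: User32 Workstation Name: SRV03
2012-06-28 09:31:00 DC01 EventID=672 User Name: svc_sql Domain: CORP Service Name: krbtgt
"""

# Constructed list of service accounts (the thread has about 1,000 of them).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_etl"}

EVENT_528 = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) EventID=528 "
    r"User Name: (?P<user>\S+) Domain: (?P<domain>\S+) "
    r"Logon Type: (?P<ltype>\d+) Logon Process: (?P<proc>\S+) "
    r"Workstation Name: (?P<wks>\S+)$"
)


def parse_528(line):
    """Return the fields of one event-528 line, or None for any other line."""
    m = EVENT_528.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ltype"] = int(ev["ltype"])
    ev["user"] = ev["user"].lower()  # SAM account names are case-insensitive
    return ev


def non_service_logons(log_text, service_accounts):
    """Every successful logon by a service account with Logon Type != 5.

    Returns a list of (user, host, logon_type, type_name, timestamp) in log order.
    """
    accounts = {a.lower() for a in service_accounts}
    hits = []
    for line in log_text.splitlines():
        ev = parse_528(line)
        if ev is None or ev["user"] not in accounts or ev["ltype"] == 5:
            continue
        hits.append((ev["user"], ev["host"], ev["ltype"],
                     LOGON_TYPES.get(ev["ltype"], "Unknown"), ev["ts"]))
    return hits


def keyboard_logons(hits):
    """Narrow the 'not 5' list to console/RDP/unlock types, which is what an
    auditor normally means by 'interactive'."""
    return [h for h in hits if h[2] in KEYBOARD_TYPES]


def types_per_account(log_text, service_accounts):
    """Logon types seen per service account, for the positive side of the
    report: an account whose only type is 5 is the clean case."""
    accounts = {a.lower() for a in service_accounts}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_528(line)
        if ev and ev["user"] in accounts:
            seen[ev["user"]].add(ev["ltype"])
    return {u: sorted(t) for u, t in seen.items()}


if __name__ == "__main__":
    hits = non_service_logons(SAMPLE_EVENTS, SERVICE_ACCOUNTS)
    print("Service-account logons with Logon Type != 5:")
    for user, host, ltype, name, ts in hits:
        flag = "KEYBOARD" if ltype in KEYBOARD_TYPES else "review"
        print(f"  {ts}  {user:<12} {host:<6} type {ltype:<2} {name:<38} {flag}")
    print("Logon types seen per account:",
          types_per_account(SAMPLE_EVENTS, SERVICE_ACCOUNTS))
```

Pointing `SAMPLE_EVENTS` at an export from the SIEM in the same field order gives the per-account list audit wants; anything in the batch or network bucket still needs a human to confirm it is a scheduled task or a share mount rather than a person.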

Re: Wickr on corporate iPhones?

2012-06-28 Thread Kurt Buff
Uh, yeah. +27

It pegs the bullshit meter fer sher.

Kurt

On Thu, Jun 28, 2012 at 7:01 AM, Ben Scott  wrote:
> On Thu, Jun 28, 2012 at 9:43 AM, David Lum  wrote:
>> http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/?tag=mncol;txt
>
>  From the app page:
>
> http://itunes.apple.com/us/app/wickr/id528962154?ls=1&mt=8
>
> "The security is based on a proprietary, patent pending, Digital
> Security Bubble(TM) (DSB) algorithm that combines military grade and
> propriety encryption algorithms and does not rely on a key
> distribution center (KDC)."
>
>  That sets off all my snake oil alarms.
>
> * Crypto which is brand-new and proprietary is by definition unproven
> * Crypto which is proprietary can't be reviewed and almost always
> proves to be broken
> * The phrase "military grade" applied to crypto is basically
> automatically bullsh!t
> * The crypto the US military does use is never commercial proprietary
>
>  Also, they spelled "proprietary" wrong.
>
> -- Ben

Re: Wickr on corporate iPhones?

2012-06-28 Thread Ben Scott
On Thu, Jun 28, 2012 at 9:55 AM, Paul Hutchings
 wrote:
> Is encrypting texts that much use to most folks?

  "Useful" is ill-defined, but certainly people send information in
cleartext over SMS which they prolly wouldn't want disclosed.  (But
people do the same with email and snail mail, which is why I hedge on
"useful".)

-- Ben



Re: Wickr on corporate iPhones?

2012-06-28 Thread Ben Scott
On Thu, Jun 28, 2012 at 9:43 AM, David Lum  wrote:
> http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/?tag=mncol;txt

  From the app page:

http://itunes.apple.com/us/app/wickr/id528962154?ls=1&mt=8

"The security is based on a proprietary, patent pending, Digital
Security Bubble(TM) (DSB) algorithm that combines military grade and
propriety encryption algorithms and does not rely on a key
distribution center (KDC)."

  That sets off all my snake oil alarms.

* Crypto which is brand-new and proprietary is by definition unproven
* Crypto which is proprietary can't be reviewed and almost always
proves to be broken
* The phrase "military grade" applied to crypto is basically
automatically bullsh!t
* The crypto the US military does use is never commercial proprietary

  Also, they spelled "proprietary" wrong.

-- Ben



RE: Wickr on corporate iPhones?

2012-06-28 Thread Paul Hutchings
Does it serve that much purpose I wonder?  Is encrypting texts that much use to 
most folks?

From: David Lum [mailto:david@nwea.org]
Sent: 28 June 2012 14:44
To: NT System Admin Issues
Subject: Wickr on corporate iPhones?

Could this be workable in a corporate environment I wonder? Specifically how 
hard would it be for a Help desk team to configure this for employees (assuming 
a corporate iPhone).
http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/?tag=mncol;txt
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: Backup a DC

2012-06-28 Thread David Lum
Nope I sure don't mind the command line.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, June 27, 2012 2:25 PM
To: NT System Admin Issues
Subject: RE: Backup a DC

Windows server backup is amazingly powerful, if you don't mind dropping to the 
command line.

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, June 27, 2012 11:58 AM
To: NT System Admin Issues
Subject: RE: Backup a DC

Cool, I was thinking just the AD guys should be able to backup/restore; I hadn't 
considered not using TSM for DC recovery options, but I like that idea.

I got the HelpDesk folks out of DA's years ago, this latest development lets me 
kick out the other SE's from being DA's which has been a point of contention 
for me for YEARS!

Dave

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, June 27, 2012 8:31 AM
To: NT System Admin Issues
Subject: RE: Backup a DC

Only your fully qualified AD admins should have backup/restore rights on the 
DCs. Period. Double check the user rights assignment as well. You have your DR 
plan all documented and tested too, right? 

Do you even need TSM? We don't use it because it doesn't fit in our DR plan and 
because of the attendant security holes.

If you have people in the other built-in *Operator groups, they should also be 
addressed.

Hope you got the helpdesk folks out by now too

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, June 27, 2012 8:17 AM
To: NT System Admin Issues
Subject: Backup a DC

How do you guys handle permissions for backup and restore of a domain 
controller? I somehow got to be the AD lead on our newly formed Active 
Directory team, and one thing I get to do is pare back Domain Admin 
membership!

Our Tivoli backup person is DA for the *sole* purpose of backup/restore of our 
DC's and I'm thinking that can be addressed.
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
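As an added example (not code from anyone in this thread), here is a PowerShell audit covering the two checks Bob raises: who sits in the built-in *Operator groups, and who actually holds the backup/restore user rights on the DC. It assumes the ActiveDirectory RSAT module is present and that it runs on a DC, since secedit exports the effective policy of the machine it runs on.

```powershell
# Added example, not from the thread: audit who can back up / restore a DC.
# Assumes the ActiveDirectory module (RSAT) and that this runs on a DC, so
# the secedit export reflects the effective Default Domain Controllers Policy.
Import-Module ActiveDirectory

# Built-in groups that grant privileged access on DCs. Domain Admins and
# Administrators are implicitly allowed anyway; nested members are expanded.
$operatorGroups = 'Backup Operators', 'Server Operators',
                  'Account Operators', 'Print Operators'

foreach ($g in $operatorGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members) {
        Write-Warning ("{0} has {1} member(s): {2}" -f $g, @($members).Count, ($members -join ', '))
    } else {
        Write-Output "$g is empty (good)"
    }
}

# User rights assignment: who holds SeBackupPrivilege / SeRestorePrivilege.
# secedit writes an INF whose [Privilege Rights] section lists SIDs prefixed '*'.
$inf = Join-Path $env:TEMP 'dc-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf |
          Where-Object { $_ -match '^(SeBackupPrivilege|SeRestorePrivilege)\s*=' }

foreach ($line in $rights) {
    $name, $value = $line -split '=', 2
    $holders = $value.Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            # Resolve the SID to a readable account/group name
            (New-Object System.Security.Principal.SecurityIdentifier($id)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }   # unresolvable SID or plain name: leave as-is
    }
    Write-Output ("{0}: {1}" -f $name.Trim(), ($holders -join ', '))
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Anything listed beyond the AD admin group (or a tightly scoped backup group) is a candidate for removal, and a TSM service account showing up here is exactly the case David describes.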



Re: OT - Clean Joke -

2012-06-28 Thread Don Kuhlman
Wow - that's been a while :)



From: Michael B. Smith
To: NT System Admin Issues
Sent: Wednesday, June 27, 2012 4:23 PM
Subject: RE: OT - Clean Joke -

Honestly, I have a printed copy of this joke (with minor changes appropriate 
for changing technology), from Usenet, dated October, 1981.

It was (perhaps), more timely then – long before AutoSave. :)

From: Don Kuhlman [mailto:drkuhl...@yahoo.com] 
Sent: Wednesday, June 27, 2012 12:01 PM
To: NT System Admin Issues
Subject: OT - Clean Joke -
 
This is one of the best clean jokes I've seen in a while!
 
 
Jesus and Satan were having an on-going argument about who was better on the 
computer.
 
They had been going at it for days, and frankly God was tired of hearing all 
the bickering.
 
Finally fed up, God said, 'THAT'S IT! I have had enough. I am going to set up a 
test that will run for two hours, and from those results, I will judge who does 
the better job.'
 
So Satan and Jesus sat down at the keyboards and typed away. They moused. They 
faxed. They e-mailed. They e-mailed with attachments... They downloaded. They 
did spreadsheets! They wrote reports. They created labels and cards. They 
created charts and graphs. They did some genealogy reports. They did every job 
known to man. Jesus worked with heavenly efficiency and Satan was faster than 
hell. Then, ten minutes before their time was up, lightning suddenly flashed 
across the sky, thunder rolled, rain poured, and, of course, the power went 
off... Satan stared at his blank screen and screamed every curse word known in 
the underworld. Jesus just sighed. Finally, the electricity came back on, 
and each of them restarted their computers. Satan started searching 
frantically, screaming: 'It's gone! It's all GONE! I lost everything when the 
power went out!' Meanwhile, Jesus quietly started printing out all of his files 
from the past two hours of work. Satan observed this and became irate. 'Wait!' 
he screamed. 'That's not fair! He cheated! How come he has all his work and I 
don't have any?' God just shrugged and said, 'JESUS SAVES...'