RE: [ActiveDir] recommendation for bridgehead server?

2004-03-08 Thread Myrick, Todd (NIH/CIT)
If you have firewalls protecting networks, I recommend isolating them as sites, and setting up preferred bridgehead servers and site link bridges. Todd -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Saturday, March 06, 2004 4:03 PM To: [EMAIL PROTECTED] Subject:

RE: [ActiveDir] Can someone describe the cross-forest login process?

2004-03-08 Thread Michael_Parent
Would you believe we did not have to open the firewall between the resource server and the domain controller in the opposite forest? Michael Parent MCSE MCT Analyst I - Web Services ITOS - Systems Enablement Maritime Life Assurance Company (902) 453-7300 x3456 GRILLENMEIER,GUIDO

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread Myrick, Todd (NIH/CIT)
Thanks Joe, Below are the pre SP1 AD hotfixes we are testing with our deployment. These are only the ones for DCs... we also apply about 15 pre SP1 hotfixes that deal with security issues as well. E2K3 and 2K GCs Upgraded to 2K3 GCs

[ActiveDir] Autoreply: New e-mailaddress

2004-03-08 Thread Berit
Kajsa Linderborg (former address [EMAIL PROTECTED]) has a new e-mail address: [EMAIL PROTECTED] Please use this instead to get in touch with her! List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:

RE: [ActiveDir] Can someone describe the cross-forest login process?

2004-03-08 Thread Mulnick, Al
Why? What traffic is being passed then? Can we assume the use of a Kerberos trust then? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Can someone describe the cross-forest login process? Would you

FW: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread joe
Ugh. Thanks Todd. Love the LSASS leak... And yet another FRS fix that will make FRS work perfectly. :oP I would like to understand the first one better... The KB article is kind of hokey in its description. Do you know any more? Eric? Specifically this problem occurs if the

[ActiveDir] Export Group Rights at the Configuration\Services\Microsoft Exchange level

2004-03-08 Thread Kleciak, Clint D B270
Anyone have any clue on how to do this? I need a list in CSV format with all the information you would get if you went into ADSI Edit, right-clicked on Microsoft Exchange, selected Properties and then Security. If CSVDE does it, do I need to add any headers? thanks CK

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread Myrick, Todd (NIH/CIT)
Not a clue Joe, other than what is implied. Todd -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 10:06 AM To: [EMAIL PROTECTED] Subject: FW: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several

Re: [ActiveDir] Export Group Rights at the Configuration\Services\Microsoft Exchange level

2004-03-08 Thread Tony Murray
Have a look at dsacls. Tony -- Original Message -- From: Kleciak, Clint D B270 [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 8 Mar 2004 10:14:59 -0500 Anyone have any clue on how to do this? I need a list in CSV format with all the

Re: [ActiveDir] Export Group Rights at the Configuration\Services\Microsoft Exchange level

2004-03-08 Thread Tony Murray
...or acldiag.exe, which gives you the /tdo option for tab delimited output. -- Original Message -- From: Tony Murray [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 8 Mar 2004 10:26:17 -0500 Have a look at dsacls. Tony -- Original
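
The export the original poster asked for, written as an added PowerShell example that is not part of the thread and not the output of dsacls or acldiag. It assumes a domain-joined host with the RSAT ActiveDirectory module, that the target is the Exchange organisation container directly under CN=Services in the Configuration partition, and an output path under $env:TEMP; all three are assumptions, not facts from the thread. Beyond a raw dump it resolves the object-type GUIDs in each ACE (attribute, class or extended right) to their names, which is the part a CSV from ADSI Edit or CSVDE never gives you, and finishes with the filter a reviewer would start from: explicit Allow ACEs that grant full control or the right to rewrite the DACL or owner.

```powershell
# Added example (not from the thread): export the DACL of the Exchange
# configuration container to CSV, resolving object-type GUIDs to names.
# Assumes: RSAT ActiveDirectory module, domain-joined host, and that the
# container of interest is CN=Microsoft Exchange,CN=Services,<configNC>.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$target   = "CN=Microsoft Exchange,CN=Services,$configNC"   # assumed target
$outFile  = "$env:TEMP\exchange-container-acl.csv"           # assumed output path

# GUID -> name map. Attribute and class GUIDs come from the schema
# (schemaIDGUID); control-access rights such as Send-As come from the
# Extended-Rights container (rightsGuid). Keys are lowercase GUID strings.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' `
    -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

function Resolve-AceGuid {
    param([guid]$Id)
    # The empty GUID means "the whole object / all properties / all classes".
    if ($Id -eq [guid]::Empty) { return 'All' }
    $key = $Id.ToString()
    if ($guidMap.ContainsKey($key)) { return $guidMap[$key] }
    return $key     # unknown GUID: keep the raw value rather than guess
}

$acl  = Get-Acl -Path "AD:\$target"
$rows = foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        Object         = $target
        Identity       = $ace.IdentityReference.Value
        Type           = $ace.AccessControlType              # Allow / Deny
        Rights         = $ace.ActiveDirectoryRights
        ObjectType     = Resolve-AceGuid $ace.ObjectType          # what the right is over
        AppliesToClass = Resolve-AceGuid $ace.InheritedObjectType # which child class it inherits to
        Inheritance    = $ace.InheritanceType
        IsInherited    = $ace.IsInherited
    }
}
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) ACEs for $target to $outFile"

# Review starting point: explicit (non-inherited) Allow ACEs that grant
# full control, or the ability to rewrite the DACL or owner, on this
# container. Each of these is an identity that can hand itself any right.
$rows | Where-Object {
    -not $_.IsInherited -and $_.Type -eq 'Allow' -and
    ($_.Rights -match 'GenericAll|WriteDacl|WriteOwner')
} | Format-Table Identity, Rights, ObjectType -AutoSize
```

Run it as an account that can read the Configuration partition (any authenticated user can read the DACL here by default). The CSV carries one row per ACE, so a group that appears in several rows has several distinct rights, not duplicates; sort on Identity to see them together.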

[ActiveDir] gc._msdcs PTR Record

2004-03-08 Thread Michael Wassell
I don't mean to be rude to anyone. Please excuse the double post; this still has me very confused, so I thought I would repost it for anyone who may not have seen my previous post this past Friday: Recently I've done some work for the company rebuilding the DCs for concerns of naming

RE: [ActiveDir] gc._msdcs PTR Record

2004-03-08 Thread Michael Wassell
Okay, it looks like I may have found a resolution to my own question. For whatever reason dynamic updates were not enabled for the reverse DNS zone, so I've enabled secure-only updates for that zone and we'll see what happens on the next replication. Again, my apologies for the double post.

RE: [ActiveDir] Export Group Rights at the Configuration\Services\Microsoft Exchange level

2004-03-08 Thread Kleciak, Clint D B270
thank you, thank you, thank you. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 10:34 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Export Group Rights at the Configuration\Services\Microsoft Exchange level

RE: [ActiveDir] Can someone describe the cross-forest login process?

2004-03-08 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
wow - that's a nice surprise - not sure if this is a feature of NTLMv2 or if I simply had it wrong. I am pretty sure that in NT4 days the resource server would only check with its DC to see if a token trying to access it comes from a trusted domain and would then request the authentication

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread joe
Is the issue on the handling of the ntsecuritydescriptor or the msexchsecuritydescriptor? - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: (Joe Read This) [ActiveDir] AD Protected groups

2004-03-08 Thread joe
LOL. Thanks Rocky. :o) joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Friday, February 27, 2004 1:00 PM To:

RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

2004-03-08 Thread joe
Cool, that is a nice change. Any recommendations I had would be around making it less confusing / more intuitive. Shouldn't need a KB article to understand what happens when you populate the restricted group. Maybe break it up into a couple of things: 1. Replace membership 2. Add to

RE: [ActiveDir] Can someone describe the cross-forest login process?

2004-03-08 Thread joe
The way I understand it, what should have happened is that the client in A should have connected to the resource server in B, the resource server should have contacted the DC of domain B it is in (that is, the one its secure channel is to), and then that DC of B will pass-through check with a DC of domain A

RE: [ActiveDir] character limit for sAMAccountNames

2004-03-08 Thread joe
Yes, usernames still appear to be capped at 20 characters. This is also per the lmcons.h header file:
#define UNLEN 256 // Maximum user name length
#define LM20_UNLEN 20 // LM 2.0 Maximum user name length
as for groups... well they are defined the same as users in lmcons.h but

RE: [ActiveDir] Curious Exchange Server Question

2004-03-08 Thread joe
Load the tools on your workstations, stay away from loading the crap on the DC. DCs are for authentication and authorization. Let them do their job. Really no purpose to manage the domain from the DC itself. Just encourages doing bad things like getting

[ActiveDir] What is the format of an LDAP ping?

2004-03-08 Thread Geoffrey Elgey
G'day, I'm doing some LDAP queries to AD for a web application, and I'm trying to locate the closest DC using LDAP ping. A sample chapter from Understanding Active Directory Services [2] contains the following: When the client receives the SRV records, it performs a quick LDAP ping to
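
What an LDAP ping looks like on the wire, as an added PowerShell example that is not part of the thread or of the book chapter the poster cites. An LDAP ping is a base-scope search of the RootDSE (empty base DN) with a filter of the form (&(DnsDomain=<domain>)(Host=<client>)(NtVer=<flags>)) requesting the single attribute Netlogon; the DC answers with a binary NETLOGON_SAM_LOGON_RESPONSE_EX structure (documented in MS-ADTS) whose DNS and site names use RFC 1035 label compression, and whose Flags word tells you whether this DC is a GC, a KDC, writable, and, decisive for "closest DC", whether it is in the client's site. The locator normally sends this as connectionless LDAP over UDP 389; the example uses ordinary TCP LDAP, which DCs answer identically and which is simpler from managed code. The DC and domain names are assumptions; the script needs network reach to a DC, so it does not run offline.

```powershell
# Added example (not from the thread): send an LDAP ping to a DC and
# decode the NETLOGON_SAM_LOGON_RESPONSE_EX blob in the Netlogon attribute.
# Assumed names below; the layout and flag values follow MS-ADTS.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost    = 'dc1.contoso.com'   # assumed DC to ping
$dnsDomain = 'contoso.com'       # assumed DNS domain name

# Read one RFC 1035 compressed name from $Buf at $Pos, following pointers
# (offsets are relative to the start of the structure). Leaves $Pos just
# past the name as it appears in the stream, not past the pointer target.
function Read-CompressedName {
    param([byte[]]$Buf, [ref]$Pos)
    $labels = New-Object System.Collections.Generic.List[string]
    $p = $Pos.Value
    $next = -1
    while ($true) {
        $len = $Buf[$p]
        if ($len -eq 0) { $p++; break }
        if (($len -band 0xC0) -eq 0xC0) {          # 2-byte pointer
            if ($next -lt 0) { $next = $p + 2 }
            $p = (($len -band 0x3F) -shl 8) -bor $Buf[$p + 1]
            continue
        }
        $labels.Add([Text.Encoding]::UTF8.GetString($Buf, $p + 1, $len))
        $p += 1 + $len
    }
    $Pos.Value = if ($next -ge 0) { $next } else { $p }
    return ($labels -join '.')
}

function ConvertFrom-NetlogonResponse {
    param([byte[]]$Buf)
    # DS_* flag bits from MS-ADTS (subset that matters for DC selection)
    $flagNames = [ordered]@{
        0x1 = 'PDC'; 0x4 = 'GC'; 0x8 = 'LDAP'; 0x10 = 'DS'; 0x20 = 'KDC'
        0x40 = 'TIMESERV'; 0x80 = 'CLOSEST'; 0x100 = 'WRITABLE'
        0x200 = 'GOOD_TIMESERV'; 0x400 = 'NDNC'
    }
    $opcode = [BitConverter]::ToUInt16($Buf, 0)   # 0x17 = response, 0x18 = DC paused
    if ($opcode -ne 0x17 -and $opcode -ne 0x18) { throw "Unexpected opcode 0x$($opcode.ToString('x'))" }
    $flags = [BitConverter]::ToUInt32($Buf, 4)    # bytes 2-3 are Sbz (padding)
    $guid  = [guid][byte[]]$Buf[8..23]
    $pos   = 24
    $names = @{}
    foreach ($f in 'DnsForestName','DnsDomainName','DnsHostName','NetbiosDomainName',
                   'NetbiosComputerName','UserName','DcSiteName','ClientSiteName') {
        $names[$f] = Read-CompressedName $Buf ([ref]$pos)
    }
    [pscustomobject]@{
        DcHost     = $names.DnsHostName
        Domain     = $names.DnsDomainName
        Forest     = $names.DnsForestName
        DomainGuid = $guid
        DcSite     = $names.DcSiteName
        ClientSite = $names.ClientSiteName      # site the DC mapped our IP to
        Flags      = ($flagNames.Keys | Where-Object { $flags -band $_ } |
                      ForEach-Object { $flagNames[$_] }) -join ','
        IsClosest  = [bool]($flags -band 0x80)  # DC is in the client's site
        IsPaused   = ($opcode -eq 0x18)
    }
}

# The ping itself: anonymous base-scope search of RootDSE for 'Netlogon'.
# NtVer = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX (0x6), written as
# a little-endian DWORD in LDAP filter escape syntax.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dcHost)
$conn.AuthType = 'Anonymous'
$conn.SessionOptions.ProtocolVersion = 3
$filter = "(&(DnsDomain=$dnsDomain)(Host=$env:COMPUTERNAME)(NtVer=\06\00\00\00))"
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', $filter, 'Base', 'Netlogon')
$resp = $conn.SendRequest($req)
$blob = $resp.Entries[0].Attributes['Netlogon'].GetValues([byte[]])[0]
ConvertFrom-NetlogonResponse $blob
```

To pick the closest DC the way the locator does, run the ping against each host returned by the _ldap._tcp.<domain> SRV lookup and prefer a responder with IsClosest set (its DcSite equals your ClientSite); if none is, the DC has still told you which site it thinks you are in, which is the first thing to check when clients land on a DC across a WAN link.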

RE: [ActiveDir] DC Replication Bandwidth Issue

2004-03-08 Thread joe
LOL. I wouldn't expect a lot of replication unless you are making lots of changes, but you can tune it by modifying the schedule to get the max benefit out of the replication packet compression. Actually you will probably have less traffic as your logons and other things using the DCs don't have

RE: [ActiveDir] DNS Permissions

2004-03-08 Thread joe
Guido's answer aside, you kind of need to knock this one down or else you will always be back on your heels regularly. This is the kind of crap that really bogs down any real lockdown/security progress in a company. In order to get more and more secure

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread Eric Fleischman
People just don't understand how DNS works and make silly mistakes. That's why we did so much in w2k03 to hopefully have it set up automatically and, if not, give you good actionable items to follow. Netdiag was improved of course as well. -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread Eric Fleischman
It's been a while, but I think nTSecurityDescriptor. I'd need to look back at the code change to know for sure though, but I'm like 95% sure of that. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 08, 2004 6:31 PM To: [EMAIL

RE: [ActiveDir] DC Replication Bandwidth Issue

2004-03-08 Thread Eric Fleischman
I'll bite. "I wouldn't expect a lot of replication unless you are making lots of changes, but you can tune it by modifying the schedule to get the max benefit out of the replication packet compression" What does that mean? I don't see the relationship between frequency of replication and

RE: [ActiveDir] DC Replication Bandwidth Issue

2004-03-08 Thread joe
I was simply going by the idea that the less often you replicate, the more changes pile up to be replicated. The more data that has to be compressed, *generally* the better the compression ratios you get - this is standard compression algorithm magic involving the pattern reductions that can

RE: [ActiveDir] Find and delete/disable all your old computer accounts real easy

2004-03-08 Thread joe
:o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike Sent: Wednesday, February 25, 2004 11:20 AM To: '[EMAIL PROTECTED]' Subject: RE:

RE: [ActiveDir] Program Data container

2004-03-08 Thread Eric Fleischman
Maybe. I'm a HUGE ADAM guy, totally love it, but if AD does the job, why introduce another infrastructure to support? If you can do it in an app partition and that is acceptable (security, performance, etc.), why bring in another set of DSAs that need to be supported? There are plenty of reasons

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread joe
Ugh. Ok thanks Eric, I will send it to the load integrators and have them wrap it up for us. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

2004-03-08 Thread joe
Ah. I can tell you miss WINS. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, March 08, 2004 11:30 PM

RE: [ActiveDir] DC Replication Bandwidth Issue

2004-03-08 Thread Eric Fleischman
Point taken, but I'd argue your savings, over the long haul, are probably fairly small. Existent, sure, but not worth planning over. If this is really what you're looking at you're better off going to w2k03 to get lvr, SIS and tunable compression settings. As long as you're not notifying across

RE: [ActiveDir] Program Data container

2004-03-08 Thread joe
I'm a big fan of DCs primarily doing authorization/authentication. The app stuff can go somewhere else to play. :oP The more stuff you stack up on a domain controller, the more chances you have of making it so it can't do its primary job. All of the other stuff is cool and all, but if it

RE: [ActiveDir] DC Replication Bandwidth Issue

2004-03-08 Thread joe
Hmmm, you tempt me to go looking through 2/3 year old PST files to see if I can find numbers. Maybe I should just try to find my notes from the field, as I recall pages of boring numbers... I do recall the numbers being better than fairly small. But the planning part is the key thing, depends

RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos LDAP

2004-03-08 Thread joe
Yeah I was looking this over the other day... Has anyone been using the VAS product that is described. I would be curious to hear RW experiences. Our UNIX Kerberos integration folks have been fighting with multirealm issues and cert expiration with chatter about possibly having us extend

RE: [ActiveDir] KRB_AP_ERR_MODIFIED error

2004-03-08 Thread joe
Hey, your vent mode can also be MVP mode. We are here to help people and help point out issues to MS, not be cheerleaders. When they first approached me 3 or so years ago the first thing I asked was, "You don't expect me to stop bing about MS, do you?" The answer was absolutely not. As for the

RE: [ActiveDir] Local Admin to Domain Admin escalation

2004-03-08 Thread joe
I agree with Guido. It's all about physical security. Consider if they fixed that little loophole... What would you do? You obviously have done this enough that you have worked up a nice little process. You have probably described a method that 10% or better of the people on the list read and said, no

RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

2004-03-08 Thread joe
Good god Rick, you are going to scare the crap out of everyone and I'm not going to be allowed near Redmond, nor anywhere else; I am going to wear a tag that says, "Hi, my name is !joe". OK if you don't get that C humor. Although we now have a fun issue where the RUS is building