Actually one of the books is by Mika and Sakari. Mika/Sakari used to do NDS
training so have quite a few references. That would be the Inside Active
Directory book. Again, you should be familiar with the ground concepts before
diving into that one as it gets deep fast.

   joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, May 13, 2004 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Global Catalogs are global catalogs. Period. There is no real distinction
between domains when it comes to Global Catalogs. Here's why...

GCs are read only, but only through "normal" (i.e. user) interaction.
Something has to be able to write to the GC on every DC in a forest, and
that something is the System account. By launching a process as System
(which anyone with admin privs to ANY DC in ANY domain could do), you can
modify the contents of a Universal Group (which exists in the GC). So,
you're not elevating privs in the root. You're using existing privileges to
inject an account into a Uni Group, to own the world.

We realize you're not trying to hack AD. We're trying to explain to you what
the reality is vs. what the documentation says happens.

The books that Joe mentioned (both by Robbie Allen, I believe) are well
worth your time and money. I also think that the Microsoft "Building
Enterprise Active Directory Services: Notes from the Field" book might be
worth it. There are some sections written there that compare concepts
between AD and NDS, which might help you make that transition.

Links to most of the books recommended here over time are available here:
http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index&req=view_subcat&sid=7
(link may wrap - this will take you there as well: http://tinyurl.com/28j9n)

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
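
The detection a defender would want for the universal-group issue Roger describes, as an added example that is not from this thread: it parses constructed Windows security-audit records (event 4756, member added to a security-enabled universal group) and raises an alert for every change to a forest-wide universal group, marking changes made from, or adding members from, a domain other than the forest root. The forest root name CORP, the CHILD domain, the key=value record layout and all sample values are assumptions.

```python
import re
from dataclasses import dataclass, field

FOREST_ROOT = "CORP"  # assumed forest root NetBIOS name (constructed)
# Universal groups held in the GC whose membership means control of the forest.
PRIVILEGED_UNIVERSAL_GROUPS = {"enterprise admins", "schema admins"}
# Constructed sample records (not real log output); field names follow Windows
# security events 4756/4728. Record 1 models the thread's scenario: a change made
# as SYSTEM on a child-domain DC, so the actor is that DC's computer account.
SAMPLE_EVENTS = """\
EventID=4756 SubjectUserName=CHILDDC1$ SubjectDomainName=CHILD TargetUserName=Enterprise Admins TargetDomainName=CORP MemberName=CN=tom,OU=Users,DC=child,DC=corp,DC=local
EventID=4756 SubjectUserName=rootadmin SubjectDomainName=CORP TargetUserName=Enterprise Admins TargetDomainName=CORP MemberName=CN=svc-ops,OU=Admins,DC=corp,DC=local
EventID=4728 SubjectUserName=tom SubjectDomainName=CHILD TargetUserName=Domain Admins TargetDomainName=CHILD MemberName=CN=helpdesk,OU=Users,DC=child,DC=corp,DC=local
EventID=4756 SubjectUserName=rootadmin SubjectDomainName=CORP TargetUserName=Schema Admins TargetDomainName=CORP MemberName=CN=joe,OU=Users,DC=child,DC=corp,DC=local
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces

@dataclass
class Alert:
    event_id: int
    group: str
    member_dn: str
    actor: str  # DOMAIN\name of the principal that made the change
    reasons: list = field(default_factory=list)

def domain_of_dn(dn):
    """Upper-cased first DC= component of a distinguished name, e.g. 'CHILD'."""
    m = re.search(r"DC=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).upper() if m else ""

def detect(lines):
    """Alert on every membership change to a forest-wide privileged universal group."""
    alerts = []
    for line in lines:
        ev = dict(FIELD_RE.findall(line))
        group = ev.get("TargetUserName", "")
        if group.lower() not in PRIVILEGED_UNIVERSAL_GROUPS:
            continue  # e.g. a child domain's own Domain Admins: not forest-wide
        actor_domain = ev.get("SubjectDomainName", "").upper()
        member_dn = ev.get("MemberName", "")
        alert = Alert(int(ev["EventID"]), group, member_dn,
                      f"{actor_domain}\\{ev.get('SubjectUserName', '')}",
                      ["privileged universal group membership changed"])
        if actor_domain != FOREST_ROOT:  # the child-DC-as-SYSTEM case above
            alert.reasons.append("change made from outside the forest root domain")
        if domain_of_dn(member_dn) != FOREST_ROOT:
            alert.reasons.append("new member belongs to a child domain")
        alerts.append(alert)
    return alerts
```

Run it with `detect(SAMPLE_EVENTS.splitlines())`: the child-domain Domain Admins record is ignored, the three Enterprise/Schema Admins records each produce an alert, and the first carries all three reasons.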
 

> -----Original Message-----
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 1:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> You mean writing oneself into a GC in the root domain? It's my 
> understanding that GCs have a subset of all AD, but only have a 
> read-only version of the domain partition they are not a member of. So 
> I couldn't just write myself into a GC in my domain for a uni group 
> from another domain, no?
> As stated earlier, I don't want to "hack" my AD forest so please don't 
> divulge any info you feel is compromising to AD security. I just want 
> to be clear on and learn some AD internals I can't really seem to find 
> in any book. I guess this is one of them, so if you can clarify 
> without giving away a hack or hole, that would be great (if that's at 
> all possible).
> Thanks
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 1:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> Basically, it's because the GC (which is the same on all domain 
> controllers within a forest) is writable on every domain, anyone with 
> Domain Admin privs can write themselves into Universal Groups - one of 
> which is Enterprise Admins - through a relatively trivial process 
> (there are scripts available on the Internet, I believe).
> 
> Last I checked, that means the child domain admin now has what amounts 
> to local admin rights on every DC in every domain in the forest. In 
> other words, they now 0wn your forest.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -----Original Message-----
> > From: Kern, Tom [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 10:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > How would one force an escalation of privileges? Is this just taking 
> > advantage of a security hole in AD? Or is this standard ability? A 
> > backdoor to prevent a lockout, like the ability to change a domain 
> > admin pw if you're physically at the machine with a linux boot disk?
> > And if it's a flaw, why hasn't it been fixed by MS?
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 9:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > You'd be very, very wrong. Through *standard* practices, you're 
> > correct.
> > However, you have sufficient rights to force an escalation of 
> > privileges and insert your account into the Enterprise Admins 
> > group....
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -----Original Message-----
> > > From: Kern, Tom [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 13, 2004 9:16 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] A root dc question
> > > 
> > > 1. What do you mean by "an admin in any domain has the power of 
> > > being an Enterprise admin"? I, being a domain admin of a child 
> > > domain, do not have the power to put myself into the Enterprise 
> > > admins group. A domain or enterprise admin in the root domain 
> > > would have to do that for me.
> > >  
> > > Also, as a domain admin in a child domain, I'm kinda limited to 
> > > the damage I could do to the forest, no? I mean, I could screw up 
> > > my domain royally, but I can't really do anything to screw up the 
> > > forest (and completely hosing my domain would only cause 
> > > replication errors generated in event logs and some repointing of 
> > > exchange servers to different GCs). I can't modify the schema or 
> > > install an app that does it for me. I can't link a wrong headed 
> > > GPO to a site or create one on the root or any other domain. I 
> > > can't create a site or subnet.
> > > And if I crashed and burned all my DCs wouldn't AD remove them 
> > > permanently after 60 days?
> > > 
> > > I'm sorry to belabour the point here and waste your time, but I 
> > > really want to make a good case for our IT dept to have enterprise 
> > > admin access and show why multiple separate domain admins for 
> > > multiple domains is not a good idea, as well as further my 
> > > knowledge of what can and can't be done and what can and can't be 
> > > screwed up.
> > > I'd like to convince everyone that playing nice is in our best 
> > > interest.
> > > Thanks, and again, I apologize for rehashing old posts.
> > > 
> > > -----Original Message-----
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 13, 2004 8:34 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] A root dc question
> > > 
> > > 
> > > Wow this is like déjà vu, I swear we went through this whole 
> > > thought process a month or two ago on here....
> > > 
> > > The quick summary (no I will not spout the whole thing, it should 
> > > be in the archives) of what I recall:
> > > 
> > > 1. An admin in any domain has the power of being an Enterprise Admin;
> > > domains ARE NOT security boundaries. Each child domain should not have
> > > different admins because that can result in chaos and possible 
> > > danger to the entire forest.
> > > 
> > > 2. You can not do DR testing with just a child domain. 
> > > 
> > > 3. Either your corp IT has to be involved with your DR testing or 
> > > you should redesign into multiple forests.
> > > 
> > > 
> > > 
> > >  
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > > Sent: Wednesday, May 12, 2004 4:37 PM
> > > To: ActiveDir (E-mail)
> > > Subject: [ActiveDir] A root dc question
> > > 
> > > My apologies if this seems basic and/or silly.
> > > 
> > > Aside from creating new domains or modifying the schema, why would an 
> > > admin need access to the root DC of a forest (the schema, domain 
> > > naming master)? Furthermore, why would an admin in a child domain 
> > > need enterprise admin privileges?
> > > 
> > > I only ask because we had issues with our test DR run wherein we 
> > > didn't have access to the root domain and/or a test root domain 
> > > vmware'd on a laptop and it ended miserably.
> > > I am in the process of convincing the higher ups in my corp of 
> > > letting our IT dept have enterprise admin access. 
> > > I'd like to make a case for us as to why we would need this account 
> > > with concrete examples (aside from the DR one), ones that a semi 
> > > tech aware CIO could relate to. 
> > > What other compelling reasons would one need these rights for in day 
> > > to day (or not so day to day) AD administration? 
> > > 
> > > We are a multi-domain (14) win2k forest in mixed mode with Exchange 
> > > 2k in native mode.
> > > 
> > > Thank you in advance for any assistance.
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > List archive: 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > 
> > > 
> > 
> 
