I just pop a hub in between the DC and the switch and then tie my laptop with ethereal running into the hub. I'm with you... I don't like running anything on DCs. I've found that I can unplug a DC, plug in a small hub, and plug it all back together without losing connectivity, assuming I don't drop the cable while I'm doing it... :-)
**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:11 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> I just looked at ethereal and I hate the fact that you need to install
> winpcap on a DC. I actually hate installing anything on a DC for that
> matter. I'm trying to do all the damage control I can do over here;
> knowing how completely paranoid you are <g> you'd probably fire
> everybody around here if you had the power :) Things I wouldn't have
> done myself during the beta of NT5.0 (given the little knowledge I had
> about AD back then)
>
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 11 March 2005 13:50
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Heh. I was so hip on giving help on how to look for this in a sniffer
> that I completely missed the GC in a DMZ point. Oy. I am getting old or
> tired or both.
>
> Yes, do not put a GC in the DMZ. Yes, do use AD/AM, especially if all
> the provider needs is a list of valid email addresses or something along
> those lines. That should be an exceedingly simple sync to perform.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 1:19 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> I was toying with the idea of using ADAM myself but the admins around
> here (only been here a few months) don't have any notion whatsoever of
> security boundaries. You don't want to know the rest ;-)
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: 11 March 2005 13:12
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> While we haven't outsourced our anti-spam stuff, we're in the same boat
> with the AD address validation. We're likely going to spin up an ADAM
> instance and have the queries run against that, so that 1) we can
> control what information the anti-spam software has access to and 2)
> it's not directly touching our DCs/GCs. It also lets you keep your DCs
> out of the DMZ. Something you may want to consider...
>
> Hunter
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 10:55 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Thanks for the reply Joe! The url provided was extremely helpful. The
> reason I'm asking all of this is because the management has decided to
> outsource anti-spam technology to a 3rd party that uses our AD to
> validate e-mail addresses. Unfortunately their "security through
> obscurity" methods are scaring the crap out of me. They won't disclose
> the type of bind they are doing against one of our GCs in the DMZ. I
> guess I could sniff the incoming traffic and figure out what type of
> bind they are doing?
>
> Thanks,
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 11 March 2005 12:17
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Depends on the auth options chosen. By default, ldp will use kerberos
> as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE which
> is a generic security services (GSS - SPNEGO) provider and will try
> different mechanisms starting out with kerberos but NTLM is also an
> option there. You can force it to bind with a simple bind though which
> is clear text passwords.
>
> See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_bind_s.asp
> and look in the remarks section.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:43 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Thanks for the reply joe, however one last question remains:
>
> Is the process of binding to the GC (in the case I'm connecting to port
> 3268) different from say: A user authentication to AD when logging on to
> a workstation? Does it use the same kerberos ticket system?
>
> Thanks!!
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 11 March 2005 11:28
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> You have two major functions in this area
>
> 1. Connect. This is where you specify the server, port, and network
> protocol you want to use. If you select connectionless you are using
> UDP, otherwise you are using TCP. For most folks, UDP is useless, so
> you may not want to play with it too much. You can also specify an SSL
> connection. Until you work out the basics, don't worry about it.
>
> 2. Bind. This is where you specify the ID you want to connect to AD
> with and the authentication mechanism you want to use. The calls are
> all going against the server/port that you specified in 1. Note that
> you can't authenticate a UDP connection (just one reason why you don't
> generally want to play with UDP).
>
> Some apps combine that all together in the background so you don't see
> it such as my adfind command line tool. You simply specify what you
> want and off it goes and handles the binding and connecting and
> everything else for you.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:03 AM
> To: [email protected]
> Subject: [ActiveDir] Binding to ldap process..
>
> Hi,
>
> I'm trying to understand the process of binding to an ldap server. I'm
> toying with ldp.exe and I'd like to know a little bit more about the
> different bind options...
>
> If you decide to connect to port 3268 to query the GC and then decide
> to bind do you bind on port 389 or continue to authenticate to the GC?
> You see, I'm just a wee bit confused as to what happens in the
> background :)
>
> Thanks,
> Francis Ouellet

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
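Two points in the thread can only be settled from the wire: joe's distinction between a simple bind (the password travels in the clear) and LDAP_AUTH_NEGOTIATE (GSS-SPNEGO, Kerberos first with NTLM as the fallback), and Francis's idea of sniffing the vendor's traffic to the GC to learn which one it uses. The following is an added example, not code posted by anyone in the thread: it decodes the BER of an LDAP BindRequest as a sniffer (ethereal on a hub-tapped laptop, as described above) would capture it from the TCP payload to port 389 or 3268, and classifies the bind. The two sample PDUs, the service-account DN and the password are constructed in the file, not taken from any real directory.

```python
# Classify captured LDAP BindRequest PDUs (RFC 4511) by bind type.
# Added example for this thread, not code posted by any participant. The sample
# PDUs, account name and password below are constructed, not from a real directory.
from typing import Any, Dict, Iterator, List, Tuple

# BER tags found in an LDAP BindRequest and in a GSS-API/SPNEGO token
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID = 0x30, 0x02, 0x04, 0x06
TAG_BIND_REQUEST = 0x60          # [APPLICATION 0] BindRequest; same octet as GSS InitialContextToken
TAG_AUTH_SIMPLE, TAG_AUTH_SASL = 0x80, 0xA3   # AuthenticationChoice simple [0] / sasl [3]
TAG_CTX0, TAG_CTX2 = 0xA0, 0xA2  # SPNEGO negTokenInit [0] and mechTypes [0]; mechToken [2]

# GSS mechanism OIDs as DER content octets
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos V5", OID_NTLMSSP: "NTLMSSP"}

def tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the BER TLVs in buf (single-octet tags, definite lengths, as LDAP requires)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                 # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV; used here only to build the constructed sample PDUs."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def gss_mechanisms(creds: bytes) -> List[str]:
    """Name the mechanism(s) offered in GSS-SPNEGO/GSSAPI SaslCredentials, in client preference order."""
    if creds.startswith(b"NTLMSSP\x00"):  # bare NTLM token, no SPNEGO wrapper
        return ["NTLMSSP"]
    if not creds or creds[0] != TAG_BIND_REQUEST:
        return ["unrecognized"]
    (_, body), = tlvs(creds)              # InitialContextToken: mechanism OID, then the token
    items = list(tlvs(body))
    if items[0][1] != OID_SPNEGO:         # a single mechanism, e.g. a raw Kerberos AP-REQ
        return [MECH_NAMES.get(items[0][1], "unknown OID")]
    # SPNEGO: negTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
    neg_init = dict(tlvs(items[1][1]))[TAG_SEQUENCE]
    (_, oids), = tlvs(dict(tlvs(neg_init))[TAG_CTX0])
    return [MECH_NAMES.get(v, "unknown OID") for t, v in tlvs(oids) if t == TAG_OID]

def classify_bind(pdu: bytes) -> Dict[str, Any]:
    """Decode one LDAPMessage carrying a BindRequest and report how the client authenticates."""
    (tag, msg), = tlvs(pdu)
    assert tag == TAG_SEQUENCE, "not an LDAPMessage"
    (_, msg_id), (op_tag, bind) = list(tlvs(msg))[:2]   # any trailing controls are ignored
    assert op_tag == TAG_BIND_REQUEST, "protocolOp is not a BindRequest"
    (_, version), (_, name), (auth_tag, auth) = tlvs(bind)
    result: Dict[str, Any] = {"message_id": int.from_bytes(msg_id, "big"),
                              "version": int.from_bytes(version, "big"), "name": name.decode()}
    if auth_tag == TAG_AUTH_SIMPLE:
        # Simple bind: `auth` is the password exactly as it crossed the wire. Only LDAPS
        # (636/3269) or StartTLS would have kept it out of the capture.
        kind = "anonymous" if not name and not auth else "unauthenticated" if not auth else "simple"
        result.update(auth="simple", kind=kind, password_in_clear=bool(auth))
    elif auth_tag == TAG_AUTH_SASL:
        (_, mech), *rest = tlvs(auth)     # SaslCredentials: mechanism, optional credentials
        creds = rest[0][1] if rest else b""
        gss = mech in (b"GSS-SPNEGO", b"GSSAPI")
        result.update(auth="sasl", kind=mech.decode(), password_in_clear=False,
                      gss_mechanisms=gss_mechanisms(creds) if gss else [])
    else:
        result.update(auth="unknown", kind=f"tag 0x{auth_tag:02x}")
    return result

def sample_simple_bind() -> bytes:
    """Constructed: a simple bind as a product forced to LDAP_AUTH_SIMPLE would send it."""
    bind = (tlv(TAG_INTEGER, b"\x03")
            + tlv(TAG_OCTET_STRING, b"CN=svc_antispam,OU=Service,DC=example,DC=com")
            + tlv(TAG_AUTH_SIMPLE, b"Hunter2!"))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(TAG_BIND_REQUEST, bind))

def sample_negotiate_bind() -> bytes:
    """Constructed: an LDAP_AUTH_NEGOTIATE bind, SPNEGO offering Kerberos first, NTLM as fallback."""
    mech_types = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_KRB5) + tlv(TAG_OID, OID_NTLMSSP))
    ap_req = tlv(TAG_OCTET_STRING, b"<placeholder for the Kerberos AP-REQ>")
    neg_init = tlv(TAG_SEQUENCE, tlv(TAG_CTX0, mech_types) + tlv(TAG_CTX2, ap_req))
    gss_token = tlv(TAG_BIND_REQUEST, tlv(TAG_OID, OID_SPNEGO) + tlv(TAG_CTX0, neg_init))
    sasl = tlv(TAG_OCTET_STRING, b"GSS-SPNEGO") + tlv(TAG_OCTET_STRING, gss_token)
    bind = tlv(TAG_INTEGER, b"\x03") + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_AUTH_SASL, sasl)
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x02") + tlv(TAG_BIND_REQUEST, bind))

if __name__ == "__main__":
    for pdu in (sample_simple_bind(), sample_negotiate_bind()):
        print(classify_bind(pdu))
```

Feed `classify_bind` the reassembled TCP payload of the client's first LDAPMessage on 389 or 3268 (the LDAP dissector in ethereal/Wireshark does the reassembly; a PDU split across segments will not decode from a single packet). A result of `auth="simple"` with `password_in_clear=True` means the vendor's credentials are readable by anyone else tapping that hub; `auth="sasl"` with Kerberos V5 listed first means a ticket, not a password, went over the wire, and a mechTypes list ending in NTLMSSP shows what the client will fall back to if Kerberos fails. On 636 or 3269 the payload is TLS and nothing here applies until it is decrypted.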
