RE: [ActiveDir] Domain Rename
Can you do a live demo when you do the rename? I'd love to be part of it...

This is seriously a major undertaking, and you should obviously check the dependency of all your applications leveraging the NetBIOS name of your domain within them (e.g. SMS is still a friend of the NetBIOS domain name...). The Exchange piece was already mentioned, but another known challenge is with domain-based DFS, as the rename will likely break the DFS referrals. Be prepared to build a big lab which can host a very realistic environment with most of your apps and then do a lot of testing. Hope you have no NT4 left in your environment, as you'll (obviously) need to rejoin these to the renamed domain.

Regarding the overall effort, don't forget that if DC DNS names should match the new domain names, then each DC must undergo the DC rename procedure. Maybe even more important: you need RPC connectivity to every DC in the forest from the host running the rendom.exe tool during the operation - this can be quite challenging in itself across the WAN to 85 sites.

I'd say the road to Windows 2000 Native was a piece of cake ;-) At least a cake that you could cut into pieces - the domain rename cake you have to swallow at once. I am sure MS will succeed in making this much easier in the future, but for now, if you don't absolutely have to do it in an environment of your size, you might want to think twice about it.

Just something to cheer you up on your journey...

/Guido

-----Original Message-----
From: Jan Wilson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 2 July 2003 02:59
To: [EMAIL PROTECTED]

Thanks Rick - we find the two reboots per device requirement a bit ... tricky. (24 x 7 operations with 450 servers - 12500 workstations - 85 sites). Sounds like a mess of work for what I consider optics!

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 5:08 PM
Subject: RE: [ActiveDir] Domain Rename

Jan,

Key point is that you must be in Windows Server 2003 Forest Functional Mode - only W2k3 DCs in the forest. It's not anywhere near as bad as it looks. Not anywhere as daunting as the road to Windows 2000 Native.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Identity Management using AD
There is an MS-moderated MMS mailing list on Yahoo. It has no authentication service or directory of its own, so you will need to plan around that or perhaps use one of the planned ISV solutions.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 07/03/2003 10:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task; however, I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, e.g.:

- Use AD to store the "core" customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application-specific extensions (so I don't end up with a blown-out schema in AD with thousands of additional props for user objects)
- Use MIIS as the authentication / identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such as provisioning etc. to ease the management overhead.

Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application-specific information they need. We could possibly then use MIIS to "backchannel" into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.

This is all just brainstorming at the moment; however (as usual), I need to come up with some sort of design by next week (gotta love being given lots of time *grin*). Having not actually got my hands on MIIS, this could be completely unfeasible. Other options are a custom database for the "customer store", or some other existing product.

Has anyone been down this road before, and could share some insights / resources?

Thanks
Glenn
RE: [ActiveDir] Taking DC Offline
How are they planning on doing those tests? If they just want to test the password complexity/strength, it isn't required to give them a whole DC, only a hash dump of the passwords in the DIT, which can be done via pwdump3. Then they can use LC3/4 to go through the text file hash dump. There is no faster way that I am aware of to test those things. In the meanwhile, I think I would also remove any admin IDs from that hash dump if the security folks aren't already admins.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain, so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something of that nature? It won't be online long but..

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
RE: [ActiveDir] AD DOS vulnerability
Also note that there is another D.O.S.-capable bug that SP4 fixes, if I recall correctly. It was something with referrals.

Note that there are several things that can be done to W2K AD by a bright programmer with internal access who has had a chance to sit back and think about it that can hurt AD. Some only require having an account in AD, some require a machine account. Won't give details here or anywhere due to social conscience and not being willing to expose shit that could hurt me personally, but they are there... Move to W2K3 when you can, as that may help based on some of the newer docs I have seen.

I agree with what everyone else has said on SP4... Test, test, test, then deploy. When you do have an issue, post back here or in the newsgroups so others can learn of the experience. Even if you call MS and they say, nope, no one is having that issue. I have found that they know of things but won't come fully forward with them until some minimum number of customers/people have complained.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, July 03, 2003 10:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Thanks everyone for the great information. We have already begun patching the systems as a result of the information from the list.

Todd Myrick

-----Original Message-----
From: Robert Moir [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I'd certainly concur with the idea of using the hotfix before rushing SP4 out of the door without the usual acceptance testing, but it might be worth remembering that someone who is posting from an educational establishment is in an environment where malicious attacks from within the network are not just possible, or likely, but are simply another day at the office.

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: 03 July 2003 12:51
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD DOS vulnerability

Given that this vulnerability can generally only be exploited through malicious use from *within* the network (at least for most organisations), you may want to hold off on SP4. This will depend on your assessment of the threat in your environment. SP4 was only released last week and it is usually prudent to wait to see if any major bugs appear before installing it. I'm sure you remember the problems introduced by Windows NT 4.0 SP6, which were then urgently fixed in SP6a? You could always install the hotfix first and hold off a while on SP4.

More info on this vulnerability here: http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10

Tony

------ Original Message ------
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Jul 2003 11:10:44 +0100

I received notification about a vulnerability in AD this morning - details are at http://support.microsoft.com/default.aspx?kbid=319709

It looks like the recommended fix is to upgrade my DCs to SP4. I was planning to wait a lot longer before I inflict SP4 on any machines that I care about, but it looks like this might force my hand a bit. What's everyone else doing? Has anyone heard of *any* problems with SP4 yet?

--
Steve Bennett, Systems Support
Lancaster University
RE: [ActiveDir] Domain Rename
Guido,

Thanks for the reply - always appreciate hearing from you. I agree completely that the complexity of a domain rename is not a light undertaking (understatement of the year) given that the Microsoft White Paper detailing the process weighs in at a whopping 100 pages.

(Clearing the record) I hope that no one construed that my advice was that the domain rename was 'not as bad as it looks'. The message was that getting to Forest Functional mode was not a huge issue - nowhere near as daunting as getting to Windows 2000 Native. In no way am I suggesting that the domain rename process is easily accomplished or advisable - the process, as you pointed out, is fraught with difficulty.

I, too, would love to witness the planning and execution of a successful rename. However, I doubt that it's going to occur with the given toolset. At present, the risks FAR outweigh the minimal reward.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, July 04, 2003 2:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Rename
RE: [ActiveDir] AD DOS vulnerability
Joe,

Unfortunately, one of the biggest issues with AD can't be addressed with an upgrade, and that's the security vulnerability from cross-domain admins. Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Friday, July 04, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability