RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Grillenmeier, Guido
that's correct - even if you configure an additional UPN suffix for the forest (or for an OU) and assign this to an account when you create the account (e.g. via ADUC), every account will still have an implicit UPN suffix that is made up of his samAccountName + the domain-suffix of his AD domain.

[ActiveDir] Unauthorized DHCP Requests

2004-09-09 Thread Edwin
Our domain is using a Win2K3 server which is also a domain controller as its DHCP solution. Often I look at the DHCP tables and notice that there are unauthorized machines that connect to our network. This seems to occur from employees who bring in their laptop during the weekend when the

RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-09 Thread Edwin
I was informed of this problem today and it is with a certain individual who uses their laptop on the public network. When he uses that same laptop from within the network all is buttery! In a totally separate event that I was looking into, I noticed that some people were getting the

RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-09 Thread Mulnick, Al
For the first user, I assume then that you realize the answer right? For the other users, see below for questions relating to the scope and steps so far taken. Add software in use to find out what's different about those 2K workstations that have a problem. Al

[ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Myrick, Todd (NIH/CIT)
Is it possible to configure a GC to perform GC functions, but to disable the ability to process authentication request? I was asked this question and figured this would be an interesting topic here. I know it is possible to mess with the SRV records to lower the priority of the server,

Re: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread James_Day
Hi Todd You can use a GPO (2003) or Reg Hacks (2000) to hide the SRV records so it can no longer do authentications. The following is an excerpt from Microsoft Q306602 Windows 2000 1. Start Registry Editor (Regedt32.exe). 2. Locate and click the following key in the registry:

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Myrick, Todd (NIH/CIT)
There just isn't a way to turn off the authentication function other than block port 88. Todd

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Dean Wells
Maybe I'm mis-understanding something; stop the KDC service? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread James_Day
Hi Todd True, but if you misconfigure the DNS settings the clients will not be able to find the DC SRV records to authenticate. We did have one location that was using a BIND DNS server and had a local DC. They replaced their DC but did not update the SRV records in their DNS server.

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Myrick, Todd (NIH/CIT)
Thanks Dean James, That is a good point too. My boss asked me this question... So I figured I would test the waters. I proposed... setup an ADAM instance and have MIIS replicate to it. Allow Everyone Read access. Not sure why they want to do it. Todd

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Mulnick, Al
What you may find is that users that have already used it as an authentication source will try again. Not sure if they'll try to look up the DNS records or not but I would expect them to just try to use server again. Additionally, wondering what's going to happen if you remove the ability for

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Myrick, Todd (NIH/CIT)
I agree AL, It seems kinda challenged to me as well... I was just asked the question, and I am the kinda guy that looks for answers to questions people pose. All your input has been really appreciated. Todd

RE: [ActiveDir] Stopping a GC from doing Authentications

2004-09-09 Thread Brian Desmond
I'm guessing he wants to use the GC solely as a directory/ldap server rather than as a point of authentication - ldap heavy app, want to dedicate a GC to it would be my guess. --Brian

RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Guy Teverovsky
ok... this starts to be more interesting. If the implicit UPN is constructed from samaccountname and AD DNS name, I do not see how Kerberos principals could clash. This is what I initially had (names changed to protect the innocent): Regular account: dn:[EMAIL