Archive for July, 2008
Next RID number
Posted by RZomerman in . All Posts, Active Directory on July 29th, 2008
So let's say you want to know how many objects have been created on a domain controller, or you want to see when it is receiving a new RID pool. Check out the RID Set object:
' Bind to the RID Set of the domain controller DC01 (the object lives under the DC's computer account)
Set objRid = GetObject("LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com")
It lists all the properties that the LOCAL DC (and only that DC) uses to hand out RID numbers. If rIDPreviousAllocationPool and rIDAllocationPool are the same, the server is still on its initial RID pool, although that can of course also be seen from the creation and modification dates (whenCreated, whenChanged).
Putting:
' Read the RID Set of one specific DC; the value is per domain controller, not per domain
Set objRid = GetObject("LDAP://CN=RID Set,CN=NLDATADC04,OU=Domain Controllers,DC=intra,DC=NUMICO,DC=NET")
intRidNumber = objRid.rIDNextRID
WScript.Echo "RID number: " & intRidNumber
in a script will give you the next RID number, but note that this is PER domain controller!
(UPDATE: it is not the next RID to be given out but the last RID that was used; the MS docs are going to be updated.)
The large integer must be split into its low and high 32-bit parts (for example with the Large Integer Converter in LDP). The low part reflects the number of RIDs handed out to all DCs (in blocks of 500) and the high part is the top of the RID pool.
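As an added example (not from the post), the split of the rIDAllocationPool large integer and the reading of the RID Set can be done in a few lines of Python once the three attributes have been fetched by the ADSI call shown above. The attribute values below are constructed sample numbers, not data from a real domain controller; the decode follows the post's update (rIDNextRID is the last RID handed out), treats the low half of the large integer as the first RID of the block and the high half as its top, and also handles the case where the RID master has just handed out a fresh block, so rIDNextRID still falls inside rIDPreviousAllocationPool rather than rIDAllocationPool.

```python
# Added example: decode the RID Set attributes the post reads via ADSI.
# All attribute values are constructed sample numbers, not taken from a real DC.

MASK32 = 0xFFFFFFFF

# Constructed sample: a DC still on its first 500-RID block, 1600..2099,
# that has handed out RIDs up to and including 1750.
SAMPLE_RID_SET = {
    "rIDAllocationPool": (2099 << 32) | 1600,
    "rIDPreviousAllocationPool": (2099 << 32) | 1600,
    "rIDNextRID": 1750,
}


def split_large_integer(value):
    """Split an AD 64-bit large integer into its (low, high) 32-bit halves.

    This is the same split the LDP Large Integer Converter performs.
    """
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("value must be an unsigned 64-bit integer")
    return value & MASK32, (value >> 32) & MASK32


def join_large_integer(low, high):
    """Inverse of split_large_integer, used here to build sample values."""
    return ((high & MASK32) << 32) | (low & MASK32)


def decode_rid_set(rid_set):
    """Turn the raw RID Set attributes of one DC into a readable summary.

    Per the post's update, rIDNextRID is the last RID this DC handed out,
    not the next one it will use.
    """
    current = split_large_integer(rid_set["rIDAllocationPool"])
    previous = split_large_integer(rid_set["rIDPreviousAllocationPool"])
    last_used = rid_set["rIDNextRID"]

    # The block actually being consumed is the one that contains the last
    # used RID. Right after the RID master assigns a fresh block, that is
    # still the previous pool, so check it first.
    for start, end in (previous, current):
        if start <= last_used <= end:
            break
    else:
        raise ValueError(
            "rIDNextRID %d lies in neither pool %s nor %s" % (last_used, previous, current)
        )

    return {
        "pool_start": start,
        "pool_end": end,
        "pool_size": end - start + 1,
        "rids_used": last_used - start + 1,
        "rids_remaining": end - last_used,
        # The post's rule of thumb: equal pools mean the DC is still on its initial block.
        "on_initial_pool": previous == current,
    }


if __name__ == "__main__":
    for key, val in decode_rid_set(SAMPLE_RID_SET).items():
        print("%-16s %s" % (key, val))
```

Feeding the decoded numbers of every DC into one report makes it easy to spot a DC that is close to exhausting its block while the RID master is unreachable, which is the situation in which object creation on that DC starts to fail.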
Just for fun
Kerberos multiple hops
Posted by RZomerman in . All Posts, Kerberos on July 29th, 2008
You all remember the maximum of 2 hops for Kerberos, right? Well, in Microsoft land it works a little differently, and it is possible to create a multi-tier Kerberos delegation structure.
Basically we want the following to happen:
Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication
In this case IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I used http://support.microsoft.com/kb/314404 for the setup.
Cross forest authentication
Posted by RZomerman in . All Posts, Active Directory on July 28th, 2008
Has anyone installed a forest trust before? Probably, or you would not be reading this post. But how does authentication work across a forest trust?
Windows has two authentication mechanisms, NTLM and Kerberos. Both can be used across a forest trust, and both work differently. Setting it up gave me the following authentication schema.
Kerberos PAC validation
Posted by RZomerman in . All Posts, Kerberos on July 20th, 2008
Cross-forest Authenticate in VBS
Posted by RZomerman in Active Directory, Scripting on July 19th, 2008
So, the problem:
All user mailboxes were migrated to a central Exchange server, coming from various Exchange 5.5/2003/2003 mail servers (contact me if you want to know how), and the mailboxes were cloned. Now the client needs to be pointed to the new Exchange server, or Outlook will not work. The challenge: how do you change the MAPI profile?
We had 4 scenarios:
1: The domain is NT4, has no trust, or there is no domain at all!
2: The domain the user is in has a trust with the Exchange domain
3: The domain the user is in is a Windows 2000/2003/2008 domain with no trust
4: The user is in the Exchange domain itself