Hi all, Ned here again. Just like last Friday, today I’m sharing some emails we’ve gotten recently. Enjoy.

Question:

I am creating a custom schema extension for AD LDS (aka ADAM). Do I need to obtain and register my OID with Microsoft?

Answer:

It's not as critical as it is for an AD forest, but it is still highly recommended; once you get a root OID it can be used for your entire company. You absolutely must register with MS if you intend to create a product that will be given to third parties to extend their AD LDS schemas. If you don't get an ISO-provided root OID, don't register with MS, and then provide that schema to your customers, you could damage your customers' directories. Without registration you are also ineligible for the Certified for Windows logo, which is a deal breaker for certain classes of applications within many companies.

If your AD LDS schema is never going anywhere and there's no risk of it synchronizing with an AD schema, we have a script for generating a safe internal OID here. I really recommend that you get a registered OID, though: once an OID is duplicated in an environment, fixing the issue ranges from extremely difficult to impossible.
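As an added illustration (this is not the script linked above, nor anything from the original post), here is a PowerShell function that generates a private OID the same way Microsoft's GUID-based sample does as I recall it: a fresh GUID's 32 hex digits are split into chunks of 4,4,4,4,4,6,6, each chunk is rendered in decimal, and the result hangs under the Microsoft-provided arc 1.2.840.113556.1.8000.2554. The chunking and the attribute/class sub-arc convention are assumptions on my part, and the output is a private arc for internal use only, never a substitute for a registered root OID.

```powershell
# Added example, not the script referenced in the post.
# Generates a GUID-derived OID under the Microsoft-provided private arc
# 1.2.840.113556.1.8000.2554. Assumption: the 32 hex digits of the GUID are
# split 4,4,4,4,4,6,6 and each chunk is written in decimal, matching the
# published sample as I recall it. Use only for schemas that stay in-house;
# anything shipped to third parties needs a registered root OID.
function New-PrivateOid {
    param([guid]$Guid = [guid]::NewGuid())

    $prefix  = '1.2.840.113556.1.8000.2554'
    $hex     = $Guid.ToString('N')          # 32 hex digits, no braces or hyphens
    $lengths = 4, 4, 4, 4, 4, 6, 6          # assumed chunking (sums to 32)
    $parts   = @()
    $pos     = 0
    foreach ($len in $lengths) {
        $chunk  = $hex.Substring($pos, $len)
        $parts += [convert]::ToUInt64($chunk, 16)   # decimal, leading zeros dropped
        $pos   += $len
    }
    return "$prefix." + ($parts -join '.')
}

# Convention (assumption, not mandated by the post): keep attributes and
# classes on separate sub-arcs of the generated root so the two never collide.
function New-SchemaOidSet {
    param([string]$Root = (New-PrivateOid))
    [pscustomobject]@{
        Root           = $Root
        AttributeArc   = "$Root.1"          # e.g. "$Root.1.1" for the first attribute
        ClassArc       = "$Root.2"          # e.g. "$Root.2.1" for the first class
    }
}

# Usage, with a fixed GUID so the result is reproducible:
New-SchemaOidSet -Root (New-PrivateOid -Guid '01234567-89ab-cdef-0123-456789abcdef') |
    Format-List
```

Because the root is derived from a GUID, two runs in the same forest will not collide with each other, but nothing stops another vendor from handing you an OID that does, which is exactly why the registered root is the recommendation above.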

Question:

I can manage 2008 R2 DNS fine from RSAT on Windows 7, but accessing it from the DNS Management MMC on Server 2003 R2 returns "access is denied". If I install the 2003 R2 Admin Pack on an XP Pro PC, the symptom is the same: Access Denied.

Answer:

This is expected behavior, starting with Windows Server 2008 a few years ago. The RPC integrity level required by W2K8 R2 DNS servers is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can run the Windows Server 2008 or later versions of DNSMGMT.MSC: Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2, all running the current DNSMGMT.MSC.

If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

dnscmd.exe /Config /RpcAuthLevel 0

If you do this you are exposing your Win2008/Win2008 R2 DNS servers to the same kind of named-pipe sniffing 'man in the middle' attacks that Win2003/2000 DNS administration is vulnerable to. Ideally, for security, all of your DNS servers would instead be upgraded to Win2008 R2 and managed from current tools. More info here.
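Since the weakened setting above is the kind of thing that gets applied during a troubleshooting session and then forgotten, here is an added PowerShell audit script (mine, not part of the original post) that checks a list of 2008/R2 DNS servers for it. It assumes, because the post does not say so, that dnscmd /Config /RpcAuthLevel writes a REG_DWORD named RpcAuthLevel under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, that an absent value means the server is on its secure default, and that PowerShell remoting is enabled on the targets. The server names are constructed placeholders.

```powershell
# Added example, not from the original post. Audits DNS servers for the
# down-level RPC setting that "dnscmd /Config /RpcAuthLevel 0" enables.
# Assumptions (not stated in the post):
#   - the setting is stored as REG_DWORD 'RpcAuthLevel' under
#     HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
#   - a value of 0 is the weakened setting from the post; an absent value
#     means the server is using its default (RPC integrity required)
#   - PowerShell remoting (WinRM) is enabled on the DNS servers

# Pure classifier, separated out so it can be exercised without touching a server.
function Get-DnsRpcAuthState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [object]$RpcAuthLevel           # raw registry value; $null when the value is absent
    )
    $state = if ($null -eq $RpcAuthLevel) {
                 'Default (RPC integrity required)'
             } elseif ([int]$RpcAuthLevel -eq 0) {
                 'DOWN-LEVEL ALLOWED (RpcAuthLevel 0) - remediate'
             } else {
                 "Explicit RpcAuthLevel $RpcAuthLevel - review"
             }
    [pscustomobject]@{ Server = $ComputerName; RpcAuthLevel = $RpcAuthLevel; State = $state }
}

# Reads the value from each server and classifies it; unreachable hosts are reported, not skipped silently.
function Test-DnsRpcAuthLevel {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    foreach ($server in $ComputerName) {
        try {
            $value = Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $key -ScriptBlock {
                param($k)
                (Get-ItemProperty -Path $k -Name RpcAuthLevel -ErrorAction SilentlyContinue).RpcAuthLevel
            }
        } catch {
            [pscustomobject]@{ Server = $server; RpcAuthLevel = $null; State = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        Get-DnsRpcAuthState -ComputerName $server -RpcAuthLevel $value
    }
}

# Offline demonstration of the classifier with constructed values:
Get-DnsRpcAuthState -ComputerName 'dns01' -RpcAuthLevel $null   # default, secure
Get-DnsRpcAuthState -ComputerName 'dns02' -RpcAuthLevel 0       # de-secured per the post

# Real usage (constructed host names):
# Test-DnsRpcAuthLevel -ComputerName 'dns01', 'dns02' | Format-Table -AutoSize
```

The script only reads; it deliberately does not try to put the value back, because the post does not state the default numeric level and the right fix is to stop managing these servers from Win2000/2003 tooling rather than to toggle the setting.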

Question:

Why is your manager such a hugely inappropriate bull in a china shop that never knows when not to say exactly what he is thinking?

Answer:

He’s from St John’s, Newfoundland.


Have a great weekend folks!

- Ned “now to work on my midyear review” Pyle