Thomas Karch Weblog

Domaenen Migration und ReACLing

tkarch — Tue, 26 Feb 2008 16:22:00 GMT

Wie wir ja im Seminar besprochen haben kann das SIDHistory Attribut nicht beliebig weit gefüllt werden. Spätestens mit 1024 Einträgen im Access Token – zu denen auch die Einträge des SidHistory Attributs gehören - ist das Ende erreicht. Es ist also Aufräumen...(read more)

Domaenencontroller in virtuellen Maschinen

tkarch — Thu, 21 Feb 2008 18:46:00 GMT

Virtualisierung ist in aller Munde. Was machen wir aber mit unseren Domänencontrollern? Auch diese lassen sich prinzipiell durchaus virtualisieren. Für die Plattform Virtual Server 2005 existiert ein Whitepaper in dem die wesentlichen der zu beachtenden...(read more)

Die Macht des Einzeilers

tkarch — Wed, 20 Feb 2008 19:28:00 GMT

Für die Verwaltung im Active Directory gibt es eine ganz Reihe von Werkzeugen der ds* Serie. "How To Use the Directory Service Command-Line Tools to Manage Active Directory Objects in Windows Server 2003" gibt einige Tipps, wie man die Werkzeuge einsetzen...(read more)

Wo ist mein DC?

tkarch — Tue, 19 Feb 2008 15:36:00 GMT

Wie findet eine Workstation den optimalen Domänencontroller für die Anmeldung? Über den „Domain Controller Locator“ Prozess... Eine kurze Anmerkung zum Thema Caching vorneweg: Prinzipiell berücksichtig jede Workstation (und jeder Mitgliedsserver) zuerst...(read more)

Infrastruktur Master und Globaler Katalog

tkarch — Fri, 15 Feb 2008 19:53:00 GMT

Zumindest aus dem ersten Termin der Serie ist noch die Frage offen, wie Globale Kataloge und die Rolle des Infrastrukturmasters kombiniert werden können: Danke Yusuf für den Verweis auf Deinen Blog. Yusuf`s Directory Blog - Die FSMO-Rollen verschieben...(read more)

Der letzte Tag…

tkarch — Fri, 15 Feb 2008 19:36:00 GMT

Der letzte Tag… Heute war der letzte Tag der Seminarrundreise „Was sie schon immer über Active Directory wissen wollten…“. Vielen Dank an alle, die die Termine besucht haben. Ich hatte viel Spass – und ich hoffe auch für Sie war es sinnvoll investierte...(read more)

Was sie schon immer ueber Active Directory wissen wollten…

tkarch — Wed, 30 Jan 2008 11:04:00 GMT

"Active Directory" als zentraler Verzeichnisdienst der Windows Welt gibt einige Themen her. Die Agenda für das TechNet Event ist noch nicht bis ins Detail festgeschrieben. Der Grundtenor wird sein die Themen zu besprechen, die ich im Laufe der Zeit in...(read more)

Kerberos demystified

tkarch — Mon, 19 Mar 2007 18:05:00 GMT

There is already quite a lot of documentation and books on Kerberos out there. Here I just wanted to compile the Information I typically need myself to do my daily business. Very good in-depth Information can be found here:

How the Kerberos Version 5 Authentication Protocol Works

http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true

Kerberos Explained

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

What's New in Windows Server 2003 Kerberos Authentication?

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/kerberos.mspx

Kerberos Authentication in Windows Server 2003

http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx

Well, there is a lot of strange perception on the Kerberos protocol in the market. It does not do wonders. It does authentication. Other – older - players in this field are NTLM (LM, NTLM, NTLMv2) , SSL and Digest. The current Version is Version 5, but no other Version has gained broad acceptance in the market. Kerberos is the standard authentication protocol in Microsoft environments since Windows 2000.

Kerberos is based on the Needham-Schroeder protocol. Just in case you want to read this up. And leverages symmetric keys. So no PKI or anything is needed. The Needham-Schroeder protocol defines three participants in the protocol exchange: a client machine, a server that the client wishes to access, and an authentication server.

The client is any machine that requests authentication; usually, it's a user's personal desktop. The server is any application server, say a mail server, which provides a service the client wishes to contact. Finally, the authentication server is a dedicated server that holds a copy of the encryption keys for all users and servers on the network (the "trusted third-party").

The first thing the client does is to request a TGT (ticket granting ticket) from the KDC (Kerberos Distribution Center). After that some negotiation goes on that is beyond the scope of this blog.

Limitations

In the NT4 days NTLM protocol was used for authentication. Still there are a lot of scenarios and applications that rely on NTLM today. E.g. if you access a resource via IP Address \\10.10.10.10 – this forces NTLM.

You also cannot use Kerberos over the Internet because it would require a KDC/DC on the Internet to contact. This would not be available unless you placed your domain controllers on the Internet. Nobody does this because it would likely lead to the Domain being compromised. The only way to get a Kerberos login from an Internet source is to do a protocol transition from Basic or NTLM to Kerberos. If you use an external trust NTLM is used as authentication protocol, no Kerberos involved. Kerberos authentication only works if the trust type is “Forest Trust” and it does work seamlessly with other domains part of the trusted forest.

“Access to resources between domains that are connected by an external trust require Pre-Windows 2000 Compatibility. Because external trusts only support NTLM authentication, queries to a directory in a different forest are always handled as anonymous access.”

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

Ultimately NTLM will be phased out, sooner or – probably – later.

Hm, is it ethical to update a Blog post? I will try to improve the entry as I learn new things in the mysterious world of IT...

Where are the good webcasts?

tkarch — Thu, 08 Mar 2007 18:18:00 GMT

I am a big fan of out webcasts. It is like watching TV. And who doesn´t like being entertained. I always found it a little hard to find the good ones. Of course you can browse them by month - ;( - but what if I only want the 400 level webcasts on Vista? (Yep, they exist). Try this one http://msevents.microsoft.com/CUI/AdvancedSearch.aspx?culture=en-US. Agreed, often they are a little high-level, so in your field of expertise they might be a little shallow even at 400-level.

I think I found it - The best Scripting Editor

tkarch — Tue, 06 Mar 2007 11:38:00 GMT

No, it didn´t take me one-and-a-half years to find out...

But after some trying out I think that SystemScripter v6.0 is the tool for me. www.scriptinternals.com is the page a trial version can be downloaded from. SystemScripter v6.0 trial is valid for - I think - 45 days and has all features available. Code Highlighting, Debugging, Lots of Snippets (Little pieces of extremely usable code), IntelliSense etc.. There is also a good discussion board on the page: So if you are missing a feature there is a good chance the author might implement it.

There is also a Version for PowerShell on the way: www.powershell.com. I wonder how Tobias managed to get this URL...

Scripting Ahead!

tkarch — Sun, 17 Jul 2005 20:57:00 GMT

Check out the new „Mastering VBScript Debugging“ Webcast from Don Jones from ScriptingAnswers.com if you are interested in Scripting. Not only is it fun to watch, it also contains a wealth of useful information on Debugging. Did you know about wbemtest? A lot more Info from Don can be found at http://www.microsoft.com/events/series/donjonesscripting.mspx

By the way: An alternative to PrimalScript for playing around with Scripting Editors is ConTEXT: It misses some of the nice features like “Intellisense”, but it is far ahead compared to notepad.

You don´t need all of that introductory stuff anymore? Check out the Scripting Puzzle on Scriptcenter

http://www.microsoft.com/technet/scriptcenter/funzone/puzzle/default.mspx