| Author | Messages | |
AD00000119
Posts:0
 | | 08/31/2005 12:57 PM |
| I was hoping somebody might be able to explain how the
following occurred. A member server was built with the same name as an
existing Domain Controller, Domain Controller A. The server was somehow
put in the domain, and rebooted. In addition, I believe the server was
then renamed to Domain Controller B (just a name, as it was not dcpromoed) while
still in the domain. The end result was that the existing Domain Controller,
Domain Controller A, was somehow overwritten by the member server, and its
display name in ADUC changed to this new name, Domain Controller B. The
offending Domain Controller B was then deleted from the Domain Controllers
OU. The event logged for the change shows Target Account
Name: Domain Controller B but Target Account ID: Domain Controller A; they are
mismatched. I believe the same event was displayed for the delete.
I entered this issue after all the above had occurred and performed an
authoritative restore of the object (original Domain Controller A) and stopped
the KDC, replicated, and got the domain controller back. I have
researched this issue, and tried to recreate the issue many different ways in a
test lab but cannot recreate it. Has anyone ever seen anything like this?
I am absolutely dumbfounded. | | | |
| Alm@xxxx.yyy
 | | 08/31/2005 2:19 AM |
| Have you checked the audit logs to see who did what at what time? That might help with any steps you may be missing to recreate the issue.
Al
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Dan Pilloff
Sent: Tue 8/30/2005 8:56 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Help to Explain how a Domain Controller could be Overwritten by a Member Server
| | | |
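Added example, not part of the original thread: a small audit-log check for the symptom described in the first post, an account-change event whose Target Account Name and Target Account ID refer to different machines. The record layout, the `CORP` domain, the account names and the `find_mismatches` helper are assumptions constructed for illustration; only the two field labels come from the post.

```python
import re

# Field labels as quoted in the post; the surrounding record layout is assumed.
FIELD = re.compile(
    r"^\s*(Target Account Name|Target Account ID|Caller User Name):\s*(.+?)\s*$",
    re.M,
)

def sam(value):
    """Normalise 'DOMAIN\\NAME$' or 'NAME$' to an upper-case bare account name."""
    return value.rsplit("\\", 1)[-1].rstrip("$").upper()

def find_mismatches(export_text, dc_names):
    """Return one finding per record whose target name and target ID disagree."""
    dcs = {sam(n) for n in dc_names}
    findings = []
    for record in re.split(r"\n\s*\n", export_text.strip()):
        fields = dict(FIELD.findall(record))
        name = fields.get("Target Account Name")
        acct_id = fields.get("Target Account ID")
        if not name or not acct_id:
            continue  # not an account-change record, or truncated
        if "S-1-" in acct_id:
            continue  # ID logged as a raw SID: cannot be compared by name
        if sam(name) == sam(acct_id):
            continue  # normal case: both fields name the same account
        findings.append({
            "name": sam(name),
            "id": sam(acct_id),
            "caller": fields.get("Caller User Name", "unknown"),
            # Highest priority when either side is a known domain controller.
            "touches_dc": bool({sam(name), sam(acct_id)} & dcs),
        })
    return findings

# Constructed sample export: one mismatched record, one ordinary one.
SAMPLE = """\
Computer Account Changed:
  Target Account Name: DC-B$
  Target Account ID: CORP\\DC-A$
  Caller User Name: builder1

Computer Account Changed:
  Target Account Name: WS-042$
  Target Account ID: CORP\\WS-042$
  Caller User Name: helpdesk2
"""

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE, ["DC-A"]):
        print(f)
```

The caller field in each finding gives the "who did what" that the reply above asks about.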
| mark.parris@xxxx.yyy
 | | 08/31/2005 6:19 AM |
| Dan.
I seem to remember from a security course that I did that you had to write
an ADM to prevent this happening in certain circumstances - it was to do
with NetBIOS.
This is the snippet of my custom ADM and was meant to be configured on
internet facing machines only.
    POLICY "Release NetBIOS name on request"
        EXPLAIN "Internet Facing Machines Only. Release NetBIOS name on request. Recommended Value is Disabled"
        VALUENAME "NoNameReleaseOnDemand"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
    END POLICY
This was a Windows 2000 policy setting and
is documented in http://support.microsoft.com/kb/315669/EN-US/
Regards
Mark
| | | |
| listmail
Posts:822
 | | 09/01/2005 12:48 PM |
| The only way I can visualize this happening is if someone
reset the computer account on Domain Controller A. Otherwise when the new
machine joined the domain, it couldn't "slide into" the machine account for the
existing domain controller A.
joe | | | |