Disaster Recovery on Different Hardware - Only DC in Domain

September 29, 2003


We're testing different Disaster Recovery techniques for the event that one of our domain controllers (the only one in the domain at the time) is destroyed and we cannot find similar hardware to restore to. Here are some of the Microsoft articles that help in this process:

263532 - How to Perform a Disaster Recovery Restoration of Active Directory on Dissimilar Hardware

237556 - How to Troubleshoot Windows 2000 Hardware Abstraction Layer Issues

229716 - Description of the Windows 2000 Recovery Console

255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

249694 - How to Move a Windows 2000 Installation to Different Hardware

292175 - How to Perform an In-Place Upgrade of Windows 2000

306952 - What an In-Place Windows 2000 Upgrade Changes and What It Does Not Change

RSS newsfeeds

September 25, 2003


Attention Info Addicts: RSS is a great thing. It stands for many things, but in my world, RSS stands for only one: bringing information to my desktop. It's like having a program that continually hits news websites for new headlines, security sites for new advisories, blogs for new postings, etc., and places all of the new information into one simple program, ready for you to digest. Personally, I get the latest advisories, news, tech news, tech blogs, and even info on hockey all in one place, reducing the need to hit 20 or 30 websites every 30 minutes to stay on top of the game. Here are a few links you'll need to get started:

Recommended Reader:

Wildgrape NewsDesk - this free program is fast and easy. The only gripe I have about it is that all of a sudden it seems to want to crash on my work pc (probably a .Net issue). Other than that, it runs great on my home box and lets me quickly stay informed.

Where to look for RSS feeds:

djeaux :: RSS newsfeeds - Has a short listing of Security-related newsfeeds.

NewsIsFree - an insane database full of news feeds for many different subjects.

Blogstreet - Lists blogs with RSS feeds.

A helpful article:

Blogs: Another Tool in the Security Pro's Toolkit

RIAA collects fines, doesn't pay artists

September 22, 2003


This is an interesting passage from theInquirer.net:

"The notion of copyright infringement as theft was clearly addressed in the 1985 Supreme Court decision of Dowling v. United States. While this case involved hard goods (phonograph records), Justice Harry Blackmun was most certainly speaking of abstract property (copyrights) when he wrote these words in his majority decision overturning Dowling's conviction of interstate transport of stolen property: '(copyright infringement) does not easily equate with theft, conversion, or fraud... The infringer invades a statutorily defined province guaranteed to the copyright holder alone. But he does not assume physical control over copyright; nor does he wholly deprive its owner of its use.'"

This is the article:
RIAA collects fines, doesn't pay artists

This is hilarious: User Friendly Amnesty Form

And also this: Accounting for 12-year old Brianna LaHara's Settlement by the RIAA.

Windows 2000 backup command-line switches

September 19, 2003


As an Admin, sometimes you find the need to use the built-in MS Backup utility. Here's a quick syntax summary:

JSI Tip 4113: More on Windows 2000 backup command-line switches.

ntbackup backup [systemstate] "bks file name" /j {"job name"} [/p {"pool name"}] [/g {"guid name"}] [/t {"tape name"}] [/n {"media name"}] [/f {"file name"}] [/d {"set description"}] [/ds {"server name"}] [/is {"server name"}] [/a] [/v:{yes|no}] [/r:{yes|no}] [/l:{f|s|n}] [/m {backup type}] [/rs:{yes|no}] [/hc:{on|off}] [/um]

systemstate - Specifies that you want to back up the system state data. When you back up the system state data, all of the system state data is backed up, so the /s switch does not apply. Also, the backup type is forced to normal or copy.

"bks file name" - Specifies the name of the backup selection file (.bks file) to be used for the backup operation. A backup selection file contains information on the files and folders that you have selected for backup. You have to create the file by using the graphical user interface (GUI) version of Backup.

/j {"job name"} - Specifies the job name to be used in the log file. The job name usually describes the files and folders that you are backing up in the current backup job as well as the date and time at which you backed up the files.

/p {"pool name"} - Specifies the media pool from which you want to use media. This is usually a subpool of the Backup media pool, such as 4mm DDS. If you select this, do not use the following switches: /a /g /f /t.

/g {"guid name"} - Overwrites or appends to this tape. Do not use this switch in conjunction with /p.

/t {"tape name"} - Overwrites or appends to this tape. Do not use this switch in conjunction with /p.

/n {"media name"} - Specifies the new tape name. Do not use /a with this switch.

/f {"file name"} - Logical disk path and file name. You cannot use the following switches with this switch: /p /g /t.

/d {"set description"} - Specifies a label for each backup set.

/ds {"server name"} - Backs up the directory service file for the specified Microsoft Exchange server.

/is {"server name"} - Backs up the Information Store file for the specified Exchange server.

Note: the /DS and /IS switches work with NTBackup for Exchange 5.5 only and no longer work with NTBackup for Exchange 2000. The Directory Store (DS) switch is not relevant since Exchange 2000 uses the Windows 2000 Active Directory, and the Information Store (IS) switch does not apply since the structure of the Information Store has changed from Exchange 5.5.

/a - Performs an append operation. Either /g or /t must be used in conjunction with this switch. Do not use this switch in conjunction with /p.

/v:{yes|no} - Verifies the data after the backup is complete.

/r:{yes|no} - Restricts access to this tape to the owner or members of the Administrators group.

/l:{f|s|n} - Specifies the type of log file: f=full, s=summary, n=none (with n, no log file is created).

/m {backup type} - Specifies the backup type. It must be one of the following: normal, copy, differential, incremental, or daily.

/rs:{yes|no} - Backs up the Removable Storage database.

/hc:{on|off} - Uses hardware compression, if it is available, on the tape drive.

/um - Finds the first available media, formats it, and uses it for the current backup operation. Use the /p switch to designate a device-type media pool when you use the /um switch so that Backup searches for the appropriate type of media, such as 4mm DDS. When you use the /um switch, Backup searches the following media pools for available media: Free pool, Import pool, Unrecognized pool, and Backup pool. When available media is found, the search stops and the media is formatted and then used without prompting you for input. This switch is not applicable to tape loaders, and you should only use it if you have a standalone tape device.

Software Update Services Now Support Service Packs

September 18, 2003


Here's some interesting news:

Microsoft's SUS Website:
Software Update Services now provides Windows service packs (SPs), in addition to critical and security updates. SUS will deliver Windows XP SP1, Windows 2000 SP4, and all future service packs for Windows 2000, Windows XP, and the Windows Server™ 2003 family of products.

This will surely save some wear and tear on the shoes, but trying to use it to deploy to a large number of hosts will not. Some suggest setting up several SUS servers or using a GPO to control deployments.

For those of you who do not know about SUS, go here: Software Update Services. It is a free and easy way to provide critical updates and (now) service packs to your client PCs/servers instead of applying them manually or having your users go to Windows Update to patch themselves. You also have the power to approve which updates are installed. The website SUSserver.com is a great resource for SUS.

Improve Performance by Disabling the Indexing Service

September 17, 2003


I've seen several tips on freeing up CPU cycles by enacting this minor tweak. Here's the how-to:

This excerpt from Windows-Help.NET:

"To disable the Indexing service, open Computer Management from Administrative Tools (on the Start menu if you enabled this, or from the Control Panel), select Services and Applications, double click Services, and find the Indexing Service. Double click to bring up the Properties window, and click Stop to let Windows stop the service. Then from the Status type drop down box select Disabled."

MSBlast copycat set to pounce, firm says | CNET News.com


MSBlast copycat set to pounce, firm says | CNET News.com

Here's even more warning to all of you out in SysAdminHell. I've heard multiple sources say that it's only a matter of days before said worm is released, and it won't be pretty.

For those of you who don't like to patch, get your resumes ready. I heard that the Real Estate industry is doing rather well.

MS03-039 Exploit How-To Released!!

September 14, 2003


OK guys... I just received this email on the NTSysAdmin mailing list:

The PSS Security team is issuing this alert to advise customers that on Saturday 9/13/03 a research company called XXXXXX published a paper providing guidance on how to exploit the vulnerabilities patched by Microsoft Security Bulletin MS03-039. To date we've had no reports of actual exploit code being publicly available or being used actively in a worm or virus.

The paper makes it very simple for your 11-year-old neighbor to write a worm with this exploit.

Patch your systems!! Mine are all patched (as of today) so get busy.

Find out more about the PSS Security Team.

Export Information from Active Directory

September 12, 2003


Here's a quick and easy way to gather information from Active Directory and import it into a spreadsheet:

Run Active Directory Users and Computers.

Select View -> Add/Remove Columns, and add the columns you want to display and export (e-mail address, last name, etc.).

Select the Users container or another organizational unit (OU) within your Active Directory hierarchy.

Right click on this same container/OU, select Export List and provide a path/filename.

Open up the exported text file with Microsoft Excel or another spreadsheet application.
You now have the information you need in spreadsheet format.

Enable Account Management Auditing

September 11, 2003


Here's a good hint:

Enable Account Management Auditing

Sometimes you want to know what is going on with your Active Directory at all times (who wouldn't, right?): user lockouts, creations, deletions, etc. To get these events into your event logs, you must enable the Audit account management policy for both success and failure. Here's how:

1. Log into your domain controller.
2. Select Domain Controller Security Policy under Administrative Tools in the start menu.
3. Navigate to Security Settings, Local Policies, Audit Policy.
4. Enable Audit Account Management for success and failure.
5. Done.

Look out for these events in your event logs (or use a filter program, such as EventSentry).

624 - user account creation
642 - user account changed
630 - user account deleted
628 - user account password set
627 - user account password attempt
644 - user account locked out
642 - user account changed: account disabled
645 - computer account created
647 - computer account deleted
635 - local group created
639 - local group changed
638 - local group deleted
631 - global group created
641 - global group changed
634 - global group deleted

Many thanks to Windows & .Net Magazine for publishing such a great article on this. If you don't regularly read this magazine, then you're no SysAdmin (well, in the Windows world at least).
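As an added example (not from the post or from the magazine article), here is a small Python script that does the filtering the post hands off to a tool like EventSentry: it reads a Security log export in the shape Event Viewer's "Save As" comma-delimited output takes, tallies the account management IDs listed above, and flags the ones I would want paged out. The sample rows are constructed, and the set of high-interest IDs is my own choice.

```python
import csv
import io
from collections import Counter

# Windows 2000 "Audit account management" event IDs, as listed in the post above.
ACCOUNT_MGMT_EVENTS = {
    624: "user account created", 642: "user account changed",
    630: "user account deleted", 628: "user account password set",
    627: "user account password attempt", 644: "user account locked out",
    645: "computer account created", 647: "computer account deleted",
    635: "local group created", 639: "local group changed", 638: "local group deleted",
    631: "global group created", 641: "global group changed", 634: "global group deleted",
}
# IDs worth an immediate alert rather than a line in a daily report (my choice, not the post's).
HIGH_INTEREST = {630, 644, 647, 638, 634}

# Constructed sample in the shape of an Event Viewer "Save As" comma-delimited export
# of the Security log: Date,Time,Source,Type,Category,Event,User,Computer
SAMPLE_EXPORT = """\
9/11/2003,8:02:13 AM,Security,Success Audit,Account Management,624,DOMAIN\\admin,DC1
9/11/2003,8:02:14 AM,Security,Success Audit,Account Management,628,DOMAIN\\admin,DC1
9/11/2003,9:17:40 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\jsmith,DC1
9/11/2003,9:45:02 AM,Security,Success Audit,Account Management,644,NT AUTHORITY\\SYSTEM,DC1
9/11/2003,10:03:55 AM,Security,Failure Audit,Account Management,630,DOMAIN\\helpdesk,DC1
9/11/2003,10:04:01 AM,Security,Success Audit,Account Management,630,DOMAIN\\admin,DC1
"""
FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]

def parse_export(text):
    """Yield one dict per well-formed row of the export; skip blank or truncated rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        rec["event_id"] = int(rec["event_id"])
        yield rec

def account_management_summary(text):
    """Return (Counter of events by description, list of alert strings for HIGH_INTEREST IDs)."""
    counts, alerts = Counter(), []
    for rec in parse_export(text):
        desc = ACCOUNT_MGMT_EVENTS.get(rec["event_id"])
        if desc is None:
            continue  # other categories (e.g. 528 logon) are not account management
        counts[desc] += 1
        if rec["event_id"] in HIGH_INTEREST:  # failures count too: the policy audits both
            alerts.append(f"{rec['date']} {rec['time']} {rec['type']}: {desc} "
                          f"by {rec['user']} on {rec['computer']}")
    return counts, alerts
```

Point it at a real export by reading the saved file into `account_management_summary`; the failed deletion by the helpdesk account in the sample is exactly the kind of line that only shows up because the policy was enabled for failure as well as success.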



Hey kids. INSTALL THE MS03-039 PATCH NOW!!! This is no bloody joke. Yesterday afternoon Microsoft had the nerve to disrupt my already busy day by releasing Microsoft TechNet Security Bulletin MS03-039, which is yet ANOTHER hole in the RPC service. Every single Windows NT kernel-based computer is affected (2k, NT, 2k3, XP). Blaster 2 is only a matter of tweaking the original Blaster worm, so patch now. I've been watching the lists and newsgroups closely (as well as my own installations) and haven't seen any issues with this patch as of yet. It may also be of interest to grab the free eEye RPC scanner here to get a good look at what's vulnerable on your networks.

Remember: Now that you know, it's up to you whether you spend a few hours and some reboots to patch now or spend a ton of time cleaning viruses later.