Tag Archives: Security

FSMO Roles and moving them

I wrote last week about my move from Exchange 2003 to Exchange 2007, and in that article I mentioned that I moved my Domain Controller over at the same time.

There have been questions about what and how, so I’ve knocked this together for anyone that needs to do likewise.

In this scenario we have our old server, and we have our new freshly Server 2003’d server, OLD and NEW.

  • Install DNS on the NEW server, but do not configure it. To do this just add the DNS role through Add/Remove Programs. You may also need WINS if you use legacy OSes.
  • Configure the NEW server’s network with a static IP; the primary DNS should point to the OLD server, with itself as secondary.
  • Join the domain on the new server (through Computer Properties) and reboot.
  • DCPromo the server up to a DC; you should join this server as ‘Additional Domain Controller for an Existing Domain’. This will automatically configure DNS to replicate the DNS zones of the domain. Use the defaults for all the settings, unless you have a good reason not to. Make sure you remember the recovery password that you enter.

Right after a reboot at this point you will have two DC servers on your LAN (NEW and OLD). The problem, however, is that OLD will still be the FSMO master for all the roles in the domain; seeing as we are decommissioning this box, we need to move all the roles.

  • First off we need to make the NEW server a Global Catalogue server. To do this launch ‘Active Directory Sites and Services’, expand your site, then expand Servers, select the NEW server, then right click NTDS Settings (on the right pane) and select Properties. Tick the ‘Global Catalogue’ check box, then OK out of this screen.
  • Now change the network properties of the NEW server to point to itself for primary DNS and the OLD server as secondary.

Now that the server is a GC server we can assign it FSMO roles, so let’s do that.

  • Launch ‘Active Directory Users and Computers’ from Admin Tools.
  • Right click the domain, select ‘Connect to Domain Controller’, select NEW, then OK.
  • Right click the domain, select ‘Operations Masters’.
  • You should now see a screen with three tabs (RID, PDC and Infrastructure). Select the Change button on each tab to migrate that role to the connected server.
  • The Domain Naming Master must now be transferred. Launch the ‘Active Directory Domains and Trusts’ tool from Admin Tools.
  • Right click the root level, select ‘Connect to Domain Controller’ and select the NEW server.
  • Right click the root level, select ‘Operations Master’, then Change. This should move the Ops Master role over to NEW.

The last couple of roles can either be done through script (as can all of the above), or with an ‘unsupported but shipped’ tool. We will use the latter as it’s easiest to describe without going into how to use the NTDSUTIL.EXE tool.

  • First register the Schema Management tool by typing regsvr32 schmmgmt.dll into the Run box on the server.
  • Now run MMC and add the Active Directory Schema snap-in to it.
  • Right click the domain name, select ‘Change Domain Controller’ and select the NEW server.
  • Right click the domain name, select ‘Schema Master’, then Change.
  • Now we need to change the Site Licensing Server. To do this open ‘Active Directory Sites and Services’, select Sites, then your site, then on the right pane right click ‘Licensing Site Settings’, and then Change in the Licensing Computer area.

OK, nearly done now. Reboot the NEW server and wait: what we are looking for is an event ID of 1869 (or 1119, but we should get an 1869) to show up in the NEW server’s Directory Service log. Whatever you do, don’t shut down the OLD server until you get this, else nobody will be able to log on, as we will not have a GC server on the LAN.

When that event appears, we can remove the Global Catalog role from the OLD server; this is done in the same way as we added it to NEW earlier.

Now we do some checks and force the PDC role over; for this we will use NTDSUTIL.

  • Launch a command prompt.
  • Type NTDSUTIL and press enter.
  • You should see ntdsutil: at the prompt. Here we type roles and press enter.
  • At the fsmo maintenance: prompt, type connections and press enter.
  • At the server connections: prompt, type connect to server NEW (or your server name here) and press enter.
  • You should see Connected to NEW using credentials of locally logged on user. At the server connections: prompt, press CTRL-Z and enter to go back up to fsmo maintenance:.
  • At the fsmo maintenance: prompt, type seize PDC and press enter.
  • This should result in the server attempting a nice transfer of the role (which should already be on the NEW server). The results will also tell you about the other roles. If any of the roles are still on the OLD server, then type the appropriate command from below to seize that role on the NEW server.

    Seize infrastructure master
    Seize domain naming master
    Seize RID master
    Seize schema master
    Select operation target
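A check to run before demoting OLD, as an added example (not part of the original post): it reads the five fSMORoleOwner attributes and the Global Catalog flag straight out of AD via ADSI, so it needs no extra tools. It assumes Windows PowerShell 3 or later on a domain member and that NEW is the name of the new DC.

```powershell
param([string]$NewServer = 'NEW')   # hostname of the DC that should now hold everything

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

# fSMORoleOwner holds the DN of the owner's NTDS Settings object; its parent is the server object.
function Get-RoleHolder([string]$objectDn) {
    $owner  = [string]([ADSI]"LDAP://$objectDn").fSMORoleOwner
    $server = [ADSI]([ADSI]"LDAP://$owner").Parent
    return [string]$server.dNSHostName
}

# The five roles and the naming-context objects that record their owners (assumes PS 3+ for [ordered]).
$roles = [ordered]@{
    'Schema master'         = Get-RoleHolder $schemaDn
    'Domain naming master'  = Get-RoleHolder "CN=Partitions,$configDn"
    'PDC emulator'          = Get-RoleHolder $domainDn
    'RID master'            = Get-RoleHolder "CN=RID Manager`$,CN=System,$domainDn"
    'Infrastructure master' = Get-RoleHolder "CN=Infrastructure,$domainDn"
}

# Global Catalog DCs: NTDS Settings objects with bit 0 of 'options' set (LDAP bitwise-AND filter).
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$configDn",
    '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))')
$gcs = foreach ($r in $searcher.FindAll()) {
    [string]([ADSI]([ADSI]$r.Path).Parent).dNSHostName
}

$ok = $true
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $onNew  = ($holder -like "$NewServer.*") -or ($holder -ieq $NewServer)
    if (-not $onNew) { $ok = $false }
    "{0,-22} {1,-30} {2}" -f $role, $holder, $(if ($onNew) { 'OK' } else { 'STILL ELSEWHERE' })
}
"Global Catalog servers: " + ($gcs -join ', ')
$newIsGc = @($gcs | Where-Object { ($_ -like "$NewServer.*") -or ($_ -ieq $NewServer) }).Count -gt 0
if (-not $newIsGc) { $ok = $false }

# The post's rule: keep OLD running until NEW holds every role and advertises as a GC.
if ($ok) { "$NewServer holds all five roles and is a GC; safe to remove GC from OLD and demote it." }
else     { "Do NOT shut down OLD yet." }
```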

That should be it. You can now DCPromo out the OLD server, and use the new server as if the OLD one did not exist.

The only things that may be left to do are: set up the helper addresses in DNS so the server can look up Internet DNS names, and set up your DHCP scope and options.

If there is anything that I have missed, then please let me know.

Snort 2.7 Beta out

Pop along to the Snort Site for the downloads.

I would not recommend installing this as your live version, but I’d advise you to give it a go.

New additions in this version :-

  • Target-based stream reassembly, including handling of TCP data overlaps and anomalous TCP header flags on a per-destination basis. 11 different target-based policies are supported. See README.stream5 for specific configuration options for operating system targets.
  • UDP session tracking
  • Option to emulate Stream4 flushing behaviour
  • Stream5 replaces BOTH Stream4 and Flow; you should disable both of these when Stream5 is enabled.

Blu-ray Decrypter

muslix64 has done it again. There is now a Blu-ray decrypter available for anyone who wants to remove the DRM from their Blu-ray disc.

This is an early version and has the limitations below:

  • Don't support BD+
  • Don't support Volume unique key
  • Only support one CPS unit key per disc
  • I don't clear the HDMV_copy_control_descriptor in the stream
  • Don't have any FAQ or document so far…
  • You have to provide your own CPS unit key
  • The playback seems to work with VideoLan

However, it works, so get yourself a copy: BackupBluRayV001

PDF’s are Bad!

Or at the moment at least they are. A new security flaw has popped up (Here and Here).

Want an example? Try clicking this; it’s OK though, that one will not do anything nasty.

The good news? It seems that Foxit on Vista (in either IE or Firefox) does not exhibit the behaviour; however, at the moment (as Justin has said) it looks like pretty much all versions of Adobe’s Acrobat plugin do exhibit the issue.

So my advice? Pop over to Foxit Software for their PDF reader; not only does it not have the issue, it’s a good deal faster and smaller as well.