Archive for January 18th, 2006

NETDOM

Well, I am certainly full of hot air today – 3 posts! ;)

Netdom.exe is a *very* powerful tool but you need Administrator access to the machine. The ‘latest’ version of Netdom.exe is available in the ‘Windows Server 2003 Service Pack 1 Support Tools’ download [1,2]

Our primary use for Netdom is to add machines to the Domain in a controlled manner. With the restructure there will be a requirement to take machines off the network, rename them, then join them back onto the network … Netdom should be able to help us out.

==== START NETDOM HELP ====
Windows Domain Manager (netdom.exe)

[W2K3-SRV v.5.2.3790.0]

The netdom.exe Windows Support Tool lets you work with Windows domains and
trusts. You can use netdom.exe to add and remove computer accounts from a
domain, reset computer account passwords, move servers among domains, and
establish one- and two-way trusts between Windows domains. Because netdom.exe
is a command-line tool, it can add powerful capabilities to your
administrative scripts.

>netdom ?

The syntax of this command is:

NETDOM HELP command
      -or-
NETDOM command /help

   Commands available are:
   NETDOM ADD              NETDOM RESETPWD         NETDOM RESET
   NETDOM COMPUTERNAME     NETDOM QUERY            NETDOM TRUST
   NETDOM HELP             NETDOM REMOVE           NETDOM VERIFY
   NETDOM JOIN             NETDOM MOVENT4BDC
   NETDOM MOVE             NETDOM RENAMECOMPUTER

   NETDOM HELP SYNTAX explains how to read NET HELP syntax lines.
   NETDOM HELP command | MORE displays Help one screen at a time.

   Note that verbose output can be specified by including /VERBOSE with
   any of the above netdom commands.


>netdom join /help /verbose

The syntax of this command is:

NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
           [/PasswordD:[password | *]]
           [UserO:user] [/PasswordO:[password | *]]
           [/REBoot[:Time in seconds]]

NETDOM JOIN Joins a workstation or member server to the domain.
machine is the name of the workstation or member server to be joined

/Domain         Specifies the domain which the machine should join. You
                can specify a particular domain controller by entering
                /Domain:domain\dc. If you specify a domain controller, you
                must also include the user's domain. For
                example: /UserD:domain\user

/UserD          User account used to make the connection with the domain
                specified by the /Domain argument

/PasswordD      Password of the user account specified by /UserD.  A * means
                to prompt for the password

/UserO          User account used to make the connection with the machine to
                be joined

/PasswordO      Password of the user account specified by /UserO.  A * means
                to prompt for the password

/OU             Organizational unit under which to create the machine account.
                This must be a fully qualified RFC 1779 DN for the OU.
                If not specified, the account will be created under the default
                organization unit for machine objects for that domain.

/REBoot         Specifies that the machine should be shutdown and automatically
                rebooted after the Join has completed.  The number of seconds
                before automatic shutdown can also be provided.  Default is
                30 seconds

Windows Professional machines with the ForceGuest setting enabled (which is the
default for machines not joined to a domain during setup) cannot be remotely
administered. Thus the join operation must be run directly on the machine
when the ForceGuest setting is enabled.
When joining a machine running Windows NT version 4 or before to the domain
the operation is not transacted.  Thus, a failure during the operation could
leave the machine in an undetermined state with respect to the domain it is
joined to.

The act of joining a machine to the domain will create an account for the
machine on the domain if it does not already exist.


==== END NETDOM HELP ====

 

So, to join the DOMAIN (from the machine) …

:: ==== begin JoinDomain.cmd ====
:: ------------------------------------------------------------------
:: Batchfile : JoinDomain.cmd
:: Purpose   : Join EDFAC Domain using netdom.exe
:: OS        : Windows 2K, XP
:: Created   : Darren Robertson (ed-IT)
:: Required  : NETDOM.EXE (W2k3 SRV CD), login as local Administrator
:: ------------------------------------------------------------------
:: please place netdom.exe into the "%SystemRoot%\System32\" folder
:: for all SOE builds to allow for Administration
:: ------------------------------------------------------------------
:: The caret (^) continues the command on the next line.
:: /PasswordD:* prompts for the password; a literal password may be
:: given in its place if the script must run unattended.

NETDOM JOIN %computername% /Domain:EDFAC /UserD:Administrator ^
    /PasswordD:* /REBoot:10

:: ==== end JoinDomain.cmd ====

To rename a machine, the NETDOM RENAMECOMPUTER machine /NewName:new-name command could be used, but this can have an adverse impact in some cases. It is much better to leave the Domain, rename the machine, then rejoin the Domain. Leaving the Domain uses the NETDOM REMOVE machine /Domain:domain command.

==== START NETDOM HELP ====

>netdom remove /help /verbose

The syntax of this command is:

NETDOM REMOVE machine /Domain:domain [/UserD:user]
           [/PasswordD:[password | *]]
           [UserO:user] [/PasswordO:[password | *]]
           [/REBoot[:Time in seconds]]

NETDOM REMOVE Removes a workstation or server from the domain.
machine is the name of the computer to be removed

/Domain         Specifies the domain in which to remove the machine

/UserD          User account used to make the connection with the domain
                specified by the /Domain argument

/PasswordD      Password of the user account specified by /UserD.  A * means
                to prompt for the password

/UserO          User account used to make the connection with the machine to be
                removed

/PasswordO      Password of the user account specified By /UserO.  A * means
                to prompt for the password

/REBoot         Specifies that the machine should be shutdown and automatically
                rebooted after the Remove has completed.  The number of seconds
                before automatic shutdown can also be provided.  Default is
                30 seconds

NETDOM HELP command | MORE displays Help one screen at a time.

The command completed successfully.



==== END NETDOM HELP ====

So to leave the DOMAIN (from the machine) …

:: ==== begin LeaveDomain.cmd ====
:: ------------------------------------------------------------------
:: Batchfile : LeaveDomain.cmd
:: Purpose   : Leave EDFAC Domain using netdom.exe
:: OS        : Windows 2K, XP
:: Created   : Darren Robertson (ed-IT)
:: Required  : NETDOM.EXE (W2k3 SRV CD), login as local Administrator
:: ------------------------------------------------------------------
:: please place netdom.exe into the "%SystemRoot%\System32\" folder
:: for all SOE builds to allow for Administration
:: ------------------------------------------------------------------
:: The caret (^) continues the command on the next line.
:: /PasswordD:* prompts for the password; a literal password may be
:: given in its place if the script must run unattended.

NETDOM REMOVE %computername% /Domain:EDFAC /UserD:Administrator ^
    /PasswordD:* /REBoot:10

:: ==== end LeaveDomain.cmd ====

 

To make coffee you use NETDOM COFFEE machine /Espresso:real-strong /Milk:light *CHUCKLE*

 

[1.] Windows Server 2003 Service Pack 1 Support Tools [MS]
[2.] Download Windows Server 2003 SP1 Support Tools (5.21mb) [MS]
[3.] Netdom Overview [MS]

DNS NAMING STRATEGY

The Faculty restructure necessitates a revision of our IT naming strategies to allow for the removal of Departments and the move to Clusters.

NAMING STRATEGY: [1]
In order to access computing and communication devices; or to access computing, communication and information services; or to identify individuals, each has to have a unique name and address. If names and addresses are not unique then at best, devices, services and individuals will be inaccessible. At worst the clashes will cause network naming and addressing to become unstable, affecting many users of networks within, and possibly outside, the Faculty and University.

Names are usually associated with logical identification of devices, services or individuals on a network – they tend to be human readable and need to be mapped into addresses to be interpreted by devices. Names do not necessarily need to reflect the underlying physical structure and are better defined to reflect organisational or functional structures.

USERS: in short, we use the University’s ARS name space for identifying users. For more information see User Naming Strategy. The implementation of a single login for each staff member for all Faculty systems was target 6.1 in the Faculty of Education IT Operational Plan 2001.

WORKSTATIONS: workstation naming is based on the EDFAC asset number, see Faculty Desktop Naming Strategy. The workstation naming convention for the Faculty consists of a location identifier (eg. CF), the equipment register asset number (eg. 20138) and an operating system code (eg. W):

NetBIOS = CF20138W, DNS = cf20138w.edfac.unimelb.edu.au

CODE LOCATION
CF ed-IT (Computer Facility)
FO Faculty Office (General Staff)
LAB ed-IT Labs
ACE Artistic and Creative Pedagogies
ARC Assessment Research Centre
CPELL Center for Postcompulsory Education and Lifelong Learning
CPE Centre for Program Evaluation and the Humanities
CSHE Centre for the Study of Higher Education
ELDI Early Learning, Development and Inclusion
EESC Education, Equity and Social Change
ICT ICT in Education and Research
LALE Language and Literacy
LOL Leadership and Organisational Learning
SME Mathematics and Science Education

CODE OPERATING SYSTEM
W Windows
M MacOS
X MacOS X
L Linux *
U Unix *
P Printer *
cam Network camera *

* NOTE: Applies to the DNS A record; these devices have other naming systems of their own, which can be used for CNAME records.
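A small checker for the workstation convention just described, added here as an example and not part of the original post: it builds the NetBIOS and DNS names from the three components, parses existing names back into them, and flags the name clashes the strategy warns about. The code tables and the edfac.unimelb.edu.au suffix are taken from the post; the 15-character NetBIOS limit is a general Windows constraint, and the sample inventory is constructed.

```python
import re

# Code tables copied from the post; codes are compared case-insensitively.
LOCATIONS = {"CF", "FO", "LAB", "ACE", "ARC", "CPELL", "CPE", "CSHE",
             "ELDI", "EESC", "ICT", "LALE", "LOL", "SME"}
OS_CODES = {"W", "M", "X", "L", "U", "P", "CAM"}
DNS_SUFFIX = "edfac.unimelb.edu.au"

# location letters, asset digits, OS letters; anchored so nothing else is accepted
_ASSET_RE = re.compile(r"^([A-Z]+)(\d+)([A-Z]+)$")


def asset_name(location, asset_number, os_code):
    """Return (netbios, dns) for one asset, e.g. ("CF20138W", "cf20138w.edfac...")."""
    location, os_code = location.upper(), os_code.upper()
    if location not in LOCATIONS:
        raise ValueError(f"unknown location code {location}")
    if os_code not in OS_CODES:
        raise ValueError(f"unknown OS code {os_code}")
    if not str(asset_number).isdigit():
        raise ValueError("asset number must be numeric")
    netbios = f"{location}{int(asset_number)}{os_code}"
    if len(netbios) > 15:  # NetBIOS names are limited to 15 characters
        raise ValueError(f"{netbios} exceeds the 15-character NetBIOS limit")
    return netbios, f"{netbios.lower()}.{DNS_SUFFIX}"


def parse_asset_name(name):
    """Split a NetBIOS or DNS name back into (location, asset_number, os_code);
    return None when it does not follow the convention (e.g. a switch name)."""
    host = name.split(".")[0].upper()
    m = _ASSET_RE.match(host)
    if not m or m.group(1) not in LOCATIONS or m.group(3) not in OS_CODES:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def name_clashes(inventory):
    """Return NetBIOS names recorded more than once in an inventory, treating
    "CF20138W" and "cf20138w.edfac.unimelb.edu.au" as the same host."""
    seen, clashes = set(), set()
    for entry in inventory:
        host = entry.split(".")[0].upper()
        if host in seen:
            clashes.add(host)
        seen.add(host)
    return clashes
```

Running name_clashes over an exported list of NetBIOS and DNS names is a quick way to find the duplicate registrations the strategy says make devices unreachable.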

PRINTERS: printer naming is based on the EDFAC asset number, similar to the workstation naming strategy, see Faculty Printer Naming Strategy.

In addition to this naming strategy there are two other aliases that should be added to the DNS record.

  1. The common name is used for identification and uses the format; location identifier (eg.CF) – room number (eg.211) – and printer type (eg. HP4050N)
    Common = CF-211-HP4050N
  2. The queue name if the printer is queued on a remote server and uses the format; location identifier (eg.CF) _ room number (eg.211) _ description (eg. Student)
    Queue = CF_211_Student
    Please note that underscores are used in this case; this allows a description to be used in a common name if necessary.
    All printer queues should be attached to the queue name to allow the queue to be swapped between different assets without the requirement of reconfiguring the remote systems.
  3. THEMIS queues use a variant of the queue name to identify the Faculty and the building.
    THEMIS = edfac-dm-211

SWITCH: switch names consist of a location identifier (eg. DM), the level of the wiring closet (eg. lv2), and the switch identification number in the rack (eg. sw2)
DNS = dm-lv2-sw2.edfac.unimelb.edu.au
see Faculty Switch Naming Strategy.

CODE LOCATION
AH Alice Hoy
DM Doug McDonell
QB Queensberry St
HT Hawthorn
AB Abbotsford
BT Barry Street
OP Old Pathology (Dame Elisabeth Murdoch)
SH Shepparton

 

[1.] NAMING STRATEGY [EDFAC ed-IT]

XP Wireless Woes

“Under certain circumstances, Microsoft's Wireless Network Connection software could allow a remote attacker to connect to a target system. The attacker would have to be within wireless networking range of the target system in order to take advantage of this issue; tested and confirmed on Microsoft Windows 2000, XP and 2003 platforms.” [1]

I have been watching this one for the last few days; the Nomad Mobile Research Centre advisory [2] recommends the following:

Solution/Workaround [2]
-------------------
Until Microsoft releases Service Packs for the affected platforms,
use one of the following three workarounds:

Workaround #1:

 Disable wireless when not in use. Simple, eh?

Workaround #2:

 Use an alternate Wireless Client Manager, (e.g. for an integrated
 Intel Wifi connector, use Intel PROSet/Wireless) as all others
 tested do not seem to have the problem (this testing was not
 all-inclusive).

Workaround #3 (recommended):

 1. Click on the Wireless option in the System Tray and open the
    Wireless Network Connection window.
 2. Click on "Change advanced settings".
 3. In the Wireless Network Connection Properties window, click on
    the Wireless Networks tab.
 4. Click on the Advanced button.
 5. Click on "Access point (infrastructure) networks only"

 This workaround prevents you from connecting to any ad-hoc network
 in the first place.

[Fig 1. Wireless Network Connection Properties]

[Fig 2. Access point (infrastructure) networks only]

Using Workaround #3 would appear to be the best way to configure our machines. This will need to be changed in our SOE config and on our current fleet. The exposure is already reduced by the Windows XP firewall being enabled on our SOE builds; changing this setting as well strengthens our security stance.

 

[1.] Current AlertCon: Vulnerabilities [Internet Security Systems]
[2.] Microsoft Windows Silent Adhoc Network Advertisement [Nomad Mobile Research Centre]
[3.] Simple wireless flaw revealed [SecurityFocus]

