Posted by Edward W. Ray on June 2, 2005, 1:35 pm
Currently the following procedure takes place during machine startup on XP/2003 clients in a domain:
1. Network interface initialization/DHCP - clients get an address, list of DNS servers, default gateway, etc.
2. DNS query for LDAP Service.
3. DNS query for domain controllers. (I actually have DNS queries for crl.verisign.com, I have no idea why)
4. SMB dialect negotiation
5. Secure Channel/NetLogon Setup
6. DNS query for KDC
7. Kerberos Machine authentication
8. Kerberos service account authentication
9. Distributed File System referral process
10. RPC call for DN Name Conversion
11. LDAP query for GPO
12. LDAP query for PKI
13. NETBIOS crap, if you use it
14. time sync
15. DNS dynamic update
16. Welcome screen
My goal is to get around the bootstrapping issues which make client-to-DC IPSec so difficult (if not impossible) to implement. I do not understand why Kerberos needs to take place before Secure Channel/Netlogon; in fact, with Kerberos and PKI, I see no need for this step at all. Same goes for SMB dialect negotiation. I do not expect any of the Kool Aid drinking Microsoft MVPs (or any Microsoft personnel for that matter) to provide any help. But if anyone who REALLY understands the logon process can give me a hand or point me in the right direction, much appreciated.
If not, I will wait until the EU forces Microsoft to open its server protocols...
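A defender's check for the DNS part of this startup sequence (steps 2, 3 and 6), added here as an example and not code from the post: it parses DNS query log lines, verifies that the LDAP, domain-controller and KDC SRV lookups occur in that order, and lists every queried name outside the domain (such as the crl.verisign.com lookup mentioned above). The log line format, the client address and the example.local domain are assumptions; the sample log is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of a DNS server query log for one client boot (not from the post).
SAMPLE_LOG = """\
07:02:01 10.0.0.51 Q _ldap._tcp.example.local SRV
07:02:01 10.0.0.51 Q _ldap._tcp.dc._msdcs.example.local SRV
07:02:02 10.0.0.51 Q crl.verisign.com A
07:02:02 10.0.0.51 Q dc1.example.local A
07:02:03 10.0.0.51 Q _kerberos._tcp.example.local SRV
07:02:04 10.0.0.51 Q time.example.local A
"""

# Assumed log format: "<time> <client-ip> Q <query-name> <query-type>"
LINE_RE = re.compile(r"^(\S+) (\S+) Q (\S+) (\S+)$")


def expected_bootstrap_names(domain: str) -> List[str]:
    """SRV names an AD client resolves for steps 2, 3 and 6, in the expected order."""
    d = domain.lower().rstrip(".")
    return [f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{d}"]


def audit_startup_dns(log: str, domain: str) -> Dict[str, object]:
    """Check ordering of the bootstrap SRV lookups and flag names outside the domain."""
    d = domain.lower().rstrip(".")
    expected = expected_bootstrap_names(d)
    seen: List[str] = []      # expected names in the order they were first queried
    foreign: List[str] = []   # queried names that are not under the domain
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        name = m.group(3).lower().rstrip(".")
        if name in expected:
            seen.append(name)
        elif not name.endswith("." + d):
            foreign.append(name)
    # Index of each expected name's first query; None if it never appeared.
    positions = [seen.index(n) if n in seen else None for n in expected]
    order_ok = None not in positions and positions == sorted(positions)
    missing = [n for n, p in zip(expected, positions) if p is None]
    return {"order_ok": order_ok, "missing": missing, "foreign": foreign}


if __name__ == "__main__":
    print(audit_startup_dns(SAMPLE_LOG, "example.local"))
```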