Archive for Security

Some Clarifying Thoughts on the PDC Emulator FSMO Role

Posted in Taz, Technical on March 2, 2009 by tazspaz

Okay, in this post you are going to find some of my personal thoughts.  :/  Ya, a bit scary right?  However, this topic has been going on for some time and you will find posts, retractions, clarifications, etc. all over the web in regards to this topic.

What is the PDC Emulator and what does it do?  People keep saying that there is no actual PDC in a Windows® domain any longer, that no such thing exists, and that the PDC emulator is only important in a mixed-mode environment.

Hey, if the above is true, then why do we really care about this FSMO at all (in Native Mode)?  Why do we need to worry about its placement, and is there really a PDC/BDC environment in the Windows® architecture today?

I started this topic after having a discussion with a Project Manager (PM) about a client today in front of a group of other technical folks who more or less tried to call me stupid.  They even had their own laugh track to start with when they thought I was out of earshot.  Since then they have been educated a bit more.  🙂

First let’s start off with you, the reader, receiving a better understanding of why the PDC emulator role is important.  Start off by reading here.
Personal Note:  If you have Windows® administration, networking, or security questions, Mitch Tulloch is a Microsoft MVP you can look to for the answers. 

Okay, my hope is that you read the link before continuing.  If not, make sure you go open that link and start reading!

So, Microsoft® states that the PDC/BDC relationship no longer exists as we knew it in NT days past.  This is true, technically speaking.  Understanding how things really work for the PDC emulator FSMO, however, might help you realize that the old “laws” still exist in a fashion and that there really is a PDC/BDC role model, after a fashion.  Let’s take a look at what the PDC Emulator does; start by going here:
(For those of you who didn’t follow the link, I will outline Daniel Petri’s list below, from this link: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm)

In a Windows® 2000/2003 domain, the PDC emulator role has the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.*

*This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

We also need to remember that the PDC emulator is responsible for (as outlined by Mitch Tulloch found on the first link in this post):

  • Root time (the authoritative time source for the domain, and for the whole forest when it sits in the forest root domain).
  • Remember, if this role holder fails you will see the most problems occurring on your network.
  • For N domains in the forest you will have N DCs holding the PDC emulator role (exactly one per domain).
  • This role is arguably the most heavily utilized role and should not house the Global Catalog (GC); keeping the two apart helps load balance in larger environments.
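The two lists above describe what the PDC emulator is responsible for (preferential password replication, lockout processing, root time, one holder per domain, and the advice to keep the GC elsewhere). The following PowerShell script is an added example, not code from the original post or from Mitch Tulloch’s or Daniel Petri’s articles: it locates the PDC emulator of every domain in the forest and runs the checks those responsibilities imply. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so newer than the 2003-era environment discussed here), WinRM access to the role holders, and rights to read their Security logs; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original post): locate each domain's PDC emulator
# and run the health checks that the role's responsibilities imply.
# Assumes the RSAT ActiveDirectory module, WinRM to the role holders, and
# permission to read the PDC emulator's Security log.
Import-Module ActiveDirectory

$forest = Get-ADForest

foreach ($domainName in $forest.Domains) {
    # One PDC emulator per domain: N domains -> N role holders
    $domain = Get-ADDomain -Identity $domainName
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator

    Write-Host "Domain $($domain.DNSRoot): PDC emulator is $($pdc.HostName)"

    # The post recommends keeping the Global Catalog off the PDC emulator
    # in larger environments, so flag the combination
    if ($pdc.IsGlobalCatalog) {
        Write-Warning "  $($pdc.HostName) is also a Global Catalog; consider moving GC load elsewhere"
    }

    # Root time: the forest-root PDC emulator is the top of the W32Time
    # hierarchy and should take its time from an external source, not its own clock
    $timeSource = Invoke-Command -ComputerName $pdc.HostName -ScriptBlock { w32tm /query /source }
    Write-Host "  Time source: $timeSource"
    if ($domainName -eq $forest.RootDomain -and "$timeSource" -match 'Local CMOS Clock') {
        Write-Warning "  Forest-root PDC emulator is using its local clock; configure an external NTP source"
    }

    # Account lockouts are processed on the PDC emulator, so its Security log
    # (event ID 4740) is the authoritative place to look for lockout activity
    $lockouts = Get-WinEvent -ComputerName $pdc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue

    Write-Host "  Lockouts in the last 24h: $(@($lockouts).Count)"
    foreach ($evt in @($lockouts)) {
        # 4740 event data: Properties[0] = locked account, Properties[1] = caller computer name
        "    {0}  account={1}  from={2}" -f $evt.TimeCreated, $evt.Properties[0].Value, $evt.Properties[1].Value
    }
}
```

Run it from a domain-joined admin workstation; the output makes the post’s point concrete, because every check (time, GC placement, lockout investigation) lands on one specific DC per domain, which is exactly why its placement and availability matter even in Native Mode.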

Also of note:  http://en.wikipedia.org/wiki/Primary_Domain_Controller

So the next time you hear someone ask if there is such a thing as a PDC, tell them “technically” no in a Native Mode environment.  But as I tell folks, practically speaking, yes.  If you get kickback or “guff” about it, remember there is plenty of firepower out there to back you up.

If they don’t believe you, ask them to shut down the server with the PDC Emulator role. 🙂

(Thank you to Mitch Tulloch and Daniel Petri’s sites and to Google! This post and my thoughts probably wouldn’t have been coherent without them!) :p

IMPORTANT NOTICE!! (Heartland Payment)

Posted in Rants, Taz on January 29, 2009 by tazspaz

IMPORTANT NOTICE:
We have been notified that a data breach occurred at Heartland Payment, a company that processes credit and debit card transactions nationally for restaurants and small businesses. Please keep in mind that data breaches seldom lead to fraud and rarely identity theft. For your security, please monitor your statements and account activity thoroughly.  If you suspect suspicious activity, contact your bank immediately.

———————————

Above is the note I received from my bank today.  I felt it was important to share with you, the readers, and hope in some small way it helps you at least be alert for any suspicious activities on your credit/debit cards.

At this moment I’m trying to see if I can get an idea of restaurants that would have been using Heartland Payment as their provider to help further if possible. 

I do feel that it was a disservice for the bank that services my accounts to mention that data breaches “seldom lead to fraud and rarely identity theft.”  I personally take any data breach seriously and would want all of us to protect against fraud and identity theft.  The fact that the data security is breached is enough to be concerned.  If it wasn’t of concern, financial institutions wouldn’t be asked to report on it.  A good place to start is to balance your bank statement and keep receipts until you do.  Otherwise you really never know now, do you?

Urgent Microsoft Update!!

Posted in Taz, Technical on December 19, 2008 by tazspaz

Dear readers:

It is once again time for an “out of cycle” patch from Microsoft.  Please, make sure you read the Microsoft Security Bulletin 08-078 and apply accordingly.  It is located here:  http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Follow the directions there for your specific patch level and browser type.

Windows Mobile AntiVirus

Posted in Taz, Technical on July 22, 2008 by tazspaz

Seriously folks, there is no need at current time for you to rush out and buy Windows Mobile AntiVirus software.

I agree with the post (found here), you can go out and buy it if you’d like to; “I won’t call you a sucker — to your face.”

Here are some basic concepts as to “why” I feel you don’t really need it (performing these functions on your smart-phone that is, smarties!):
1.  Do you go to websites you don’t know?
2.  Do you download things to your phone you don’t know where they come from?
3.  Do you sync files from your desktop?
4.  Do you receive your email from a corporate email system?

So if you don’t download things to your phone or go to strange websites, yes men/boys that includes strange girlie pics, then your phone is already doing fine.  Your desktop, I’m sure (right?), has antivirus already installed on it, so the files you sync to your phone are already checked.  Your corporate email is scanned before it gets to your inbox (and thus before it gets to your phone), and if not you need a new IT group!

However, if you find you are still skittish or desire the protection (at a cost to the system performance of your phone, btw) you might want to look at these products:
Symantec’s Norton Smartphone Security
McAfee’s Virusscan Mobile
Trend Micro’s Mobile Security
Airscanner’s Mobile Antivirus

Those are just a few.  I’m sure there are many more out there as well as some freeware options.  Feel free to comment this post with any you might know.

UNC’s, Exe’s, and IE Enhanced Security Config.

Posted in Taz, Technical on July 21, 2008 by tazspaz

Oh my GOSH!

Wow, this was annoying.  I knew I’d heard it before so it only took a few moments of my time; however, it was a couple of hours before my guys asked for help, and it does show just how ingrained IE is in Microsoft’s OS.

Error: SelectObject to CompatibleDC failed: The operation completed successfully. (0)

So what we were attempting to do was run an application installation from a UNC path. We could browse the path no problem. When we attempted to launch the application’s executable we would see the above error.

What was the culprit you ask?  It was the “Internet Explorer Enhanced Security Configuration” Windows component of Windows Server 2003 R2®.  Once that was removed; Voilà!  It worked fine.
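Removing the IE Enhanced Security Configuration component solves the symptom, but it also turns off the hardening for every site. A narrower fix, shown here as an added example that is not part of the original post, is to leave IE ESC enabled and tell the zone map that one specific file server belongs to the Local Intranet zone, so executables launched from its UNC path are no longer handled as Internet-zone content. The server name FILESRV01 is a placeholder, and two details are assumptions to confirm on your own build: that IE consults the EscDomains branch of the zone map while ESC is on (and the regular Domains branch when it is off), and that the Active Setup GUID used below is the one that records ESC state for administrators.

```powershell
# Added example (not from the original post): scope the fix to one file server
# instead of removing IE Enhanced Security Configuration.
# FILESRV01 is a placeholder. Assumptions: the EscDomains branch is the zone map
# used while IE ESC is enabled, and the GUID below is the Active Setup component
# that records the ESC state for the Administrators group.
param([string]$FileServer = 'FILESRV01')

$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$intranet = 1   # zone IDs: 0 Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

# Report whether IE ESC is currently on for administrators (assumed GUID, see above)
$escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escKey -Name IsInstalled -ErrorAction SilentlyContinue
if ($esc -and $esc.IsInstalled -eq 1) {
    Write-Host 'IE Enhanced Security Configuration is ON for administrators; keeping it on.'
} else {
    Write-Host 'IE Enhanced Security Configuration is OFF (or not present).'
}

# Write the same mapping into both branches so it applies whether ESC is on or off.
# A value named after the URL scheme ('file' covers UNC and file:// paths) holds the zone ID.
foreach ($branch in 'Domains', 'EscDomains') {
    $key = Join-Path (Join-Path $zoneMap $branch) $FileServer
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'file' -Value $intranet -Type DWord
}

# Verify: both branches should now map the server's file:// content to zone 1
foreach ($branch in 'Domains', 'EscDomains') {
    $val = Get-ItemProperty -Path (Join-Path (Join-Path $zoneMap $branch) $FileServer) -Name 'file'
    "{0}\{1}: file -> zone {2}" -f $branch, $FileServer, $val.file
}
```

The entries are per user (HKCU), so run it as the account that launches the installer, or push the same keys by Group Policy Preferences for a whole admin group. The detection angle is the same one the post describes: an install that browses fine but fails to execute with “SelectObject to CompatibleDC failed” points at zone handling before it points at the share.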

My guys think I walk on air; I don’t tell them I once sat and banged my head on the keyboard too.  Then again, I’m sure there is scarring there on the forehead.  😉