Re: AD Query question



On May 30, 3:53 pm, "Herb Martin" <n...@xxxxxxxxxxxxxx> wrote:
"ctvader" <jeff.sw...@xxxxxxxxx> wrote in message

news:1180548637.795276.255480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx





On May 30, 1:27 pm, "Herb Martin" <n...@xxxxxxxxxxxxxx> wrote:
"ctvader" <jeff.sw...@xxxxxxxxx> wrote in message

news:1180540631.760004.320820@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Is there a way to actively monitor who is querying a domain
controller? We had two of our DCs become unresponsive last week due
to lsass.exe crapping out and I want to see if someone is throwing
excessively large queries against the directory.

You could audit AD Object but that is likely to cause more trouble
than it would uncover.

You could also set up an IDS (Intrusion Detection System), e.g.,
Snort, and then build rules for the queries/responses you care about....

--
Herb Martin, MCSE, MVP http://www.LearnQuick.Com
(phone on web site)

Thanks for the reply. I was thinking, or hoping, there were native
tools from MS that would tell me.

That is what Auditing is.

I have to wonder what leads you to believe that this is happening?

--
Herb Martin, MCSE, MVP http://www.LearnQuick.Com
(phone on web site)

You're right in your 1st reply stating that auditing AD Objects would
cause more trouble. I'm asking b/c we had a new product introduced
into the environment during the same time period the servers became
unresponsive and I'm trying to see if they were the cause. Since we
experienced the DC problem, I turned off the services on the suspected
boxes and we haven't had the problem. I just want to be a little
proactive before we turn the services back on.

