Dave M's questions

I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests.

When the wrong user or password is used, I do not see audit events on the DC Event Viewer (Windows Logs > Security).

I tested basic scenarios to try & understand what gets audited:

1. RDP to DC using a valid username but wrong password. No new Audit event. Why?
2. RDP to DC using a non-existent username. Yes! Audit Failure logged EventID 4625 "Unknown user name or bad password".
3. RDP to DC using "test" username which exists in AD but account is disabled. No new Audit event. Why?

How can I log all the above events? Ultimately, what I need logged are failed authentication attempts from external app which authenticates against my AD using domain credentials.

Do I need to enable Advanced Auditing?

• https://petri.com/enable-advanced-audit-policy-configuration-windows-server

• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise

Is Event Forwarding necessary?

• https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

CustomApp is registered with a URI Scheme in Windows 10 so it launches when Chrome browser visits CustomApp://userid@departmentid

Computer\HKEY_CLASSES_ROOT\CustomApp\shell\open\command

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Program Files\CustomApp\bin\launch-customapp.ps1" -uri "%1"

Works great for launching the CustomApp but the blue Windows PowerShell console flashes up briefly during execution. How can I prevent it from popping up?

I've tried these parameters but the console window still flashes up.

-WindowStyle Hidden
-NonInteractive
-NoLogo

I have a VMware ESXi 6.5 running on Dell Precision Rack 7910 Intel Xeon CPU E5-2643 v3 @ 3.40GHZ

I'm planning to nest install Microsoft Hyper-V Server 2016 Standalone (free version). How do I go about checking compatibility for this nested hypervisor setup?

We have an Active/Standby pair of AIX 5.3 Unix servers. Business requirement dictates keeping a list of components synchronized between them e.g. Oracle RDBMS using Data Guard and certain OS file & folders which includes /var/spool/cron/crontabs.

Problem with keeping CRON related files sync'd is that they will also run on Standby which we do not want. What are some methods for preventing the jobs from executing on Standby?

My thoughts so far is stopping the "CRON" process (if that's the exact Unix process name for it) but unsure if there's a chance it might get started by a monitor process.

Server_A is an AIX 5.3 server assigned 192.168.1.8.

TNS Ping to it's Oracle 9i DB instance was 120 msec.

A month later, Server_B with identical specs was built assigned 192.168.1.9.

Virtual IP 192.168.1.10 added to Server_A for "High Availability" reasons.

If Server_A goes offline, VIP will be re-assigned to Server_B manually. TNS Ping returns much slower response time of 2 secs to the VIP.

Tnsnames.ora file on the client where TNS Ping is issued uses HOST = 192.168.1.10 so I don't believe /etc/resolv.conf on the AIX is relevant.

What are some possible areas and conf files to investigate?

EDIT: Is there network bindings order in AIX? My experience is more on Windows Servers. I'd appreciate thoughts about this angle.

https://www.ibm.com/developerworks/aix/library/au-aixnetworking/index.html

EDIT 2: Unfortunately, network switches & routers are managed by another team who is not cooperating. Good news is that application actually launches at comparable speeds with older server with lower HW specs. Old server: 4 Cores CPU / 32 GB RAM New server: 8 Cores CPU / 64 GB RAM

Initial testing describe in this post was done using Toad for Oracle >> Test Connections. https://blog.toadworld.com/2017/12/14/getting-to-know-the-three-methods-of-connecting-to-the-database-using-toad-for-oracle-tns-direct-and-ldap

It logs into the Oracle DB and returns Connection Time. It surprised me to see 140 msec vs. 2 secs on Old vs. New server. They're on the exact same subnet with same Default Gateway, network hops from client are identical. Ping ms times looks good on both mostly 0 ms.

I don't know how concerned I should be with the Connection Times posted by Toad for Oracle.

Both servers run windows-server-2003 x64 in a Active/Standby Microsoft Cluster with shared Disk Resources. Server1 Server2

Server1 suffered hardware issues needing HBA SAS card replaced. Disk Management no longer detects the shared logical drives on it. These drives are part of Disk Resources in the cluster.

Based on my research, Microsoft Cluster uses Disk Signature to identify & attach to the Disk Resources.

https://support.microsoft.com/en-us/help/280425/recovering-from-an-event-id-1034-on-a-server-cluster

https://support.microsoft.com/en-us/help/886800/a-disk-signature-changes-unexpectedly-on-a-windows-server-2003-clustered-physical-disk-resource

An issue I see are missing REG_SZ DiskName entries in the registry.

Example:

reg query     HKLM\System\CurrentControlSet\Services\Clusdisk\Parameters\Signatures\D441B580
Listing of [System\CurrentControlSet\Services\Clusdisk\Parameters\Signatures\D484B580]
REG_SZ DiskName \Device\Harddisk1

Do I simply need to add the missing registry keys on Server1 to make it appear in Disk Management?

EDIT: Both servers run on Dell PowerEdge 6850.

Looking at Dell Modular Disk Storage Manager on each server the following looks correct. Configured Hosts Host Name : HBA Hosts Ports mapping

Host-to-virtual disk mappings

Windows Device Manager: SCSI and RAID controllers

DELL PERC 5/i Adapter RAID Controller Dell SAS 5/E Adapter Controller (I believe this is what connects to the shared storage)

LSI Logic PCI-x Ultra320 SCSI Host Adapter

LSI Logic PCI-x Ultra320 SCSI Host Adapter

MagicISO SCSI Host Controller

Multi-Path Support

A new observation is Windows Disk Mangement has Disk 0 assigned to Virtual CD ROM on Server1. On Server2, Disk 0 is the C:\ OS drive.

The logical drives needs to be presented as Disks 1,2,3,5. Since Disk 1 is already in use by Windows could this prevent entire Logical drives not to be presented to Windows?