Spencer's questions

A global outage was caused when Crowdstrike pushed a bad content file. That's well-covered in many other places so I won't elaborate on that.

What I'm interested in is whether company policies to delay automatic updates would have contained the outage.

Crowdstrike has a way to set policies to limit the Falcon sensor version to n-1, n-2, or even a specific build. So you can assign a test group to get the most recent sensor version and your production groups to get a slightly earlier version.

This is a common practice used for other types of patching, such as for Windows updates. I understand that the pace is necessarily faster for information security products, but perhaps some form of vetting might have been possible.

The file that caused the problem is classified as a "content file", and so it's possible that it wouldn't have been prevented by sensor update policies.

On the other hand, Dave Plummer's Youtube video suggested that Crowdstrike was using content updates to patch the sensor code without having to go through Microsoft's driver approval process every time. And the sensor version numbers do appear to increase fairly rapidly. So it's also possible that the policies also control content updates.

So, can we say if a Crowdstrike customer had set up a procedure to test machines against sensor updates before approving them for general release within their company, that the outage could have been contained to test group(s)?

A bug in gpsd upon which some NTP servers rely, has been known for a couple of months, but it hasn't really become general knowledge until recently, just before the October 24, 2021 rollover that may set some NTP servers' clocks back to 2002. A patch for GPSD fixes the bug.

Since my company doesn't have high time synchronization needs with the outside world, we use the NTP pool servers as our ultimate source of accurate time. (Everything in the network synchronizes with a single device in the network, which synchronizes with the pool servers.)

The NTP pool website doesn't have any news after 2019, but interestingly, one of those items is about another GPSD week rollover that happened in 2019.

Various institutions belong to the NTP server pool on a voluntary basis, and so they're each going to have their own means of getting accurate time.

Is it known whether any of these servers use gpsd?

This other Server Fault question doesn't address the issue, but it does give an example of why the problem might be so complicated.

I have an Active Directory domain (we'll call OLD.TLD) in production and need to change the name (for reasons I won't elaborate on).

There are many, many files with links to a DFS namespace in this domain. They mostly use the NetBIOS Name, so a referral would be something like \\OLD\DFS\FOLDER which refers to \\SERVER\FOLDER.

At the end of the process, everything will be in the new domain (NEW.TLD) and the server will be SERVER.NEW.TLD. But it's necessary for \\OLD\DFS to work even after the old domain is gone.

I've considered the one-shot domain rename, changing just the FQDN but leaving the NetBIOS name intact. But this will cause a lot of havoc for people working from home. (plus it will keep NetBIOS as a requirement).

So instead, I thought about migrating to a new domain with ADMT.

In order to investigate this, I:

• created a test domain TEST.TLD in a new forest
• created a two-way forest trust between OLD.TLD and TEST.TLD
• created a DNS stub zone in OLD.TLD to point to TEST.TLD
• created DNS CNAME records in TEST.TLD to refer SERVER to SERVER.OLD.TLD and OLD to OLD.TLD. Also there are CNAMEs to point the old domain controllers to the old domain.

So now, accounts in TEST.TLD can access \\OLD\DFS without any problems. Next I tried to see if I could fool the test domain into thinking that \\OLD\DFS was in the new domain. This is a process I envision happening as the final step of migration before removing the trust, and taking the old domain controllers down.

• Created a domain DFS namespace for TEMP.TLD and added a couple of folder referrals to it, so that I can tell the two apart.
• Disabled NetBIOS over TCP/IP in TEMP.TLD
• Changed the CNAME record for OLD to point to TEST.TLD.
• cleared all three DFS caches, as well as DNS server and local caches.

However when I try to access \\OLD\DFS, I get all of the \\OLD.TLD\DFS folders. Is there another setting I need to change? Is it even possible to 'alias' a domain DFS namespace this way?

It's looking more and more like I'll have to rename my Active Directory domain.

There is a well-known process for making this change, including some very good answers on Server Fault already (like this one). I understand you may think I want to ask a duplicated question, but this includes the squishy topic of Not Triggering a Revolution.

I inherited an internal Active Directory domain from the dawn of Active Directory. We'll call it ACRO.TLD with the NetBIOS name ACRO (short for "acronym").

This was great when everybody used a grandpa box behind the firewall. But this practice is now deprecated and could cause trouble down the line. There are a lot more mobile devices and it would probably be Very Bad if the domain leaked out into the Internet at large.

I need to

1. sell the change to managers
2. minimize disruption to users, especially the ones who like convenience (see requirement 1). (Changing the NetBIOS domain name from ACRO would be a deal breaker).

There are bound to be decisions made in planning and presenting the change that increase the chance of success (i.e. users don't show up at my door with pitchforks and torches). This is clearly a subjective question and the best answers would come from people who had been through the change already.

Selling it to management probably consists of explaining the why behind the Very Bad Things, combined with "the change shouldn't be so bad".

So now the question is how to make the change not be so bad, in other words, minimize the disruption to users. I hate to sound open ended but I may be tripping over something basic.

We own domains that I'll call COMPANYNAME.COM and COMPANYNAME.NET. Our external web presence and email addresses (email is hosted externally, there is no Exchange) use COMPANYNAME.COM; we have COMPANYNAME.NET as a buffer against domain squatting.

So I think that my best alternatives are

ACRO.COMPANYNAME.COM (subdomain)
COMPANYNAME.NET

I prefer ACRO.COMPANYNAME.COM, because users are used to ACRO and COMPANYNAME.COM and we're just bringing the two together. No need to change the NetBIOS domain name, and of course the Windows 10 login screen by default uses the domain a computer is joined to.

Because of the existing practice I've already laid out, users are already trained to use separate user names and passwords for Windows login and email (probably a Good Thing with hosted email)

Some of the cons are

• ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.
• there may be some confusion when both accounts contain companyname.
• a pain point of potentially tripling what people have to type in to enter login credentials.

But are these real barriers to going ahead with ACRO.COMPANYNAME.COM? Am I missing something?