Things got interesting when the next question was, “What is the password?”. Now, this was a year after the initial installation and I did not have the password – as a matter of principle, I encourage clients to change the initial password after an installation is completed so they have the assurance that I will not “sneak in”. They took my advise.

The problem now was, nobody knew what the password was. We gave it a few guesses and it became apparent that a reset of the domain admin password was needed. There are a few tools in the market, both free, commercial and pseudo-commercial tools (favorably called bait & switch “demo” software) that were very limited, to say the least, since most of these tools only allow you to reset the password of the local administrator, not the domain administrator’s password.

I came upon a solution that is beautiful in its simplicity. It turns out that the main tool for us is the Utilman program in Windows. Now be aware that you need physical access to the server and if you are like my friend Charles, the server is locked down tight, literally. He has his server bolted to the rack! Not only that, USB ports are disabled, there is no DVD/CD-ROM drive anywhere on the box and there is a BIOS and hard drive password, plus, the boot option is set to hard disk. You actually need a key to access the case. Nice.

So here:

1. Boot up the server using the install DVD, or a Linux LiveCD. If you are using  the Windows server 2008 DVD, you want to use the “Repair your computer” option when setup starts.
2. Gain access to the command line by doing the following
   1. rename the Utilman.exe file,  to Utilman.old or .bak
   2. Make a copy of Cmd.exe  and rename it Utilman.exe (if you are a domain admin, surely you would not embarrass yourself by asking me where Utilman.exe is located or how to rename or copy a file using the command line)
3. Restart the server and press the superkey+U (that is, press the key with the Windows logo and the “U” key at the same time) at the login screen. This will bring up the command line window.
4. Reset the domain admin password using the “NET USER” option (NET USER <admin account> <new password>
   (where admin account is whatever you renamed the administrator account to and password is the new password for the account. If you did not rename the administrator account, then it is NET USER administrator <new password>)
5. Exit out of the command line and try logging in. That should do it.
6. Reboot the server with the Windows Server 2008 DVD/LiveCD and undo the changes.

Note, if you decide to go the LiveCD route, your job is easier. Make sure your distro has ntfs-3g support built in and boot into the desktop. Access the NTFS drive, rename Utilman.exe. Then make a copy of Cmd.exe and rename the copy Utilman.exe. Reboot (don’t forget to remove the LiveCD when you reboot) and follow steps 3-6.

That’s about it.

It goes without saying that you should have/make a backup of your system before doing any of this, and more importantly, I bear absolutely no responsibility if you mess up your system. Then again, you are a domain admin, right?

Remember, we are not trying to access a box we have no business accessing in the first place – take the hint or risk going to jail.

What does this mean for owners of small and medium businesses? For one, the Server Message Block (SMB) and IIS vulnerabilities have been fixed and this is critical for owners of Small Business Servers where file sharing and web services are on by default and almost automatic. The SQL Server update will affect small businesses who use it as the back-end for websites.

Another important factor is that these updates and patches will undoubtedly require a reboot and for a company with the one server that has everything on it, that may mean some down time. More critical is that these reboots may affect IP address distribution if the patch resets your network from say a fixed IP environment to DHCP without warning. That could lead to IP address conflicts.

So expect a busy month ahead as IT admins scramble to test and deploy this monster patch release.

Happy computing everyone.

A good example of what the tool found is the exposure of what is called “Morphed Folders” in the domain controllers. Microsoft describes morphed folders as “…folders and files that have replicated to other servers and are exact copies of one another. When the File Replication Service (FRS) cannot determine which of two folders is most recent, it creates a duplicate folder. These folders are named FolderName_NTFRS_GUIDname, where FolderName is the name of the original folder and GUIDname represents a unique GUID for the morphed folder.”

When you use the Distributed File System (DFS) snap-in to create a domain DFS root or link, the DFS service creates an empty directory tree that mirrors the DFS root and link names and hierarchy on each DFS root target server. If you enable File Replication service (FRS) replication at the DFS root, FRS replicates the directory created by DFS to all other root target computers that participate in the FRS replica set. The code in DFS to create this directory is executed on each DFS root target.

Active Directory is polled by the Distributed File System for any configuration changes one time every hour and recreates these link directories. To do so, the code first deletes any existing file or folder with the associated name, and then it creates a new file or folder. When File Replication Service (FRS) finds the newly created folder, it replicates the folder to the other targets. In certain situations,  it finds a preexisting folder with the same name that was created by DFS. To handle this directory name conflict, FRS appends a suffix in the form “NTFRS_xxxxxxxx” to the end of one of the directories, and then FRS finishes the replication action. The problem is analogous to an administrator creating identically named directories on each member of the FRS replica set, where each directory has a unique file ID. This morphing of directories can lead to  a maintenance problem for the network administrator.

For example, morphed folders can cause the following problems in an Active Directory environment:

• When you try to remove folders, you receive a message that states that the folders cannot be accessed. You cannot remove the folders.
• You may find folders that have morphed. In this situation, the original folder’s properties dialog box no longer has a Security tab. When you try to modify the discretionary access control list (DACL) for the original folder or try to take ownership of the original folder, you may receive the following error message: “Access Denied”

To resolve this problem, Microsoft recommends the use one of the following methods, depending on the situation that you want to correct.

Method 1: Use the Fsutil command so that you can remove the folders

If you cannot remove folders and you find morphed directories, use the Fsutil command to remove the reparse point that is associated with the folders. The Fsutil command is included in Windows Server 2003. The syntax of the Fsutil command to remove the reparse point is as follows:

For example, to remove the reparse point that is associated with a folder named MyShare, use the following command:

After you remove the reparse point, you can remove the folders.

Note You may have to restart the DFS service for this method to work. Or, you may have to restart the DFS server. This method also resolves issues in which DFS roots were incorrectly removed and have invalid junction point (reparse point) folders that previously held link information.

Method 2: Restore the missing Security tab

If the Security tab is not present, follow these steps:

1. Click Start, click Run, type Dfsgui.msc, and then click OK.
2. Click the DFS target link to the shared resource that contains the morphed folder.
3. On the Action menu, click Stop Replication.
4. Right-click the DFS target link to the shared resource that contains the morphed folder, and then click Delete Link.
5. When you are prompted to confirm the removal of the DFS target link, click Yes.
6. Restart all the DFS servers that host the DFS target link that you removed.The changes replicate to all the DFS servers.
7. Log on to the computer that contains the morphed folder. Then, determine whether the original folder or the morphed folder is most recent.
8. If the morphed folder is most recent, rename the morphed folder to the original folder name and remove the original folder. If the original folder is most recent, remove the morphed folder and keep the original folder.

You can now create a new DFS target link to the shared resource that contains this folder.

To read more about morphed folders and Active Directory, search for KB 259033.

One thing that is not common in small business environments is process automation. Most processes are manually carried out. What we have to realize is that as hard as we try, at some point, somebody forgets to run a system scan or the backup program. Occasionally, someone could accidentally turn off or stop a backup application before the process is completed.
In many small business environments, only one employee is in charge of I.T. support, system maintenance and running backups. If that employee goes on vacation or stays home sick one day, the backups will not run.
It is very difficult for a small business owner to rely solely on human effort to keep computer systems of the business safe.
The best practice is to strive for automation in order to have consistent, reliable updates to your security software and backup systems. There is also the need for processes to run independent of any particular individual.
If you re a business owner, or you are in charge of running updates and performing regular maintenance, automation free up untold amounts of time and spare endless headaches. Automatic updates, backups and system scans, deployed system-wide, ensure that your whole business stays safe and up-to-date no matter who is in the office and who remembers to do what

The point I was trying to make to this client was that enterprise-class solutions for small businesses do not have to cost a fortune. Of course, they could decide to keep using the “home” edition of Astaro, or, as I advised, donate some money to a good cause by buying the relatively inexpensive license for updates. If you have a small business and are putting off protecting your environment because of “cost”, you are not helping your business. Security software is an investment. If you can stop the threat before it gets into your environment, you have more time to focus on growing your business, not baby-sitting a spam or virus-infested mailbox every day.