Guest
We've modified a security template and administrative template, based on work at UC-Berkeley, to first expose the registry value to editing by group policy, and then set the REG_MULTI_SZ value with values similar to the following:
KdcNames=krb0.domain.com,krb1.domain.com,krb2.domain.com
This is equivalent to running multiple instances of the "ksetup /addkdc" command. The impetus behind all this is that we want to configure our client machines so they can use the outgoing trust we've set up with our MIT Kerberos realm, but that's only vaguely relevant to the issue at hand.
The MIT Kerberos administrators would like us to be able to cycle these values, so that client misbehavior won't overload any single Kerberos server. That is, on successive machines, we'd need to be able to set the REG_MULTI_SZ value to one of the 6 possible orders of those three servers; for instance:
KdcNames=krb0.domain.com,krb1.domain.com,krb2.domain.com
KdcNames=krb1.domain.com,krb0.domain.com,krb2.domain.com
KdcNames=krb1.domain.com,krb2.domain.com,krb0.domain.com
etc.
It would be nice to do this in pseudo-random fashion via group policy; we had intended to use a GPO rather than a login script, though it would be much easier in a login script, just for elegance's sake and because it simplifies our administration, overall, if everything is in one place. However, from what I can tell, group policy administrative templates only offer the most basic if-then-else logic based on the OS version installed on the client. I'm having difficulty finding any documentation on this sort of syntax, which is all over the Microsoft-provided .adm files:
#if version >=
SUPPORTED !!SUPPORTED_Win2
#endif
In either case, this probably won't suffice, as our population will be largely Windows XP; not patched to equivalent levels, but still pretty homogeneous, so using OS version as a randomizer won't provide the necessary randomness.
Are there any undocumented features, or documented ones I'm unaware of, that could allow us to accomplish this in group policy, or are we going to be forced to revert to using a logon script in this instance? We're using primarily XP clients in a mixed-mode Active Directory forest, with both Windows 2000 and 2003 servers as domain controllers.
Thanks for any help.
James Ervi
Chapel Hill, NC
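An added example of the logon-script route the post weighs against the GPO, not code from the original post: each client derives a stable index from its computer name and decodes it into one of the n! orderings of the KDC list, so the orders are spread evenly across machines and a given machine keeps the same order from one logon to the next. The realm name and KDC hosts are placeholders, and the registry key is assumed to be the one "ksetup /addkdc" populates on the client.

```powershell
# Added example (not from the original post). Assumptions: placeholder realm
# and KDC hosts; the KdcNames value lives under the Lsa\Kerberos\Domains key
# that ksetup /addkdc writes to. Must run elevated to write HKLM.
$Realm = 'EXAMPLE.REALM'
$Kdcs  = @('krb0.domain.com', 'krb1.domain.com', 'krb2.domain.com')

function Select-KdcOrder([string[]]$Kdcs, [string]$Seed) {
    # SHA-256 of the seed gives a number that is stable for this machine;
    # decode it in factorial base (Lehmer code) so that every one of the
    # n! orderings is reachable, not just rotations of the list.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Seed.ToUpperInvariant()))
    $index = [long][System.BitConverter]::ToUInt32($bytes, 0)
    $pool  = [System.Collections.ArrayList]@($Kdcs)
    $order = @()
    for ($n = $pool.Count; $n -gt 0; $n--) {
        $pick  = [int]($index % $n)          # choose among the remaining servers
        $index = [long][math]::Floor($index / $n)
        $order += $pool[$pick]
        $pool.RemoveAt($pick)
    }
    return ,$order
}

function Set-KdcNames([string]$Realm, [string[]]$Order) {
    # Replace the whole REG_MULTI_SZ in one write so re-running the script
    # never appends duplicates the way repeated ksetup /addkdc calls would.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'KdcNames' -Value $Order -Type MultiString
}

$order = Select-KdcOrder -Kdcs $Kdcs -Seed $env:COMPUTERNAME
Write-Host ("KdcNames for {0}: {1}" -f $env:COMPUTERNAME, ($order -join ','))
Set-KdcNames -Realm $Realm -Order $order
```

Because the order is a function of the computer name rather than a random draw at each logon, a client's KDC preference is predictable when reading its Kerberos logs, and adding a fourth KDC to the list simply enlarges the set of orderings without reshuffling every machine at random.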