Re: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Brett Shirley
I can't tell if this guy is just trying to stroke my ego or what?  Anyway,
luckily that is something I know a bit about ...

-B

On Sat, 24 Jun 2006, Phil Renouf wrote:

> I'd love to hear more about repadmin :)
> 
> Becoming one of my favourite tools, would love to know as much as I can
> about it, especially any of those undocumented features... although I guess
> writing a blog about them might make them documented.
> 
> Too soon to start blogging about longhorn AD stuff?
> 
> Phil
> 
> 
> On 6/22/06, Brett Shirley <[EMAIL PROTECTED]> wrote:
> >
> > I wouldn't mind hearing specific things people would like to hear about
> > ...  I have my own internal list of ideas of stuff to blog about / proto
> > blogs / etc, but wondering how much my plan matches desire.
> >
> > Cheers,
> > -BrettSh
> >
> > On Thu, 22 Jun 2006, joe wrote:
> >
> > > I wouldn't mind seeing some AD Dev guys blogging. The closest to it that I
> > > am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was but
> > > one of the more visible AD gurus. I would probably pay to subscribe to a
> > > blog by DonH if he told stories of all of the AD Dev work and why various
> > > decisions were made.
> > >
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> > > aka Ebitz - SBS Rocks [MVP]
> > > Sent: Friday, June 09, 2006 4:29 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Is this like AD blog season or what?
> > >
> > > Active Directory Discussion : Introducing the Active Directory
> > > Discussion Blog:
> > > http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> > >
> > > --
> > > Letting your vendors set your risk analysis these days?
> > > http://www.threatcode.com
> > > The SBS product team wants to hear from you:
> > > http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ml/threads.aspx
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ml/threads.aspx
> > >
> >
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Phil Renouf
I'd love to hear more about repadmin :)
 
Becoming one of my favourite tools, would love to know as much as I can about it, especially any of those undocumented features... although I guess writing a blog about them might make them documented.
 
Too soon to start blogging about longhorn AD stuff?
 
Phil 
On 6/22/06, Brett Shirley <[EMAIL PROTECTED]> wrote:

> I wouldn't mind hearing specific things people would like to hear about
> ...  I have my own internal list of ideas of stuff to blog about / proto
> blogs / etc, but wondering how much my plan matches desire.
>
> Cheers,
> -BrettSh
>
> On Thu, 22 Jun 2006, joe wrote:
>
> > I wouldn't mind seeing some AD Dev guys blogging. The closest to it that I
> > am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was but
> > one of the more visible AD gurus. I would probably pay to subscribe to a
> > blog by DonH if he told stories of all of the AD Dev work and why various
> > decisions were made.
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA
> > aka Ebitz - SBS Rocks [MVP]
> > Sent: Friday, June 09, 2006 4:29 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Is this like AD blog season or what?
> >
> > Active Directory Discussion : Introducing the Active Directory
> > Discussion Blog:
> > http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> >
> > --
> > Letting your vendors set your risk analysis these days?
> > http://www.threatcode.com
> > The SBS product team wants to hear from you:
> > http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> >
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Mitel AD Integration

2006-06-23 Thread Phil Renouf
I've been in an environment briefly that had Mitel in it already. After speaking with them about how it was set up it sounded scary indeed. I didn't get too far into it with them with regards to what was a requirement from Mitel and what was just what they had configured, but if what they were saying was correct then the requirements from Mitel for admin rights etc. were scary.

 
Not much more info to share than that unfortunately, it's been a while since I was there and didn't get too deep into it with them (wasn't the focus of why I was there). In general though their AD was working fine.

 
Phil 
On 6/20/06, Brian Desmond <[EMAIL PROTECTED]> wrote:




Has anyone dealt with Mitel's Directory Integration with regard to AD? Had the first meeting about that today and it sounds scary – I haven't read the docs yet but I didn't get the good feeling today. 

 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Deji Akomolafe



Don't dare him. He does have really dangerous[1] and completely incomprehensible[2] scripts. Really.
 
[1] Still trying to figure out which is more dangerous - joe's scripts or ~Eric's DIT :)
[2] Mostly because Perl is Greek to me.
 


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Fri 6/23/2006 3:07 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
Okay, now that is a script I would like to see :)
 
Todd



From: joe [mailto:[EMAIL PROTECTED]
Sent: Fri 6/23/2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


Hi Deji.
 
The misunderstanding here seems to be that I walked in and was suddenly empowered to make those changes at the widget factory. That so rarely happens it isn't worth mentioning. In actual fact, I looked at the existing mess and started working out what needed to be done to correct it and then started working towards that goal convincing whomever I could that it was the way that we needed to go if we actually wanted a secure/stable environment. You were there, you recall how I took DA away right? I first argued that it was dangerous for that many people to have it and then started pointing out various issues that could be caused by people having those rights and possible issues that could come up that we have been lucky not to see until I got enough management to go, yeah that makes sense even if I had to make someone look silly in the process. Then I dropped most of the DAs and the loudest folks got dropped to Account/Server Ops with all of them claiming they would never be able to do their job. Stability increased overnight. The next step was to remove the account/server op rights by showing it really wasn't needed and again could cause issues that didn't need to exist and then eventually, bam those were gone too. From what I have seen, most people on the inside aren't even trying to lock the environment down, they start with a "I will never get that done" attitude and so they never start. They are standing around hoping someone above will get a clue all of a sudden and just tell them to clean up, that isn't going to happen. The upper folks aren't thinking about your daily ops. They don't know what is dangerous unless they are told by the experts. I think some folks also don't want to bring it up as they aren't sure they would be the ones keeping the rights themselves. Me, I don't look at DA rights and think cool, I think pain in the ass.
 
As for consulting, as you know, that is a completely different ball of wax. Just the same, I don't let that stop me from telling customers that they are doing things in very insecure ways and for the most part, they listen and start correcting it. You don't say, oh wow, that is bad you shouldn't do it because x and y best practice says you shouldn't. I rarely utter the word best practice because they are all generally debatable depending on the environment. Instead I will say, hi Mr. manager, did you know that you have junior admins who can read your mail whenever they like or check out their performance reviews you are working on when they like or knock the environment down to its knees if they make simple mistakes?[1]
 
There are those times where folks don't want to listen at all and I just document what I told them and continue on doing what I am there to do. The next time I get called in to deal with something if it was something I forecast would happen I kindly point that out. Once that happens once or twice even the folks who brushed me off previously start realizing that hey, maybe there is something to this. Certainly they don't like hearing nor having their management hearing that what happened could have been avoided had they listened to the person they paid to come in and make recommendations.
 
If an environment is running perfectly stable and efficiently, there is no reason to change. I can count on 0 hands the number of business environments I have personally seen that I would say fit that criteria. That is why people are asking folks to come in and help them change. Do them a favor and tell them what they need to hear, not just what you think they want to hear and want to tell them for fear of them getting mad. 
 
If you are brought in to design something for someone, it is your job to try and design the best thing you feel you can for them. If they argue the design, try to understand what they are saying because you c

RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
Okay, now that is a script I would like to see :)
 
Todd



From: joe [mailto:[EMAIL PROTECTED]
Sent: Fri 6/23/2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


Hi Deji.
 
The misunderstanding here seems to be that I walked in and was suddenly 
empowered to make those changes at the widget factory. That so rarely happens 
it isn't worth mentioning. In actual fact, I looked at the existing mess and 
started working out what needed to be done to correct it and then started 
working towards that goal convincing whomever I could that it was the way that 
we needed to go if we actually wanted a secure/stable environment. You were 
there, you recall how I took DA away right? I first argued that it was 
dangerous for that many people to have it and then started pointing out various 
issues that could be caused by people having those rights and possible issues 
that could come up that we have been lucky not to see until I got enough 
management to go, yeah that makes sense even if I had to make someone look 
silly in the process. Then I dropped most of the DAs and the loudest folks got 
dropped to Account/Server Ops with all of them claiming they would never be 
able to do their job. Stability increased overnight. The next step was to 
remove the account/server op rights by showing it really wasn't needed and 
again could cause issues that didn't need to exist and then eventually, bam 
those were gone too. From what I have seen, most people on the inside aren't 
even trying to lock the environment down, they start with a "I will never get 
that done" attitude and so they never start. They are standing around hoping 
someone above will get a clue all of a sudden and just tell them to clean up, 
that isn't going to happen. The upper folks aren't thinking about your daily 
ops. They don't know what is dangerous unless they are told by the experts. I 
think some folks also don't want to bring it up as they aren't sure they would 
be the ones keeping the rights themselves. Me, I don't look at DA rights and 
think cool, I think pain in the ass.
 
As for consulting, as you know, that is a completely different ball of wax. 
Just the same, I don't let that stop me from telling customers that they are 
doing things in very insecure ways and for the most part, they listen and start 
correcting it. You don't say, oh wow, that is bad you shouldn't do it because x 
and y best practice says you shouldn't. I rarely utter the word best practice 
because they are all generally debatable depending on the environment. Instead 
I will say, hi Mr. manager, did you know that you have junior admins who can 
read your mail whenever they like or check out their performance reviews you 
are working on when they like or knock the environment down to its knees if 
they make simple mistakes?[1]
 
There are those times where folks don't want to listen at all and I just 
document what I told them and continue on doing what I am there to do. The next 
time I get called in to deal with something if it was something I forecast 
would happen I kindly point that out. Once that happens once or twice even the 
folks who brushed me off previously start realizing that hey, maybe there is 
something to this. Certainly they don't like hearing nor having their 
management hearing that what happened could have been avoided had they listened 
to the person they paid to come in and make recommendations.
 
If an environment is running perfectly stable and efficiently, there is no 
reason to change. I can count on 0 hands the number of business environments I 
have personally seen that I would say fit that criteria. That is why people are 
asking folks to come in and help them change. Do them a favor and tell them 
what they need to hear, not just what you think they want to hear and want to 
tell them for fear of them getting mad. 
 
If you are brought in to design something for someone, it is your job to try 
and design the best thing you feel you can for them. If they argue the design, 
try to understand what they are saying because you could be missing a huge 
point. But if it is simply this is because it is the way we have always done it 
and they feel that they know everything that is good and right, why did they 
bring you in at all? You bring in outsiders to help you do something different 
and see the environment in a different way than everyone else inside sees it.
 
  joe
 
 
 
[1]  One company I wrote a script that chased through and found everyone who 
had admin rights on any DCs in any domain in the forest and printed that out 
and said, here are the people who can blow up your entire AD with a simple 
mistake. Then the output from another script dumped everyone who could escalate 
themselves to administrators on DCs without physical access to the DCs and 
printed that out and said here are the people who with minimal hacking attempts 
can e
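The first script joe describes in his footnote, the one that lists everyone holding admin rights on any DC in any domain of the forest, is a routine privileged-access audit. The block below is an added PowerShell example written for this page; it is not joe's script (his was never posted), and it assumes the RSAT ActiveDirectory module and an account that can read group membership in every domain of the forest. The choice of groups (the domain admin groups plus the built-in operator groups that can elevate on a DC) and the output layout are this example's own.

```powershell
# Added example (not joe's script): report every user who ends up, directly or
# through nested groups, in a group that confers administrative rights on the
# domain controllers of each domain in the forest.
# Assumes: RSAT ActiveDirectory module installed, and read access to each domain.
Import-Module ActiveDirectory

# Well-known RIDs of the domain-level privileged groups. Looking them up by RID
# rather than by name keeps the audit correct on localized or renamed groups.
$domainRids = @{ 'Domain Admins' = 512; 'Schema Admins' = 518; 'Enterprise Admins' = 519 }

# Built-in groups whose members can administer, or elevate on, a DC.
$builtinSids = @{
    'Administrators'    = 'S-1-5-32-544'
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Backup Operators'  = 'S-1-5-32-551'
}

$forest = Get-ADForest
$audit  = foreach ($domain in $forest.Domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value

    # Build the SID list to expand in this domain.
    $targets = @{}
    foreach ($name in $domainRids.Keys) {
        # Schema Admins and Enterprise Admins exist only in the forest root domain.
        if ($domainRids[$name] -ne 512 -and $domain -ne $forest.RootDomain) { continue }
        $targets[$name] = "$($domainSid)-$($domainRids[$name])"
    }
    foreach ($name in $builtinSids.Keys) { $targets[$name] = $builtinSids[$name] }

    foreach ($name in $targets.Keys) {
        try {
            # -Recursive flattens nested groups so indirect members are reported too.
            Get-ADGroupMember -Identity $targets[$name] -Server $domain -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Domain = $domain
                        Group  = $name
                        Member = $_.SamAccountName
                        DN     = $_.DistinguishedName
                    }
                }
        } catch {
            # Typically a group holding foreign security principals from another
            # domain; surface it and keep going rather than abort the whole audit.
            Write-Warning "Could not expand '$name' in $domain : $($_.Exception.Message)"
        }
    }
}

# One row per domain, group and user: the list to put in front of management.
$audit | Sort-Object Domain, Member, Group | Format-Table -AutoSize
```

Run it as an ordinary user: reading group membership needs no elevated rights, which is the point joe makes about walking in with a normal ID. Groups that contain foreign security principals from another domain are the usual cause of the warnings; those memberships need to be expanded by hand in the domain the principal belongs to, and the count of warnings is itself a finding, since cross-domain membership in a DC-level group is exactly the kind of thing a forest owner should be able to explain.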

RE: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

2006-06-23 Thread Noah Eiger
Wow! That looks like a simplified version of what I run on my home network.

-- nme

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

Try

http://iase.disa.mil/stigs/checklist/index.html

More specifically 
http://iase.disa.mil/stigs/checklist/AD_Checklist_V1R11_20060607.pdf

Deji Akomolafe wrote:

> Error 404
>  
>
> Sincerely,
>_   
>   (, /  |  /)   /) /)  
> /---| (/_  __   ___// _   //  _
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /) 
>(/  
> Microsoft MVP - Directory Services
> www.readymaids.com  - we know IT
> www.akomolafe.com  
> *-5.75, -3.23*
> Do you now realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
>
> 
> *From:* Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> *Sent:* Fri 6/23/2006 11:52 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]
>
> Original Message 
>Subject:   Posting of AD Checklist (UNCLASSIFIED)
>Date:  Fri, 23 Jun 2006 14:50:37 -0400
>From:  IASE <[EMAIL PROTECTED]>
>
>
>
>Classification: _* UNCLASSIFIED*_
>Caveats: NONE
> 
>Publicly accessible area:
>
>http://iase.disa.mil/sitgs/checklist - added the Active Directory 
>Checklist Version 1, Release 1
>
> 
>Classification: _* UNCLASSIFIED*_
>Caveats: NONE
>
>
>-- 
>Letting your vendors set your risk analysis these days?  
>http://www.threatcode.com
>The SBS product team wants to hear from you:
>http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.activedir.org/ml/threads.aspx
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

2006-06-23 Thread Al Lilianstrom

Deji Akomolafe wrote:

Error 404


Try

http://iase.disa.mil/stigs/checklist/index.html

al



*From:* Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
*Sent:* Fri 6/23/2006 11:52 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

 Original Message 
Subject:Posting of AD Checklist (UNCLASSIFIED)
Date:   Fri, 23 Jun 2006 14:50:37 -0400
From:   IASE <[EMAIL PROTECTED]>



Classification: _* UNCLASSIFIED*_
Caveats: NONE
 
Publicly accessible area:


http://iase.disa.mil/sitgs/checklist - added the Active Directory 
Checklist Version 1, Release 1


 
Classification: _* UNCLASSIFIED*_

Caveats: NONE


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

2006-06-23 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Try

http://iase.disa.mil/stigs/checklist/index.html

More specifically 
http://iase.disa.mil/stigs/checklist/AD_Checklist_V1R11_20060607.pdf


Deji Akomolafe wrote:


Error 404
 


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _

 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services

www.readymaids.com  - we know IT
www.akomolafe.com  
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon



*From:* Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
*Sent:* Fri 6/23/2006 11:52 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

 Original Message 
Subject:Posting of AD Checklist (UNCLASSIFIED)
Date:   Fri, 23 Jun 2006 14:50:37 -0400
From:   IASE <[EMAIL PROTECTED]>



Classification: _* UNCLASSIFIED*_
Caveats: NONE

Publicly accessible area:

http://iase.disa.mil/sitgs/checklist - added the Active Directory 
Checklist Version 1, Release 1



Classification: _* UNCLASSIFIED*_
Caveats: NONE


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]








I guess I should expect this type of scenario response since I have a .GOV pasted next to my SMTP address.  Too lazy to reply with my personal SMTP address.

Do not wait for Technical Solutions for policy problems…. Hmmm I will have to reflect on that.  I agree Life rewards action…. but I am not sure policy alone is enough.  Without the proper controls put in place, your policies are just web pages or some piece of paper tucked away in some manual.  You need a system of enforcement.  I think the axiom “People do what works” applies here, and if they can get around it they will.  I also am not waiting for MS to develop these levels of enforcement either. That is what I think the third party developers are for.  Although, if MS posts it as a best practice, I do think they might want to examine it as a possible improvement to their system.  If it is best practice to make an AD DDNS server point to itself as primary DNS why not code that in… presto… they did in 2003.

You and I are debating a “Best Practice”… While I agree with your assessment, I also realize the environment I work in has some levels of apathy, group think, and resistance to change.  If the best practice was an enforceable system, it would be a rather interesting approach IMHO.  Simply telling Admins not to do something is not enforceable without a lot of documentation, policy backing.  Making it not work… well that is pretty enforceable.

Another issue: most AD software is licensed per user object.  Why should I pay for duplicate licenses for admins?  What stops an Admin from using their credentials outside the corporate network or remotely, etc.  (Understood …. Smart cards are a good approach for this).  If administrative credentials were not “User Objects”, that would be a step in the right direction as well.

For the record, I tend to blame most forest problems on the ADC and RUS. :)

Todd









From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"



 

I read the below and thought...

Yes Mr. President, until something bad happens there is no reason to take that nuclear device away from the students. They don't meet any of our terrorist criteria so there is only minimal concern. If they cause damage, we will know better for next time...

Do not wait for technical solutions for policy problems. You will wait a long time. If I received a dollar for every time I was told someone couldn't do their job in some new way I proposed they do it I would be retired. Not once have I run into a case where someone couldn't do their job after the change and usually, they had a better clue what they were doing too because they tried to figure out what they couldn't do with whatever I was taking away so they could prove they needed it.

This isn't anything new anywhere by any shot. People don't like to lose power unless they actually understand with great power comes great responsibility. If I walk into your network to check things out for you, I want a normal ID with Exchange view, no more. People are usually surprised and are like, don't you want Enterprise Admin... My response is "What and be able to be blamed the moment something blows up, NFW." Anytime something gets screwed up in a forest because of a change, the first people to look to blame are anyone with EA or DA, the next ones are anyone who can elevate to those levels.

When I was at the Widget company, I once opened up ADUC (yeah it was a weird day...) and lo and behold I see an object where an object shouldn't be and the first words out of my mouth were to shout across the room... Vern, you aren't supposed to use your Domain Admin ID[1]. Vern said something like... I knew I shouldn't have done that. He was trying to help someone out. Perfect reason why he actually shouldn't have had a DA ID. :) EAs and DAs shouldn't be "helping people out", they should follow very strict processes and procedures that are thought up and agreed upon in advance. While there are times you may have to fly by the seat of your pants to figure things out, it should be a very odd case and should be done by the most senior tech who is responsible for coming up with the processes in the first place. Does this piss people off... yes, quite often. However, the role of the DA/EA is not to make individual people happy, it is to keep the overall AD and security safe and stable. Intelligent management understands that and should be happy to hear an EA/DA say no to some stupid request they make because that is why they pay them.

  joe

[1] Vern was my manager, we had 3 engineers with EA/DA and Vern was the manager. He had an ID because he was always the backup to the team in case we were all hit by a bus or couldn't otherwise respond to a page. Unlike most CIO's, he was a techie and could fix things if required and also he used his ID to do things 

RE: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

2006-06-23 Thread Deji Akomolafe



Error 404
 


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Fri 6/23/2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]
 Original Message 
Subject: 	Posting of AD Checklist (UNCLASSIFIED)
Date: 	Fri, 23 Jun 2006 14:50:37 -0400
From: 	IASE <[EMAIL PROTECTED]>



Classification: _* UNCLASSIFIED*_
Caveats: NONE
 
Publicly accessible area:

http://iase.disa.mil/sitgs/checklist - added the Active Directory 
Checklist Version 1, Release 1

 
Classification: _* UNCLASSIFIED*_
Caveats: NONE


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Deji Akomolafe



joe, joe, joe..
 
One of these days, you'll learn that you go to war with the army you have.
 
You see, some of us take security as seriously as you do. Most of us, unfortunately, have come to the realization that there are more powerful and better-armed design and operational considerations that go into how a specific environment is operated. These considerations are, more often than not, more compelling and powerful than "best practices". It is an illusion to think that you can walk into any environment and show them the evils of EA/DA privileges, then mandate that the client yank those privileges from people, and have the client say "Yes, Sir! Doing so right now!". Much as you'd like to see IT infrastructure operated in a secured fashion in conformance to "Best Practices" or any of the other prescriptive guidance out there, you will be disappointed that, more often than not, your wish will not come true. There are so many competing influences and interests, and your opinion will just be one of them.
 
As Todd was saying, the admin does not get to make decisions. Sad, but true. Admins make recommendations that are, in their views, in the best interest of the infrastructure. Operational, political, budgetary, technological, philosophical, environmental, governmental, legal and many other factors combine and conspire to defeat or whittle down such proposals, and there is nothing the admin can do about it. Of course, the admin could quit. But, then how many times would the admin quit before (s)he realizes that it's a battlefield out there and quitting is an exercise in futility?
 
Your present employer is in the business of designing and implementing solutions to meet clients' requirements. If you get put on a project and you went ahead and wrote up all these fancy industry-standard-ITIL-MOF-MSF-Best-Practices-compliant design plans, presented it to the client and the client came back to you and said "all well and good, but this is NOT how we operate. HERE is how we operate, now please design something around our operational posture", what would you do? Tell the client to blow you? Tell the client "No, you don't understand. This is THE best/optimal way to do what you are about to do. Follow my script, or else you'll be sorry later"? What if you presented all the ramifications and implications of any other design options and made them look REALLY bad, yet the client refuses to see it your way? Because your way doesn't fit into their way? Would you up and quit?
 
I am not saying your idea is not admirable or good. I'm just saying that the way you were able to drive and influence decisions at Widget is not realistically the way most admins are able to do things. Most are more constrained than you were at Widget. And, if I were a betting man, I'd wager that you are now more constrained in your new world than you were in the previous world.
 


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Fri 6/23/2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


Re: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Al Lilianstrom

Myrick, Todd (NIH/CC/DCRI) [E] wrote:

> No they tend to tell us to do things that will break our DC operations,
> so then we inform them that we can't do this, and they say okay.  Then
> the following month they ask us to do it again.  Repeat & rinse.



Our security people used to be that way. Unix was the only way to do 
things and they wanted to redo AD so that it acted like Unix with MIT 
Kerberos. Spent a couple of months proving them wrong.


The new security people understand AD, have apps that use it for 
authentication from Unix and are willing to help us out so that it's 
always available. We help them put together the policies that affect 
Windows systems here so we can nudge things our way.


al


-Original Message-
From: Al Lilianstrom [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 12:35 PM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Security permission continues to be
"auto-removed"

Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> Only Sith deal in absolutes... :P
> 
> When you have a CIO that likes to be in the Domain Admins group, you 
> sometimes have to pick your battles.

Talk to your security people. When we first put up AD the computer 
security folks set a maximum limit to the number of people that could be
DAs. Maybe it could be a number that would keep the CIO out?

> Todd
> 
> *From:* joe [mailto:[EMAIL PROTECTED]
> *Sent:* Friday, June 23, 2006 10:18 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"
> 
> There is no debate on admins having multiple creds, one for admin work
> and one for normal work. Just do it. :)

We took that one step farther.

- Regular user account for 'normal' work
- An admin account for server administration
- A DA account for domain admin work

It's a bit of a pain to keep the password straight (for some) but 
accountability is there and one uses the account you need for the job.

It's been more of a pain taking local admin access away from people on 
their desktops.

al

> To put it nicely, if a company doesn't do this, they are just being 
> silly[1].
> 
> I am trying to figure out if there is ever a valid reason I think that
> an admin should have a single ID in a company. I can't come up with one.
> 
>    joe
> 
> [1] Instead of silly think of mean words used to describe really silly people.
> 
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> 
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Myrick, Todd (NIH/CC/DCRI) [E]
> *Sent:* Friday, June 23, 2006 6:50 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"
> 
> One more thing to add to this from my experience.
> 
> I think we had situations arise where someone was trying to 
> programmatically modify or read attributes on accounts in the protected 
> groups and was not able to due to their membership within a protected 
> group.  This of course started the hot debate on admins having multiple 
> credentials, one for administrative duties, the other for collaborative 
> and identity purposes.
> 
> Todd
> 
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, June 22, 2006 9:34 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"
> 
> I have a 2-part discussion of this behavior starting here: 
> http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
> 
> It's a bit headache-inducing, but at least you will get the benefit of
> knowing that it is "by design"
> 
> HTH
> 
> Sincerely,
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com

RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Brian Desmond

Done that

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 23, 2006 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Yeah, like rename Domain Admins to "Unimportant People"
and create a new group called Domain Admins and put the CIO in it. There is no
excuse for a CIO to be in Domain Admins unless the company is under 5
people.

 

The only people who should be in domain admins are the people you
expect to fix everything when the world hits the floor. If someone isn't in
that category, they don't get rights to modify everything because it just puts
them in a position to cause work for someone else. 

 

I would tell that to the CIO of any company. If the CIO wants, he
can hold the envelope that has the password for the builtin Admin account, that
password should be like 250 characters so he/she isn't interested in actually
trying to use it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange. The 3rd party application uses a dedicated account to send mail from the devices.  This account needs to have "Send As..." permissions on each of the user accounts' security settings.  We have set it in all users (about two dozen) but one user in particular has a problem.  We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place.  We have five DCs and I have tried adding it from each DC with the same results.  I am baffled by this.  Does anyone have any suggestions?
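The "gone within an hour" symptom above, and the protected-group membership Todd points to earlier in the thread, can be checked directly. The following PowerShell is an added example, not code from the thread or from any of its authors; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and uses constructed account names.

```powershell
# Added example; not code from the thread or from any of its authors.
# Assumptions: the ActiveDirectory PowerShell module (RSAT, Windows Server
# 2008 R2 or later; it did not exist when this thread was written), a
# domain-joined host, and read access to the directory. Read-only: nothing
# here changes AD. Account names in the usage line are constructed.
#
# Background, the "by design" behaviour the thread points at: the SDProp
# task on the PDC emulator periodically (every 60 minutes by default)
# re-stamps the security descriptor of every account that is a member,
# directly or through nesting, of a protected group with the ACL of
# CN=AdminSDHolder,CN=System,<domain>, disables inheritance on it and
# sets adminCount=1. An ACE added straight to such a user object is
# therefore reverted on the next pass, which is the symptom above.
Import-Module ActiveDirectory

# rightsGuid of the Exchange "Send As" extended right.
$SendAsRightGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Groups protected by SDProp on Windows Server 2003 SP1 and later.
$ProtectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Controllers', 'Read-only Domain Controllers',
    'Replicator'
)

function Get-ProtectedGroupMembership {
    # Names of the protected groups the account belongs to, directly or nested.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $userDn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    foreach ($name in $ProtectedGroupNames) {
        # Enterprise Admins and Schema Admins exist only in the forest root.
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        $members = Get-ADGroupMember -Identity $group -Recursive
        if ($members | Where-Object { $_.DistinguishedName -eq $userDn }) { $name }
    }
}

function Find-SendAsAce {
    # Allow ACEs on the object at $Path that grant Send As to $Trustee.
    param([string]$Path, [string]$Trustee)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.ObjectType -eq $SendAsRightGuid -and
        $_.AccessControlType -eq 'Allow'
    }
}

function Test-SendAsStickiness {
    # Reports whether a Send As ACE for $Trustee on $SamAccountName's object
    # will survive the next SDProp pass, and why.
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$Trustee   # 'DOMAIN\account' form
    )

    $user     = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $holderDn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $groups   = @(Get-ProtectedGroupMembership -SamAccountName $SamAccountName)
    $onUser   = Find-SendAsAce -Path "AD:\$($user.DistinguishedName)" -Trustee $Trustee
    $onHolder = Find-SendAsAce -Path "AD:\$holderDn" -Trustee $Trustee

    [pscustomobject]@{
        User                  = $user.SamAccountName
        AdminCount            = $user.adminCount
        ProtectedGroups       = $groups
        SendAsOnUserObject    = [bool]$onUser
        SendAsOnAdminSDHolder = [bool]$onHolder
        # Reverted when the account is currently protected and the ACE is
        # not also carried by AdminSDHolder (SDProp copies that ACL verbatim).
        WillBeReverted        = ($groups.Count -gt 0) -and -not $onHolder
    }
}

# Usage (constructed names):
#   Test-SendAsStickiness -SamAccountName 'jsmith' -Trustee 'CONTOSO\svc-mobilemail'
# ProtectedGroups non-empty plus WillBeReverted = True reproduces the post
# above. The remedy the thread argues for applies here: keep the mailbox
# account out of protected groups and give the person a separate admin
# account, rather than widening AdminSDHolder's ACL for every protected
# account at once.
```

An account with adminCount=1 but no current protected-group membership is no longer re-stamped, so the function reports WillBeReverted = False for it; only inheritance stays disabled on that object.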












[ActiveDir] [Fwd: Posting of AD Checklist (UNCLASSIFIED)]

2006-06-23 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]



 Original Message 
Subject: Posting of AD Checklist (UNCLASSIFIED)
Date: Fri, 23 Jun 2006 14:50:37 -0400
From: IASE <[EMAIL PROTECTED]>

Classification: UNCLASSIFIED
Caveats: NONE

Publicly accessible area:

http://iase.disa.mil/sitgs/checklist - added the Active Directory 
Checklist Version 1, Release 1



Classification: UNCLASSIFIED
Caveats: NONE


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread joe

I read the below and thought... 
 
Yes Mr. President, until something bad happens there is no 
reason to take that nuclear device away from the students. They don't meet any 
of our terrorist criteria so there is only minimal concern. If they cause 
damage, we will know better for next time...
 
Do not wait for technical solutions for policy problems. 
You will wait a long time. If I received a dollar for every time I was told 
someone couldn't do their job in some new way I proposed they do it I would be 
retired. Not once have I run into a case where someone couldn't do their job 
after the change and usually, they had better clue what they were doing too 
because they tried to figure out what they couldn't do with whatever I was 
taking away so they could prove they needed it.
 
This isn't anything new anywhere by any shot. People don't 
like to lose power unless they actually understand with great power comes great 
responsibility. If I walk into your network to check things out for you, I want 
a normal ID with Exchange view, no more. People are usually surprised and are 
like, don't you want Enterprise Admin... My response is "What and be able to be 
blamed the moment something blows up, NFW." Anytime something gets screwed up in 
a forest because of a change, the first people to look to blame are anyone with 
EA or DA, the next ones are anyone who can elevate to those 
levels.
 
When I was at the Widget company, I once opened up ADUC 
(yeah it was a weird day...) and lo and behold I see an object where an object 
shouldn't be and the first words out of my mouth were to shout across the 
room... Vern, you aren't supposed to use your Domain Admin ID[1]. Vern said 
something like... I knew I shouldn't have done that. He was trying to help 
someone out. Perfect reason why he actually shouldn't have had a DA ID. :) EAs 
and DAs shouldn't be "helping people out", they should follow very strict 
processes and procedures that are thought up and agreed upon in advance. While 
there are times you may have to fly by the seat of your pants to figure things 
out, it should be a very odd case and should be done by the most senior tech who 
is responsible for coming up with the processes in the first place. Does this 
piss people off... yes, quite often. However, the role of the DA/EA is not to 
make individual people happy, it is to keep the overall AD and security safe and 
stable. Intelligent management understands that and should be happy to hear an 
EA/DA say no to some stupid request they make because that is why they pay 
them.
 
  joe
 
 
 
[1] Vern was my manager, we had 3 engineers with EA/DA and 
Vern was the manager. He had an ID because he was always the backup to the team 
in case we were all hit by a bus or couldn't otherwise respond to a page. Unlike 
most CIO's, he was a techie and could fix things if required and also he used 
his ID to do things that we all as a team said was stupid to do but someone from 
above absolutely ordered it to be done. Basically if something stupid was 
required to be done, he would rather do it himself as the manager than force an 
engineer to do it.
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


I guess my point of view is this.  I do what is equitable for the situation, and try to maintain the peace as best as possible.  I myself use dual credentials, encourage others to do it as well, but I also understand that “people do what works”, and CYA with a message to my direct reports about concerns I have.  So until a situation arises that warrants a change in practice that I can champion, I patiently wait, and hope for no major disaster.  Now I will say, when we came across this issue, we were able to make a stronger case to remove collaboration credentials from protected groups; still there was a lot of resistance from admins to change the way they went about their work.  This has changed with more people becoming security aware, and the organizations going through security audits, etc.

I am not disagreeing that multiple credentials are not a best practice, but until MS sneaks a few more of these tweaks into their system, we will deal with bad administration practices for quite some time.  And getting people to do what is “Best” can put you into a lot of “Political, Emotional, and Geopolitical” battles unless you have solid backing.
 
Todd

RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]
No they tend to tell us to do things that will break our DC operations,
so then we inform them that we can't do this, and they say okay.  Then
the following month they ask us to do it again.  Repeat & rinse.


Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be
"auto-removed"

Why? Do they make you change how you want to do admin work. ;o)

LOL couldn't resist. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread joe
Why? Do they make you change how you want to do admin work. ;o)

LOL couldn't resist. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be
"auto-removed"

Not a big fan of "Security" people.  :)

Todd


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]
Not a big fan of "Security" people.  :)

Todd

-Original Message-
From: Al Lilianstrom [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Security permission continues to be
"auto-removed"

Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> Only Sith deal in absolutes... :P
> 
>  
> 
> When you have a CIO that likes to be in the Domain Admins group, you 
> sometimes have to pick your battles.
> 

Talk to your security people. When we first put up AD the computer 
security folks set a maximum limit to the number of people that could be
DAs. Maybe it could be a number that would keep the CIO out?


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]

I guess my point of view is this.  I do what is equitable for the situation, and try to maintain the peace as best as possible.  I myself use dual credentials, encourage others to do it as well, but I also understand that “people do what works”, and CYA with a message to my direct reports about concerns I have.  So until a situation arises that warrants a change in practice that I can champion, I patiently wait, and hope for no major disaster.  Now I will say, when we came across this issue, we were able to make a stronger case to remove collaboration credentials from protected groups; still there was a lot of resistance from admins to change the way they went about their work.  This has changed with more people becoming security aware, and the organizations going through security audits, etc.

I am not disagreeing that multiple credentials are not a best practice, but until MS sneaks a few more of these tweaks into their system, we will deal with bad administration practices for quite some time.  And getting people to do what is “Best” can put you into a lot of “Political, Emotional, and Geopolitical” battles unless you have solid backing.

 

Todd

 

 









From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Yeah, like rename Domain Admins to
"Unimportant People" and create a new group called Domain Admins and
put the CIO in it. There is no excuse for a CIO to be in Domain Admins
unless the company is under 5 people.

 

The only people who should be in domain
admins are the people you expect to fix everything when the world hits the
floor. If someone isn't in that category, they don't get rights to modify
everything because it just puts them in a position to cause work for
someone else. 

 

I would tell that to the CIO of any
company. If the CIO wants, he can hold the envelope that has the password for
the builtin Admin account, that password should be like 250 characters so
he/she isn't interested in actually trying to use it.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Only Sith deal in absolutes… :P

 

When you have a CIO that likes to be in
the Domain Admins group, you sometimes have to pick your battles.

 

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

There is no debate on admins having
multiple creds, one for admin work and one for normal work. Just do it. :)

 

To put it nicely, if a company doesn't do
this, they are just being silly[1]. 

 

I am trying to figure out if there is ever
a valid reason I think that an admin should have a single ID in a company. I
can't come up with one.

   joe

[1] Instead of silly think of mean words
used to describe really silly people.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my
experience. 

 

I think we had situations arise where
someone was trying to programmatically modify or read attributes on accounts in
the protected groups and was not able to due to their membership within a
protected group.  This of course started the hot debate on admins having
multiple credentials, one for administrative duties, the other for collaborative
and identity purposes.

 

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I have a 2-part discussion of this
behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

 

It's a bit headache-inducing, but at least
you will get the benefit of knowing that it is "by design"

HTH

Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From:

Re: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread J B

I should add that I have fixed the problem by using 
method #3 as posted here:  http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx  

This particular account is a member of the 
"Account Operators" group - which was the one causing the 
"problem".

  - Original Message -
  From: joe
  To: ActiveDir@mail.activedir.org
  Sent: Friday, June 23, 2006 9:12 AM
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
  
  Yeah, like rename Domain Admins to "Unimportant People" 
  and create a new group called Domain Admins and put the CIO in it. There is no 
  excuse for a CIO to be in Domain Admins unless the company is 
  under 5 people.
   
  The only people who should be in domain admins are the 
  people you expect to fix everything when the world hits the floor. If someone 
  isn't in that category, they don't get rights to modify everything because it 
  just puts them in a position to cause work for someone else. 
  
   
  I would tell that to the CIO of any company. If the CIO 
  wants, he can hold the envelope that has the password for the builtin Admin 
  account, that password should be like 250 characters so he/she isn't 
  interested in actually trying to use it.
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
  Sent: Friday, June 23, 2006 11:01 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
  
  
  Only Sith deal in 
  absolutes… :P
   
  When you have a CIO 
  that likes to be in the Domain Admins group, you sometimes have to pick your 
  battles.
   
  Todd
   
  
  
  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, June 23, 2006 10:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
   
  There is no debate on 
  admins having multiple creds, one for admin work and one for normal work. Just 
  do it. :)
   
  To put it nicely, if 
  a company doesn't do this, they are just being silly[1]. 
   
  I am trying to figure 
  out if there is ever a valid reason I think that an admin should have a single 
  ID in a company. I can't come up with one.
  
   
  
     
  joe
  
   
  
   
  
   
  
  [1] Instead of silly 
  think of mean words used to describe really silly 
  people.
  
   
  --
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
  
   
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
  Sent: Friday, June 23, 2006 6:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
  One more thing to add 
  to this from my experience. 
   
  I think we had 
  situations arise where someone was trying to programmatically modify or read 
  attributes on accounts in the protected groups and was not able to due to 
  their membership within a protected group.  This of course started the 
  hot debate on admins having multiple credentials, one for administrative 
  duties, the other for collaborative and identity purposes.
   
  Todd
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 22, 2006 9:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
   
  I have a 2-part 
  discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
   
  It's a bit 
  headache-inducing, but at least you will get the benefit of knowing that it is 
  "by design"
  
   
  
  HTH
  Sincerely,
  [ASCII-art signature]
  Microsoft MVP - Directory Services
  www.readymaids.com - we know IT
  www.akomolafe.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
   
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Thursday, June 22, 2006 5:08 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Security permission continues to be "auto-removed"
  
  We have some users that have 
  mobile devices that connect to Exchange.  The 3rd party 
  application uses a dedicated account to send mail from the devices.  
  This account needs to have "Send As..." permissions on each of the user 
  accounts' security settings.  We have set it in all users (about two 
  dozen) but one user in particular has a problem.  We set the 
  permission and give it "Send As..." rights (just like all the others - no 
  di
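The behaviour in this thread (an ACE on one user vanishing within the hour, with the cause turning out to be that user's membership in Account Operators) is the AdminSDHolder mechanism: the SDProp task on the PDC emulator periodically overwrites the security descriptor of every member of a protected group with the ACL of CN=AdminSDHolder,CN=System, so anything granted directly on such a user is removed again. The PowerShell below is an added example written for this page, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module, and 'jdoe' stands in for the affected account. It reports whether a user is subject to that reset and which explicit ACEs on the user AdminSDHolder does not carry.

```powershell
# Added example for this thread (not from the original posts).
# Assumes: RSAT ActiveDirectory module, run as a user allowed to read the
# security descriptors. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

# Groups whose members SDProp protects by default. The four operator groups
# can be excluded through dSHeuristics, so treat this as the starting point.
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Replicator'
)

function Test-SdPropProtected {
    # Evidence that SDProp will overwrite this user's ACL: adminCount=1 (set by
    # SDProp once it has stamped the object; it is not cleared automatically)
    # and any protected group the user belongs to, directly or through nesting.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    # Escape the DN for use inside an LDAP filter (backslash first).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                   -replace '\)', '\29' -replace '\*', '\2a'
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    $hits = @($groups | Where-Object { $ProtectedGroups -contains $_.Name } |
              ForEach-Object { $_.Name })

    [pscustomobject]@{
        User            = $user.SamAccountName
        AdminCount      = $user.adminCount
        ProtectedGroups = $hits
        AclWillBeReset  = ($user.adminCount -eq 1) -or ($hits.Count -gt 0)
    }
}

function Get-AceNotOnAdminSDHolder {
    # Explicit ACEs on the user that AdminSDHolder does not carry: these are
    # the entries SDProp strips on its next pass (hourly by default).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainDn  = (Get-ADDomain).DistinguishedName
    $holderAcl = (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn").Access
    $userDn    = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $userAcl   = (Get-Acl -Path "AD:\$userDn").Access | Where-Object { -not $_.IsInherited }

    foreach ($ace in $userAcl) {
        $match = $holderAcl | Where-Object {
            $_.IdentityReference     -eq $ace.IdentityReference -and
            $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
            $_.AccessControlType     -eq $ace.AccessControlType -and
            $_.ObjectType            -eq $ace.ObjectType
        }
        if (-not $match) {
            $ace | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
        }
    }
}

# Usage with the placeholder account:
Test-SdPropProtected -SamAccountName 'jdoe' | Format-List
Get-AceNotOnAdminSDHolder -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Removing the user from the protected group (then clearing adminCount and re-enabling inheritance on the object) ends the reset for that one user. Granting the right on AdminSDHolder itself also stops it disappearing, but SDProp then pushes that ACE to every protected account in the domain, far wider than the single mailbox in the original question.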

RE: [ActiveDir] Delegating IPSec rights

2006-06-23 Thread Darren Mar-Elia
Joseph-
IPSec objects are stored in the Domain NC in CN=IP Security, CN=System. Each
different type of IP Sec object is represented as an AD object so you could
certainly delegate each object individually. I suspect the bigger challenge
is decoding the IPSec data for each object type but perhaps you've already
skinned that.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO tips, tools and whitepapers. Also
check out the Windows Group Policy Guide, a soup-to-nuts resource for Group
Policy information.
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, June 23, 2006 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating IPSec rights

I'm trying to write an IPSec editor for the operations folks and I need to
make sure that they can only edit specific rules.

Does anyone know how to delegate rights to modify specific IPSec Filter
Rules and Filter Lists?  Are they stored in AD somewhere?  Or are they in
the registry on the DCs?

I was also thinking that I could use a service account with elevated
privileges to perform the operations; however, I'm not sure if I can specify
alternate creds when performing the edits.

Thanks!

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Delegating IPSec rights

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]
There is a Built-in Group starting in XP and 2003 called Network
Configuration Operators that has the rights already assigned to it to
change network configurations that might point you to what rights you
need on a machine.

With regards to access to ability to modify rules, you might try using a
combination of GPO's with delegated rights.  IPsec Policies are normally
linked via GPO's if the machine is part of an AD, but you can also make
standalone policies, export them and import them from files.  I guess
the challenge will be to locate the machines in a container so that the
policies that are applied only affect the machines these users manage,
and not the general population.

Using GPO's doesn't require the use of a service account.

http://technet2.microsoft.com/WindowsServer/en/Library/0de2a247-b456-4105-8863-21055e06a6e91033.mspx?mfr=true

Review this article and see if it answers some of your questions.

Todd

-Original Message-
From: Isenhour, Joseph [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating IPSec rights

I'm trying to write an IPSec editor for the operations folks and I need
to make sure that they can only edit specific rules.

Does anyone know how to delegate rights to modify specific IPSec Filter
Rules and Filter Lists?  Are they stored in AD somewhere?  Or are they
in the registry on the DCs?

I was also thinking that I could use a service account with elevated
privileges to perform the operations; however, I'm not sure if I can
specify alternate creds when performing the edits.

Thanks!

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
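To make Darren's and Todd's answers concrete, the following PowerShell is an added example for this page, not code from either of them or from any Microsoft tool. It assumes the RSAT ActiveDirectory module and uses 'IPsec-Filter-Editors' as a placeholder group name; the object classes it queries (ipsecPolicy, ipsecISAKMPPolicy, ipsecNFA, ipsecNegotiationPolicy, ipsecFilter) are the standard schema classes stored under CN=IP Security,CN=System. It lists those objects, shows who already holds explicit rights on one, and delegates write access on a single filter-list object rather than on the container.

```powershell
# Added example for this thread (not from the original posts).
# Assumes the RSAT ActiveDirectory module; 'IPsec-Filter-Editors' is a
# placeholder group name.
Import-Module ActiveDirectory

function Get-IpsecPolicyObject {
    # Enumerates the objects Darren refers to. A policy is a small set of
    # objects of different classes; the rule logic itself lives in the binary
    # ipsecData attribute, which is what an editor has to decode.
    param([ValidateSet('*', 'ipsecPolicy', 'ipsecISAKMPPolicy', 'ipsecNFA',
                       'ipsecNegotiationPolicy', 'ipsecFilter')]
          [string]$ObjectClass = '*')

    $base = "CN=IP Security,CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $base -SearchScope Subtree `
        -LDAPFilter "(objectClass=$ObjectClass)" -Properties ipsecName, ipsecID, whenChanged |
        Select-Object ObjectClass, ipsecName, ipsecID, whenChanged, DistinguishedName
}

function Get-IpsecObjectAccess {
    # Explicit (non-inherited) ACEs on one object: who can already change it.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

function Grant-IpsecObjectWrite {
    # Delegates Read/WriteProperty on exactly one object with no inheritance,
    # so the group can edit that filter list but cannot touch the container
    # or create, delete or modify sibling policy objects.
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$GroupName)

    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Usage: list the filter lists, inspect the first one, then delegate it.
$filters = @(Get-IpsecPolicyObject -ObjectClass ipsecFilter)
$filters | Format-Table ipsecName, whenChanged, DistinguishedName -AutoSize
if ($filters.Count -gt 0) {
    Get-IpsecObjectAccess -DistinguishedName $filters[0].DistinguishedName | Format-Table -AutoSize
    # Grant-IpsecObjectWrite -DistinguishedName $filters[0].DistinguishedName -GroupName 'IPsec-Filter-Editors'
}
```

Because the ACE sits on the object itself and the operators use their own credentials, no service account with alternate credentials is needed for the edits, which is Todd's point. What this does not solve is the part Darren flags: decoding and re-encoding the binary ipsecData attribute that holds the actual rules. Uncomment the Grant-IpsecObjectWrite call only after reviewing the existing ACEs the script prints.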


Re: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Al Lilianstrom

Myrick, Todd (NIH/CC/DCRI) [E] wrote:

Only Sith deal in absolutes… :P

 

When you have a CIO that likes to be in the Domain Admins group, you 
sometimes have to pick your battles.




Talk to your security people. When we first put up AD the computer 
security folks set a maximum limit to the number of people that could be 
DAs. Maybe it could be a number that would keep the CIO out?




Todd

 




*From:* joe [mailto:[EMAIL PROTECTED]
*Sent:* Friday, June 23, 2006 10:18 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] AD Security permission continues to be 
"auto-removed"


 

There is no debate on admins having multiple creds, one for admin work 
and one for normal work. Just do it. :)




We took that one step farther.

- Regular user account for 'normal' work
- An admin account for server administration
- A DA account for domain admin work

It's a bit of a pain to keep the password straight (for some) but 
accountability is there and one uses the account you need for the job.


It's been more of a pain taking local admin access away from people on 
their desktops.

al



To put it nicely, if a company doesn't do this, they are just being 
silly[1].


 

I am trying to figure out if there is ever a valid reason I think that 
an admin should have a single ID in a company. I can't come up with one.


 


   joe

 

 

 

[1] Instead of silly think of mean words used to describe really silly 
people.


 


--

O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 

 

 

 




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Myrick, Todd 
(NIH/CC/DCRI) [E]

*Sent:* Friday, June 23, 2006 6:50 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] AD Security permission continues to be 
"auto-removed"


One more thing to add to this from my experience.

 

I think we had situations arise where someone was trying to 
programmatically modify or read attributes on accounts in the protected 
groups and was not able to due to their membership within a protected 
group.  This of course started the hot debate on admins having multiple 
credentials, one for administrative duties, the other for collaborative 
and identity purposes.


 


Todd

 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, June 22, 2006 9:34 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] AD Security permission continues to be 
"auto-removed"


 

I have a 2-part discussion of this behavior starting here: 
http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx


 

It's a bit headache-inducing, but at least you will get the benefit of 
knowing that it is "by design"


 


HTH

Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


 

 




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *J B

*Sent:* Thursday, June 22, 2006 5:08 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange.  
The 3rd party application uses a dedicated account to send mail from the 
devices.  This account needs to have "Send As..." permissions on each of 
the user accounts' security settings.  We have set it in all users 
(about two dozen) but one user in particular has a problem.  We set the 
permission and give it "Send As..." rights (just like all the others - 
no different), but usually within an hour, the newly added permission is 
gone - not just the "Send As" setting, but the whole account name is 
gone from this user's security settings as if we never added it in the 
first place.  We have five DC's and I have tried adding it from each DC 
with the same results.  I am baffled by this.  Does anyone have any 
suggestions?




--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread joe



Yeah, like rename Domain Admins to "Unimportant People" and 
create a new group called Domain Admins and put the CIO in it. There is no 
excuse for a CIO to be in Domain Admins unless the company is under 5 
people.
 
The only people who should be in domain admins are the 
people you expect to fix everything when the world hits the floor. If someone 
isn't in that category, they don't get rights to modify everything because it 
just puts them in a position to cause work for someone else. 

 
I would tell that to the CIO of any company. If the CIO 
wants, he can hold the envelope that has the password for the builtin Admin 
account, that password should be like 250 characters so he/she isn't interested 
in actually trying to use it.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


Only Sith deal in 
absolutes… :P
 
When you have a CIO 
that likes to be in the Domain Admins group, you sometimes have to pick your 
battles.
 
Todd
 




From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
 
There is no debate on 
admins having multiple creds, one for admin work and one for normal work. Just 
do it. :)
 
To put it nicely, if a 
company doesn't do this, they are just being silly[1]. 
 
I am trying to figure 
out if there is ever a valid reason I think that an admin should have a single 
ID in a company. I can't come up with one.

 

   
joe

 

 

 

[1] Instead of silly 
think of mean words used to describe really silly 
people.

 
--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
One more thing to add 
to this from my experience. 
 
I think we had 
situations arise where someone was trying to programmatically modify or read 
attributes on accounts in the protected groups and was not able to due to their 
membership within a protected group.  This of course started the hot debate 
on admins having multiple credentials, one for administrative duties, the other 
for collaborative and identity purposes.
 
Todd
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
 
I have a 2-part 
discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
 
It's a bit 
headache-inducing, but at least you will get the benefit of knowing that it is 
"by design"

 

HTH
Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile 
devices that connect to Exchange.  The 3rd party application uses 
a dedicated account to send mail from the devices.  This account needs to 
have "Send As..." permissions on each of the user accounts' security 
settings.  We have set it in all users (about two dozen) but one 
user in particular has a problem.  We set the permission and give it 
"Send As..." rights (just like all the others - no different), but usually 
within an hour, the newly added permission is gone - not just the "Send As" 
setting, but the whole account name is gone from this user's security settings 
as if we never added it in the first place.  We have five DC's and I have 
tried adding it from each DC with the same results.  I am baffled by 
this.  Does anyone have any 
suggestions?


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Marcus.Oh

Salient point being “valid reason”…

:)

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Only Sith deal in absolutes… :P

 

When you have a CIO that likes to be in the Domain Admins group,
you sometimes have to pick your battles.

 

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

There is no debate on admins having multiple creds, one for admin
work and one for normal work. Just do it. :)

 

To put it nicely, if a company doesn't do this, they are just being
silly[1]. 

 

I am trying to figure out if there is ever a valid reason I think
that an admin should have a single ID in a company. I can't come up with one.

   joe

[1] Instead of silly think of mean words used to describe really
silly people.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my experience. 

 

I think we had situations arise where someone was trying to
programmatically modify or read attributes on accounts in the protected groups and
was not able to due to their membership within a protected group.  This of
course started the hot debate on admins having multiple credentials, one for administrative
duties, the other for collaborative and identity purposes.

 

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

 

It's a bit headache-inducing, but at least you will get the benefit
of knowing that it is "by design"

HTH

Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We
have some users that have mobile devices that connect to Exchange. 
The 3rd party application uses a dedicated account to send mail from
the devices.  This account needs to have "Send As..."
permissions on each of the user accounts' security settings.  We have set
it in all users (about two dozen) but one user in particular has a
problem.  We set the permission and give it "Send As..." rights
(just like all the others - no different), but usually within an hour, the
newly added permission is gone - not just the "Send As" setting, but
the whole account name is gone from this user's security settings as if we never
added it in the first place.  We have five DC's and I have tried adding it
from each DC with the same results.  I am baffled by this.  Does
anyone have any suggestions?

[ActiveDir] Delegating IPSec rights

2006-06-23 Thread Isenhour, Joseph
I'm trying to write an IPSec editor for the operations folks and I need
to make sure that they can only edit specific rules.

Does anyone know how to delegate rights to modify specific IPSec Filter
Rules and Filter Lists?  Are they stored in AD somewhere?  Or are they
in the registry on the DCs?

I was also thinking that I could use a service account with elevated
privileges to perform the operations; however, I'm not sure if I can
specify alternate creds when performing the edits.

Thanks!

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]

Only Sith deal in absolutes… :P

 

When you have a CIO that likes to be in
the Domain Admins group, you sometimes have to pick your battles.

 

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

There is no debate on admins having
multiple creds, one for admin work and one for normal work. Just do it. :)

 

To put it nicely, if a company doesn't do
this, they are just being silly[1]. 

 

I am trying to figure out if there is ever
a valid reason I think that an admin should have a single ID in a company. I
can't come up with one.

   joe

[1] Instead of silly think of mean words
used to describe really silly people.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my
experience. 

 

I think we had situations arise where
someone was trying to programmatically modify or read attributes on accounts in the
protected groups and was not able to due to their membership within a protected
group.  This of course started the hot debate on admins having multiple
credentials, one for administrative duties, the other for collaborative and
identity purposes.

 

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I have a 2-part discussion of this
behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

 

It's a bit headache-inducing, but at least
you will get the benefit of knowing that it is "by design"

HTH

Sincerely,
[ASCII-art signature]
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to
Exchange.  The 3rd party application uses a dedicated account to
send mail from the devices.  This account needs to have "Send
As..." permissions on each of the user accounts' security settings. 
We have set it in all users (about two dozen) but one user in particular
has a problem.  We set the permission and give it "Send As..."
rights (just like all the others - no different), but usually within an hour,
the newly added permission is gone - not just the "Send As" setting,
but the whole account name is gone from this user's security settings as if we
never added it in the first place.  We have five DC's and I have tried
adding it from each DC with the same results.  I am baffled by this. 
Does anyone have any suggestions?

Re: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread J B

Thanks for the info!

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, June 22, 2006 6:33 PM
  Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
  
  I have a 2-part discussion of this behavior starting 
  here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
   
  It's a bit headache-inducing, but at least you will get 
  the benefit of knowing that it is "by design"
   
  HTH
  Sincerely,
  [ASCII-art signature]
  Microsoft MVP - Directory Services
  www.readymaids.com - we know IT
  www.akomolafe.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Thursday, June 22, 2006 5:08 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Security permission continues to be "auto-removed"
  
  We have some users that have mobile devices that 
  connect to Exchange.  The 3rd party application uses a 
  dedicated account to send mail from the devices.  This account needs to 
  have "Send As..." permissions on each of the user accounts' security 
  settings.  We have set it in all users (about two dozen) but one 
  user in particular has a problem.  We set the permission and give it 
  "Send As..." rights (just like all the others - no different), but usually 
  within an hour, the newly added permission is gone - not just the "Send As" 
  setting, but the whole account name is gone from this user's security settings 
  as if we never added it in the first place.  We have five DC's and I have 
  tried adding it from each DC with the same results.  I am baffled by 
  this.  Does anyone have any 
suggestions?


RE: [ActiveDir] DC Configuration

2006-06-23 Thread Myrick, Todd (NIH/CC/DCRI) [E]

I agree Joe, three drive arrays are
overkill these days for standard DC operations.  I think you and I are on
the same page also with regards to real world DC Operations and DR scenarios.
I didn’t go into all my reasons for Mirrors either, and you brought up a
good point, about being able to pull the drive for use in a test lab as
well.  And just to throw it in there, Dual PROC’s, Power Supplies are
part of my standard as well as iLO.  We all know the requirements change
dramatically once you add The Beast (Exchange) to the mix these days.  One
of the Techs here came up with a pretty radical design here with regards to Exchange
5.5 IMS servers based on how the mail conversion process worked.  He had a
dedicated SCSI array to make his idea work. Basically he used a combination of
RAID 5 and Raid 1 for each part of the Exchange 5.5 message conversion process
from IMS, MTA, to ESE Storage.  I think it was a Mirror for the IMS, and
the MTA got a three drive RAID 5 array.  The rest got mirrors, except I
think for the Exchange store which had an array.  This was the NT 4 days
though.  Bottom line, I think his radical approach saved our butts on the
week the “I love You” virus hit.  He used a lot of Fuzzy Math
to go with his gut, and a few MS white papers he found littered on Technet.


 

With regards to 64bit computing, the
larger memory is really attractive, but do you think the 2 to 3 gig limit in
32bit OS’s is a problem currently with less than 5K users?  I don’t
get out much these days… so my small world brain things 3 gigs is good
enough.

 

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration


While I understand the three separate RAID
array design, as I have previously mentioned I don't think it is necessary for
most AD implementations because in general, the log file drive(s) will be
sleeping. Most people just do not generate enough churn to get IOs bumpin on
the log drive. The one exception I have seen was when Eric was inflating his
big DIT. The numbers he was generating for log IOPS was far more than I have
ever heard of anywhere for AD.

 

With a generic DC across the board, it is
the DIT drive that takes the pounding. I haven't seen any x64 machines with a
64bit OS on them yet to see what that looks like but obviously if there is
enough RAM and the DIT has gotten into cache, this will dramatically change
the footprint and at that point the OS disk I would guess will become the
busiest (excluding environments with tons of writes to AD). Even still, I
haven't seen an OS on a DC that required its own dedicated spindles. While it
is a cute idea for rolling back from bad updates I would rather have it figured
out in extensive testing beforehand than go through the extra work in
production. I look at DCs as very expendable, if I hurt one, I don't think
twice about rebuilding it and repromoting it; this is a very different design
than say a SQL Server or Exchange Server which isn't generally expendable. So
anyway, for a generic DC configuration, anything that increases the number of
spindles for the DIT is where I go. If that means slapping the OS and logs on
with it, I am fine with it because in the hundreds of perf logs I have had to
wade through, the OS and logs are a rounding error in IOPS next to the DIT
drive.

 

I believe 5000 is the number mentioned in
the guidance from MSFT and again as I said in the last post, it generally isn't
great to make a decision on numbers unless you have a feeling for use as well.
I can pretty much guarantee that a DC in a site with 5000 users and also a
couple of really busy Exchange servers a 32 bit GC will get pounded into
performing inadequately, I have seen it several times and they are always built
as per that silly MSFT deployment doc. Interestingly I asked the question about
how to build a DC for a given site of 3 MCS folks and Eric. The green MCS guy
said exactly what the MSFT doc said - some mirrors, the two other MCS folks
with heavy Exchange Enterprise experience indicated to use 10, 0+1, or 5. Eric
said to use x64 (he always has to be different) but after I pressed him he said
to maximize the spindles as well.

 

If you are speaking with a hardware
company for recommendations, they are pretty much going to just quote you what
the software company said, they pretty much need to. If they thought and said,
no you should change and buy more hardware at 2000 you may look at them and
say, hey now, you are trying to sell more hardware. If they say, oh no, do it
at 10,000 and then it breaks you use the MSFT guidelines to beat them
saying they gave bad advice. 

 

Me... I rather overbuild my DCs and be
happy and bored when the utilization goes over expected and the DCs are still
purring along, not living on the edge and people are wondering what is going on
and you start having to look at every single perf counter that was recorded fo

RE: [ActiveDir] DC Configuration

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
Al, I was basically saying that I think 15K drives are the better way to
go more so because it simplifies your design, reduces the number of
wearable components, etc.

As others have pointed out, this is a guestimate, if your servers are
dedicated to additional functions, you will have to consider evaluating
specific metrics to make an informed decision.

Todd

-Original Message-
From: Al Lilianstrom [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> Some of my opinions based on my own research.
>
> 1. I prefer hot swappable hardware RAID 1 for all boot / system
>    partitions no matter what the role of the server is.  To me this
>    gives the fastest disaster recovery option for situations you are
>    unsure about with regards to OS updates and single drive
>    failures.  On a side note we used to use three mirrors for our
>    domain controller setups. 1 for system/boot/syslog, 1 for
>    transaction logs, and 1 for data.  We mirrored this after our
>    exchange setup, except in Exchange we used RAID 5 arrays to store
>    the data.
> 2. With regards to number of spindles and performance, I discussed
>    this with someone on the list before (Guido) and people at HP and
>    we came to the conclusion that with the latest 15K drives you
>    won't see any tangible performance improvements going with
>    multiple mirrors unless your DCs service more than 5000 people in
>    that location where the DC resides.

I had a feeling that 15K drives wouldn't buy me much. After some reading
last night I'm even more convinced. For our size I think I'll be going
with 2 mirror sets and as much memory as we can afford.

> 3. Judging from the original poster's SMTP information, it looks like
>    his organization has less than 5000 people in it, so I recommend
>    his first option.
>

While my 'organization' has less than 5000 employees we can have from
1-4000 visitors here at any time. With the Accelerator running (as it is
now) we'll be crowded for the next 1.5 years.

> 
> Follow-up thoughts looking for group input.
> 
>  
> 
> With regards to when is it best to use Software RAID, I have debated
> this with several people and I seem to favor this approach in Virtual
> Server Environments and using it on the System/Boot Partition for DR
> purposes.  Another possible use for the software based mirroring might
> be to create live copy of server for duplication purposes (personally I
> think there are much better approaches out there.)  Any thoughts on this?
> 
>  
> 
> What Disk type do you all recommend?  I currently still stick to the 
> Basic Disk for the most part. (Unless I want to use software based 
> fault-tolerance).
> 

We use basic for the most part. The only time I use dynamic is
when I have to create a large (>5TB) volume on some of the SATA boxes
that we have that host some large-ish SQL databases.

al

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread joe
What is the RSS feed address? I didn't see it on there.

As for the slowness of the site... Six posts in three years could explain
it... ;)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is this like AD blog season or what?

You can always check my blog, www.toddm.org/adog.  As you can see I am
rapidly posting all my recent AD thoughts in there.  You can also hear
crickets chirp when you go to my site.

-Original Message-
From: Brett Shirley [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is this like AD blog season or what?

I wouldn't mind hearing specific things people would like to hear about
...  I have my own internal list of ideas of stuff to blog about / proto
blogs / etc, but wondering how much my plan matches desire.

Cheers,
-BrettSh

On Thu, 22 Jun 2006, joe wrote:

> I wouldn't mind seeing some AD Dev guys blogging. The closest to it that I
> am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was but
> one of the more visible AD gurus. I would probably pay to subscribe to a
> blog by DonH if he told stories of all of the AD Dev work and why various
> decisions were made.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, June 09, 2006 4:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Is this like AD blog season or what?
> 
> Active Directory Discussion : Introducing the Active Directory 
> Discussion Blog:
> http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> The SBS product team wants to hear from you:
> http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> 


RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread joe
There is no debate on admins having multiple creds, one for 
admin work and one for normal work. Just do it. :)
 
To put it nicely, if a company doesn't do this, they are 
just being silly[1]. 
 
I am trying to figure out if there is ever a valid reason I 
think that an admin should have a single ID in a company. I can't come up with 
one.
 
   joe
 
 
 
[1] 
Instead of silly think of mean words used to describe really silly 
people.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


One more thing to add 
to this from my experience. 
 
I think we had situations arise where someone was trying to programmatically
modify or read attributes on accounts in the protected groups and was not able
to due to their membership within a protected group.  This of course started the
hot debate on admins having multiple credentials, one for administrative duties,
the other for collaborative and identity purposes.
 
Todd
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"
 
I have a 2-part 
discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
 
It's a bit 
headache-inducing, but at least you will get the benefit of knowing that it is 
"by design"

 

HTH
Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange.  The 3rd
party application uses a dedicated account to send mail from the devices.  This
account needs to have "Send As..." permissions on each of the user accounts'
security settings.  We have set it in all users (about two dozen) but one user
in particular has a problem.  We set the permission and give it "Send As..."
rights (just like all the others - no different), but usually within an hour,
the newly added permission is gone - not just the "Send As" setting, but the
whole account name is gone from this user's security settings as if we never
added it in the first place.  We have five DCs and I have tried adding it from
each DC with the same results.  I am baffled by this.  Does anyone have any
suggestions?
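The "by design" behaviour in this thread is the AdminSDHolder/SDProp process: by default every 60 minutes it overwrites the security descriptor of every account in a protected group (those stamped adminCount=1) with the AdminSDHolder template, so an ACE added directly to such a user vanishes within the hour. As an added check, not code from any poster, this PowerShell lists the protected accounts and reports the explicit ACEs on one user that the template lacks; it assumes the RSAT ActiveDirectory module and uses a placeholder user name.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# (which also provides the AD: drive used by Get-Acl). The user name passed at
# the bottom is a placeholder.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# Accounts stamped adminCount=1 are the ones SDProp keeps rewriting; the
# memberOf list usually shows the protected group (Domain Admins, Account
# Operators, etc.) that earned the stamp.
function Get-SDPropProtectedUser {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
        Select-Object SamAccountName, @{ n = 'MemberOf'; e = { $_.memberOf -join '; ' } }
}

# Build a comparable key for an ACE: who, which rights, allow/deny, and the
# object/extended-right GUID (Send As is an extended right, so ObjectType matters).
function Get-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
                         $Ace.AccessControlType, $Ace.ObjectType
}

# Report explicit ACEs on the user that are not on the AdminSDHolder template.
# Those are exactly the entries the next SDProp pass (every 60 minutes by
# default) will remove again.
function Compare-AdminSDHolderAcl {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user         = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $userAcl      = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access
    $template     = (Get-Acl -Path "AD:\$adminSDHolder").Access
    $templateKeys = @($template | ForEach-Object { Get-AceKey $_ })

    if ($user.adminCount -ne 1) {
        Write-Host "$SamAccountName is not SDProp-protected; look elsewhere for the ACE removal."
        return
    }

    foreach ($ace in $userAcl) {
        # SDProp also disables inheritance on protected objects, so only
        # explicit entries are meaningful here.
        if ($ace.IsInherited) { continue }
        if ($templateKeys -notcontains (Get-AceKey $ace)) {
            [pscustomobject]@{
                Identity = $ace.IdentityReference
                Rights   = $ace.ActiveDirectoryRights
                Type     = $ace.AccessControlType
                Note     = 'Explicit on user, absent from AdminSDHolder: SDProp will strip it'
            }
        }
    }
    Write-Host "Fix: grant the right on $adminSDHolder (it propagates to all protected accounts)"
    Write-Host "or remove $SamAccountName from the protected group and clear adminCount."
}

Get-SDPropProtectedUser | Format-Table -AutoSize
Compare-AdminSDHolderAcl -SamAccountName 'PLACEHOLDER_USER' | Format-Table -AutoSize
```

Granting the right on AdminSDHolder extends it to every protected account, so for an ordinary mailbox user the safer fix is to take the account out of the protected group and then reset adminCount and re-enable inheritance, which SDProp does not undo on its own.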


RE: [ActiveDir] DC Configuration

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
Actually,

 

I would use a RAID 1 to hold a system /
boot partition and a second partition to house a volume that holds mount points
used to establish shares for File servers and a print spooler.  I run across too
many File servers that have shares littered across multiple drives because people
needed to expand volumes, so they just add a new LUN from a SAN, or an LAS array,
etc.  This design is mainly for my own sanity.

 

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration


Number of users isn't critical, it is how
the system is used. While it would be odd for a 500 user system to take a
beating, I don't think we could rule it out until you understand how the system
is used. Any designs that go off of user count and nothing else are going to be
flawed. Without the details, the recommend from me is to go as big as you can.
If that doesn't end up being big enough, at least you tried and now you don't
have as much more to buy now. :)

> So why not a RAID 1 partition that holds all the OS, binaries, log files, file and print facilities etc?

For a low level use, I was right there with you until you said file and print my friend. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, June 22, 2006 11:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration



Interesting how much traffic this subject has garnered.

But I have to ask, why? I mean, we haven't even heard the performance
concepts and you're ready to put this on extra hardware no questions. What if
he only had about 500 users? Would that still hold? What if it were a largely
distributed environment and they had a network such that they needed many
smaller vs. fewer larger DCs? Maybe a branch office environment?

I hate software raid (joe's sure to put that definition in a wiki
somewhere) because of the false sense of hope it gives the implementer.
But I do understand the idea of the least amount of hardware for the task at
hand and not a penny more hardware than is needed.  Not that I'm even
coming close to endorsing software level RAID - far from it.

So why not a RAID 1 partition that holds all the OS, binaries, log
files, file and print facilities etc?

It's a distributed app and could very easily work to the specs needed
in a largely distributed architecture. Were RODC available, it might be chosen
for some of the ones I have in mind.

I'm sure you feel I'm baiting you and picking on you Gil but I am
curious what some of the thinking in the crowd is.

On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

OS, DIT, logs on separate spindles.

Enough memory to store the DIT + overhead.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not 
all of them but probably half of them. We've pretty much decided on 64
bit Dell PowerEdge servers. Most of the discussion is about disk
configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 
20GB or so for the OS and the remainder for NTDS, Sysvol, and system
state backups

2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS,
the second is for NTDS, Sysvol, and system state backups. 

I've always liked physically separating the OS from the application
data. Others here like carving up the volume at the OS.

Any thoughts, opinions, suggestions?

   tia, al
--

Al Lilianstrom 
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] Recall: NETBIOS Character Limitation?

2006-06-23 Thread joe
I was messing with you Jose. Even inside of Exchange it can be a bit flakey
at times. A recall notice makes me laugh, the read receipts that come to the
list, now those are a trifle annoying. I would think that everyone has that
feature turned off by now or at least set to PROMPT.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Friday, June 23, 2006 12:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recall: NETBIOS Character Limitation?

Hi Joe,

It works within an Exchange Organization, and you're right it does not work
once the message has been routed through the SMTP Gateway.
My apologies for the unnecessary email.

Jose


- Original Message - 
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] " 
<[EMAIL PROTECTED]>
To: 
Sent: Thursday, June 22, 2006 3:57 PM
Subject: Re: [ActiveDir] Recall: NETBIOS Character Limitation?


> It ALWAYS makes me look closer at the original message.
>
> It works in Novell is my understanding.
>
> joe wrote:
>
>>Does this ever work? I mean for something other than making you look at
>>the message really closely that the person wants to recall...
>>
>>
>>
>>--
>>O'Reilly Active Directory Third Edition -
>>http://www.joeware.net/win/ad3e.htm
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
>>Sent: Friday, June 16, 2006 12:04 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] Recall: NETBIOS Character Limitation?
>>
>>Medeiros, Jose would like to recall the message, "NETBIOS Character
>>Limitation?".


RE: [ActiveDir] [OT] DC Configuration

2006-06-23 Thread joe
Most politicians give stuff away for free, it is the stuff you use to spread
on your gardens in the spring... Smells a little funny, like Brett's office.


I better go look up ethical. I normally try to act in an uncategorizable
way...


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 22, 2006 9:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DC Configuration

I know, I know...how about the AD Party?  We're ethical, right?  joe's
probably the most ethical guy around.  And he gives stuff away for free.
When was the last time you saw a politician do that?  I nominate him for
President!  ;-)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 8:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DC Configuration

A party? Where? They got beer?


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, June 22, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

"...whichever party that may be."

On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
>
> Ethics? That's the stuff the guys in the other party don't have.
> 
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:52 PM
>
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Exactly...
>
> Congress: Ethics? What's that?
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darren Mar-Elia
> Sent: Thursday, June 22, 2006 6:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Yea, it seemed an awful basic question for you joe. And, of course I fell
> for it. Agreed though that software RAID is like Congress creating its own
> ethics rules--just a bad idea all around.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:16 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> ROFL!
>
> That was more of a case of purposely refusing to acknowledge software RAID
> versus truly understanding what it is. I have had far more than my share of
> times trying to rebuild software raid configs.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darren Mar-Elia
> Sent: Thursday, June 22, 2006 6:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Software RAID is where the OS (in this case) handles the striping of
the
> data rather than the hardware (usually the controller).
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:05 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> o Software RAID? What's that?
>
> o Yeah I am not a fan of mirrors. I like lots of spindles. But then I tend
> to work with big busy directories with Exchange beating on it.  Being 64 bit
> you don't have to worry _as much_ assuming you have enough RAM to cache your
> entire DIT but you still have to load that baby in the first place so I
> would still recommend RAID 0+1, 10, or 5 or if you don't care about fault
> tolerance the fastest is RAID-0.
>
> o I would say if you are going 64 bit, make sure you make it a priority to
> get enough RAM to hold your entire DIT. That is the cool thing about getting
> 64 bit.
>
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al
> Mulnick
> Sent: Thursday, June 22, 2006 5:12 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] DC Configuration
>
>
> There would be a little more to gain than that but often that's the reason.
> joe might point out that a two mirror configuration is not his optimal
> configuration. I'm pretty sure he'd also point out that compared with
> software raid, that he'd take that option. :)
>
> I can honestly say I'd agree with him on this one. Software mirroring for
> this type of applic

RE: [ActiveDir] DC Configuration

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
Understood,

I tend to use rules of thumb a lot.  Use whatever metrics and
scientific methods work best for you to make informed decisions.

My suggestion is to mitigate a simple hardware failure of a drive, and
share what I consider acceptable performance based on published
standards and the ever changing hardware environment.  In the MS NT4
days it was considered rule of thumb to add additional domain
controllers for every 5000 (maybe it was 2.5K) users served.

I interpreted Al's request as more of a gut check; he didn't ask for
empirical evidence.

Todd   

-Original Message-
From: Brett Shirley [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

I think to go from 5000 users to a load metric (across organizations) is
ridiculous ... one org's 5000 users do not generate the same load as
another's 5000 users.  Be careful about making comparisons like that.
Just my 2c.

Cheers,
-BrettSh

On Fri, 23 Jun 2006, Al Lilianstrom wrote:

> Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> > Some of my opinions based on my own research.
> >
> > 1. I prefer hot swappable hardware RAID 1 for all boot / system
> >    partitions no matter what the role of the server is.  To me this
> >    gives the fastest disaster recovery option for situations you are
> >    unsure about with regards to OS updates and single drive
> >    failures.  On a side note we used to use three mirrors for our
> >    domain controller setups. 1 for system/boot/syslog, 1 for
> >    transaction logs, and 1 for data.  We mirrored this after our
> >    exchange setup, except in Exchange we used RAID 5 arrays to store
> >    the data.
> > 2. With regards to number of spindles and performance, I discussed
> >    this with someone on the list before (Guido) and people at HP and
> >    we came to the conclusion that with the latest 15K drives you
> >    won't see any tangible performance improvements going with
> >    multiple mirrors unless your DCs service more than 5000 people in
> >    that location where the DC resides.
>
> I had a feeling that 15K drives wouldn't buy me much. After some reading
> last night I'm even more convinced. For our size I think I'll be going
> with 2 mirror sets and as much memory as we can afford.
>
> > 3. Judging from the original poster's SMTP information, it looks like
> >    his organization has less than 5000 people in it, so I recommend
> >    his first option.
>
> While my 'organization' has less than 5000 employees we can have from
> 1-4000 visitors here at any time. With the Accelerator running (as it is
> now) we'll be crowded for the next 1.5 years.
>
> > Follow-up thoughts looking for group input.
> >
> > With regards to when is it best to use Software RAID, I have debated
> > this with several people and I seem to favor this approach in Virtual
> > Server Environments and using it on the System/Boot Partition for DR
> > purposes.  Another possible use for the software based mirroring might
> > be to create live copy of server for duplication purposes (personally I
> > think there are much better approaches out there.)  Any thoughts on this?
> >
> > What Disk type do you all recommend?  I currently still stick to the
> > Basic Disk for the most part. (Unless I want to use software based
> > fault-tolerance).
>
> We use basic for the most part. The only time I use dynamic is
> when I have to create a large (>5TB) volume on some of the SATA boxes
> that we have that host some large-ish SQL databases.
>
>   al
>
> --
>
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]


RE: [ActiveDir] DC Configuration

2006-06-23 Thread joe
While I understand the three separate RAID array design, as 
I have previously mentioned I don't think it is necessary for most AD 
implementations because in general, the log file drive(s) will be sleeping. Most 
people just do not generate enough churn to get IOs bumpin on the log drive. The 
one exception I have seen was when Eric was inflating his big DIT. The numbers 
he was generating for log IOPS was far more than I have ever heard of anywhere 
for AD.
 
With a generic DC across the board, it is the DIT drive
that takes the pounding. I haven't seen any x64 machines with a 64bit OS on them
yet to see what that looks like but obviously if there is enough RAM and the DIT
has gotten into cache, this will dramatically change the footprint and at that
point the OS disk I would guess will become the busiest (excluding
environments with tons of writes to AD). Even still, I haven't seen an OS on a
DC that required its own dedicated spindles. While it is a cute idea for rolling
back from bad updates I would rather have it figured out in extensive testing
beforehand than go through the extra work in production. I look at DCs as very
expendable, if I hurt one, I don't think twice about rebuilding it and
repromoting it; this is a very different design than say a SQL Server or
Exchange Server which isn't generally expendable. So anyway, for a generic DC
configuration, anything that increases the number of spindles for the DIT is
where I go. If that means slapping the OS and logs on with it, I am fine with it
because in the hundreds of perf logs I have had to wade through, the OS and logs
are a rounding error in IOPS next to the DIT drive.
 
I believe 5000 is the number mentioned in the guidance from 
MSFT and again as I said in the last post, it generally isn't great to make a 
decision on numbers unless you have a feeling for use as well. I can pretty much 
guarantee that a DC in a site with 5000 users and also a couple of really busy 
Exchange servers a 32 bit GC will get pounded into performing inadequately, I 
have seen it several times and they are always built as per that silly MSFT 
deployment doc. Interestingly I asked the question about how to build a DC for a 
given site of 3 MCS folks and Eric. The green MCS guy said exactly what the MSFT 
doc said - some mirrors, the two other MCS folks with heavy Exchange Enterprise 
experience indicated to use 10, 0+1, or 5. Eric said to use x64 (he always has to 
be different) but after I pressed him he said to maximize the spindles as well. 

 
If you are speaking with a hardware company for 
recommendations, they are pretty much going to just quote you what the software 
company said, they pretty much need to. If they thought and said, no you should 
change and buy more hardware at 2000 you may look at them and say, hey now, you 
are trying to sell more hardware. If they say, oh no, do it at 10,000 and 
then it breaks you use the MSFT guidelines to beat them saying they gave 
bad advice. 
 
Me... I rather overbuild my DCs and be happy and bored 
when the utilization goes over expected and the DCs are still purring along, not 
living on the edge and people are wondering what is going on and you start 
having to look at every single perf counter that was recorded for a week trying 
to work out exactly which component is the one screwing you. Hardware is CHEAP! 
Downtime and poor performance is EXPENSIVE. Also, let alone downs and slow email 
or something, it is far more expensive to bring in someone like me to spend 
hours or days to try and figure out that you should have bought an extra 1 GB of 
RAM or not followed the silly multiple mirror design or something. Plus, later, 
if you decide to add more functionality or upgrade your OS, you aren't sitting 
with a design that was for that machine at that one point in time based on an 
assumption that nothing would change and have to go scrambling for hardware to 
cover what other new thing you want to do. 
 
The hardest thing is designing for a greenfield 
installation... Say you are moving from some other NOS or from a mainframe 
environment to Windows. You have no clue what the load is going to be because 
there is nothing to look at so you don't know if you are under or overbuilding. 
Then unfortunately, numbers of users gets more important as it is the only real 
starting point you have. 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration


Some of my opinions based on my own research.

1. I prefer hot swappable hardware RAID 1 for all boot / system partitions no matter what the role of the server is.  To me this gives the fastest disaster recovery option for situations you are unsure about with regards to OS updates and single drive fa
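An added example, not code from joe's post or from anyone else in the thread: a PowerShell script that measures what joe is describing, the per-volume disk IOPS, queue length and latency on a running DC, so you can see for yourself whether the OS and log volumes are a rounding error next to the DIT volume before deciding how to spend spindles, and then checks the DIT size against physical RAM (Gil's "enough memory to store the DIT + overhead"). It assumes a Windows Server DC with PowerShell 3.0 or later in an elevated session; the NTDS registry value names are the standard ones, and the 1.5x overhead factor is this example's assumption, not a Microsoft figure.

```powershell
# Added example, not code from the thread. Samples LogicalDisk counters for the
# OS, DIT and log volumes of this DC and compares the DIT size with RAM.
# Assumes Windows Server with PowerShell 3.0+ and an elevated session.

$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $ntds.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $ntds.'Database log files path'   # e.g. C:\Windows\NTDS

$roles = [ordered]@{
    OS  = $env:SystemDrive
    DIT = Split-Path -Qualifier $ditPath
    Log = Split-Path -Qualifier $logDir
}
# If two roles share a volume, LogicalDisk counters cannot separate their IO.
$shared = $roles.Values | Group-Object | Where-Object Count -gt 1
if ($shared) { Write-Warning ('Volumes shared by more than one role: ' + ($shared.Name -join ', ')) }

$volumes  = $roles.Values | Select-Object -Unique
$counters = foreach ($v in $volumes) {
    "\LogicalDisk($v)\Disk Transfers/sec"
    "\LogicalDisk($v)\Avg. Disk Queue Length"
    "\LogicalDisk($v)\Avg. Disk sec/Transfer"
}

# 5-second samples for 5 minutes. Lengthen this to cover logon peaks and
# Exchange-driven GC load; a quiet window tells you nothing.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 60

$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = ($_.Name -replace '^\\\\[^\\]+', '')   # strip the \\machine prefix
            Average = [math]::Round($stats.Average, 3)
            Peak    = [math]::Round($stats.Maximum, 3)
        }
    } | Sort-Object Counter | Format-Table -AutoSize

# Gil's rule from the thread: enough memory to hold the DIT plus overhead.
# The 1.5x factor is this example's assumption, not a vendor figure.
$ditBytes = (Get-Item -LiteralPath $ditPath).Length
$ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
'{0}: ntds.dit {1:N0} MB, physical RAM {2:N0} MB' -f $env:COMPUTERNAME, ($ditBytes / 1MB), ($ramBytes / 1MB)
if ($ditBytes * 1.5 -gt $ramBytes) {
    Write-Warning 'DIT plus overhead exceeds RAM; the DIT volume will keep taking read IO.'
}
```

Run it during a representative window (morning logon, Exchange peak) rather than at night; if the DIT volume's Avg. Disk sec/Transfer stays well above the OS and log volumes while the others idle, that is the pattern joe describes and more spindles for the DIT is where the money goes.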

Re: [ActiveDir] DC Configuration

2006-06-23 Thread Al Mulnick
Yeah, I threw that in there mostly for your benefit [1] 
That's correct, you cannot repeatedly build a successful system based on a single datapoint. Go big and you might get lucky, but that's not the science part of computer science. 
 
The biggest issue I tend to see is echoed across many many folks that design everything from datacenters to assembly lines. Spend the most time defining your requirements.  Typically that means figuring out the usage scenarios and defining the load on the components of the system and the system as a whole. Inevitably, you come to a point where you're guesstimating the amount because there is just a certain amount of historical data and just so much estimation you can do on a variable such as the future usage. You try and you do the due diligence, but eventually you estimate high. 

 
Load is far more important than number of users in determining a proper installation. I get that.  I was just questioning why anyone would suggest a particular layout before hearing that information? I'll be more direct next time :)

 
[1] and Deji.  But he acts like he's been busy lately. 
 
On 6/23/06, joe <[EMAIL PROTECTED]> wrote:



Number of users isn't critical, it is how the system is used. While it would be odd for a 500 user system to take a beating, I don't think we could rule it out until you understand how the system is used. Any designs that go off of user count and nothing else are going to be flawed. Without the details, the recommend from me is to go as big as you can. If that doesn't end up being big enough, at least you tried and now you don't have as much more to buy now. :)


 

> So why not a RAID 1 partition that holds all the OS, binaries, log files, file and print facilities etc? 

 

For a low level use, I was right there with you until you said file and print my friend. ;)

 
 
 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, June 22, 2006 11:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration 


Interesting how much traffic this subject has garnered.  
 
But I have to ask, why? I mean, we haven't even heard the performance concepts and you're ready to put this on extra hardware no questions. What if he only had about 500 users? Would that still hold? What if it were a largely distributed environment and they had a network such that they needed many smaller vs. fewer larger DC's? Maybe a branch office environment? 

 
I hate software raid (joe's sure to put that definition in a wiki somewhere) because of the false sense of hope it gives the implementer.  But I do understand the idea of the least amount of hardware for the task at hand and not a penny more hardware than is needed.  Not that I'm even coming close to endorsing software level RAID - far from it.  

 
So why not a RAID 1 partition that holds all the OS, binaries, log files, file and print facilities etc? 
 
It's a distributed app and could very easily work to the specs needed in a largely distributed architecture. Were RODC available, it might be chosen for some of the ones I have in mind.   
I'm sure you feel I'm baiting you and picking on you Gil but I am curious what some of the thinking in the crowd is  
 
 
On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

OS, DIT, logs on separate spindles.
Enough memory to store the DIT + overhead.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not all of them but probably half of them. We've pretty much decided on 64 bit Dell PowerEdge servers. Most of the discussion is about disk configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 20GB or so for the OS and the remainder for NTDS, Sysvol, and system state backups
2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS, the second is for NTDS, Sysvol, and system state backups.

I've always liked physically separating the OS from the application data. Others here like carving up the volume at the OS.

Any thoughts, opinions, suggestions?

tia, al

--
Al Lilianstrom CD/CSS/CSI
[EMAIL PROTECTED]
 



RE: [ActiveDir] DC Configuration

2006-06-23 Thread joe



Number of users isn't critical, it is how the system is 
used. While it would be odd for a 500 user system to take a beating, I don't 
think we could rule it out until you understand how the system is used. Any 
designs that go off of user count and nothing else are going to be flawed. 
Without the details, the recommend from me is to go as big as you can. If that 
doesn't end up being big enough, at least you tried and now you don't have as 
much more to buy now. :)
 

> So why not a RAID 1 partition that holds 
all the OS, binaries, log files, file and print facilities etc? 

 
For a 
low level use, I was right there with you until you said file and print my 
friend. ;)
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, June 22, 2006 11:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

Interesting how much traffic this subject has garnered.  
 
But I have to ask, why? I mean, we haven't even heard the performance 
concepts and you're ready to put this on extra hardware no questions. What if he 
only had about 500 users? Would that still hold? What if it were a largely 
distributed environment and they had a network such that they needed many 
smaller vs. fewer larger DC's? Maybe a branch office environment? 
 
I hate software raid (joe's sure to put that definition in a wiki 
somewhere) because of the false sense of hope it gives the implementer.  
But I do understand the idea of the least amount of hardware for the task at 
hand and not a penny more hardware than is needed.  Not that I'm even 
coming close to endorsing software level RAID - far from it.  
 
So why not a RAID 1 partition that holds all the OS, binaries, log files, 
file and print facilities etc? 
 
It's a distributed app and could very easily work to the specs needed in a 
largely distributed architecture. Were RODC available, it might be chosen for 
some of the ones I have in mind.   
I'm sure you feel I'm baiting you and picking on you Gil but I am 
curious what some of the thinking in the crowd is  

 
 
On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote: 

  OS, DIT, logs on separate spindles.
  Enough memory to store the DIT + overhead.

  -gil

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
  Sent: Thursday, June 22, 2006 1:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DC Configuration

  We have some budget money to replace domain controllers this year. Not all of them but probably half of them. We've pretty much decided on 64bit Dell PowerEdge servers. Most of the discussion is about disk configuration. Two schools of thought exist here.

  1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 20GB or so for the OS and the remainder for NTDS, Sysvol, and system state backups
  2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS, the second is for NTDS, Sysvol, and system state backups.

  I've always liked physically separating the OS from the application data. Others here like carving up the volume at the OS.

  Any thoughts, opinions, suggestions?

  tia, al

  --
  Al Lilianstrom CD/CSS/CSI
  [EMAIL PROTECTED]
  


Re: [ActiveDir] OT: DHCP Cluster

2006-06-23 Thread Al Mulnick
IIRC, the reason it's different on the cluster is that there were a lot of changes between 2000 and 2003 DHCP. The DB's are not compatible/interchangeable. 
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/clustering/rllupnet.mspx

 
 
 
DHCP is not supported during rolling upgrades. You must follow the below instructions during rolling upgrade for DHCP resource.

1. Confirm that your systems are running Windows 2000 and right Service packs if there is any.
2. Move DHCP resource to a single node by double clicking the Groups folder in Cluster Administrator's console tree. Click the group that contains the resource and then in the File menu, click Move Group.
3. Upgrade the operating system on each of the nodes that is not hosting the DHCP resource moved in the previous step.
4. Move the DHCP resource that you moved in the earlier steps from the node that has not been upgraded to one of the newly upgraded nodes.

Notes:

• After the upgrade, the DHCP resource can not failback to the Windows 2000 node.
• Following the procedure as described above will typically give you the highest availability of the resources that do not support rolling upgrades.
On 6/22/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA <[EMAIL PROTECTED]> wrote:

I will look into it.  I was under the impression that it was an upgrade of the OS, but reading further it is actually a fresh install of the OS. I guess I took the word Upgrade in the wrong context.

Thanks,
Nate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernier, Brandon (.)
Sent: Thursday, June 22, 2006 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DHCP Cluster

Can you do a rolling upgrade? Meaning evict one node from the cluster, reload it with 2K3 and put DHCP back on then add it back into the cluster and do the other node. I've done this with SQL many times, but I forgot what changed from W2K to W2k3 for DHCP..I don't remember anything mind blowing, but I'd look into anyways.

-Brandon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, June 22, 2006 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DHCP Cluster

Anybody know any good knowledgebase articles or resources for migrating a 2000 DHCP cluster to a 2003 DHCP cluster?

I would appreciate the information/links.

Thanks,
Nate



Re: [ActiveDir] DC Configuration

2006-06-23 Thread Al Mulnick
Couldn't agree more. :)  
 
 
But you have to start somewhere, right? 
 
I think Todd's reasoning for NOT using software raid (joe, "Huh?") is solid and likely based on being bit in the past.  If you look at it logically, relying on the OS that you're trying to protect to protect from hardware issues, seems odd.  Makes more sense to let hardware protect hardware and software protect software. The question then becomes, "is it a software problem if the OS drive gets hosed and or is it a hardware issue?" As an old spark chaser, I say it's both.  However, the root cause is the hardware failure and the software failure is just a symptom of the issue.  

 
As for virtualization, remind me why you would have mirrored anything in a VM? Or are you saying that the host is using virtualized mirroring? I'm confused by the statement, but I can't get my brain around the use of software raid to break up a VM's virtualized drive.  Help me understand the point as I'm keenly interested in that subject at the moment.

 
-ajm
 
 
 
On 6/23/06, Brett Shirley <[EMAIL PROTECTED]> wrote:

I think to go from 5000 users to a load metric (across organizations) is ridiculous ... one orgs 5000 users do not generate the same load as anothers 5000 users.  Be careful about making comparisons like that.  Just my 2c.

Cheers,
-BrettSh

On Fri, 23 Jun 2006, Al Lilianstrom wrote:

> Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> > Some of my opinions based on my own research.
> >
> >1. I prefer hot swappable hardware RAID 1 for all boot / system
> >   partitions no matter what the role of the server is.  To me this
> >   gives the fastest disaster recovery option for situations you are
> >   unsure about with regards to OS updates and single drive
> >   failures.  On a side note we used to use three mirrors for our
> >   domain controller setups. 1 for system/boot/syslog, 1 for
> >   transaction logs, and 1 for data.  We mirrored this after our
> >   exchange setup, except in Exchange we used RAID 5 arrays to store
> >   the data.
> >2. With regards to number of spindles and performance, I discussed
> >   this with someone on the list before (Guido) and people at HP and
> >   we came to the conclusion that with the latest 15K drives you
> >   won't see any tangible performance improvements going with
> >   multiple mirrors unless you DC's service more than 5000 people in
> >   that location where the DC resides.
>
> I had a feeling that 15K drives wouldn't buy me much. After some reading
> last night I'm even more convinced. For our size I think I'll be going
> with 2 mirror sets and as much memory as we can afford.
>
> >3. Judging from the original posters SMTP information, it looks like
> >   his organization has less than 5000 people in it, so I recommend
> >   his first option.
>
> While my 'organization' has less than 5000 employees we can have from
> 1-4000 visitors here at any time. With the Accelerator running (as it is
> now) we'll be crowded for the next 1.5 years.
>
> > Follow-up thoughts looking for group input.
> >
> > With regards to when is it best to use Software RAID, I have debated
> > this with several people and I seem to favor this approach in Virtual
> > Server Environments and using it on the System/Boot Partition for DR
> > purposes.  Another possible use for the software based mirroring might
> > be to create live copy of server for duplication purposes (personally I
> > think there are much better approaches out there.)  Any thoughts on this?
> >
> > What Disk type do you all recommend?  I currently still stick to the
> > Basic Disk for the most part. (Unless I want to use software based
> > fault-tolerance).
>
> We use basic for most for the most part. The only time I use dynamic is
> when I have to create a large (>5TB) volume on some of the SATA boxes
> that we have that host some large-ish SQL databases.
>
>   al
>
> --
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]


Re: [ActiveDir] DC Configuration

2006-06-23 Thread Brett Shirley
I think to go from 5000 users to a load metric (across organizations) is
ridiculous ... one orgs 5000 users do not generate the same load as
anothers 5000 users.  Be careful about making comparisons like that.  Just
my 2c.

Cheers,
-BrettSh

On Fri, 23 Jun 2006, Al Lilianstrom wrote:

> Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> > Some of my opinions based on my own research.
> > 
> >  
> > 
> >1. I prefer hot swappable hardware RAID 1 for all boot / system
> >   partitions no matter what the role of the server is.  To me this
> >   gives the fastest disaster recovery option for situations you are
> >   unsure about with regards to OS updates and single drive
> >   failures.  On a side note we used to use three mirrors for our
> >   domain controller setups. 1 for system/boot/syslog, 1 for
> >   transaction logs, and 1 for data.  We mirrored this after our
> >   exchange setup, except in Exchange we used RAID 5 arrays to store
> >   the data.
> >2. With regards to number of spindles and performance, I discussed
> >   this with someone on the list before (Guido) and people at HP and
> >   we came to the conclusion that with the latest 15K drives you
> >   won't see any tangible performance improvements going with
> >   multiple mirrors unless you DC's service more than 5000 people in
> >   that location where the DC resides.
> 
> I had a feeling that 15K drives wouldn't buy me much. After some reading 
> last night I'm even more convinced. For our size I think I'll be going 
> with 2 mirror sets and as much memory as we can afford.
> 
> >3. Judging from the original posters SMTP information, it looks like
> >   his organization has less than 5000 people in it, so I recommend
> >   his first option.
> > 
> 
> While my 'organization' has less than 5000 employees we can have from 
> 1-4000 visitors here at any time. With the Accelerator running (as it is 
> now) we'll be crowded for the next 1.5 years.
> 
> > 
> > Follow-up thoughts looking for group input.
> > 
> >  
> > 
> > With regards to when is it best to use Software RAID, I have debated 
> > this with several people and I seem to favor this approach in Virtual 
> > Server Environments and using it on the System/Boot Partition for DR 
> > purposes.  Another possible use for the software based mirroring might 
> > be to create live copy of server for duplication purposes (personally I 
> > think there are much better approaches out there.)  Any thoughts on this?
> > 
> >  
> > 
> > What Disk type do you all recommend?  I currently still stick to the 
> > Basic Disk for the most part. (Unless I want to use software based 
> > fault-tolerance).
> > 
> 
> We use basic for most for the most part. The only time I use dynamic is 
> when I have to create a large (>5TB) volume on some of the SATA boxes 
> that we have that host some large-ish SQL databases.
> 
>   al
> 
> -- 
> 
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]
> 


Re: [ActiveDir] How to block particular Subjects

2006-06-23 Thread AdamT

I've not used IMF to do that before.  Perhaps you could plug in an
Exim or Postfix machine as your inbound MX and do the filtering there?

On 23/06/06, Ajay Kumar <[EMAIL PROTECTED]> wrote:


Hi AdamT,

Actually I didn't use IMF before. Is it that it will really block the
particular subjects (attachment)? I mean to say that if a user sends their
attachment with particular subjects, it should be blocked.

Sam.





On 6/21/06, AdamT <[EMAIL PROTECTED]> wrote:
>
On 21/06/06, Ajay Kumar <[EMAIL PROTECTED]> wrote:
 >
>
> I just want to know, is it possible to block particular subjects,
> e.g. ( Resume ),
> when a user sends any mail related to the same subject to another domain ( Internet ).
> We are using Exchange Server 2003 and at least 500 users.
> Please give me any suggestion / software through which I can block

Have you looked at Intelligent Message Filters?

http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html


--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche





--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche


Re: [ActiveDir] DC Configuration

2006-06-23 Thread Al Lilianstrom

Myrick, Todd (NIH/CC/DCRI) [E] wrote:

Some of my opinions based on my own research.

 


   1. I prefer hot swappable hardware RAID 1 for all boot / system
  partitions no matter what the role of the server is.  To me this
  gives the fastest disaster recovery option for situations you are
  unsure about with regards to OS updates and single drive
  failures.  On a side note we used to use three mirrors for our
  domain controller setups. 1 for system/boot/syslog, 1 for
  transaction logs, and 1 for data.  We mirrored this after our
  exchange setup, except in Exchange we used RAID 5 arrays to store
  the data.
   2. With regards to number of spindles and performance, I discussed
  this with someone on the list before (Guido) and people at HP and
  we came to the conclusion that with the latest 15K drives you
  won’t see any tangible performance improvements going with
  multiple mirrors unless you DC’s service more than 5000 people in
  that location where the DC resides.


I had a feeling that 15K drives wouldn't buy me much. After some reading 
last night I'm even more convinced. For our size I think I'll be going 
with 2 mirror sets and as much memory as we can afford.



   3. Judging from the original posters SMTP information, it looks like
  his organization has less than 5000 people in it, so I recommend
  his first option.



While my 'organization' has less than 5000 employees we can have from 
1-4000 visitors here at any time. With the Accelerator running (as it is 
now) we'll be crowded for the next 1.5 years.




Follow-up thoughts looking for group input.

 

With regards to when is it best to use Software RAID, I have debated 
this with several people and I seem to favor this approach in Virtual 
Server Environments and using it on the System/Boot Partition for DR 
purposes.  Another possible use for the software based mirroring might 
be to create live copy of server for duplication purposes (personally I 
think there are much better approaches out there.)  Any thoughts on this?


 

What Disk type do you all recommend?  I currently still stick to the 
Basic Disk for the most part. (Unless I want to use software based 
fault-tolerance).




We use basic for most for the most part. The only time I use dynamic is 
when I have to create a large (>5TB) volume on some of the SATA boxes 
that we have that host some large-ish SQL databases.


al

--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]



RE: [ActiveDir] OT: DHCP Cluster

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
It is DHCP, so it can be down a little bit in off hours.  I would just
rebuild to a 2K3 cluster, stop the production DHCP, backup the database,
down the original cluster, then import the old configuration to the new
cluster.  If it doesn't work, you can just turn back on the original
DHCP cluster.  The whole transfer takes less than 15 minutes if done
right.

Word of caution, watch out for IP helper configurations on routers, if
you assign new IP addresses to your DHCP servers, make sure that
information is passed onto the network team.

Todd

-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DHCP Cluster

I will look into it.  I was under the impression that it was an upgrade
of the OS, but reading further it is actually a fresh install of the OS.
I guess I took the word Upgrade in the wrong context.

Thanks,
Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
Brandon (.)
Sent: Thursday, June 22, 2006 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DHCP Cluster

Can you do a rolling upgrade? Meaning evict one node from the cluster,
reload it with 2K3 and put DHCP back on then add it back into the
cluster and do the other node. I've done this with SQL many times, but I
forgot what changed from W2K to W2k3 for DHCP..I don't remember anything
mind blowing, but I'd look into anyways.

-Brandon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, June 22, 2006 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DHCP Cluster

Anybody know any good knowledgebase articles or resources for migrating
a 2000 DHCP cluster to a 2003 DHCP cluster?

I would appreciate the information/links.

Thanks,
Nate
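An added example, not code from Todd's post or from anyone else in the thread: a PowerShell script that carries out the migration Todd describes with netsh, in his order (snapshot the old configuration, stop the old service, import on the new server, verify, and fall back to the old service if anything goes wrong). It is meant to run on the new Windows Server 2003 DHCP server with the DHCP admin tools installed; $OldServer and $Export are hypothetical names, the export file is written locally by netsh, and the IP helper and AD authorization reminders at the end are the caveats from the thread, not commands the script runs for you.

```powershell
# Added example, not code from the thread. Moves DHCP scopes, options and
# leases from an old server to a freshly built 2003 server with netsh.
# Run on the NEW server from an elevated session with the DHCP admin tools.
# $OldServer and $Export are hypothetical.

$OldServer = 'dhcp-old'             # hypothetical source server
$Export    = 'C:\dhcp-export.txt'   # hypothetical local path; netsh writes it here

function Get-ScopeIds([string]$server) {
    # Parses the table printed by "netsh dhcp server show scope"; each scope
    # line starts with the scope subnet address followed by " - ".
    $out = if ($server) { netsh dhcp server \\$server show scope }
           else         { netsh dhcp server show scope }
    $out | ForEach-Object { if ($_ -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s+-') { $Matches[1] } }
}

# 1. Snapshot everything on the old server ("all" = every scope; give a list
#    of scope addresses instead to move a subset).
netsh dhcp server \\$OldServer export $Export all
if ($LASTEXITCODE -ne 0) { throw "export from $OldServer failed" }
$oldScopes = @(Get-ScopeIds $OldServer)

# 2. Stop the old service so no leases are issued after the snapshot.
sc.exe \\$OldServer stop DHCPServer | Out-Null

# 3. Import into the local (new) service. If the new server is a cluster,
#    run this on the node that currently owns the online DHCP resource.
netsh dhcp server import $Export all
if ($LASTEXITCODE -ne 0) {
    sc.exe \\$OldServer start DHCPServer | Out-Null
    throw 'import failed; old DHCP service restarted'
}

# 4. Verify every scope came across before trusting the new server.
$newScopes = @(Get-ScopeIds)
$missing   = $oldScopes | Where-Object { $_ -notin $newScopes }
if ($missing) {
    sc.exe \\$OldServer start DHCPServer | Out-Null
    throw "scopes missing on new server: $($missing -join ', '); old service restarted"
}
"Imported $($newScopes.Count) scope(s) from $OldServer."

# 5. Todd's caution: if the new server has a different address, every router
#    'ip helper-address' that points at the old one must be changed, and the
#    new server must be authorized in AD (netsh dhcp add server <fqdn> <ip>)
#    before clients will be served.
```

The old server is only stopped, never rebuilt, so the rollback is the same `sc.exe start` the script already uses; decommission it only after the new server has handed out leases through at least one full lease period.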


[ActiveDir] FRS

2006-06-23 Thread Rimmerman, Russ



Has anyone seen it
where you add a target to a DFS replica set and the target never replicates with
the rest of the targets, and when you look at the eventlog on the target,
there's no errors?  The only events are the FRS service starting normally,
no errors at all.  There's never an event about it adding the share to the
DFS replica either.  It's almost like it's not being told to do
anything.

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
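An added example, not from Russ's post or anyone else in the thread: a PowerShell script that checks the AD objects that tell FRS on a DFS target what it is supposed to replicate. A target that starts cleanly, logs nothing and never replicates is usually one where the member object or the subscriber object under its computer account is missing or points at the wrong thing, so the service has nothing to act on. $ReplicaSet and $Target are hypothetical names; the container path and the nTFRSReplicaSet / nTFRSMember / nTFRSSubscriber classes and attributes are the FRS schema as this example understands it, and ntfrsutl.exe is assumed to be on the path.

```powershell
# Added example, not code from the thread. Walks the FRS objects in AD for a
# DFS replica set member and then forces the member to re-read them.
# $ReplicaSet and $Target are hypothetical; run as a domain user.

$ReplicaSet = 'Public'   # hypothetical nTFRSReplicaSet CN; list them with
                         # (objectClass=nTFRSReplicaSet) under $dfsBase if unsure
$Target     = 'FS03'     # hypothetical member server (sAMAccountName without $)

$domainDN = ([adsi]'LDAP://RootDSE').defaultNamingContext
$dfsBase  = "LDAP://CN=DFS Volumes,CN=File Replication Service,CN=System,$domainDN"

function Find-Objects([string]$base, [string]$filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([adsi]$base, $filter)
    $s.PropertiesToLoad.AddRange([string[]](@('distinguishedName') + $props))
    $s.FindAll()
}
function First($result, [string]$prop) { @($result.Properties[$prop.ToLower()])[0] }

# 1. The replica set and its member objects.
$set = Find-Objects $dfsBase "(&(objectClass=nTFRSReplicaSet)(cn=$ReplicaSet))" @('cn')
if ($set.Count -eq 0) { throw "replica set '$ReplicaSet' not found under $dfsBase" }
$setDN   = First $set[0] 'distinguishedName'
$members = Find-Objects "LDAP://$setDN" '(objectClass=nTFRSMember)' @('cn', 'frsComputerReference')

# 2. The target needs an nTFRSMember whose frsComputerReference is its computer object.
$comp = Find-Objects "LDAP://$domainDN" "(&(objectClass=computer)(sAMAccountName=$Target`$))" @('cn')
if ($comp.Count -eq 0) { throw "computer $Target not found in $domainDN" }
$compDN = First $comp[0] 'distinguishedName'
$member = $members | Where-Object { (First $_ 'frsComputerReference') -eq $compDN }
if (-not $member) {
    Write-Warning "$Target has no member object in '$ReplicaSet'; it was never added to the set."
    return
}
$memberDN = First $member 'distinguishedName'

# 3. The target's own FRS service reads CN=NTFRS Subscriptions under its computer
#    object; the nTFRSSubscriber there must point back at the member and carry the
#    root and staging paths. Missing or wrong = clean start, no events, no work.
try {
    $subs = Find-Objects "LDAP://CN=NTFRS Subscriptions,$compDN" '(objectClass=nTFRSSubscriber)' `
                         @('cn', 'frsMemberReference', 'fRSRootPath', 'fRSStagingPath')
} catch {
    Write-Warning "$Target has no NTFRS Subscriptions container: $_"
    return
}
$subscriber = $subs | Where-Object { (First $_ 'frsMemberReference') -eq $memberDN }
if (-not $subscriber) {
    Write-Warning "$Target has a member object but no subscriber pointing at $memberDN."
    return
}
[pscustomobject]@{
    Member      = $memberDN
    Subscriber  = First $subscriber 'distinguishedName'
    RootPath    = First $subscriber 'fRSRootPath'
    StagingPath = First $subscriber 'fRSStagingPath'
}

# 4. FRS only notices these objects on its DS poll (the long poll on a member
#    server defaults to 60 minutes); force one and list what the service now sees.
ntfrsutl poll /now $Target
ntfrsutl sets $Target
```

If the subscriber exists but `ntfrsutl sets` on the target still shows nothing, the next things to check are that the subscriber's root path exists on the target and that the member's DN is also visible on the DC the target's FRS service is polling, since a subscriber created on one DC is invisible to the member until it replicates.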


RE: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
You can always check my blog, www.toddm.org/adog  As you can see I am
rapidly posting all my recent AD thoughts in there.  You can also hear
crickets chirp when you go to my site.

-Original Message-
From: Brett Shirley [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is this like AD blog season or what?

I wouldn't mind hearing specific things people would like to hear about
...  I have my own internal list of ideas of stuff to blog about / proto
blogs / etc, but wondering how much my plan matches desire.

Cheers,
-BrettSh

On Thu, 22 Jun 2006, joe wrote:

> I wouldn't mind seeing some AD Dev guys blogging. The closest to it
that I
> am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was
but
> one of the more visible AD gurus. I would probably pay to subscribe to
a
> blog by DonH if he told stories of all of the AD Dev work and why
various
> decisions were made.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, June 09, 2006 4:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Is this like AD blog season or what?
> 
> Active Directory Discussion : Introducing the Active Directory 
> Discussion Blog:
> http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> The SBS product team wants to hear from you:
> http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> 


RE: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
We ran into a situation in Exchange 5.5 where the number of people
delegated rights in the container that stored recipients exceeded the
memory space allocated for permissions (we had something like 20 people
I think).  This came about more so when we upgraded to Windows 2000 I
think.  Hard to recall.

Anyway, the reason why we got into this situation was because the
standard practice at the time was to delegate user objects and not a
group, because I think people wanted to know who exactly had
permissions.  NG.

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is this like AD blog season or what?

I still want to hear about the admin limit exceeded stuff.  Any stories
on history of why things were done certain ways is always great too.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, June 22, 2006 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is this like AD blog season or what?

I wouldn't mind hearing specific things people would like to hear about
...  I have my own internal list of ideas of stuff to blog about / proto
blogs / etc, but wondering how much my plan matches desire.

Cheers,
-BrettSh

On Thu, 22 Jun 2006, joe wrote:

> I wouldn't mind seeing some AD Dev guys blogging. The closest to it
> that I am aware of is Brett then ~Eric and Eric isn't in AD Dev nor
> ever was but one of the more visible AD gurus. I would probably pay to
> subscribe to a blog by DonH if he told stories of all of the AD Dev
> work and why various decisions were made.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, June 09, 2006 4:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Is this like AD blog season or what?
> 
> Active Directory Discussion : Introducing the Active Directory 
> Discussion Blog:
> http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> The SBS product team wants to hear from you:
> http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> 
> 



RE: [ActiveDir] [OT] DC Configuration

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
I am considering joining the Pirate Party, not necessarily for what they
stand for more so just because it sounds cool.  

I do think that the patent system and copyright system have major
problems that need to be addressed, and I am not so jazzed about the
recent laws enacted to protect IP.  More so I don't think we need a
special party just to push this agenda, that is what the Libertarian
party is pretty much for.  I do think that the Libertarian party could
adopt the pirate Parrot as its symbol though. hehe 

ARR!

http://www.pirate-party.us/

Todd

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 9:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DC Configuration

I know, I know...how about the AD Party?  We're ethical, right?  joe's
probably the most ethical guy around.  And he gives stuff away for free.
When was the last time you saw a politician do that?  I nominate him for
President!  ;-)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 8:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DC Configuration

A party? Where? They got beer?


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, June 22, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

"...whichever party that may be."

On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
>
> Ethics? That's the stuff the guys in the other party don't have.
> 
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:52 PM
>
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Exactly...
>
> Congress: Ethics? What's that?
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darren Mar-Elia
> Sent: Thursday, June 22, 2006 6:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Yea, it seemed an awful basic question for you joe. And, of course I
> fell for it. Agreed though that software RAID is like Congress creating
> its own ethics rules--just a bad idea all around.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:16 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> ROFL!
>
> That was more of a case of purposely refusing to acknowledge software
> RAID versus truly understanding what it is. I have had far more than my
> share of times trying to rebuild software raid configs.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darren Mar-Elia
> Sent: Thursday, June 22, 2006 6:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> Software RAID is where the OS (in this case) handles the striping of
> the data rather than the hardware (usually the controller).
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> joe
> Sent: Thursday, June 22, 2006 3:05 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Configuration
>
>
> o Software RAID? What's that?
>
> o Yeah I am not a fan of mirrors. I like lots of spindles. But then I
> tend to work with big busy directories with Exchange beating on it.
> Being 64 bit you don't have to worry _as much_ assuming you have enough
> RAM to cache your entire DIT but you still have to load that baby in
> the first place so I would still recommend RAID 0+1, 10, or 5 or if you
> don't care about fault tolerance the fastest is RAID-0.
>
> o I would say if you are going 64 bit, make sure you make it a
> priority to get enough RAM to hold your entire DIT. That is the cool
> thing about getting 64 bit.
>
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al
> Mulnick
> Sent: Thursday, June 22, 2006 5:12 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] DC Configuration
>
>
> There would be a little more to gain than that but often that's the
> reason. joe might point out that a two mirror configuration is not his
> optimal co

RE: [ActiveDir] AD Security permission continues to be "auto-removed"

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]

One more thing to add to this from my experience.

I think we had situations arise where someone was trying to
programmatically modify or read attributes on accounts in the protected
groups and was not able to due to their membership within a protected
group.  This of course started the hot debate on admins having multiple
credentials, one for administrative duties, the other for collaborative
and identity purposes.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I have a 2-part discussion of this behavior starting here:
http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

It's a bit headache-inducing, but at least you will get the benefit of
knowing that it is "by design".

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange.
The 3rd party application uses a dedicated account to send mail from
the devices.  This account needs to have "Send As..." permissions on
each of the user accounts' security settings.  We have set it in all
users (about two dozen) but one user in particular has a problem.  We
set the permission and give it "Send As..." rights (just like all the
others - no different), but usually within an hour, the newly added
permission is gone - not just the "Send As" setting, but the whole
account name is gone from this user's security settings as if we never
added it in the first place.  We have five DCs and I have tried adding
it from each DC with the same results.  I am baffled by this.  Does
anyone have any suggestions?

RE: [ActiveDir] DC Configuration

2006-06-23 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]

Some of my opinions based on my own research.

1) I prefer hot swappable hardware RAID 1 for all boot / system
partitions no matter what the role of the server is.  To me this gives
the fastest disaster recovery option for situations you are unsure
about with regards to OS updates and single drive failures.  On a side
note we used to use three mirrors for our domain controller setups: 1
for system/boot/syslog, 1 for transaction logs, and 1 for data.  We
mirrored this after our Exchange setup, except in Exchange we used RAID
5 arrays to store the data.

2) With regards to number of spindles and performance, I discussed this
with someone on the list before (Guido) and people at HP and we came to
the conclusion that with the latest 15K drives you won't see any
tangible performance improvements going with multiple mirrors unless
your DCs service more than 5000 people in that location where the DC
resides.

3) Judging from the original poster's SMTP information, it looks like
his organization has less than 5000 people in it, so I recommend his
first option.

Follow-up thoughts looking for group input.

With regards to when is it best to use Software RAID, I have debated
this with several people and I seem to favor this approach in Virtual
Server Environments and using it on the System/Boot Partition for DR
purposes.  Another possible use for the software based mirroring might
be to create a live copy of a server for duplication purposes
(personally I think there are much better approaches out there).  Any
thoughts on this?

What disk type do you all recommend?  I currently still stick to the
Basic Disk for the most part (unless I want to use software based
fault-tolerance).

Thanks,

Todd

From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 11:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

Interesting how much traffic this subject has garnered.

But I have to ask, why? I mean, we haven't even heard the performance
concepts and you're ready to put this on extra hardware no questions.
What if he only had about 500 users? Would that still hold? What if it
were a largely distributed environment and they had a network such that
they needed many smaller vs. fewer larger DCs? Maybe a branch office
environment?

I hate software raid (joe's sure to put that definition in a wiki
somewhere) because of the false sense of hope it gives the implementer.
But I do understand the idea of the least amount of hardware for the
task at hand and not a penny more hardware than is needed.  Not that
I'm even coming close to endorsing software level RAID - far from it.

So why not a RAID 1 partition that holds all the OS, binaries, log
files, file and print facilities etc?

It's a distributed app and could very easily work to the specs needed
in a largely distributed architecture. Were RODC available, it might be
chosen for some of the ones I have in mind.

I'm sure you feel I'm baiting you and picking on you Gil but I am
curious what some of the thinking in the crowd is.

On 6/22/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

OS, DIT, logs on separate spindles.

Enough memory to store the DIT + overhead.

-gil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not 
all of them but probably half of them. We've pretty much decided on 64
bit Dell PowerEdge servers. Most of the discussion is about disk
configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 
20GB or so for the OS and the remainder for NTDS, Sysvol, and system
state backups

2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS,
the second is for NTDS, Sysvol, and system state backups. 

I've always liked physically separating the OS from the application
data. Others here like carving up the volume at the OS.

Any thoughts, opinions, suggestions?

   tia, al
--

Al Lilianstrom 
CD/CSS/CSI
[EMAIL PROTECTED]
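The thread settles on two rules for a DC build: keep the OS, the DIT and the transaction logs on separate spindles, and buy enough RAM to hold the whole DIT plus overhead. The script below is an added example, not from any post here, that reports how an existing DC measures up; it reads the DIT and log locations from the NTDS Parameters registry key, and the 20% RAM headroom is my own assumption since the thread does not quantify "overhead".

```powershell
# Added example (not from any post in the thread): report how a DC measures
# up against the advice above, i.e. DIT and logs off the OS volume and on
# separate volumes, and enough RAM to hold the whole DIT. Run locally on
# the DC; assumes read access to the NTDS registry key and file paths.
function Get-DcStorageReport {
    # Registry values the directory service itself uses to locate its files.
    $ntds    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $ntds.'DSA Database file'
    $logDir  = $ntds.'Database log files path'

    $ditBytes = (Get-Item -LiteralPath $ditPath).Length
    # ESE transaction logs (edb*.log) and reserve files (edb*.jrs).
    $logBytes = (Get-ChildItem -LiteralPath $logDir -Filter 'edb*' -File |
                 Measure-Object -Property Length -Sum).Sum
    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

    # Volume checks go by drive letter, so two partitions carved from one
    # RAID 1 set (option 1 in the original post) still count as separate
    # here; only the physical layout tells you whether spindles are shared.
    $osVol  = $env:SystemDrive
    $ditVol = Split-Path -Path $ditPath -Qualifier
    $logVol = Split-Path -Path $logDir  -Qualifier

    # Headroom factor is a constructed assumption: "DIT + overhead" in the
    # thread is not quantified, so leave 20% of RAM for the OS and LSASS.
    $headroom = 0.8

    [pscustomobject]@{
        DitPath          = $ditPath
        LogDir           = $logDir
        DitGB            = [math]::Round($ditBytes / 1GB, 2)
        LogGB            = [math]::Round($logBytes / 1GB, 2)
        RamGB            = [math]::Round($ramBytes / 1GB, 2)
        DitFitsInRam     = $ditBytes -lt ($ramBytes * $headroom)
        DitOffOsVolume   = $ditVol -ne $osVol
        LogsOffDitVolume = $logVol -ne $ditVol
    }
}

Get-DcStorageReport | Format-List
```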