RE: [ActiveDir] Blocking IE7

2006-10-22 Thread Rob MOIR

Yes, but my point was that the moment you decide "We're gonna give {someone} 
admin rights" you've totally conceded control of the machine and you're 
reliant on their co-operation. If someone wants IE7 on their machine in your 
environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with 
academic environments.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: 20 October 2006 01:11
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 Yes/No - Because we are an academic environment, the best we could do
 was to make our users' domain account a user but give them their own
 local admin account.  We use restricted groups to enforce.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Thursday, October 19, 2006 4:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 Are your users local admins?  Only admins can approve IE7 for install.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: Thursday, October 19, 2006 2:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 I must be missing something, I read:
 
 * The Blocker Toolkit will not prevent users from manually installing
 Internet Explorer 7 as a Recommended update from the Windows Update or
 Microsoft Update sites, from the Microsoft Download Center, or from
 external media.
 
 So it seems to me a hash rule combined with a filename rule should work
 unless they change both on me.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Thursday, October 19, 2006 12:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 You might want to re-read the page that you linked to below, since it
 answers all of your questions.
 
 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
 you would simply not approve the update.
 2. That toolkit *is* designed to block both the executable and
 automatic update installations.
 
 Laura
 
 
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: Thursday, October 19, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Blocking IE7
 I see how to block IE7 from deploying through WSUS, but what I don't
 see is a way to block a user from manually installing it.
 
 (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)
 
 Our users are 90% XP SP2 and managed through GP.  What about building a
 restricted software GPO that has a hash of iesetup7.exe (if that even
 exists)?
 
 I want to restrict them from getting it through microsoftupdate.com as
 well.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Rob MOIR
And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: 20 October 2006 01:11
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 Yes/No - Because we are an academic environment, the best we could do
 was to make our users' domain account a user but give them their own
 local admin account.  We use restricted groups to enforce.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Thursday, October 19, 2006 4:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 Are your users local admins?  Only admins can approve IE7 for install.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: Thursday, October 19, 2006 2:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 I must be missing something, I read:
 
 * The Blocker Toolkit will not prevent users from manually installing
 Internet Explorer 7 as a Recommended update from the Windows Update or
 Microsoft Update sites, from the Microsoft Download Center, or from
 external media.
 
 So it seems to me a hash rule combined with a filename rule should work
 unless they change both on me.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Thursday, October 19, 2006 12:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Blocking IE7
 
 You might want to re-read the page that you linked to below, since it
 answers all of your questions.
 
 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
 you would simply not approve the update.
 2. That toolkit *is* designed to block both the executable and
 automatic update installations.
 
 Laura
 
 
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
 Sent: Thursday, October 19, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Blocking IE7
 I see how to block IE7 from deploying through WSUS, but what I don't
 see is a way to block a user from manually installing it.
 
 (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)
 
 Our users are 90% XP SP2 and managed through GP.  What about building a
 restricted software GPO that has a hash of iesetup7.exe (if that even
 exists)?
 
 I want to restrict them from getting it through microsoftupdate.com as
 well.
 
 Bryan Lucas
 Server Administrator
 Texas Christian University
 


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Rob MOIR
 2) Spy ware hangs around for a long time. Our users used to have admin
 rights so there is a lot of legacy spyware around

Create a project to re-build these machines? If you've got a standard
deployment image for workstations, this might not be too disruptive.
 
 3) We still have business critical applications that won't run without
 admin rights. Often these are tightly integrated in a large suite of
 applications, e.g. the Call Centre management suite, so we still have
 some machines where users have admin rights. I know this sucks but
 there is certainly no cash available to replace these apps

Is there a budget to deliver these 'special' apps via Citrix or at least
MS Terminal server, hence isolating them on a locked down server which
users cannot browse the web from, and allowing you to drop their local
workstation access level down to something sane? Or to virtualise these
apps on each desktop, again isolating them and allowing you to drop the
local workstation access rights down a notch or two.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?


RE: [ActiveDir] RFMAGIC

2006-07-07 Thread Rob MOIR
[EMAIL PROTECTED] ~] # mv /dev/tty0 /dev/tty0_old
[EMAIL PROTECTED] ~] # cp /dev/null /dev/tty0
[CONNECTION TO HOST LOST]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: 07 July 2006 09:03
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] RFMAGIC
 
  [EMAIL PROTECTED] ~]# dcpromo
 
 bash: dcpromo: command not found
 
 [EMAIL PROTECTED] ~]# pwd
 
 /home/bdesmond
 
 [EMAIL PROTECTED] ~]# uname
 
 Linux
 
 [EMAIL PROTECTED] ~]# whereis dcpromo
 
 dcpromo:
 
 [EMAIL PROTECTED] ~]# ls / -R | grep dcpromo
 
 [EMAIL PROTECTED] ~]#
 
 
 
 Thanks,
 
 Brian Desmond
 
 [EMAIL PROTECTED]
 
 
 
 c - 312.731.3132
 
 
 
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Robert Oytun
 Sent: Friday, July 07, 2006 2:48 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] RFMAGIC
 
 
 
 FYI,
 
 
 
 San Diego company RFMagic at www.rfmagic.com http://www.rfmagic.com/
 looking for a Linux admin.
 
 
 
 Just FYI
 
 
 
 Robert Oytun



RE: [ActiveDir] pw reset domain account

2006-06-26 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of AWS
 Sent: 25 June 2006 23:35
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] pw reset domain account
 
 There's a proposal at my company for a self service password reset
 website which uses a shared domain account. It's similar to a kiosk
 configuration, but the intent is to publicize the account and password
 so that it can be used from any users' pc when needed.
 
 They have an account-specific OU/GPO configuration which locks down the
 typical stuff you would expect, but my position is that there are too
 many unknown vectors for such an account to be abused.
 
 Since I don't dabble in the various black hat utils du jour, does
 anyone have any thoughts on how a globally known domain account could
 be hacked upon? Conversely, is there any way such an account could be
 effectively locked down?

Joe and Laura have already given this the gimlet eye, but I'll add that
we were recently considering this here and threw it out due to security
issues. As Laura points out, you have totally lost any hope of control
or accountability on your whole network with these kinds of accounts
loose on it.

You've got a choice - lock it down like crazy (and there is a problem
with that which I'll come to in a moment) or trust your users. Right, I
don't think so either.

The problem with something like this is that your need to lock the
account down is in conflict with giving it enough rights to perform a
privileged task. So you produce all kinds of odd little hacks and tweaks
so that this account has no rights at all apart from when you need it to
have the sort of rights needed to reset a password (While I'm here, how
do you propose stopping people from being able to hack or DOS another
person's account by resetting it for them?).

Anyway, you start locking your chosen account down. You've got to be
lucky enough to have got there first for every possible attack vector
that a hacker can think of exploiting untraceably with this account. The
hacker only needs to be luckier than you once.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?


RE: [ActiveDir] pw reset domain account

2006-06-26 Thread Rob MOIR
What sort of questions? If you ask people to pick a secret question then you'll 
get poor quality questions:

Q. QWERTY
A. UIOP

Or poor quality questions:
DOB? (My friends at work know how old I am, and what day my birthday is).
Q. What sports team do I support?
A. Right, like it isn't obvious from the way I was moaning about their play 
yesterday.

Or questions that anyone trying to hack a specific important account couldn't 
discover.
Q. What was my first grade teacher?
A. Like this isn't documented on Friends Reunited and every silly myspace quiz 
you ever took.

Sorry to sound like I'm beating you up on this quite so much, but I've been 
down this road already and I'm trying to save you some pain.

Couple of further questions:
What will you do if someone forgets the special password resetting account's 
details? Hopefully they won't actually be logging in THAT often.

What's to stop a 'random passer by' getting on a terminal and playing with this 
account?

-Original Message-
From: [EMAIL PROTECTED] on behalf of AWS
Sent: Mon 26/06/2006 15:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
 
Yes, the latter. This is an account a user would use to login with, then the
pw reset website would automatically run. The website has challenge/response
Q's for them to get their individual acct reset.

On 6/25/06, joe [EMAIL PROTECTED] wrote:

  Err, maybe you can fill in more detail. I am not quite sure what you are
 saying. Are you saying there is a generic ID to log into the website and it
 can reset anyone's password or are you saying there is a generic ID with
 rights to reset anyone's password or 

 Either of those solutions wouldn't be optimal and I would love to work in
 that company for a day with that implemented and have people point out who
 the dumbass managers were... Or at least their IDs.  eg

 Oh I just read that again, is this an idea to give a userid/password to
 everyone so they can get past the GINA and get to the self service website?

  --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm



  --
 *From:* [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] *On Behalf Of *AWS
 *Sent:* Sunday, June 25, 2006 6:35 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] pw reset domain account


  There's a proposal at my company for a self service password reset
 website which uses a shared domain account. It's similar to a kiosk
 configuration, but the intent is to publicize the account and password so
 that it can be used from any users' pc when needed.

 They have an account-specific OU/GPO configuration which locks down the
 typical stuff you would expect, but my position is that there are too many
 unknown vectors for such an account to be abused.

 Since I don't dabble in the various black hat utils du jour, does anyone
 have any thoughts on how a globally known domain account could be hacked
 upon? Conversely, is there any way such an account could be effectively
 locked down?

 Thanks,
 AW




RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-13 Thread Rob MOIR
Virtual Machine Additions are a set of drivers and applets to extend and 
improve integration of a guest OS into the Virtual Server / PC application.

As for "Where do you get it" / "Why wouldn't they just include it in the default 
install", you get it as part of the default install because it *is* included ;-) 
(unless you want the Linux additions, they are still new, if not 'beta', and 
hence are a separately available but still free download)
... but you have to choose to install it and this is frequently overlooked by 
those in a rush or inexperienced with Virtual Server. VMWare, Parallels and 
other similar products all have their equivalents, btw, and the same thing 
applies there; the extras are often overlooked but the performance improvements 
can be profound.

--
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on? 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: 13 June 2006 05:08
To: ActiveDir@mail.activedir.org
Subject: RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning 
Virtual Server

The paper on running a DC on a VM is interesting, particularly this section.  
What is Virtual Machine Additions and where do you get it?  Why wouldn't they 
just include this in the default install?

You can improve performance by installing Virtual Machine Additions as soon as 
the guest operating system is up and running. Virtual Machine Additions is a 
set of features that improves the integration of the host and guest operating 
systems. It also improves the performance and manageability of the guest 
operating system. You must install Virtual Machine Additions on all virtual 
machines. Virtual Machine Additions adds the following enhancements to a guest 
operating system: 
* Improved mouse cursor tracking and control. 
* Greatly improved overall performance. 
* Virtual machine heartbeat generator. 
* Optional time synchronization with the clock of the physical computer. This 
feature is enabled by default and must be disabled for domain controllers that 
are running in virtual machines.
* Increased small computer system interface (SCSI) controller performance.
* Support for two-node clustering between virtual machines for testing and 
development scenarios.


Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 12, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning 
Virtual Server

There's this: 
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
 
 
And then 
http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx
 
And 
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
 
 
But now that you mention it, I don't think a collective best practice for 
general usage is something I've seen.
 
 

 
On 6/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote: 
Re-post
 
Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs
 
Along these lines, has anyone seen an actual best practices whitepaper for MS 
Virtual Server?  How to configure disk arrays, controller cache, how many VHDs 
per volume, memory allocation, etc. 
 
Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs
 
This is absolutely true.  I know virtualization scares a lot of people, but the 
fact is that in some environments virtualizing systems saves a great deal of 
money and actually makes managing systems much easier (here it has reportedly 
saved a significant amount in hardware cost for the enterprise).  I have been 
closely watching my Exchange servers ever since our AD side of the house 
started virtualizing DC's and with domain controllers running on ESX servers in 
an optimized configuration the performance is very close to hardware.  I have 
noticed that in terms of LDAP performance that VM's are a tad bit slower than 
hardware, but that tad is well within the range of performance that 
applications like Exchange require.  After over a year of having virtualized 
DC's we have not had any problems with virtualized domain controllers (placed 
globally on ESX servers around the world).  We do, however, work on the side of 
caution and do maintain a few hardware 

RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-13 Thread Rob MOIR
I have a few notes on general best practices for building Virtual Servers on my 
website if that is any help:
http://robertmoir.com/blogs/someone_else/archive/2006/03/12/2155.aspx

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 13 June 2006 03:07
 To: ActiveDir@mail.activedir.org
 Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on
 tuning Virtual Server
 
 There's this:
 http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
 
 And then
 http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx
 
 And
 http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
 
 But now that you mention it, I don't think a collective best practice
 for general usage is something I've seen.
 
 
 
 
 On 6/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
 
   Re-post
 
 
 
   Administrator
 
   Texas Christian University
 
   (817) 257-6971
 
 
 
 
 
   From: [EMAIL PROTECTED] mailto:ActiveDir-
 [EMAIL PROTECTED]  [mailto:[EMAIL PROTECTED]
 On Behalf Of Lucas, Bryan
   Sent: Thursday, June 08, 2006 8:05 AM
   To: ActiveDir@mail.activedir.org
 mailto:ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Virtual DCs
 
 
 
   Along these lines, has anyone seen an actual best practices
 whitepaper for MS Virtual Server?  How to configure disk arrays,
 controller cache, how many VHDs per volume, memory allocation, etc.
 
 
 
   Bryan Lucas
 
   Server Administrator
 
   Texas Christian University
 
   (817) 257-6971
 
 
 
 
 
   From: [EMAIL PROTECTED] mailto:ActiveDir-
 [EMAIL PROTECTED]  [mailto:[EMAIL PROTECTED]
 On Behalf Of Presley, Steven
   Sent: Wednesday, June 07, 2006 10:23 AM
   To: ActiveDir@mail.activedir.org
 mailto:ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Virtual DCs
 
 
 
   This is absolutely true.  I know virtualization scares a lot of
 people, but the fact is that in some environments virtualizing systems
 saves a great deal of money and actually makes managing systems much
 easier (here it has reportedly saved a significant amount in hardware
 cost for the enterprise).  I have been closely watching my Exchange
 servers ever since our AD side of the house started virtualizing DC's
 and with domain controllers running on ESX servers in an optimized
 configuration the performance is very close to hardware.  I have
 noticed that in terms of LDAP performance that VM's are a tad bit
 slower than hardware, but that tad is well within the range of
 performance that applications like Exchange require.  After over a year
 of having virtualized DC's we have not had any problems with
 virtualized domain controllers (placed globally on ESX servers around
 the world).  We do, however, work on the side of caution and do
 maintain a few hardware DC's in our HQ that own FSMO roles, but I've
 seen nothing to suggest that they could not be on VM's to date (it's
 just a precaution).
 
 
 
   I have to admit at first I totally dismissed virtualization
 because I considered it, like others, as more of a development\test
 environment solution, however I have since been convinced after working
 with virtualized OS's that it has its place (we have 100's if not
 1000's of virtualized hosts currently in production).  I/O intensive
 applications are not a good place for virtualization in production, but
 other less I/O intensive applications work great with it.  Brian does
 have a point in that it has to be done correctly and with the right
 understanding of how to build a high performing virtualization
 environment it will work just fine for domain controllers\global
 catalog servers.
 
 
 
   Regards,
 
   Steven
 
 
 
 
 
 
 
   From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] mailto:ActiveDir-
 [EMAIL PROTECTED] ] On Behalf Of Brian Desmond
   Sent: Wednesday, June 07, 2006 12:04 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Virtual DCs
 
   I have no problem with VMWare or Virtual Server DCs if done
 correctly. Frankly, 7K users is like pocket change if you ask me.
 Really, the users generate no load – they logon to the PC and change
 their password. Things like Exchange (and OLK), machines, and other AD
 aware apps do. If properly written and the virtual hardware properly
 configured everything should still jive. If I had to make a one off
 guess with no more info I'd say go for it. The price war with MS and
 EMC on virtualization has made this far more economical, 

RE: [ActiveDir] AD integration

2006-06-13 Thread Rob MOIR
Just want to quickly say thanks to both of you, Joe and Al, you've
helped me form some thoughts around this area that I can work with. This
short discussion has been very useful. If I ever see either of you at a
MVP gathering I owe you a beverage of your choice, or two.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: 12 June 2006 15:57
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD integration
 
 The answer to this one is of course it depends.
 
 At first blush it sounds like a single threaded app. Depending on the
 vendor, this may be the best/safest thing to do. :)
 
 As for best practices. I don't think there are any best practices for
 how many domains you should pull data from at a time. It would again
 depend entirely on the app and what it is supposed to be doing and the
 dangers exposed in doing it.
 
 For a relatively fast application that works well in single and
 multidomain environments I could see cases where it is better to pull
 from the GC or better to set up a thread pool and pull from x domains
 at once or a combination. Certainly the thread pool solutions are the
 more scalable solutions but they are also the much harder to do right
 and the more costly solutions. Most customers chose apps on how cheap
 they are first, then later they start to realize the shortcomings that
 made them cheaper.
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
 Sent: Monday, June 12, 2006 8:31 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD integration
 
 Just a quick question. Is anyone aware of any best practice
 documentation of how a product ought to integrate with AD (e.g. to pull
 out user data for its own use).
 
 Failing that, can anyone comment on what they think of a model that can
 only pull data out of one domain at a time so for a >1 domain forest
 needs to make a connection to each domain in turn, pull down that
 information and then load it into SQL server. Am I crazy in thinking
 that anyone following this model has probably just found out that their
 old NT4 domain integration code kinda works and did the bare minimum
 tidying up before halting any further work?
 
 --
 Robert Moir
 Microsoft MVP for Windows Servers & Security
 Senior IT Systems Engineer
 Luton Sixth Form College
 Right vs. Wrong   | Good vs. Evil
 God vs. the devil | What side you on?
 
 
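
The "pull from the GC instead of connecting to each domain in turn" model joe and Rob discuss above, together with Al's warning in the 2006-06-12 thread below that CN is not unique across a multi-domain forest, as an added PowerShell example (not code from any poster or vendor product). 'DC=corp,DC=example' is a placeholder forest root; it assumes a reachable global catalog and the .NET System.DirectoryServices classes.

```powershell
# Added example; not the thread's own code. Forest root DN below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestUsersFromGC {
    param([string]$ForestRootDn = 'DC=corp,DC=example')   # placeholder forest root

    # GC:// binds to the global catalog (port 3268) and returns objects from every
    # domain in the forest in ONE search, so there is no per-domain connection loop.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000   # paged search; without it results stop at the server size limit

    # The GC carries only the partial attribute set; these are all part of it.
    foreach ($attr in 'objectGUID', 'objectSid', 'sAMAccountName', 'cn', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $byGuid  = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Key on objectGUID, never on CN or DN: the GUID is unique forest-wide and
            # survives renames and moves, which is exactly what Al cautions about.
            $guid = New-Object System.Guid (,[byte[]]$r.Properties['objectguid'][0])
            $sid  = New-Object System.Security.Principal.SecurityIdentifier(
                        [byte[]]$r.Properties['objectsid'][0], 0)
            $dn   = [string]$r.Properties['distinguishedname'][0]
            # Domain = everything from the first ",DC=" onwards (simple DNs assumed).
            $domain = $dn.Substring($dn.IndexOf(',DC=') + 1)

            $byGuid[$guid] = [pscustomobject]@{
                ObjectGuid     = $guid
                Sid            = $sid.Value
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                Cn             = [string]$r.Properties['cn'][0]
                Domain         = $domain
            }
        }
    }
    finally {
        $results.Dispose()   # the SearchResultCollection holds the LDAP connection open
    }
    return $byGuid
}

function Find-CnCollisions {
    param([hashtable]$Users)
    # Same CN in two domains = two distinct principals. Any loader that keys on CN
    # (or on sAMAccountName, which is only unique per domain) will merge or drop one.
    $Users.Values | Group-Object -Property Cn | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Cn = $_.Name; Domains = ($_.Group.Domain -join ' ; ') }
        }
}

$users = Get-ForestUsersFromGC
"{0} user objects read from the global catalog in one pass" -f $users.Count
Find-CnCollisions -Users $users | Format-Table -AutoSize
```

If an attribute the product needs is not in the partial attribute set, the GC pass still gives you the forest-wide key list, and a per-domain follow-up read can be done by objectGUID rather than by re-enumerating each domain.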


RE: [ActiveDir] Time Server for Forest Root PDC

2006-06-13 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Teo De Las Heras
 Sent: 12 June 2006 18:23
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Time Server for Forest Root PDC
 
 How have people on this list configured their Forest Root PDC to
 synchronize the time service?  Is it O.K. to use an internal time
 server on a firewall?  Is it best to point to tick.usno.navy.mil or
 time.windows.com?

I'm coming late to this party but that hasn't stopped me throwing in my
two pennies worth before...

We have our own atomic / radio clock here, physically attached to a DC.
The DC it is connected to syncs to this hardware and all our other
servers sync to this DC.

My feeling is that while having the correct time is obviously a very
good thing, what is more important is that all your nodes are consistent
with each other; in other words, I think that what source you pick is
less important than picking just one source and making damn sure every
node uses time that is based off this source.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?
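
Rob's "pick one source and make sure every node chains back to it" model, as an added PowerShell example around the Windows Time service (w32tm); it is not the poster's own configuration. 'clock.corp.example' and the DC names are placeholders for your single chosen source (a radio clock attached to a DC, an internal NTP host, or an external server), and the 1-second tolerance is an arbitrary alerting threshold chosen here.

```powershell
# Added example; not from the thread. Hostnames and the tolerance are placeholders.

function Set-PdcEmulatorTimeSource {
    param([string]$Peer)
    # Run ONLY on the forest-root PDC emulator: it is the single machine that takes
    # time from outside the domain hierarchy. 0x8 = client mode for that peer;
    # /reliable:yes advertises this DC as a time source to the rest of the forest.
    w32tm /config "/manualpeerlist:$Peer,0x8" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /rediscover
}

function Set-DomainHierarchyTimeSource {
    # Run on every other DC and member: follow the domain hierarchy (domhier) so each
    # clock chains back to the one source. A second DC with its own hard-coded external
    # peer is exactly the inconsistency Rob warns about. A virtualized DC must likewise
    # not also take time from its hypervisor (see the Virtual Machine Additions note
    # quoted earlier on this page), or it has two sources.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync /rediscover
}

function Get-TimeSkew {
    param([string[]]$Computers, [double]$MaxSkewSeconds = 1.0)
    # 'w32tm /monitor' prints each target's offset relative to this machine, e.g.
    #   dc2.corp.example[10.0.0.2:123]:
    #       ICMP: 1ms delay
    #       NTP: +0.0023456s offset from dc1.corp.example
    # The PDC's host line carries an extra " *** PDC ***" marker before the bracket.
    $list  = $Computers -join ','
    $lines = w32tm /monitor "/computers:$list"
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(\S+).*\[[^\]]*\]:\s*$') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match 'NTP:\s*([+-][\d.]+)s offset') {
            $offset = [double]$Matches[1]
            [pscustomobject]@{
                Computer        = $current
                OffsetSeconds   = $offset
                WithinTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
            }
            $current = $null
        }
    }
}

# On the PDC emulator:   Set-PdcEmulatorTimeSource -Peer 'clock.corp.example'
# On every other DC:     Set-DomainHierarchyTimeSource
# From any DC, check that the nodes agree with each other (placeholder names):
Get-TimeSkew -Computers 'dc1.corp.example', 'dc2.corp.example', 'dc3.corp.example' |
    Format-Table -AutoSize
```

Nodes that show a large offset while reporting a different upstream in the "offset from" column are the ones that have quietly acquired a second source.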


[ActiveDir] AD integration

2006-06-12 Thread Rob MOIR
Just a quick question. Is anyone aware of any best practice
documentation of how a product ought to integrate with AD (e.g. to pull
out user data for its own use).

Failing that, can anyone comment on what they think of a model that can
only pull data out of one domain at a time so for a >1 domain forest
needs to make a connection to each domain in turn, pull down that
information and then load it into SQL server. Am I crazy in thinking
that anyone following this model has probably just found out that their
old NT4 domain integration code kinda works and did the bare minimum
tidying up before halting any further work?

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?




RE: [ActiveDir] AD integration

2006-06-12 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 12 June 2006 13:55
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD integration
 
 Is there a best practice?  For what?  For making it work or for
 security purposes?
 JoeK has a book full of coding information.  That might be of use.

For making it work. I'm trying to resolve a dispute between a supplier of a 
commercial product and a customer about whether or not the connect to each 
domain in turn method is a satisfactory model (Supplier says 'what's the 
problem', customer regards it as poor practice). I'm after a general idea of 
how people feel about this.
 
 As for a model, my personal advice is to ensure that the coder doesn't
 assume that the ldap data is static.  For example, never assume that
 the items that aren't guaranteed to be unique will remain unique such
 as CN.  In a multi-domain forest, the CN is not likely going to be
 unique unless additional steps have previously been taken. DN, RDN etc
 follow suit.
 
 As for more than one domain and pulling the data from domain at a time,
 well, that's up to the application.  Is there a reason you only want it
 from one at a time that we should be aware of? Vs. say pulling
 information from a GC?

I personally would regard pulling info for the whole forest from a GC as the 
preferred model where applicable (and in this case it would work fine), I'm 
trying to find out how people feel about the other methods.

 WINNT code: yes it will still work depending on how you want to run it.
 But it won't allow you access to the GC, and it's going to have
 problems in multidomain models if the samaccountname is not unique
 across the domain boundaries.
 
 WINNT code is also legacy code and not guaranteed to work for future
 versions IIRC.
 
 Al
 
 
 
 On 6/12/06, Rob MOIR [EMAIL PROTECTED] wrote:
 
   Just a quick question. Is anyone aware of any best practice
   documentation of how a product ought to integrate with AD ( e.g.
 to pull
   out user data for its own use).
 
   Failing that, can anyone comment on what they think of a model
 that can
   only pull data out of one domain at a time so for a 1 domain
 forest
   needs to make a connection to each domain in turn, pull down that
   information and then load it into SQL server. Am I crazy in
 thinking
   that anyone following this model has probably just found out that
 their
   old NT4 domain integration code kinda works and did the bare
 minimum
   tidying up before halting any further work?
 
   --
   Robert Moir
   Microsoft MVP for Windows Servers & Security
   Senior IT Systems Engineer
   Luton Sixth Form College
   Right vs. Wrong   | Good vs. Evil
   God vs. the devil | What side you on?
 
 
   List info   : http://www.activedir.org/List.aspx
   List FAQ: http://www.activedir.org/ListFAQ.aspx
   List archive: http://www.activedir.org/ml/threads.aspx
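Pulling the whole forest from a Global Catalog, as preferred above, looks like this in practice. This is an added example, not code from the thread or from the product under discussion: it binds to a GC (placeholder host name), pages through every user in the forest in one search, keys each row on objectGUID rather than CN or sAMAccountName (which, as Al notes, are only unique within a domain), and records which domain each object lives in so that attributes outside the GC partial attribute set can be fetched from the home domain. It assumes the .NET System.DirectoryServices classes and an account that can read the GC.

```powershell
# Added example (not from the thread): pull user data for the whole forest from a
# Global Catalog in one query instead of binding to each domain in turn.
# Assumptions: the GC host name is a placeholder; the running account can read the GC;
# .NET System.DirectoryServices is available (any Windows with .NET 2.0 or later).

function Get-ForestUsersFromGC {
    param(
        [string]$GlobalCatalog = 'gc01.example.internal',   # placeholder GC host
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )

    # GC:// binds to the global catalog port (3268), which holds a read-only partial
    # replica of every domain in the forest, so one search covers them all.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$GlobalCatalog")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize    = 1000       # paged results: large forests exceed the server-side size limit
    $searcher.SearchScope = 'Subtree'
    # Only attributes in the GC partial attribute set come back; anything else must be
    # read from the object's home domain (see the Domain field below).
    [void]$searcher.PropertiesToLoad.AddRange(
        @('objectGUID', 'objectSid', 'sAMAccountName', 'userPrincipalName', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $p  = $r.Properties
        $dn = [string]$p['distinguishedname'][0]
        [pscustomobject]@{
            # Key rows on objectGUID: CN and sAMAccountName are only unique per domain, and CN can change.
            ObjectGuid        = [guid]($p['objectguid'][0])
            ObjectSid         = (New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)).Value
            SamAccountName    = [string]$p['samaccountname'][0]
            UserPrincipalName = [string]$p['userprincipalname'][0]
            DistinguishedName = $dn
            # The DC= components of the DN identify the home domain for follow-up, non-GC attribute reads.
            Domain            = (([regex]::Matches($dn, '(?i)DC=([^,]+)') |
                                    ForEach-Object { $_.Groups[1].Value }) -join '.')
        }
    }
}

$users = @(Get-ForestUsersFromGC)

# Sanity check before loading into SQL: GUIDs must be unique across the forest, while
# sAMAccountName collisions across domains are legitimate and must not be used as the key.
$dupGuids = $users | Group-Object ObjectGuid     | Where-Object { $_.Count -gt 1 }
$dupSams  = $users | Group-Object SamAccountName | Where-Object { $_.Count -gt 1 }
"Users: $($users.Count); duplicate GUIDs: $(@($dupGuids).Count); sAMAccountName collisions across domains: $(@($dupSams).Count)"
```

The per-domain model the customer objects to would need one such search per domain plus a merge step; the GC search gives the same rows in one pass, and the objectGUID/objectSid pair gives a stable key that survives renames and moves between OUs.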
 
 



RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-08 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: 08 March 2006 16:10
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Technet Magazine Active Directory 
 Component Jigsaw
 
 Subscriptions are free - to those in the U.S. only :(
 

You know, I'm not convinced that microsoft really get the whole
international thing and the interweb.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security


RE: [ActiveDir] OT: Gauging AD experience

2006-01-24 Thread Rob MOIR
Currently on my desks
1 desktop with a standard 17" TFT
2 laptops
1 KVM monster with a laptop connected to an external ADSL link (for
testing site security as an external person), and another desktop on the
same KVM with 6 3M Disk Stakkas for our software library
1 Mac Mini with a 32" TFT monitor. (save the best for last)

-- 
Robert Moir, MBCS
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
 Sent: 24 January 2006 15:34
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
 Currently on my desk - 2 laptops (1 with external monitor 
 connected and only one running at the moment), 3 computers, 
 22 POS Modems, a Google Search appliance, a Cisco Pix 525 and 
 the head of a Coconut Monkey! Like Rich, my lab is a 
 different story. The GSA and Pix will soon find new homes in 
 the lab racks after I'm done testing and eventually all 22 
 POS modems will find new homes in far corners of the country.
 
  
 
 Lou
 
  
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
 Sent: Tuesday, January 24, 2006 10:24 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
  
 
 Ok I gotta ask, Joe you said monitors plural... how many 
 computers and monitors do you guys have in your desk?  I 
 can't imagine that I win... I certainly don't have any 100+ VMs 
 like I saw Joe mention... but I'll start... I have 6 computers, 1 
 laptop, and one touchscreen POS terminal, in my office and 
 running right now.  2 of those have VMs, and so does the 
 laptop but it's tied up for 3 or 4 hours running longhorn 
 server setup so I can try again now I know there is a 
 wireless add on component hidden somewhere... I have 4 monitors 
 plus the laptop and touchscreen.  And I have one other POS 
 terminal and 2 other PCs on standby.  This doesn't count the lab.  
 
  
 
 I'll bet that, regardless of some of the looks I get when 
 people peek in my cube (no, not office), that this is pretty
standard...
 
  
 
 Rich
 
  
 
 --
 -
 Rich Milburn
 MCSE, Microsoft MVP - Directory Services Sr Network Analyst, 
 Field Platform Development Applebee's International, Inc.
 4551 W. 107th St
 Overland Park, KS 66207
 913-967-2819
 --
 I love the smell of red herrings in the morning - anonymous
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, January 23, 2006 9:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
  
 
 Oh great Gil thanks... now I have to clean Coca-cola off my 
 monitors. :o)
 
  
 
 Good to see you back Todd. You working for Ringling Bros now?
 
  
 
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
 Kirkpatrick
 Sent: Friday, January 20, 2006 2:16 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
 But at least you're not bitter...
 
  
 
 -g
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Myrick, Todd (NIH/CC/DNA) [E]
 Sent: Friday, January 20, 2006 12:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
 In my experience, when good directories go bad, it is usually 
 due to three things.
 
  
 
 1.Firewalls 
 2.Firewalls 
 3.Did I list firewalls? 
 
  
 
 Runner ups would be ADC for Exchange, Clowns posing as 
 Administrators, Clowns posing as DNS experts, Clowns posing 
 as Security experts, and no disaster recovery solution.
 
  
 
 Todd Myrick
 
 Brushing off the dust of my MVP status.  
 
  
 
  
 
 
 
 From: joe [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 19, 2006 3:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 
  
 
 When I read Al's post I thought of you Wook, I figured, hey 
 Wook could use a creative presentation name... ;o)
 
  
 
 I would say "When Bad Things Happen To Good Directories" is 
 more on par with "When Bad Things Happen To Good People", say 
 like when your nanny gets a flat tire. "When Good Directories 
 Go Bad" is more like when your good little daughter hits her 
 teen years and starts going out to parties in fish net 
 stockings and Big Red gum. :o)
 
  
 
  
 
  
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
 Sent: Thursday, January 19, 2006 2:00 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Gauging AD experience
 

RE: [ActiveDir] OT: speaking of AD books...

2006-01-24 Thread Rob MOIR

 Bottom line - Mgmt needs to take ownership of the results of 
 their business decisions.  Tall order.  But necessary to some 
 degree for an IT Mgr to maintain their sanity.
 
 Warning:  YMMV - Not recommended for everyone - May be 
 hazardous to job status.

Well telling them is a hazard because they might fire you if they don't
like what you're saying.

Not telling them is a hazard because they won't understand they've set
you an impossible task, and will fire you for failing.

If I'm gonna run the risk of being executed either way, I'd rather get
it for doing the right thing...

rob


RE: [ActiveDir] Hardware Suggestions

2005-11-08 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Rochford
 Sent: 08 November 2005 08:49
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions
 I can understand that with a home machine you're going to be 
 taking the top off at regular intervals to play with it (err; 
 upgrade hardware etc) but why on earth would you ever open a 
 server unless it has a fault? We have servers that go their 
 entire life without being opened up. Is there some major bit 
 of server management that I'm missing by not taking it apart 
 on a regular basis??

You mean you don't open your servers up to hoover up the binary code
when it falls off the disk platters?


RE: [ActiveDir] Exchange server 2003

2005-11-08 Thread Rob MOIR
Is this some kind of experiment to see how quickly hackers find your machine?

Anyway, many consumer cable companies limit the ports that their customers can 
open to the internet. Check your AUP and if it mentions that you can't run 
servers of this kind on your service then you will probably find they're 
blocking it.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Abdul
Sent: Tue 08/11/2005 18:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange server 2003
 
Thanks

My server is directly connected to internet through consumer cable No
firewall.

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange server 2003

 

Have you opened tcp25 inbound on your firewall to the Exchange server? You
need this for other SMTP servers to communicate with you. If this is a
consumer class of cable, it's also possible they shutdown inbound smtp
globally in which case you'll have to give them a ring to see if they'll
open it for you. 

 

Thanks,
Brian Desmond

 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]

 

c - 312.731.3132


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abdul
Sent: Tuesday, November 08, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange server 2003

Hi,

I have setup exchange 2003 servers on ms and dc. Both connected to internet
by cable. I can send and receive e.mail locally/internally. I can also send
e.mail to external address. But I can not receive e.mail from external
address. Any suggestion

Check from dnsreport is as under

http://dnsreport.com/tools/dnsreport.ch?domain=eitlink.com

 I am not sure how to correct the problem mentioned at the end of the
report.

Thanks

Ranga




RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 07 November 2005 15:13
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions

 Bottom line, I would guess that two HP 360's (SCSI; I haven't 
 been made comfortable with SATA reliability yet) or 140's 
 with 1GB of memory each would be more than needed based on 
 those parameters. 

I'm glad to hear someone else say this. SATA can work but you need to
look closely at what you're buying and what the manufacturer recommends.
If the manufacturer doesn't trust their own products for the sort of
24*7 hammering you often get in a server then why bet against them? Who
are we to assume we know a product better than the people who designed
and built it?

 If you virtualize anything on top of that, 
 some other considerations would be needed of course. (or Dell 
 or IBM equivalent of course).

I'd still personally be uncomfortable with virtualising all my DCs, even
onto different physical virtual server hosts, I just don't believe in
adding extra layers of complexity to fundamental network services if I
can help it.

-- 
Robert Moir
Microsoft MVP (Security, Virtual PC)
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!! 


RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Rob MOIR
Depends on the model. We've got some low end Dell stuff for external DNS 
(PowerEdge 800s) where I'm not too bothered if it dies, and the build quality 
is less than the normal Dell server standard (there's an open statement!).

As for the cables, they're the same no matter what so they're just as easy to 
knock out, but with the drives held in a decent cage on some of these servers 
that steers the connectors away from where your hands usually go when fitting 
stuff it isn't as bad as it could be.


-Original Message-
From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Mon 07/11/2005 17:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
 
Ok, Sue, you know that when you leave a dangling diss like that someone is
going to ask you to support it ;-) 

Beyond the connectors coming undone (something I have not experienced with
Dell desktop SATA), do you have specific criticisms about the Dell towers?

Thanks -- we are about to buy several of them (and rack-mounted too).

-- nme

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED] 
Sent: Monday, November 07, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions

Stupid blonde alert

I personally have SATA experience in the tower/desktop world but none in 
the rack units.  Are the physical connections any stronger in the rack 
world?

I like SCSI and IDE not only for their proven track record [server and 
desktop respectively] but because the dang cables don't get knocked off 
each time I reach into the case.  Those cable connections on the back of 
the SATA drives are a little worrying.  I've accidentally bumped the 
connection off my workstation at home twice while adding the Happauge 
card and what not.

In SBSland early on we had issues with them getting loaded up, if they 
are underpowered, we're seeing a bit of bottlenecks, and as one of the 
SBS support gang said out of Mothership Los Colinas, if your vendor 
won't guarantee that equipment for 3 years, do you really want to put 
that data on that device?

So far the SATAs that we have running around in SBSland servers are 
okay, but I'll report back in another 2 years and let you know.

I can't speak for the Dell rack stuff, but the Dell tower stuff...lemme 
just say I'm glad Brian steered me towards HP.



Rob MOIR wrote:
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 07 November 2005 15:13
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions
 

   
 Bottom line, I would guess that two HP 360's (SCSI; I haven't 
 been made comfortable with SATA reliability yet) or 140's 
 with 1GB of memory each would be more than needed based on 
 those parameters. 
 

 I'm glad to hear someone else say this. SATA can work but you need to
 look closely at what you're buying and what the manufacturer recommends.
 If the manufacturer doesn't trust their own products for the sort of
 24*7 hammering you often get in a server then why bet against them? Who
 are we to assume we know a product better than the people who designed
 and built it?

   
 If you virtualize anything on top of that, 
 some other considerations would be needed of course. (or Dell 
 or IBM equivalent of course).
 

 I'd still personally be uncomfortable with virtualising all my DCs, even
 onto different physical virtual server hosts, I just don't believe in
 adding extra layers of complexity to fundamental network services if I
 can help it.

   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Rob MOIR
I've deployed SATA for storage of large files in Apple XRaid units in a Raid 
5+1 config, and so far so good. Ask me in 3 years if I'm still just as happy 
;-) but it was the only way to give the user what they wanted inside the budget 
we had.

One advantage of the XRaid is that it's fitted out from the get go to use SATA 
disks and the only reason you'd ever have to do anything to it is to replace a 
drive that you already know has gone bad.


-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 17:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions
 
silly no-hair-color alert
SATA == Desktop drives.

They weren't originally concepted to be enterprise class storage.  I see 
them as being back-engineered to be used this way, but most of what I've 
seen has been to deploy them as a JBOD in situations where you can absorb 
the continuous loss of hardware and not impact performance and availability. 
  Typically in pools of disk and hsm solutions (what is it that hsm is 
called now? ILM? :)

If you plan to deploy DAS solutions (internal or external), SATA is not 
likely the way to go right now.  You may want to wait a bit longer if the 
data is important.


For large pools of inexpensive disks, SATA might be worthwhile to 
investigate if you have a large loading bay, a good support agreement, and 
close access to the highway.

-ajm



From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions
Date: Mon, 07 Nov 2005 09:13:19 -0800

Stupid blonde alert

I personally have SATA experience in the tower/desktop world but none in 
the rack units.  Are the physical connections any stronger in the rack 
world?

I like SCSI and IDE not only for their proven track record [server and 
desktop respectively] but because the dang cables don't get knocked off 
each time I reach into the case.  Those cable connections on the back of 
the SATA drives are a little worrying.  I've accidentally bumped the 
connection off my workstation at home twice while adding the Happauge card 
and what not.

In SBSland early on we had issues with them getting loaded up, if they are 
underpowered, we're seeing a bit of bottlenecks, and as one of the SBS 
support gang said out of Mothership Los Colinas, if your vendor won't 
guarantee that equipment for 3 years, do you really want to put that data 
on that device?

So far the SATAs that we have running around in SBSland servers are okay, 
but I'll report back in another 2 years and let you know.

I can't speak for the Dell rack stuff, but the Dell tower stuff...lemme 
just say I'm glad Brian steered me towards HP.



Rob MOIR wrote:
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 07 November 2005 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions



Bottom line, I would guess that two HP 360's (SCSI; I haven't been made 
comfortable with SATA reliability yet) or 140's with 1GB of memory each 
would be more than needed based on those parameters.

I'm glad to hear someone else say this. SATA can work but you need to
look closely at what you're buying and what the manufacturer recommends.
If the manufacturer doesn't trust their own products for the sort of
24*7 hammering you often get in a server then why bet against them? Who
are we to assume we know a product better than the people who designed
and built it?


If you virtualize anything on top of that, some other considerations 
would be needed of course. (or Dell or IBM equivalent of course).


I'd still personally be uncomfortable with virtualising all my DCs, even
onto different physical virtual server hosts, I just don't believe in
adding extra layers of complexity to fundamental network services if I
can help it.



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Rob MOIR
Nope, DASD to a Apple G5 Xserve for a very small amount of Apple clients (10) 
with very high storage requirements. To be honest, the thing that made me go 
for this solution in the end was that performance was better using the native 
Apple stuff end to end and writing to SATA than it was having to translate at 
some point on the network in order to write to SCSI.

So now I have a nice complicated totally separate Apple Open Directory Domain 
with trusts into the Windows Forest so that all the pain of making it work 
falls on me and the network support team here instead of on the desktop user. 

Which is how it should be after all, and it doesn't do the old resume any harm 
to have this all on there!


-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 18:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
 
That's a desktop user? The apple desktop?

I don't have a problem with SATA (an upgrade from PATA) if used as designed. 
It's designed for desktop storage.  Not that it can't be adjusted to 
server/enterprise, but it's price point and architecture are intended for 
desktops (i.e. cheap but not as reliable as a shared resource).

Used appropriately, I'm quite happy with it.  But it's intended to be cheap 
and replaceable.

Cheap, fast, reliable - pick two (or something like that ;)

That shouldn't last if history is any indication, but for now I'll try not 
to build too many centrally required applications on that technology unless 
I can put a lot of abstraction in front of it (large pools that aren't 
bothered by the loss of several components at a time.)







From: Rob MOIR [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org,ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
Date: Mon, 7 Nov 2005 18:36:10 -

I've deployed SATA for storage of large files in Apple XRaid units in a 
Raid 5+1 config, and so far so good. Ask me in 3 years if I'm still just as 
happy ;-) but it was the only way to give the user what they wanted inside 
the budget we had.

One advantage of the XRaid is that it's fitted out from the get go to use 
SATA disks and the only reason you'd ever have to do anything to it is to 
replace a drive that you already know has gone bad.


-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 17:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions

silly no-hair-color alert
SATA == Desktop drives.

They weren't originally concepted to be enterprise class storage.  I see
them as being back-engineered to be used this way, but most of what I've
seen has been to deploy them as a JBOD in situations where you can absorb
the continuous loss of hardware and not impact performance and 
availability.
   Typically in pools of disk and hsm solutions (what is it that hsm is
called now? ILM? :)

If you plan to deploy DAS solutions (internal or external), SATA is not
likely the way to go right now.  You may want to wait a bit longer if the
data is important.


For large pools of inexpensive disks, SATA might be worthwhile to
investigate if you have a large loading bay, a good support agreement, and
close access to the highway.

-ajm



 From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Hardware Suggestions
 Date: Mon, 07 Nov 2005 09:13:19 -0800
 
 Stupid blonde alert
 
 I personally have SATA experience in the tower/desktop world but none in
 the rack units.  Are the physical connections any stronger in the rack
 world?
 
 I like SCSI and IDE not only for their proven track record [server and
 desktop respectively] but because the dang cables don't get knocked off
 each time I reach into the case.  Those cable connections on the back of
 the SATA drives are a little worrying.  I've accidentally bumped the
 connection off my workstation at home twice while adding the Happauge 
card
 and what not.
 
 In SBSland early on we had issues with them getting loaded up, if they 
are
 underpowered, we're seeing a bit of bottlenecks, and as one of the SBS
 support gang said out of Mothership Los Colinas, if your vendor won't
 guarantee that equipment for 3 years, do you really want to put that data
 on that device?
 
 So far the SATAs that we have running around in SBSland servers are okay,
 but I'll report back in another 2 years and let you know.
 
 I can't speak for the Dell rack stuff, but the Dell tower stuff...lemme
 just say I'm glad Brian steered me towards HP.
 
 
 
 Rob MOIR wrote:
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 07 November 2005 15:13
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions
 
 
 
 Bottom line, I would guess that two HP 360's (SCSI; I haven't been made

RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Rob MOIR
-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
 
 Interesting.  If that solution becomes a problem, have a look at 
 http://www.centrify.com and see if you can change some of that :)

Hmmm either their demo does a poor job of explaining their product or their 
product would actually be a downgrade for us! 

To cut a long story short, we use no 3rd party software, it's all done with 
default Apple and MS tools. We're using AD to hold all of our user objects and 
most of the group objects, so our password and security policies are already 
enforced out of the box. OS X desktops have computer accounts in an AD OU in 
order for the machines to authenticate to AD, and join the domain as part of 
their install routine.

What exists in Open Dir is one or two built in groups that we drop AD groups 
into and various other objects which describe various default settings to apply 
to desktop machines (vaguely like GPOs but not as sophisticated). The stuff 
that goes here is really minimal from our point of view but those little bits 
make a big difference to the user experience.

 Seriously, it is interesting and I'm interested to hear of the long term 
 results as they occur.  Shall we check back in a year or so?

Surely. I'm certain I'll have either set fire to the Apple servers we have now 
by then or purchased another one. We installed our server in August and while 
it's only been a few months now things have been working very well so far I 
have to say, and once the config was complete this setup has required very 
little day to day admin time. It's far more robust than I was probably making 
it sound earlier!

rob


RE: [ActiveDir] Server Roles

2005-10-07 Thread Rob MOIR
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 I've looked at using Virtual Server for small sites and it 
 makes sense to me.  The only drawback is that all your eggs 
 are in one basket - lose the host and you lose everything.  
 The same's true for patching as you'll need downtime on all 
 of the guest machines when the host is updated.  

Quite right, however, if you have a host that is dedicated to hosting
Virtual Server, e.g. everything except the host's core OS and Virtual
Server is hosted in a guest, then you've greatly reduced the surface
that needs patching. SQL has a problem that needs patching? So does AD?
DNS vulnerability? ...watch my Virtual Server host not care!
 
Also, while nothing is foolproof, good server hardware is much more
reliable now than it ever was, in my experience. I've seen servers fail
during burn in of course due to a fault that they came out of the
factory with, and of course drives are mechanical and fail sometimes
which is why we all use RAID, but other than that I see very very few
hardware faults at all.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!! 


RE: [ActiveDir] Active Directory wish list

2005-10-06 Thread Rob MOIR
We have to stay realistic as well, or I'm just going to add diamond studded 
admin chair with free back massager, to sit in when working on AD to the list 
;-). 
 
It's all well and good to say "It isn't easy" but if what you're talking about 
would essentially break the system and make it unusable for the way lots of 
server apps currently use it, then it surely isn't viable. Compatibility with 
existing LDAP-based apps, let alone stuff that ties more closely to AD, has to 
be solved before this can even make a start. Microsoft already get accused of 
subverting open protocols enough without _trying_ to pick a fight! Lastly, as I 
said before, even if they can solve this, has it just made the system too 
complex for the target SME businesses to deploy?
 
The on one OS qualifier aside, you really have just described Microsoft's or 
VMWare's virtualisation products, and given the technical issues this is 
probably the best way of delivering multiple DCs on one box.
 
As to what I would like to see, Rich's idea of a hot spare that can hold 
offline replicas for multiple domains might be an achievable compromise to this 
issue. I also want to be able to set domain account password security policies 
on a per OU basis.
 
--
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!!



From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Wed 05/10/2005 22:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list



Not being an OS architect, I'm not sure how MS would make it work
(obviously it's not easy) but I would think something along the lines of
different IP addresses per domain and using DNS to resolve the domain to
an IP or host headers or multiple NICs or something like that...
The idea is that it would look externally like multiple DCs, but they
would be on one OS...
If you can put multiple websites on one server and have them look
different, maybe they can do the same with domains...
Never said it was easy; this is a wish list, after all... :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
 Sent: Wednesday, October 05, 2005 1:17 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Active Directory wish list

 How would LDAP apps easily address multiple AD domains hosted
 on one server? What if you wanted to make this box a GC for
 more than one domain? How easily can you configure apps like
 Exchange to cope with this? I say easily because you talk
 about SMEs using this function, which are the places that
 might be less well equipped to figure out the support impact
 on those apps from having to make them work with this arrangement.
 
 Or the cost of buying and implementing upgrades that figure
 it out for them... that money we saved on the separate
 hardware boxes just went bye-bye... Oh well, at least
 multiple domains on one hardware box *sounds* cool.
 
 Rob
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Charlie Kaiser
 Sent: Tuesday, October 04, 2005 6:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Active Directory wish list

 I'd also like to see the ability to run DCs for multiple
 domains on the same
 server. SMBs with limited resources balk at having to buy
 additional server
 hardware for redundancy on multiple domains, especially when
 the AD load on
 the DCs is minimal. This feature sounds like an offshoot of
 your list below.
 If you can run AD as a service, it might not be that hard to
 allow multiple
 domains similar to multiple websites/DBs on one server...

 I remember discussing this with Stuart Kwan at DEC a couple
 of years ago. I
 hope it makes it into the mix...

 **
 Charlie Kaiser
 W2K3 MCSA/MCSE/Security, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, October 04, 2005 4:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory wish list
 
  Vista is the client OS. I don't believe they have named Longhorn
  Server yet. I am voting for something like Windows Server 5.4.0 or
  something like that. I realize that the marketing group would have
  something to say about it but I figure the best thing from
 them is if
  they pronounced their thoughts from the bottom of Lake Washington.
  People don't install servers because they have cool names.
 
  The biggest non-NDA pieces that I have heard announced in
 conferences
  or seen on the web already is the Read Only DC to limit security
  exposure

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Rob MOIR
With Apple Open Directory, you'd have multiple servers running a replica
of your Open Directory information. In other words, more than one DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 06 October 2005 15:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully 
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state 
backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for "usn rollback". You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  



RE: [ActiveDir] Active Directory wish list

2005-10-06 Thread Rob MOIR
Then we should be looking at user authentication by other means than just 
passwords. But that isn't a utopia either. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 06 October 2005 15:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue... 
- the execs and exec admins who should have the 4th most complex passwords 
(next to HR, accounting, and IT maybe) but lack the computer literacy to 
understand why and so unfortunately want no passwords or their dog's name as a 
password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII 
characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password 
policy, and who [might] now reasonably [from a technical and security 
perspective] ask why would you want to allow some people to have a weak 
password policy if others require a strong one on the same network??
- AD admins who have to figure out how to make everyone happy but may get 
blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably 
should not be mandated by the program, only set as an initial default to 
protect the ignorant.  IMHO.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do 
it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The way I can see different password policies for one domain being implemented 
is if you have a product/tool in front of your directory intercepting the 
passwords and enforcing different rules as the passwords go through. The 
underlying directory (AD) will have to have no policy, or have at least a very 
relaxed policy. This would be a sort of password servicing provisioning system.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list


In our case (empty root, 4 child domains, 3500 users), it was primarily 
politics.  We brought in two consultants (one from a VAR, one from Microsoft), 
and the decision was that the best way to go, based on politics, geographical 
location of the offices, and division of administration, was the empty root and 
4 child domains.  Password policies was a small factor, but not a driving 
force...
 
That said, I personally would love to see the ability to have multiple password 
policies within a single domain.
 
Tyson.   



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list


My question would be: for a small directory of 5000 users, why do you have 3 
domains? If it is for separate password policies, then perhaps a better wish 
list item would be the ability to have multiple password policies in one 
domain. 
 
Phil

 
On 10/5/05, Rich Milburn [EMAIL PROTECTED] wrote: 

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for 
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of 
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still 
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced 
there was a good reason to have an 

RE: [ActiveDir] Active Directory wish list

2005-10-06 Thread Rob MOIR
As I say, it isn't utopia.
 
And what about fallback positions?
 
* You use fingerprint technology and that hand is encased in plaster and hence 
can't work with your fingerprint scanner. Now what?
 
* You use smart-cards and leave it at home one day. Now what?
 
In both cases the fall-back is probably just blow the dust off your keyboard 
and type in your password... you do remember that despite not using it for 5 
months, right? So we're right back where we started.



From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Thu 06/10/2005 17:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list



I have not been in many biometric/smart card discussions, but the ones I have 
been in have never addressed one particular issue:
Ok, so logons are now secured very nicely.  So how secure is the 
background mechanism that ties my fingerprint to my account?? Can Joe sniff it 
off the network with net monitor? (I'd put money on Joe.R being able to, 
anyway :)

I believe that is at least one reason for some of the disclaimers around 
certain products like I think it's a MS keyboard with fingerprint reader, about 
being for home use only or for securing Internet passwords only, etc.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do 
it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Then we should be looking at user authentication by other means than just 
passwords. But that isn't a utopia either.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 06 October 2005 15:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords 
(next to HR, accounting, and IT maybe) but lack the computer literacy to 
understand why and so unfortunately want no passwords or their dog's name as a 
password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII 
characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password 
policy, and who [might] now reasonably [from a technical and security 
perspective] ask why would you want to allow some people to have a weak 
password policy if others require a strong one on the same network??
- AD admins who have to figure out how to make everyone happy but may get 
blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably 
should not be mandated by the program, only set as an initial default to 
protect the ignorant.  IMHO.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do 
it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The way I can see different password policies for one domain being implemented 
is if you have a product/tool in front of your directory intercepting the 
passwords and enforcing different rules as the passwords go through. The 
underlying directory (AD) will have to have no policy, or have at least a very 
relaxed policy. This would be a sort of password servicing provisioning system.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list


In our case (empty root, 4 child domains, 3500 users), it was primarily 
politics.  We brought in two consultants
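The password-policy discussion quoted above (Rich's list of camps and Dèjì's sketch of a tool sitting in front of the directory that enforces different rules for different populations) is easier to reason about with the rule-selection logic written out. The block below is an added illustration, not code from the list thread or from any product mentioned in it. Every name in it is constructed: the group names, the three policies, and the rule that when a user is in several groups the strictest applicable setting wins. A real intercepting layer would plug this kind of check into the password-change path; here it is just a PowerShell function you can run against sample input.

```powershell
# Added example (not from the list thread): how an intercepting layer could pick
# and apply a per-group password policy when the directory itself has only one.
# All policies and group names below are constructed for illustration.
$PasswordPolicies = @{
    'Default'  = @{ MinLength = 8;  MinClasses = 3; ForbidUserName = $true }
    'Finance'  = @{ MinLength = 12; MinClasses = 4; ForbidUserName = $true }
    'ITAdmins' = @{ MinLength = 15; MinClasses = 4; ForbidUserName = $true }
}

function Get-EffectivePolicy {
    param([string[]]$Groups)
    # Start from the domain-wide baseline and tighten with each matching group,
    # so membership in several groups can only make the requirement stricter.
    $eff = $PasswordPolicies['Default'].Clone()
    foreach ($g in $Groups) {
        if ($PasswordPolicies.ContainsKey($g)) {
            $p = $PasswordPolicies[$g]
            if ($p.MinLength  -gt $eff.MinLength)  { $eff.MinLength  = $p.MinLength }
            if ($p.MinClasses -gt $eff.MinClasses) { $eff.MinClasses = $p.MinClasses }
            $eff.ForbidUserName = $eff.ForbidUserName -or $p.ForbidUserName
        }
    }
    $eff
}

function Test-PasswordCandidate {
    param(
        [string]$UserName,
        [string[]]$Groups,
        [string]$Candidate
    )
    $policy  = Get-EffectivePolicy -Groups $Groups
    $reasons = @()

    if ($Candidate.Length -lt $policy.MinLength) {
        $reasons += "shorter than $($policy.MinLength) characters"
    }

    # Classic complexity test: count distinct character classes present.
    $classes = 0
    if ($Candidate -cmatch '[A-Z]')       { $classes++ }
    if ($Candidate -cmatch '[a-z]')       { $classes++ }
    if ($Candidate -match  '[0-9]')       { $classes++ }
    if ($Candidate -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt $policy.MinClasses) {
        $reasons += "uses $classes character classes, policy needs $($policy.MinClasses)"
    }

    if ($policy.ForbidUserName -and $UserName -and
        $Candidate.ToLowerInvariant().Contains($UserName.ToLowerInvariant())) {
        $reasons += 'contains the account name'
    }

    $applied = @('Default') + @($Groups | Where-Object { $PasswordPolicies.ContainsKey($_) })
    [pscustomobject]@{
        UserName = $UserName
        Policy   = ($applied -join '+')
        Accepted = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

# Constructed sample input: same candidate, three different populations.
Test-PasswordCandidate -UserName 'jsmith' -Groups @('Staff')               -Candidate 'Rover2005!'
Test-PasswordCandidate -UserName 'akumar' -Groups @('Finance')             -Candidate 'Rover2005!'
Test-PasswordCandidate -UserName 'rmoir'  -Groups @('Finance', 'ITAdmins') -Candidate 'rmoir-Spring-2005!!'
```

The three sample calls show the point of the design: the same candidate passes the baseline policy, fails the finance policy on length alone, and a long, complex candidate still fails for the combined finance-plus-admin policy because it embeds the account name. The "strictest wins" merge in Get-EffectivePolicy is the piece that keeps an intercepting layer from quietly weakening requirements for someone who happens to also be in a laxer group.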

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Rob MOIR

Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem
 
What is not supported is an image restored and running in a Virtual PC.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

 

That article might not have been caught yet, support for DC's in Virtual
Server is a relatively new thing, but it is supported.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

 

That doesn't help SBS much though since Exchange is not yet supported in
Virtual Server.

 

Phil

 

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote: 

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right? 
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore. 

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

I am working my way down the VMWare path also for my ultimate DR ace in
the hole. The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5 
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated 
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown 
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem 


You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
"usn rollback". You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.

Hunter





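Both "AD Restore Problem" messages above turn on the same point: rolling a DC back to an earlier image puts its USNs behind what its replication partners have already acknowledged, and the detection and recovery steps live in KB 875495. What the thread does not show is what "detecting" a rollback looks like from the DC itself. The block below is an added check, not code from the thread or from the KB article, and it only reads state. It assumes (from my reading of KB 875495) that a DC that has detected a rollback sets a non-zero `Dsa Not Writable` value under the NTDS Parameters key, logs Directory Service events 2095 and/or 2103, and pauses the Net Logon service; it also assumes PowerShell 3 or later on Windows Server 2008 or later, since the 2003-era tooling in the thread predates Get-WinEvent.

```powershell
# Added example (not from the list thread or KB 875495): a read-only health
# check for the USN-rollback symptoms the KB describes. Run locally on the DC
# as an administrator. Assumptions, labelled: the 'Dsa Not Writable' value
# name and event IDs 2095/2103 are taken from my reading of KB 875495.
function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param(
        # How far back to look for the telltale Directory Service events.
        [int]$LookbackDays = 30
    )

    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $result = [ordered]@{
        DsaNotWritable = $null   # non-zero means NTDS has quarantined this DC
        RollbackEvents = @()     # 2095 = USN rollback detected, 2103 = DB restored improperly
        NetlogonStatus = $null   # 'Paused' is the other symptom the KB lists
        Suspect        = $false
    }

    # 1. Registry flag written by NTDS when it detects the rollback.
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    if ($props) { $result.DsaNotWritable = $props.'Dsa Not Writable' }

    # 2. Directory Service log events. Get-WinEvent throws when nothing matches,
    #    so treat that as "no events" rather than as a failure of the check.
    try {
        $result.RollbackEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2095, 2103
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction Stop | Select-Object TimeCreated, Id, Message)
    } catch {
        $result.RollbackEvents = @()
    }

    # 3. Net Logon state: the DC pauses it so it stops advertising itself.
    $svc = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    if ($svc) { $result.NetlogonStatus = $svc.Status.ToString() }

    $result.Suspect = ($result.DsaNotWritable -gt 0) -or
                      ($result.RollbackEvents.Count -gt 0) -or
                      ($result.NetlogonStatus -eq 'Paused')

    [pscustomobject]$result
}

Test-UsnRollbackIndicators | Format-List
```

A `Suspect` of `$true` is the cue to stop and follow the KB's recovery path (demote or restore from a proper system-state backup) rather than to "fix" the symptoms; clearing the registry value or resuming Net Logon by hand is exactly what the KB warns against, because it lets the rolled-back DC resume replicating against partners that have already moved past its USNs. Running this on every DC after any restore, image-based or not, is a cheap way to catch the scenario Brett describes before it spreads.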


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rob MOIR
How would LDAP apps easily address multiple AD domains hosted on one server? 
What if you wanted to make this box a GC for more than one domain? How easily 
can you configure apps like Exchange to cope with this? I say easily because 
you talk about SMEs using this function, which are the places that might be 
less well equipped to figure out the support impact on those apps from having 
to make them work with this arrangement.
 
Or the cost of buying and implementing upgrades that figure it out for them... 
that money we saved on the separate hardware boxes just went bye-bye... Oh 
well, at least multiple domains on one hardware box *sounds* cool.
 
Rob
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, October 04, 2005 4:25 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Active Directory wish list

 Vista is the client OS. I don't believe they have named Longhorn
 Server yet. I am voting for something like Windows Server 5.4.0 or
 something like that. I realize that the marketing group would have
 something to say about it but I figure the best thing from them is if
 they pronounced their thoughts from the bottom of Lake Washington.
 People don't install servers because they have cool names.
 
 The biggest non-NDA pieces that I have heard announced in conferences
 or seen on the web already is the Read Only DC to limit security
 exposure for WAN deployments, restartable AD that can be
 stopped/started as necessary, DA/Admin separation so that you can have
 an Admin on a DC that can't achieve Domain-wide DA level rights, and
 DCs running on Server Foundation or now its called Server Core which
 is a GUI-challenged Windows Server.
 
 I can also say that there are a myriad of GUI updates for the Admin
 tools though I can't state specifics. BJ Whalen who was involved with
 the GPMC project has been brought in to work on admin experience and
 anyone who has worked with GPOs with and without GPMC know that he
 really helped out.
 
 All in all, there is some very cool stuff and MS has really been
 listening to the community on what they want and need. I know that
 this list is watched for ideas and such and has been the source of
 DCRs internally. So if you have ideas, spout them here, they will most
 certainly be heard. They may not make Longhorn as it is getting a bit
 late to add major changes but your ideas could make it into a later
 rev.
 
 
joe
 

 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
 Sent: Monday, October 03, 2005 3:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Active Directory wish list


 Hi,
 
 With Windows Vista on its way what's on people's wish list as far as
 Active Directory is concerned? Also are there any big enhancements
 due?
 
 Thanks
 Steven
