RE: [ActiveDir] Blocking IE7
Yes but my point was that the moment you decide "We're gonna give {someone} admin rights" you've totally conceded control of the machine and you're reliant on their co-operation. If someone wants IE7 on their machine in your environment, they *will* have it. As you can see from the sig in my last message, I'm quite familiar with academic environments.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Being an academic environment, taking administrative rights away from users is not an easy thing to accomplish. The compromise was to have their domain account (which they are logged in as 99% of the time) a non-admin, but then give them the admin rights in the form of a separate local account unique to their workstation. This makes them safer while browsing and requires them to go through a very conscious extra set of steps to install new hw/sw. It has worked very well, cut down on spyware/junkware as well as served as a training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the ways they can admin the system?

--
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: 20 October 2006 01:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Yes/No - Because we are an academic environment, the best we could do was to make our users' domain account a user but give them their own local admin account. We use restricted groups to enforce.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Thursday, October 19, 2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Are your users local admins? Only admins can approve IE7 for install.

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

I must be missing something, I read:

* The Blocker Toolkit will not prevent users from manually installing Internet Explorer 7 as a Recommended update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center, or from external media.

So it seems to me a hash rule combined with a filename rule should work unless they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers all of your questions.

1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update installations.

Laura

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7

I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it.
(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)? I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
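Bryan's "hash rule combined with a filename rule ... unless they change both" is a statement about how Software Restriction Policy rules combine. The following is an added example (it is not code from the thread or from Microsoft) that models SRP rule evaluation in Python to make that combination and its remaining gap concrete. The installer bytes, the file names and the rule set are constructed stand-ins; real XP SP2 hash rules used MD5/SHA-1, and SHA-256 is used here only because the mechanism, not the digest, is the point.

```python
"""Added example, not from the thread: a model of Software Restriction Policy
(SRP) rule evaluation, showing why a hash rule combined with a filename (path)
rule blocks more than either rule alone, and what "unless they change both"
leaves open. All inputs are constructed; the digest algorithm is an assumption."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    sha256: str
    level: str = DISALLOWED


@dataclass(frozen=True)
class PathRule:
    pattern: str                 # matched against the file name, case-insensitively
    level: str = DISALLOWED


def evaluate(name, data, rules, default_level=UNRESTRICTED):
    """Return the security level SRP would apply to a file.

    Mirrors SRP precedence: a matching hash rule beats any path rule, the most
    specific (longest) matching path rule beats shorter ones, and the default
    level applies when nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    for rule in rules:
        if isinstance(rule, HashRule) and rule.sha256 == digest:
            return rule.level
    path_matches = [rule for rule in rules
                    if isinstance(rule, PathRule)
                    and fnmatch(name.lower(), rule.pattern.lower())]
    if path_matches:
        return max(path_matches, key=lambda rule: len(rule.pattern)).level
    return default_level


# Constructed stand-in for the installer binary (not real IE7 bytes).
INSTALLER = b"MZ\x90\x00constructed-ie7-installer-stand-in"
RULES = [
    HashRule(hashlib.sha256(INSTALLER).hexdigest()),   # hash rule on the known binary
    PathRule("iesetup7.exe"),                          # filename rule, as in the thread
]


def scenarios():
    """Decision for each way the file might arrive, under the default-allow
    policy the thread assumes and under default-deny for comparison."""
    rebuilt = INSTALLER + b"\x00"      # any byte change (a new build) gives a new hash
    return {
        "unchanged":       evaluate("iesetup7.exe", INSTALLER, RULES),
        "renamed":         evaluate("setup.exe", INSTALLER, RULES),   # defeats path rule only
        "rebuilt":         evaluate("iesetup7.exe", rebuilt, RULES),  # defeats hash rule only
        "renamed+rebuilt": evaluate("setup.exe", rebuilt, RULES),     # defeats both
        "renamed+rebuilt, default deny":
            evaluate("setup.exe", rebuilt, RULES, default_level=DISALLOWED),
    }


if __name__ == "__main__":
    for case, level in scenarios().items():
        print(f"{case:32} -> {level}")
```

The last scenario is the practitioner's caveat: with the default level left at Unrestricted, a new build under a new name passes both rules, and the only rule set that still holds is a default-deny policy with Unrestricted exceptions for the software you actually support, which is a much larger change than the two rules Bryan proposes.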
RE: [ActiveDir] OT: Protecting against Spyware/Adware
> 2) Spyware hangs around for a long time. Our users used to have admin rights so there is a lot of legacy spyware around.

Create a project to re-build these machines? If you've got a standard deployment image for workstations, this might not be too disruptive.

> 3) We still have business critical applications that won't run without admin rights. Often these are tightly integrated in a large suite of applications, e.g. the Call Centre management suite, so we still have some machines where users have admin rights. I know this sucks but there is certainly no cash available to replace these apps.

Is there a budget to deliver these 'special' apps via Citrix or at least MS Terminal Server, hence isolating them on a locked down server which users cannot browse the web from, and allowing you to drop their local workstation access level down to something sane? Or to virtualise these apps on each desktop, again isolating them and allowing you to drop the local workstation access rights down a notch or two.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] RFMAGIC
[EMAIL PROTECTED] ~]# mv /dev/tty0 /dev/tty0_old
[EMAIL PROTECTED] ~]# cp /dev/null /dev/tty0
[CONNECTION TO HOST LOST]

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 07 July 2006 09:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RFMAGIC

[EMAIL PROTECTED] ~]# dcpromo
bash: dcpromo: command not found
[EMAIL PROTECTED] ~]# pwd
/home/bdesmond
[EMAIL PROTECTED] ~]# uname
Linux
[EMAIL PROTECTED] ~]# whereis dcpromo
dcpromo:
[EMAIL PROTECTED] ~]# ls / -R | grep dcpromo
[EMAIL PROTECTED] ~]#

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Oytun
Sent: Friday, July 07, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RFMAGIC

FYI, San Diego company RFMagic at http://www.rfmagic.com/ looking for a Linux admin. Just FYI

Robert Oytun

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] pw reset domain account
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of AWS
Sent: 25 June 2006 23:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account

> There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' pc when needed. They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Joe and Laura have already given this the gimlet eye, but I'll add that we were recently considering this here and threw it out due to security issues. As Laura points out, you have totally lost any hope of control or accountability on your whole network with these kinds of accounts loose on it.

You've got a choice - lock it down like crazy (and there is a problem with that which I'll come to in a moment) or trust your users. Right, I don't think so either.

The problem with something like this is that your need to lock the account down is in conflict with giving it enough rights to perform a privileged task. So you produce all kinds of odd little hacks and tweaks so that this account has no rights at all apart from when you need it to have the sort of rights needed to reset a password (While I'm here, how do you propose stopping people from being able to hack or DOS another person's account by resetting it for them?).

Anyway, you start locking your chosen account down. You've got to be lucky enough to have got there first for every possible attack vector that a hacker can think of exploiting untraceably with this account. The hacker only needs to be luckier than you once.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] pw reset domain account
What sort of questions? If you ask people to pick a secret question then you'll get poor quality questions:

Q. QWERTY
A. UIOP

Or poor quality questions: DOB? (My friends at work know how old I am, and what day my birthday is).

Q. What sports team do I support?
A. Right, like it isn't obvious from the way I was moaning about their play yesterday.

Or questions that anyone trying to hack a specific important account couldn't discover.

Q. What was my first grade teacher?
A. Like this isn't documented on Friends Reunited and every silly myspace quiz you ever took.

Sorry to sound like I'm beating you up on this quite so much, but I've been down this road already and I'm trying to save you some pain.

Couple of further questions:

What will you do if someone forgets the special password resetting account's details? Hopefully they won't actually be logging in THAT often.

What's to stop a 'random passer by' getting on a terminal and playing with this account?

-Original Message-
From: [EMAIL PROTECTED] on behalf of AWS
Sent: Mon 26/06/2006 15:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe [EMAIL PROTECTED] wrote:

Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or... Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. <eg>

Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' pc when needed. They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,
AW

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
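Two of the concerns in this thread are structural rather than about the shared account's rights: a kiosk login shared by everyone leaves no accountability, and anyone who can answer (or guess) the challenge questions can "hack or DOS" another person's account by resetting it. The following is an added example, not code from the thread or from any product discussed in it, showing one way a reset website can be structured so that a successful challenge does not by itself change anything. It keeps everything in memory with constructed users; the attempt thresholds, the PBKDF2 parameters and the idea that the token is delivered out of band (to an enrolled address or phone) are assumptions for the illustration.

```python
"""Added example, not from the thread: a self-service reset flow in which the
challenge only issues a short-lived, single-use token and the password changes
only when that token is presented, so guessing the answers alone cannot lock
the real owner out, and each step is logged against the kiosk workstation since
the shared login gives no identity. Thresholds and KDF settings are assumed."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3        # challenge attempts per target before the challenge locks (assumed)
LOCK_SECONDS = 900      # how long the challenge stays locked (assumed)
TOKEN_SECONDS = 600     # lifetime of the out-of-band confirmation token (assumed)


def _hash_answer(answer, salt):
    # Normalise so "Miss Smith " and "miss smith" compare equal, then stretch.
    normalised = " ".join(answer.split()).lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 50_000)


class ResetService:
    def __init__(self):
        self.challenges = {}         # user -> list of (salt, hashed answer)
        self.failures = {}           # user -> (count, window start)
        self.pending = {}            # token -> (user, expiry)
        self.password_version = {}   # user -> how many times the password was set
        self.audit = []              # (when, workstation, user, event)

    def enrol(self, user, answers):
        stored = []
        for answer in answers:
            salt = secrets.token_bytes(16)
            stored.append((salt, _hash_answer(answer, salt)))
        self.challenges[user] = stored
        self.password_version[user] = 1

    def request_reset(self, user, answers, workstation, now):
        """Verify the challenge. On success return a token for out-of-band
        delivery; the password is NOT changed here."""
        count, start = self.failures.get(user, (0, now))
        if now - start >= LOCK_SECONDS:
            count, start = 0, now            # window expired, start a new one
        if count >= MAX_FAILURES:
            self._log(now, workstation, user, "challenge_locked")
            return None
        stored = self.challenges.get(user, [])
        ok = bool(stored) and len(stored) == len(answers) and all(
            hmac.compare_digest(_hash_answer(a, salt), h)
            for a, (salt, h) in zip(answers, stored))
        if not ok:
            self.failures[user] = (count + 1, start)
            self._log(now, workstation, user, "challenge_failed")
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user, now + TOKEN_SECONDS)
        self._log(now, workstation, user, "token_issued")
        return token

    def complete_reset(self, token, workstation, now):
        """Only the holder of an unexpired, unused token can set a new password."""
        user, expiry = self.pending.pop(token, (None, 0))
        if user is None or now > expiry:
            self._log(now, workstation, user, "token_rejected")
            return False
        self.password_version[user] += 1
        self._log(now, workstation, user, "password_reset")
        return True

    def _log(self, now, workstation, user, event):
        # The kiosk login is shared, so the workstation is the only attribution left.
        self.audit.append((now, workstation, user, event))
```

Note what this does and does not address: the lockout applies to the challenge for a target account, not to that account's logon, so repeated failures cannot be used to lock a colleague out; but the quality of the questions themselves, which is the point Rob makes above, is unchanged by any of this.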
RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server
Virtual Machine Additions are a set of drivers and applets to extend and improve integration of a guest OS into the Virtual Server / PC application.

As for "Where do you get it / Why wouldn't they just include it in the default install", you get it as part of the default install because it *is* included ;-) (unless you want the Linux additions, they are still new, if not 'beta' and hence are a separately available but still free download) ... but you have to choose to install it and this is frequently overlooked by those in a rush or inexperienced with Virtual Server.

VMWare, Parallels and other similar products all have their equivalents, btw, and the same thing applies there; the extras are often overlooked but the performance improvements can be profound.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: 13 June 2006 05:08
To: ActiveDir@mail.activedir.org
Subject: RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

The paper on running a DC on a VM is interesting, particularly this section. What is Virtual Machine Additions and where do you get it? Why wouldn't they just include this in the default install?

You can improve performance by installing Virtual Machine Additions as soon as the guest operating system is up and running. Virtual Machine Additions is a set of features that improves the integration of the host and guest operating systems. It also improves the performance and manageability of the guest operating system. You must install Virtual Machine Additions on all virtual machines. Virtual Machine Additions adds the following enhancements to a guest operating system:

* Improved mouse cursor tracking and control.
* Greatly improved overall performance.
* Virtual machine heartbeat generator.
* Optional time synchronization with the clock of the physical computer. This feature is enabled by default and must be disabled for domain controllers that are running in virtual machines.
* Increased small computer system interface (SCSI) controller performance.
* Support for two-node clustering between virtual machines for testing and development scenarios.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 12, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

There's this: http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
And then http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx
And http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

But now that you mention it, I don't think a collective best practice for general usage is something I've seen.

On 6/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Re-post

Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server? How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true. I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a significant amount in hardware cost for the enterprise). I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware. I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that tad is well within the range of performance that applications like Exchange require. After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world). We do, however, work on the side of caution and do maintain a few hardware
RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server
I have a few notes on general best practices for building Virtual Servers on my website if that is any help: http://robertmoir.com/blogs/someone_else/archive/2006/03/12/2155.aspx

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 June 2006 03:07
To: ActiveDir@mail.activedir.org
Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

There's this: http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
And then http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx
And http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

But now that you mention it, I don't think a collective best practice for general usage is something I've seen.

On 6/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Re-post

Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server? How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true. I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a significant amount in hardware cost for the enterprise). I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware. I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that tad is well within the range of performance that applications like Exchange require. After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world). We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production). I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it. Brian does have a point in that it has to be done correctly and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they log on to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I'd say go for it. The price war with MS and EMC on virtualization has made this far more economical,
RE: [ActiveDir] AD integration
Just want to quickly say thanks to both of you, Joe and Al, you've helped me form some thoughts around this area that I can work with. This short discussion has been very useful. If I ever see either of you at a MVP gathering I owe you a beverage of your choice, or two.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 June 2006 15:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD integration

The answer to this one is of course it depends. At first blush it sounds like a single threaded app. Depending on the vendor, this may be the best/safest thing to do. :)

As for best practices. I don't think there are any best practices for how many domains you should pull data from at a time. It would again depend entirely on the app and what it is supposed to be doing and the dangers exposed in doing it. For a relatively fast application that works well in single and multidomain environments I could see cases where it is better to pull from the GC or better to set up a thread pool and pull from x domains at once or a combination. Certainly the thread pool solutions are the more scalable solutions but they are also the much harder to do right and the more costly solutions. Most customers chose apps on how cheap they are first, then later they start to realize the shortcomings that made them cheaper.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Monday, June 12, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD integration

Just a quick question. Is anyone aware of any best practice documentation of how a product ought to integrate with AD (e.g. to pull out user data for its own use).

Failing that, can anyone comment on what they think of a model that can only pull data out of one domain at a time so for a >1 domain forest needs to make a connection to each domain in turn, pull down that information and then load it into SQL server. Am I crazy in thinking that anyone following this model has probably just found out that their old NT4 domain integration code kinda works and did the bare minimum tidying up before halting any further work?

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Time Server for Forest Root PDC
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: 12 June 2006 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Server for Forest Root PDC

> How have people on this list configured their Forest Root PDC to synchronize the time service? Is it O.K. to use an internal time server on a firewall? Is it best to point to tick.usno.navy.mil or time.windows.com?

I'm coming late to this party but that hasn't stopped me throwing in my two pennies' worth before...

We have our own atomic / radio clock here, physically attached to a DC. The DC it is connected to syncs to this hardware and all our other servers sync to this DC.

My feeling is that while having the correct time is obviously a very good thing, what is more important is that all your nodes are consistent with each other; in other words, I think that what source you pick is less important than picking just one source and making damn sure every node uses time that is based off this source.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] AD integration
Just a quick question. Is anyone aware of any best practice documentation of how a product ought to integrate with AD (e.g. to pull out user data for its own use).

Failing that, can anyone comment on what they think of a model that can only pull data out of one domain at a time so for a >1 domain forest needs to make a connection to each domain in turn, pull down that information and then load it into SQL server. Am I crazy in thinking that anyone following this model has probably just found out that their old NT4 domain integration code kinda works and did the bare minimum tidying up before halting any further work?

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] AD integration
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 12 June 2006 13:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD integration

> Is there a best practice? For what? For making it work or for security purposes? JoeK has a book full of coding information. That might be of use.

For making it work. I'm trying to resolve a dispute between a supplier of a commercial product and a customer about whether or not the "connect to each domain in turn" method is a satisfactory model (supplier says "what's the problem", customer regards it as poor practice). I'm after a general idea of how people feel about this.

> As for a model, my personal advice is to ensure that the coder doesn't assume that the LDAP data is static. For example, never assume that the items that aren't guaranteed to be unique will remain unique, such as CN. In a multi-domain forest, the CN is not likely going to be unique unless additional steps have previously been taken. DN, RDN etc. follow suit.
>
> As for more than one domain and pulling the data from one domain at a time, well, that's up to the application. Is there a reason you only want it from one at a time that we should be aware of? Vs. say pulling information from a GC?

I personally would regard pulling info for the whole forest from a GC as the preferred model where applicable (and in this case it would work fine). I'm trying to find out how people feel about the other methods.

> WINNT code: yes it will still work depending on how you want to run it. But it won't allow you access to the GC, and it's going to have problems in multidomain models if the sAMAccountName is not unique across the domain boundaries. WINNT code is also legacy code and not guaranteed to work for future versions IIRC.
>
> Al
>
> On 6/12/06, Rob MOIR [EMAIL PROTECTED] wrote:
> > Just a quick question. Is anyone aware of any best practice documentation of how a product ought to integrate with AD (e.g. to pull out user data for its own use)?
> >
> > Failing that, can anyone comment on what they think of a model that can only pull data out of one domain at a time, so for a >1 domain forest needs to make a connection to each domain in turn, pull down that information and then load it into SQL Server. Am I crazy in thinking that anyone following this model has probably just found out that their old NT4 domain integration code kinda works and did the bare minimum tidying up before halting any further work?
> >
> > --
> > Robert Moir
> > Microsoft MVP for Windows Servers Security
> > Senior IT Systems Engineer
> > Luton Sixth Form College
> > Right vs. Wrong | Good vs. Evil
> > God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
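The two points Al and Rob circle in that exchange, pulling the whole forest from a global catalog instead of connecting to each domain in turn, and never keying on CN or sAMAccountName because neither is unique across a forest, as an added worked example. This is my illustration, not the supplier's product code and not anything posted to the list. The AD facts it relies on are that a GC answers LDAP on TCP 3268 (3269 over SSL), that a subtree search with an empty base DN on a GC covers every domain in the forest, and that CN is unique only within its container, sAMAccountName only within its domain and objectGUID for the life of the object. The entries are constructed to look like a GC result set; no directory is contacted. objectGUID is shown as text here, whereas a real LDAP client hands it back as 16 raw bytes, and the DN parsing ignores escaped commas, which is a simplification.

```python
"""Forest-wide user pull through the global catalog, plus the uniqueness check
the thread warns about. Added example, not the supplier's product code.
"""
from collections import defaultdict

GC_PORT = 3268       # global catalog, LDAP
GC_PORT_SSL = 3269   # global catalog, LDAP over SSL
GC_SEARCH_BASE = ""  # empty base DN + subtree scope = whole forest on a GC
USER_FILTER = "(&(objectCategory=person)(objectClass=user))"

# Constructed sample result set shaped like what a GC search returns (partial
# attribute set copies of users from two domains). CN and sAMAccountName repeat
# across domains; the objectGUID values are made up.
SAMPLE_GC_ENTRIES = [
    {"distinguishedName": "CN=John Smith,OU=Staff,DC=corp,DC=example",
     "cn": "John Smith", "sAMAccountName": "jsmith",
     "objectGUID": "5f1b0c2e-0000-4000-8000-000000000001",
     "userPrincipalName": "jsmith@corp.example"},
    {"distinguishedName": "CN=John Smith,OU=Students,DC=campus,DC=corp,DC=example",
     "cn": "John Smith", "sAMAccountName": "jsmith",
     "objectGUID": "5f1b0c2e-0000-4000-8000-000000000002",
     "userPrincipalName": "jsmith@campus.corp.example"},
    {"distinguishedName": "CN=Ann Lee,OU=Staff,DC=corp,DC=example",
     "cn": "Ann Lee", "sAMAccountName": "alee",
     "objectGUID": "5f1b0c2e-0000-4000-8000-000000000003",
     "userPrincipalName": "alee@corp.example"},
]


def gc_url(host, ssl=False):
    """RFC 4516 LDAP URL for one forest-wide user search against a global catalog
    (one connection instead of one per domain)."""
    scheme, port = ("ldaps", GC_PORT_SSL) if ssl else ("ldap", GC_PORT)
    attrs = "distinguishedName,objectGUID,sAMAccountName,userPrincipalName"
    return f"{scheme}://{host}:{port}/{GC_SEARCH_BASE}?{attrs}?sub?{USER_FILTER}"


def domain_of(dn):
    """Domain DNS name from the DC= components of a DN (escaped commas ignored)."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def collisions(entries, attr):
    """Values of attr that occur more than once forest-wide, with the domains involved.
    Case-insensitive, matching how AD compares these attributes."""
    seen = defaultdict(list)
    for e in entries:
        seen[e[attr].lower()].append(domain_of(e["distinguishedName"]))
    return {value: doms for value, doms in seen.items() if len(doms) > 1}


def load_rows(entries):
    """Rows for the SQL Server load, keyed on objectGUID rather than CN or sAMAccountName.
    The same objectGUID twice means the same object came back twice, so it is an error."""
    rows = {}
    for e in entries:
        guid = e["objectGUID"].lower()
        if guid in rows:
            raise ValueError(f"objectGUID {guid} returned twice")
        rows[guid] = {
            "domain": domain_of(e["distinguishedName"]),
            "sam": e["sAMAccountName"],
            "upn": e["userPrincipalName"],
            "dn": e["distinguishedName"],
        }
    return rows


if __name__ == "__main__":
    print(gc_url("gc.corp.example"))
    for attr in ("cn", "sAMAccountName", "objectGUID"):
        print(attr, "collisions:", collisions(SAMPLE_GC_ENTRIES, attr))
    print(len(load_rows(SAMPLE_GC_ENTRIES)), "rows keyed on objectGUID")
```

Run as is, the CN and sAMAccountName checks both report "john smith"/"jsmith" appearing in corp.example and campus.corp.example, while objectGUID reports nothing, which is the reason the load keys on objectGUID. Pointing `gc_url` at a real GC with any LDAP client reproduces the single-connection model Rob prefers; a per-domain design would need one such search per domain, with no forest-wide view to run `collisions` over.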
RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 08 March 2006 16:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

> Subscriptions are free - to those in the U.S. only :(

You know, I'm not convinced that Microsoft really get the whole international thing and the interweb.

--
Robert Moir
Microsoft MVP for Windows Servers Security
RE: [ActiveDir] OT: Gauging AD experience
Currently on my desks:

1 desktop with a standard 17" TFT
2 laptops
1 KVM monster with a laptop connected to an external ADSL link (for testing site security as an external person), and another desktop on the same KVM with 6 3M Disk Stakkas for our software library
1 Mac Mini with a 32" TFT monitor (save the best for last)

--
Robert Moir, MBCS
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: 24 January 2006 15:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Currently on my desk - 2 laptops (1 with external monitor connected and only one running at the moment), 3 computers, 22 POS modems, a Google Search Appliance, a Cisco PIX 525 and the head of a Coconut Monkey!

Like Rich, my lab is a different story. The GSA and PIX will soon find new homes in the lab racks after I'm done testing and eventually all 22 POS modems will find new homes in far corners of the country.

Lou

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 24, 2006 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Ok I gotta ask, Joe you said monitors plural... how many computers and monitors do you guys have on your desk? I can't imagine that I win... I certainly don't have any 100+ VMs like I saw Joe mention... but I'll start... I have 6 computers, 1 laptop, and one touchscreen POS terminal, in my office and running right now. 2 of those have VMs, and so does the laptop but it's tied up for 3 or 4 hours running Longhorn server setup so I can try again now I know there is a wireless add-on component hidden somewhere... I have 4 monitors plus the laptop and touchscreen. And I have one other POS terminal and 2 other PCs on standby. This doesn't count the lab.

I'll bet that, regardless of some of the looks I get when people peek in my cube (no, not office), that this is pretty standard...

Rich

--
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 23, 2006 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Oh great Gil, thanks... now I have to clean Coca-Cola off my monitors. :o)

Good to see you back Todd. You working for Ringling Bros now?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 20, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

But at least you're not bitter...

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Friday, January 20, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

In my experience, when good directories go bad, it is usually due to three things.

1. Firewalls
2. Firewalls
3. Did I list firewalls?

Runners-up would be ADC for Exchange, clowns posing as administrators, clowns posing as DNS experts, clowns posing as security experts, and no disaster recovery solution.

Todd Myrick
Brushing off the dust of my MVP status.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o)

I would say "When Bad Things Happen To Good Directories" is more on par with "When Bad Things Happen To Good People", say like when your nanny gets a flat tire. "When Good Directories Go Bad" is more like when your good little daughter hits her teen years and starts going out to parties in fishnet stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
RE: [ActiveDir] OT: speaking of AD books...
> Bottom line - Mgmt needs to take ownership of the results of their business decisions. Tall order. But necessary to some degree for an IT Mgr to maintain their sanity.
>
> Warning: YMMV - Not recommended for everyone - May be hazardous to job status.

Well, telling them is a hazard because they might fire you if they don't like what you're saying. Not telling them is a hazard because they won't understand they've set you an impossible task, and will fire you for failing. If I'm gonna run the risk of being executed either way, I'd rather get it for doing the right thing...

rob
RE: [ActiveDir] Hardware Suggestions
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: 08 November 2005 08:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

> I can understand that with a home machine you're going to be taking the top off at regular intervals to play with it (err; upgrade hardware etc) but why on earth would you ever open a server unless it has a fault? We have servers that go their entire life without being opened up. Is there some major bit of server management that I'm missing by not taking it apart on a regular basis??

You mean you don't open your servers up to hoover up the binary code when it falls off the disk platters?
RE: [ActiveDir] Exchange server 2003
Is this some kind of experiment to see how quickly hackers find your machine?

Anyway, many consumer cable companies limit the ports that their customers can open to the internet. Check your AUP and if it mentions that you can't run servers of this kind on your service then you will probably find they're blocking it.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Abdul
Sent: Tue 08/11/2005 18:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange server 2003

Thanks. My server is directly connected to internet through consumer cable. No firewall.

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange server 2003

Have you opened TCP 25 inbound on your firewall to the Exchange server? You need this for other SMTP servers to communicate with you. If this is a consumer class of cable, it's also possible they shut down inbound SMTP globally, in which case you'll have to give them a ring to see if they'll open it for you.

Thanks,
Brian Desmond
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED]
c - 312.731.3132

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abdul
Sent: Tuesday, November 08, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange server 2003

Hi,

I have set up Exchange 2003 servers on ms and dc. Both connected to internet by cable. I can send and receive e-mail locally/internally. I can also send e-mail to external address. But I can not receive e-mail from external address. Any suggestion?

Check from dnsreport is as under:
http://dnsreport.com/tools/dnsreport.ch?domain=eitlink.com

I am not sure how to correct the problem mentioned at the end of the report.

Thanks
Ranga
RE: [ActiveDir] Hardware Suggestions
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 07 November 2005 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

> Bottom line, I would guess that two HP 360's (SCSI; I haven't been made comfortable with SATA reliability yet) or 140's with 1GB of memory each would be more than needed based on those parameters.

I'm glad to hear someone else say this. SATA can work but you need to look closely at what you're buying and what the manufacturer recommends. If the manufacturer doesn't trust their own products for the sort of 24*7 hammering you often get in a server then why bet against them? Who are we to assume we know a product better than the people who designed and built it?

> If you virtualize anything on top of that, some other considerations would be needed of course. (or Dell or IBM equivalent of course).

I'd still personally be uncomfortable with virtualising all my DCs, even onto different physical virtual server hosts. I just don't believe in adding extra layers of complexity to fundamental network services if I can help it.

--
Robert Moir
Microsoft MVP (Security, Virtual PC)
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!!
RE: [ActiveDir] Hardware Suggestions
Depends on the model. We've got some low end Dell stuff for external DNS (PowerEdge 800s) where I'm not too bothered if it dies, and the build quality is less than the normal Dell server standard (there's an open statement!).

As for the cables, they're the same no matter what so they're just as easy to knock out, but with the drives held in a decent cage on some of these servers that steers the connectors away from where your hands usually go when fitting stuff it isn't as bad as it could be.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Mon 07/11/2005 17:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

Ok, Sue, you know that when you leave a dangling diss like that someone is going to ask you to support it ;-)

Beyond the connectors coming undone (something I have not experienced with Dell desktop SATA), do you have specific criticisms about the Dell towers? Thanks -- we are about to buy several of them (and rack-mounted too).

-- nme

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 07, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions

Stupid blonde alert

I personally have SATA experience in the tower/desktop world but none in the rack units. Are the physical connections any stronger in the rack world? I like SCSI and IDE not only for their proven track record [server and desktop respectively] but because the dang cables don't get knocked off each time I reach into the case. Those cable connections on the back of the SATA drives are a little worrying. I've accidentally bumped the connection off my workstation at home twice while adding the Hauppauge card and what not.

In SBSland early on we had issues with them getting loaded up; if they are underpowered, we're seeing a bit of bottlenecks, and as one of the SBS support gang said out of Mothership Las Colinas, if your vendor won't guarantee that equipment for 3 years, do you really want to put that data on that device? So far the SATAs that we have running around in SBSland servers are okay, but I'll report back in another 2 years and let you know.

I can't speak for the Dell rack stuff, but the Dell tower stuff... lemme just say I'm glad Brian steered me towards HP.

Rob MOIR wrote:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: 07 November 2005 15:13
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Hardware Suggestions
>
> > Bottom line, I would guess that two HP 360's (SCSI; I haven't been made comfortable with SATA reliability yet) or 140's with 1GB of memory each would be more than needed based on those parameters.
>
> I'm glad to hear someone else say this. SATA can work but you need to look closely at what you're buying and what the manufacturer recommends. If the manufacturer doesn't trust their own products for the sort of 24*7 hammering you often get in a server then why bet against them? Who are we to assume we know a product better than the people who designed and built it?
>
> > If you virtualize anything on top of that, some other considerations would be needed of course. (or Dell or IBM equivalent of course).
>
> I'd still personally be uncomfortable with virtualising all my DCs, even onto different physical virtual server hosts. I just don't believe in adding extra layers of complexity to fundamental network services if I can help it.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Hardware Suggestions
I've deployed SATA for storage of large files in Apple XRaid units in a RAID 5+1 config, and so far so good. Ask me in 3 years if I'm still just as happy ;-) but it was the only way to give the user what they wanted inside the budget we had. One advantage of the XRaid is that it's fitted out from the get-go to use SATA disks and the only reason you'd ever have to do anything to it is to replace a drive that you already know has gone bad.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 17:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions

silly no-hair-color alert

SATA == Desktop drives. They weren't originally concepted to be enterprise class storage. I see them as being back-engineered to be used this way, but most of what I've seen has been to deploy them as a JBOD in situations where you can absorb the continuous loss of hardware and not impact performance and availability. Typically in pools of disk and HSM solutions (what is it that HSM is called now? ILM? :)

If you plan to deploy DAS solutions (internal or external), SATA is not likely the way to go right now. You may want to wait a bit longer if the data is important. For large pools of inexpensive disks, SATA might be worthwhile to investigate if you have a large loading bay, a good support agreement, and close access to the highway.

-ajm

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions
Date: Mon, 07 Nov 2005 09:13:19 -0800

> Stupid blonde alert
>
> I personally have SATA experience in the tower/desktop world but none in the rack units. Are the physical connections any stronger in the rack world? I like SCSI and IDE not only for their proven track record [server and desktop respectively] but because the dang cables don't get knocked off each time I reach into the case. Those cable connections on the back of the SATA drives are a little worrying. I've accidentally bumped the connection off my workstation at home twice while adding the Hauppauge card and what not.
>
> In SBSland early on we had issues with them getting loaded up; if they are underpowered, we're seeing a bit of bottlenecks, and as one of the SBS support gang said out of Mothership Las Colinas, if your vendor won't guarantee that equipment for 3 years, do you really want to put that data on that device? So far the SATAs that we have running around in SBSland servers are okay, but I'll report back in another 2 years and let you know.
>
> I can't speak for the Dell rack stuff, but the Dell tower stuff... lemme just say I'm glad Brian steered me towards HP.
RE: [ActiveDir] Hardware Suggestions
Nope, DASD to an Apple G5 Xserve for a very small number of Apple clients (10) with very high storage requirements. To be honest, the thing that made me go for this solution in the end was that performance was better using the native Apple stuff end to end and writing to SATA than it was having to translate at some point on the network in order to write to SCSI.

So now I have a nice complicated totally separate Apple Open Directory domain with trusts into the Windows forest so that all the pain of making it work falls on me and the network support team here instead of on the desktop user. Which is how it should be after all, and it doesn't do the old resume any harm to have this all on there!

-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 18:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

That's a desktop user? The Apple desktop?

I don't have a problem with SATA (an upgrade from PATA) if used as designed. It's designed for desktop storage. Not that it can't be adjusted to server/enterprise, but its price point and architecture are intended for desktops (i.e. cheap but not as reliable as a shared resource). Used appropriately, I'm quite happy with it. But it's intended to be cheap and replaceable. Cheap, fast, reliable - pick two (or something like that ;)

That shouldn't last if history is any indication, but for now I'll try not to build too many centrally required applications on that technology unless I can put a lot of abstraction in front of it (large pools that aren't bothered by the loss of several components at a time.)

From: Rob MOIR [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org, ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
Date: Mon, 7 Nov 2005 18:36:10 -

> I've deployed SATA for storage of large files in Apple XRaid units in a RAID 5+1 config, and so far so good. Ask me in 3 years if I'm still just as happy ;-) but it was the only way to give the user what they wanted inside the budget we had. One advantage of the XRaid is that it's fitted out from the get-go to use SATA disks and the only reason you'd ever have to do anything to it is to replace a drive that you already know has gone bad.
RE: [ActiveDir] Hardware Suggestions
-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

> Interesting. If that solution becomes a problem, have a look at http://www.centrify.com and see if you can change some of that :)

Hmmm, either their demo does a poor job of explaining their product or their product would actually be a downgrade for us! To cut a long story short, we use no 3rd party software; it's all done with default Apple and MS tools. We're using AD to hold all of our user objects and most of the group objects, so our password and security policies are already enforced out of the box. OS X desktops have computer accounts in an AD OU in order for the machines to authenticate to AD, and join the domain as part of their install routine.

What exists in Open Directory is one or two built-in groups that we drop AD groups into and various other objects which describe various default settings to apply to desktop machines (vaguely like GPOs but not as sophisticated). The stuff that goes here is really minimal from our point of view but those little bits make a big difference to the user experience.

> Seriously, it is interesting and I'm interested to hear of the long term results as they occur. Shall we check back in a year or so?

Surely. I'm certain I'll have either set fire to the Apple servers we have now by then or purchased another one. We installed our server in August and while it's only been a few months now, things have been working very well so far I have to say, and once the config was complete this setup has required very little day to day admin time. It's far more robust than I was probably making it sound earlier!

rob
RE: [ActiveDir] Server Roles
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

> I've looked at using Virtual Server for small sites and it makes sense to me. The only drawback is that all your eggs are in one basket - lose the host and you lose everything. The same's true for patching as you'll need downtime on all of the guest machines when the host is updated.

Quite right, however, if you have a host that is dedicated to hosting Virtual Server, e.g. everything except the host's core OS and Virtual Server is hosted in a guest, then you've greatly reduced the surface that needs patching. SQL has a problem that needs patching? So does AD? DNS vulnerability? ...watch my Virtual Server host not care!

Also, while nothing is foolproof, good server hardware is much more reliable now than it ever was, in my experience. I've seen servers fail during burn-in of course due to a fault that they came out of the factory with, and of course drives are mechanical and fail sometimes, which is why we all use RAID, but other than that I see very very few hardware faults at all.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!!
RE: [ActiveDir] Active Directory wish list
We have to stay realistic as well, or I'm just going to add "diamond studded admin chair with free back massager, to sit in when working on AD" to the list ;-).

It's all well and good to say "It isn't easy" but if what you're talking about would essentially break the system and make it unusable for the way lots of server apps currently use it, then it surely isn't viable. Compatibility with existing LDAP-based apps, let alone stuff that ties more closely to AD, has to be solved before this can even make a start. Microsoft already get accused of subverting open protocols enough without _trying_ to pick a fight! Lastly, as I said before, even if they can solve this, has it just made the system too complex for the target SME businesses to deploy?

The "on one OS" qualifier aside, you really have just described Microsoft's or VMware's virtualisation products, and given the technical issues this is probably the best way of delivering multiple DCs on one box.

As to what I would like to see, Rich's idea of a hot spare that can hold offline replicas for multiple domains might be an achievable compromise to this issue. I also want to be able to set domain account password security policies on a per OU basis.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
He's back, and this time he's got a portable bulk-eraser!!!

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Wed 05/10/2005 22:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Not being an OS architect, I'm not sure how MS would make it work (obviously it's not easy) but I would think something along the lines of different IP addresses per domain and using DNS to resolve the domain to an IP, or host headers, or multiple NICs, or something like that... The idea is that it would look externally like multiple DCs, but they would be on one OS... If you can put multiple websites on one server and have them look different, maybe they can do the same with domains... Never said it was easy; this is a wish list, after all... :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Wednesday, October 05, 2005 1:17 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

How would LDAP apps easily address multiple AD domains hosted on one server? What if you wanted to make this box a GC for more than one domain? How easily can you configure apps like Exchange to cope with this? I say "easily" because you talk about SMEs using this function, which are the places that might be less well equipped to figure out the support impact on those apps from having to make them work with this arrangement. Or the cost of buying and implementing upgrades that figure it out for them... that money we saved on the separate hardware boxes just went bye-bye...

Oh well, at least "multiple domains on one hardware box" *sounds* cool.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like "Windows Server 5.4.0" or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.

The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already is the Read Only DC to limit security exposure
RE: [ActiveDir] AD Restore Problem
With Apple Open Directory, you'd have multiple servers running a replica of your Open Directory information. In other words, more than one DC.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 06 October 2005 15:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? yeah I know they don't have AD but they have to have some competing glue, right? What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:
If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]
This posting is provided AS IS with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:
I am working my way down the VMWare path also for my ultimate DR ace in the hole. The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production. Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers. This plays into the different hardware scenario since I can use VMWare to abstract the hardware. Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/activedir@mail.activedir.org/ and search for usn rollback. You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Active Directory wish list
Then we should be looking at user authentication by other means than just passwords. But that isn't a utopia either.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 06 October 2005 15:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords (next to HR, accounting, and IT maybe) but lack the computer literacy to understand why and so unfortunately want no passwords or their dog's name as a password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password policy, and who [might] now reasonably [from a technical and security perspective] ask why would you want to allow some people to have a weak password policy if others require a strong one on the same network??
- AD admins who have to figure out how to make everyone happy but may get blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably should not be mandated by the program, only set as an initial default to protect the ignorant. IMHO.

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The way I can see different password policies for one domain being implemented is if you have a product/tool in front of your directory intercepting the passwords and enforcing different rules as the passwords go through. The underlying directory (AD) will have to have no policy, or have at least a very relaxed policy. This would be a sort of password servicing provisioning system.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

In our case (empty root, 4 child domains, 3500 users), it was primarily politics. We brought in two consultants (one from a VAR, one from Microsoft), and the decision was that the best way to go, based on politics, geographical location of the offices, and division of administration, was the empty root and 4 child domains. Password policies were a small factor, but not a driving force... That said, I personally would love to see the ability to have multiple password policies within a single domain.

Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn [EMAIL PROTECTED] wrote:
I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an
RE: [ActiveDir] Active Directory wish list
As I say, it isn't utopia. And what about fallback positions?

* You use fingerprint technology and that hand is encased in plaster and hence can't work with your fingerprint scanner. Now what?
* You use smart-cards and leave it at home one day. Now what?

In both cases the fall-back is probably just blow the dust off your keyboard and type in your password... you do remember that despite not using it for 5 months, right? So we're right back where we started.

From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Thu 06/10/2005 17:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I have not been in many biometric/smart card discussions, but the ones I have been in have never addressed one particular issue: Ok, so logons are now secured very nicely. So how secure is the background mechanism that ties my fingerprint to my account?? Can Joe sniff it off the network with net monitor? (I'd put money on Joe.R being able to, anyway :) I believe that is at least one reason for some of the disclaimers around certain products like I think it's a MS keyboard with fingerprint reader, about being for home use only or for securing Internet passwords only, etc.

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Then we should be looking at user authentication by other means than just passwords. But that isn't a utopia either.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 06 October 2005 15:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords (next to HR, accounting, and IT maybe) but lack the computer literacy to understand why and so unfortunately want no passwords or their dog's name as a password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password policy, and who [might] now reasonably [from a technical and security perspective] ask why would you want to allow some people to have a weak password policy if others require a strong one on the same network??
- AD admins who have to figure out how to make everyone happy but may get blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably should not be mandated by the program, only set as an initial default to protect the ignorant. IMHO.

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The way I can see different password policies for one domain being implemented is if you have a product/tool in front of your directory intercepting the passwords and enforcing different rules as the passwords go through. The underlying directory (AD) will have to have no policy, or have at least a very relaxed policy. This would be a sort of password servicing provisioning system.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

In our case (empty root, 4 child domains, 3500 users), it was primarily politics. We brought in two consultants
RE: [ActiveDir] AD Restore Problem
Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

What is not supported is an image restored and running in a Virtual PC.

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

That article might not have been caught yet, support for DCs in Virtual Server is a relatively new thing, but it is supported.
http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

That doesn't help SBS much though since Exchange is not yet supported in Virtual Server.

Phil

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? yeah I know they don't have AD but they have to have some competing glue, right? What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:
If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]
This posting is provided AS IS with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:
I am working my way down the VMWare path also for my ultimate DR ace in the hole. The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production. Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers. This plays into the different hardware scenario since I can use VMWare to abstract the hardware. Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/activedir@mail.activedir.org/ and search for usn rollback. You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
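Both "AD Restore Problem" messages above point at KB 875495 for detecting a USN rollback after a DC is restored from a VM image, but neither shows what to check. The following is an added example, not code from the list or from Microsoft's KB: a read-only PowerShell check for the indicators the KB documents (the "Dsa Not Writable" registry value, Directory Service event 2095, and a paused Netlogon service). It assumes PowerShell 3 or later running as a local administrator on the DC being checked, which is an assumption here, since the thread's DCs run Windows Server 2003.

```powershell
# Added example (not from the thread): check one DC for the USN rollback
# quarantine indicators described in KB 875495. Read-only; it changes nothing.
# Assumes PowerShell 3+ and a local administrator session on the DC.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30   # how far back to search the Directory Service log
    )

    $findings = [ordered]@{}

    # 1. A DC that detects a USN rollback quarantines itself: it sets
    #    "Dsa Not Writable" to 4 and stops inbound and outbound replication.
    $reg = Get-ItemProperty -Path $NtdsParams -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    $dsaNotWritable = if ($reg) { $reg.'Dsa Not Writable' } else { $null }
    $findings['DsaNotWritable']        = $dsaNotWritable
    $findings['QuarantinedByRegistry'] = ($dsaNotWritable -eq 4)

    # 2. Event ID 2095 in the Directory Service log is the rollback detection event.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    $findings['Event2095Count']  = $events.Count
    $findings['LatestEvent2095'] = if ($events.Count -gt 0) {
        ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    } else { $null }

    # 3. Netlogon is paused on a quarantined DC so clients stop authenticating
    #    against a directory whose USNs have been reused.
    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    $findings['NetlogonStatus'] = if ($netlogon) { $netlogon.Status.ToString() } else { 'unknown' }

    $findings['RollbackSuspected'] = $findings['QuarantinedByRegistry'] -or ($findings['Event2095Count'] -gt 0)
    [pscustomobject]$findings
}

# Run on every DC that was ever restored from an image or snapshot. A result with
# RollbackSuspected = True means following the KB's recovery procedure (forcibly
# demote and re-promote), not clearing the registry value by hand.
Test-UsnRollbackIndicators -LookbackDays 90 | Format-List
```

Only DCs patched to detect rollback log the event and set the value; a DC that silently reuses USNs shows nothing here, which is why the KB also has you compare up-to-dateness vectors across replicas with repadmin.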
RE: [ActiveDir] Active Directory wish list
How would LDAP apps easily address multiple AD domains hosted on one server? What if you wanted to make this box a GC for more than one domain? How easily can you configure apps like Exchange to cope with this? I say easily because you talk about SMEs using this function, which are the places that might be less well equipped to figure out the support impact on those apps from having to make them work with this arrangement. Or the cost of buying and implementing upgrades that figure it out for them... that money we saved on the separate hardware boxes just went bye-bye... Oh well, at least multiple domains on one hardware box *sounds* cool.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.

The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already are the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that can't achieve Domain-wide DA level rights, and DCs running on Server Foundation or, now it's called, Server Core, which is a GUI-challenged Windows Server. I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC knows that he really helped out.

All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Monday, October 03, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory wish list

Hi,

With Windows Vista on its way what's on people's wish list as far as Active Directory is concerned? Also are there any big enhancements due?

Thanks
Steven

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/