RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Roger Seielstad
I wasn't thinking of what it required as much as what it provides. I'd assume[1] that it provided comparable functionality on a smaller scale, but apparently there's a reason they want you to deploy the real deal     -

[OT]: RE: [ActiveDir] Finding things in the AD Users/Computers

2003-07-10 Thread Joe
As it should be. All of the advanced view everything features should be enabled on servers and any workstations that get admin tools installed on them. I don't understand the MS thought to hide things from admin level users in the GUIs and making them learn enough to turn the

[ActiveDir] what to do with DMZ servers

2003-07-10 Thread Pelle, Joe
Please help:   My company is currently migrating from an NT domain structure to AD...  I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely...  What DID YOU DO?!!  What are the recommended best practices?   The options we have dis

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Jochen Andries
Hello,   Our servers in the DMZ zone are NOT hooked up to the AD.  For security reasons.   Greetings, Jochen   From: Pelle, Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, 10 July 2003 14:59 To: ActiveDir ([EMAIL PROTECTED])   Please help:   My company is currently migra

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Craig Cerino
We are the same way – any devices we have in our DMZ are stand-alone   -Original Message- From: Jochen Andries [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 9:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] what to do with DMZ servers   Hello,   Our servers in

RE: [OT]: RE: [ActiveDir] Finding things in the AD Users/Computers

2003-07-10 Thread Roger Seielstad
I keep meaning to get around to scripting that for myself, but it's been a while since I've had to do a lot of server builds.     -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. ---

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Roger Seielstad
It would help if you determined what was going to be public access (via DMZ or otherwise) and determined the needs of the applications there.   The other option we've been talking about is AD Application Mode (ADAM) from Microsoft.     -

Re: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread jim . katoe
Not having them in the domain is the most secure option.  If you cannot do that, then recognize that you are increasing potential surface area for hacks. With a separate forest in option 2 you will still need to open several ports to allow the trust.  Search technet for firewall and trust.  Wi

[ActiveDir] Active Directory and AppleTalk Zones

2003-07-10 Thread Canzoneri, Kurt
Hello, Looking for some help on this one. We are moving from a multiple master domain model with multiple two way trusts to Active Directory. The issue is, currently for each domain / physical location we are using the routers (Cisco) to create the AppleTalk zones for our Macs with different netwo

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Raymond McClinnis
I have a question… (Assuming that the Servers in the DMZ are already away from the in-house domain)   If before the upgrade none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade?    :-) Just thinking semi-log

[ActiveDir] OT: A utility to read SID's

2003-07-10 Thread Abbiss, Mark
We are in the middle of migrating users, groups, etc from an existing NT domain into a new AD domain. Does anyone know of a utility that will let me read the SID of objects (users, groups) in the NT domain ? Many thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www

RE: [ActiveDir] OT: A utility to read SID's

2003-07-10 Thread Mark Woods
I've got 2 utils I picked up from somewhere - sid2user & user2sid, interested? -Original Message- From: Abbiss, Mark [mailto:[EMAIL PROTECTED]] Sent: 10 July 2003 16:26 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: A utility to

RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Jackson Shaw
It provides all of the LDAP capabilities of AD without the added baggage of things like DNS, DHCP etc etc – it’s a standalone LDAP directory with additional bells & whistles like:   -  doesn’t need to run on a DC -  multiple instances running on one machine

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rogers, Brian
On this note...can anyone think of any possible reason to have public internet servers on a DMZ in the same forest as your internal AD environment?   -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 11:14 AM To: ActiveDir Subject:

RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Myrick, Todd (NIH/CIT)
Meaning being able to make changes in the metaview to replicate out   It has not been decided.   Todd -Original Message- From: Jackson Shaw [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 09, 2003 8:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Ide

RE: [ActiveDir] Looking up all email addresses

2003-07-10 Thread Steve Lithgow
Hi All, Was just looking this over...    very nice !   Michael,  would you be so kind as to post the code to your search etc...  (so I can shamelessly steal it)  :-) ?   Kudos,   --Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] O

RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Jackson Shaw
We’re going to make the MV writeable…. :-)   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Thursday, July 10, 2003 10:26 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Identity Management using AD   Meaning bein

RE: [ActiveDir] OT: A utility to read SID's

2003-07-10 Thread Thommes, Michael M.
Yep, the tools return user accounts, computer accounts and groups (even on a native W2K domain). I use them every day in a batch job. Mike Thommes Argonne National Laboratory -Original Message- From: Free, Bob [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 12:47 PM To: [EMAIL P

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rogers, Brian
Have the exact same situation here.   We currently have a separate NT domain (for a security boundary) for our INET machines.  These machines exist on a DMZ...and run public internet sites that connect to a SQL backend inside our network.  An ISA server provides the firewa

[ActiveDir] FYI Identity Integration Feature Pack for Microsoft Windows Server Active Directory

2003-07-10 Thread Myrick, Todd (NIH/CIT)
Overview Identity Integration Feature Pack for Microsoft® Windows Server(tm) Active Directory® manages identities and coordinates user details across Microsoft Active Directory, Active Directory Application Mode (ADAM), Microsoft Exchange 2000 Server, and Exchange Server 2003

Re: [ActiveDir] FYI Identity Integration Feature Pack for Microsoft Windows Server Active Directory

2003-07-10 Thread Jerry Welch
Question? When provisioning AD from an ODBC source, will this Identity Integration feature populate Group records in AD? Thanks, Jerry - Original Message - From: Myrick, Todd (NIH/CIT) To: [EMAIL PROTECTED] Sent: Thursday, July 10, 2003 1:26 PM S

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rick Kingslan
Honestly, no.  The risk, IMHO, is just too great.  Extranets with a separate forest with some (read: controlled) synched or replicated data between the forests (internal, DMZ) - or as someone mentioned already, ADAM strikes me as a much better and safer option.   Rick Kingslan  MCSE, MCSA,

RE: [ActiveDir] OT: A utility to read SID's

2003-07-10 Thread Rick Kingslan
Used them just today, as a matter of fact. Still viable. Think I got them from the SystemTools web site some months ago (years??) as the original author no longer supports them, IIRC. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com
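As an added example, not code from the thread or from the sid2user/user2sid tools themselves: the same account-to-SID and SID-to-account lookups done from PowerShell with the .NET SecurityIdentifier and NTAccount classes, plus a dump of every user and group SID in an NT-style domain through the WinNT ADSI provider, which is the SID map a migration needs. The domain name CORP, the account CORP\jdoe and the output file name are assumptions.

```powershell
# Added example; not from the thread. Needs a domain-joined Windows host that can
# reach the source domain. 'CORP' and 'CORP\jdoe' are placeholder names.

function ConvertTo-Sid {
    # user2sid equivalent: 'DOMAIN\name' -> SID string
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    # Translate() goes through the LSA lookup, so NT4 and AD accounts resolve alike
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertFrom-Sid {
    # sid2user equivalent: SID string -> 'DOMAIN\name'
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $s.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-NtDomainSidMap {
    # Enumerate the users and groups of an NT-style domain via the WinNT provider
    # and decode each raw objectSid byte array into S-1-5-21-... form.
    param([Parameter(Mandatory)][string]$Domain)    # NetBIOS name, e.g. 'CORP' (assumed)
    $dom = [ADSI]"WinNT://$Domain"
    foreach ($obj in $dom.Children) {
        # The container also lists computers, services etc.; keep only accounts
        if ($obj.SchemaClassName -notin 'user', 'group') { continue }
        $bytes = $obj.Properties['objectSid'].Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        [pscustomobject]@{
            Name  = $obj.Properties['Name'].Value
            Class = $obj.SchemaClassName
            SID   = $sid.Value
            RID   = [int]$sid.Value.Split('-')[-1]   # 500 = Administrator, 512 = Domain Admins
        }
    }
}

# Usage (assumed names):
ConvertTo-Sid   -Account 'CORP\jdoe'
ConvertFrom-Sid -Sid (ConvertTo-Sid -Account 'CORP\Domain Admins')
Get-NtDomainSidMap -Domain 'CORP' | Export-Csv -NoTypeInformation -Path .\nt-sids.csv
```

Keep the exported map: after the migration it lets you verify that each new object's sIDHistory carries exactly the old SID and nothing else, and the well-known RIDs (500, 512, 519) identify privileged accounts even when someone has renamed them, so compare by SID rather than by name.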

RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Rick Kingslan
You're that sure, are you Jackson?  ;-)   I had this really interesting discussion with Kim, Chuck (Director of AD??) a number of developers and Program and Product Mgrs. in February at the MVP Summit.  I'm absolutely floored that you folks moved that fast on the Identity Mana

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rick Kingslan
Are they daft or are they just convinced that there are no bad people wanting to own your domain?  And, if they implement this empty root/ two domain model, where will each of the domains live?  And the root?   Oh, my goodness.  Has anyone considered how absolutely horrific an

Re: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread David Adner
We created a separate forest in the DMZ, with no tie to our internal AD. The DMZ forest was originally deployed because we needed a MS cluster. While it does have its negative points, one nice thing is easier account management. I know, separately named local accounts with different passwor

[ActiveDir] Virus scanning AD DC's

2003-07-10 Thread Free, Bob
So I'm reading Part 2 of Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations, and I see: "Part 1 of this guide recommends that the SYSVOL folder be excluded from virus scanning. However, excluding SYSVOL increases the risk of a virus attack on a domain cont

Re: [ActiveDir] Virus scanning AD DC's

2003-07-10 Thread David Adner
We use Norton AntiVirus Corporate Edition 7.x and 8.x. We only scan files of certain extensions and only when modified for the real time scanner. We have a weekly full system scan to catch anything that's missed. At least in our environment, this seems to work fine. I know DFS and NAV (and p

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Joe
Separate forest, no trust. The forest because you can't have a domain out there without one and you probably want them in one so you can use domain accounts for services etc that need to chat across the servers unless they are smart applications that use some form of connection

RE: [ActiveDir] Taking DC Offline

2003-07-10 Thread Joe
Two reasons that I have really   1. If that text file gets out, someone besides security WILL have your admin passwords, it isn't a matter of if they will have them. A domain of cracked user passwords is a bad thing, a domain with one cracked admin password is disastrous. The

RE: [ActiveDir] Taking DC Offline

2003-07-10 Thread Joe
Ah I wouldn't say better than any script, but definitely faster.   I totally agree people should be looking at what they can do via batch and scripts. I would go so far to say that an admin who doesn't use batch and/or scripts is more a button pusher than an admin.   --

RE: [ActiveDir] Taking DC Offline

2003-07-10 Thread Joe
Hmm interesting... I will keep it in mind next time I open up that code.   -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Tuesday, July 08, 2003 8:33 AM To: [EMAIL PROTECTED] Subj

RE: [ActiveDir] Taking DC Offline

2003-07-10 Thread Joe
I think you would find it more efficient if you changed it like this

    For Each objUser In objOU
        objUser.lockoutTime = 0
        objUser.SetInfo()
    Next

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen van, JWJ (Joost
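The same lockoutTime reset done from PowerShell against one OU, as an added example that is not Joe's or Joost's code: an LDAP search selects only accounts whose lockoutTime is set, so the loop writes only locked accounts instead of touching every object, and -WhatIf lets the run be rehearsed first. The OU distinguished name is an assumption.

```powershell
# Added example; not code from the thread. Clears lockoutTime on locked accounts
# in one OU. The OU distinguished name below is a placeholder.

function Unlock-OuAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OuDn)   # e.g. 'OU=Staff,DC=corp,DC=example' (assumed)

    $root = [ADSI]"LDAP://$OuDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # lockoutTime is 0 or absent on an unlocked account; >=1 means a DC set it.
    # Caveat: the value is not cleared when lockoutDuration expires, only on the
    # next successful logon, so this may also list accounts that already unlocked
    # themselves. Resetting those to 0 is harmless.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $searcher.PageSize = 500                       # paged search, so >1000 results work
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'lockoutTime'))

    $unlocked = @()
    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['samaccountname'][0]
        $entry = $result.GetDirectoryEntry()
        if ($PSCmdlet.ShouldProcess($name, 'Set lockoutTime=0')) {
            # Same write as the VBScript above: one Put, one SetInfo per account
            $entry.Put('lockoutTime', 0)
            $entry.SetInfo()
            $unlocked += $name
        }
    }
    $unlocked
}

# Rehearse, then run for real (assumed OU):
Unlock-OuAccounts -OuDn 'OU=Staff,DC=corp,DC=example' -WhatIf
Unlock-OuAccounts -OuDn 'OU=Staff,DC=corp,DC=example' -Verbose
```

Run it against a DC in the same site as the one that recorded the lockout, or against the PDC emulator, or the write may race a replica that still holds the non-zero value and the user stays locked until replication catches up.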

RE: [OT]: RE: [ActiveDir] Finding things in the AD Users/Computers

2003-07-10 Thread Joe
Ooh let me know if you do.  I keep meaning to write a script that I can carry on a thumb drive that I can hook into machines I step onto them. An MS guy once told me it was impossible, usually that is enough to get me to go do it but I have been too busy the last couple of yea

RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Joe
I didn't read the entire post, got a new laptop and just scanning quickly so I won't feel guilty about my community helping while wiping XP Home and loading 2k3.     e. Thanks for the nod Rick. Nope I don't do things to this degree but it shouldn't be overly difficult to man

Re: [ActiveDir] Virus scanning AD DC's

2003-07-10 Thread Tony Murray
Bob I think the issue with AV and SYSVOL has largely gone away. Most of the major AV vendors now provide software that does not update the security descriptor. Previously, this was an issue because the modification of the security descriptor triggered replication. For the reasons you menti