date:20060609

Re: [ActiveDir] OT: Security Policy Thoughts

2006-06-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]


Nominations for sucky apps are always welcome at www.threatcode.com


Noah Eiger wrote:

Thanks all for the thoughts. I think that the thing I will need to 
communicate to these folks is simply the tradeoffs and the risks. They 
run many apps that force full admin rights on the workstations and 
have concluded that this is an acceptable risk. We’ll see what they 
say. In the end, I feel okay about it if they are fully cognizant of 
the risks and then accept them. Maybe I’ll put something in about 
double the hourly rate for cleanup ;-)


 


-- nme

 

P.S. Brian, could you elaborate on the inexpensive NAC products? I see 
that IAS will be a RADIUS provider to 802.1x switches. Is there a 
feature set within the IOS that can handle this (Catalyst 29xx and 
35xx) or is it a separate device?


 




*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, June 08, 2006 9:05 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

 

*They’re keeping me a little busy down at the fun factory, so I’m up 
pretty late. Actually I just flew back in yesterday from a client so I 
was handling backlog.*


* *

*How is .1x cost prohibitive. Have you looked at the NAC products most 
major VPN providers have to handle your fears about viruses and such? 
Also realize you don’t need to open a lot of the ports representative 
of that sort of stuff. Lock it down by job role. *


* *

*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED]

* *

*c - 312.731.3132*

* *

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger

*Sent:* Thursday, June 08, 2006 12:59 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

 


Thanks, Brian. Don’t you sleep? It’s late in Chicago ;-)

 

802.1x is the direction they are heading. Right now, it is 
cost-prohibitive. So the question is less “can I control this access” 
but “should I”? Is that over-reacting?


 

Again with the VPN. My thoughts were to push it with an MSI, so I see 
/how/ to control its distribution. The question is /should/ I limit it 
to just the domain computers? How big is the risk? If the risk from 
home computers is virus and malware, how do I justify preventing folks 
from running it on their home Macs?


 


Thanks.

 


-- nme

 




*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Wednesday, June 07, 2006 10:43 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

 

*My suggestion is that you implement 802.1x port auth to implement 
port based authentication. You can use this to implement guest vlans 
with the policy routing you describe.*


* *

*Isn’t the Cisco VPN a MSI? Use Group Policy or SMS if you have it. 
You can do some NAC stuff with Cisco VPN as well as the personal 
firewall built into it. *


* *

*I don’t see how you plan to prohibit OS X at least – put it on the 
guest vlan if you must, but, realize that the marketing, pr, etc 
people may live in a Mac world. *


* *

*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]*

* *

*c - 312.731.3132*

* *

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger

*Sent:* Thursday, June 08, 2006 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Security Policy Thoughts

 


Hi:

 

I am facing some IT policy questions and wanted to get some 
perspectives. In each of these areas, I am trying determine how 
restrictive I need to be. The client has four sites connected over 
high-speed links. I have good backing from management but will 
undoubtedly get resistance on some of these.


 

The client is small, under 200 employees with most in one office. Some 
small field offices are not managed (i.e., have workgroup networks, 
often with a small server, but no AD). There are no SOX requirements 
and the data are not sensitive (e.g., no credit cards). Almost 
entirely Windows XP; all DC’s run W2k3.


 


Any thoughts on these topics welcome.

 

_Connecting to the wired network_. They do not run any IDS or 
machine-based authentication. Given that, written policy carries some 
weight. I want to require all non-domain machines to connect only to a 
“public” VLAN that goes only to the Internet. I would apply this even 
to staff “personal” computers, those of contractors (including me), 
and machines from those field offices that are not on the domain.


 

_VPN_. They run a Cisco VPN. I want to distribute the client only to 
domain-based machines. Others want the client for their home 
computers, etc.


 

_Other Operating Systems_. I don’t want to allow other OS’s on the 
network, unless we manage them. But what is the threat posed by a 
Linux or OS X box on the network?


 


As always, many thanks.

 


-- nme

 

 

 


--
No virus found in this outgoing

RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-09 Thread Brian Desmond









NAC != .1x. 



The 3560 will certainly do the port based auth, and I believe
the 2950 will as well. I have the configs around. Its pretty well explained in
the config guide, though. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Noah Eiger
Sent: Friday, June 09, 2006 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts







Thanks all for the thoughts. I
think that the thing I will need to communicate to these folks is simply the
tradeoffs and the risks. They run many apps that force full admin rights on the
workstations and have concluded that this is an acceptable risk. Well see what
they say. In the end, I feel okay about it if they are fully cognizant of the
risks and then accept them. Maybe Ill put something in about double the hourly
rate for cleanup ;-)



-- nme



P.S. Brian, could you elaborate on
the inexpensive NAC products? I see that IAS will be a RADIUS provider to
802.1x switches. Is there a feature set within the IOS that can handle this
(Catalyst 29xx and 35xx) or is it a separate device?















From: Brian Desmond
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 08, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts





Theyre keeping me a little busy down at the fun factory, so Im
up pretty late. Actually I just flew back in yesterday from a client so I was
handling backlog.



How is .1x cost prohibitive. Have you looked at the NAC products
most major VPN providers have to handle your fears about viruses and such? Also
realize you dont need to open a lot of the ports representative of that sort
of stuff. Lock it down by job role. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts







Thanks,
Brian. Dont you sleep? Its late in Chicago ;-)



802.1x is
the direction they are heading. Right now, it is cost-prohibitive. So the
question is less can I control this access but should I? Is that over-reacting?



Again with
the VPN. My thoughts were to push it with an MSI, so I see how to
control its distribution. The question is should I limit it to just the
domain computers? How big is the risk? If the risk from home computers is virus
and malware, how do I justify preventing folks from running it on their home
Macs?



Thanks.



-- nme



















From: Brian Desmond
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 07, 2006 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts





My suggestion is that you implement 802.1x port auth to
implement port based authentication. You can use this to implement guest vlans
with the policy routing you describe.



Isnt the Cisco VPN a MSI? Use Group Policy or SMS if you have
it. You can do some NAC stuff with Cisco VPN as well as the personal firewall
built into it. 



I dont see how you plan to prohibit OS X at least  put it on
the guest vlan if you must, but, realize that the marketing, pr, etc people may
live in a Mac world. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts







Hi:



I am facing some IT policy
questions and wanted to get some perspectives. In each of these areas, I am
trying determine how restrictive I need to be. The client has four sites connected
over high-speed links. I have good backing from management but will undoubtedly
get resistance on some of these.



The client is small, under 200
employees with most in one office. Some small field offices are not managed
(i.e., have workgroup networks, often with a small server, but no AD). There
are no SOX requirements and the data are not sensitive (e.g., no credit cards).
Almost entirely Windows XP; all DCs run W2k3.



Any thoughts on these topics
welcome.



Connecting to the wired network.
They do not run any IDS or machine-based authentication. Given that, written
policy carries some weight. I want to require all non-domain machines to
connect only to a public VLAN that goes only to the Internet. I would apply
this even to staff personal computers, those of contractors (including me),
and machines from those field offices that are not on the domain.



VPN. They run a Cisco VPN.
I want to distribute the client only to domain-based machines. Others want the
client for their home computers, etc.



Other Operating Systems. I
dont want to allow other OSs on the network, unless we manage them. But what
is the threat posed by a Linux or OS X box on the network?



As always, many

Re : [ActiveDir] AD LDAP Logging.

2006-06-09 Thread Yann

Hello Tony,

Very usefull information ! Thanks.
i enabled this config:
15 Field Engineering to 5
Expensive Search Results Threshold to 1

Here arethe LDAP operation, :

1644INFORMATIONALNTDS GeneralFri Jun 09 09:55:16 2006childdomain\user1Internal event: A client issued a search operation with the following options. Client:11.22.33.44 Starting node: OU=MyOU OU=myou1DC=childdomainDC=parentDomain DC=rootDC=fr Filter: (objectClass=user) Search scope: subtree Attribute selection: givenNamesAMAccountNamesn Server controls: Visited entries: 63 Returned entries: 58 

Followed by this:
1139INFORMATIONALNTDS LDAPFri Jun 09 09:55:16 2006childdomain\user1Internal event: Function ldap_search completed with an elapsed time of 16 ms.

= for 63 visited entries, only 58 are returned and the ldap search lasted16 ms (Sometimes the ldap search took 140 ms...).

Questions: 
Would the IDs 1644 + 1139 tell me that the web app. is performing Inefficient and Expensive LDAP Query to my DC ? 

Thanks for advices,

Yann


 Message d'origine De : Tony Murray [EMAIL PROTECTED]À : ActiveDir@mail.activedir.orgEnvoyé le : Mercredi, 7 Juin 2006, 11h16mn 33sObjet: RE: [ActiveDir] AD LDAP Logging.




Hi Yann

One option would be to enable logging of all LDAP searches against the DC.

http://www.activedir.org/article.aspx?aid=97

Tony
PS. We’re just loading a new version of the site, so it might take a few minutes before you can load the page.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of YannSent: Thursday, 8 June 2006 6:39 a.m.To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD LDAP Logging.


Hello ,



I need advices about troubleshooting LDAP connections to one of my DC in my AD2k3.

An application named ZOPE running on a linux box accesses my DC.

Users use a web page, viaZOPE application, that connect to my DC to list users information. Sometimes, users are disconnected to my DC and the admin that is responsible for the ZOPE app. called me to resolve this issue.



What arethe different steps to tshoot possible problem with LDAP connections to my DC ?



Thanks in advance for help,



Yann


__Do You Yahoo!?En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail 
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

[ActiveDir] FW: OT: Exchange OMA

2006-06-09 Thread ActiveDir









Hi, This is a bit off topic but one
of my colleagues is trying to establish if anyone has any experience of the
following issue when using OMA. This is his posting from other
newsgroups. As yet he has had no response. I know this list
is quite good even off topic so I offered to post here too.



Cheers in advance.





I have a single Exchange 2003 SP2 Server
that is also a GC running Windows

Server 2003 SP1.



The Server is setup for forms based
authentication and requires SSL for OWA.



Access to OMA is not working with the
following event being logged on the

exchange server every time the OMA app
fails.



Event Type: Error

Event Source: MSExchangeOMA

Event Category: (1000)

Event ID: 1503

Date: 02/06/2006

Time: 14:24:51

User: N/A

Computer: FLINTJACK

Description:

An unknown error occurred while processing
the current request:

Message: Input string was not in a correct
format.

Source: mscorlib

Stack trace:

 at
System.Number.ParseInt32(String s, NumberStyles style,

NumberFormatInfo info)

 at
System.Web.Mobile.MobileCapabilities.get_ScreenCharactersWidth()

 at
Microsoft.Exchange.OMA.UserInterface.MainMenu.OnInit(EventArgs e)

 at
System.Web.UI.Control.InitRecursive(Control namingContainer)

 at
System.Web.UI.Control.AddedControl(Control control, Int32 index)

 at
System.Web.UI.MobileControls.MobilePage.AddedControl(Control control,

Int32 index)

 at
System.Web.UI.ControlCollection.Add(Control child)

 at
Microsoft.Exchange.OMA.UserInterface.Page.Page_Load(Object sender,

EventArgs e)

 at
System.Web.UI.Control.OnLoad(EventArgs e)

 at
System.Web.UI.MobileControls.MobilePage.OnLoad(EventArgs e)

 at
System.Web.UI.Control.LoadRecursive()

 at
System.Web.UI.Page.ProcessRequestMain()



Message: Exception of type
System.Web.HttpUnhandledException was thrown.

Source: System.Web

Stack trace:

 at
System.Web.UI.Page.HandleError(Exception e)

 at
System.Web.UI.Page.ProcessRequestMain()

 at
System.Web.UI.Page.ProcessRequest()

 at System.Web.UI.Page.ProcessRequest(HttpContext
context)

 at

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()

 at
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean

completedSynchronously)





Also get the following in IE 6.0 SP2



A System error has occurred while
processing your request. Please try again.

If the problem persists, contact your
administrator.

Home



For more information, see Help and Support
Center at

http://go.microsoft.com/fwlink/events.asp.



I have been through KBs 817379, 842119,
898131 all with no resolution.

The server is patched up with no critical
downloads available from Microsoft

and has the following hotfixes:

907747, 911829, 916640, 916803



The server is also running Trend Micro
Scanmail version 7.0 with the latest

pattern files and updates applied. I cannot
find anything in Trend Micro

KB's on this issue and there are no
warnings of any virus detections in

either this or the file virus scanner which
is Symantect Anti Virus version

10.1.0.394 and it is excluding the exchange
directories.



Interestingly if I test this locally using
localhost/oma it works perfectly

well until I try this remotely from another
server, then after the failure

from the other server I get the issue
locally as well and OMA stops working.



So it appears that something remotely is
causing the OMA application in the

ExchangeMobileBrowseApplicationPool to die.
Recycling the app pool allows me

to restart the application and this works again
locally. The identity for

this application pool is correctly set to
Network Service.



I have have no host headers and although
ASP 2.0 is installed the Web Sites

are all set to use ASP 1.1.



OWA works perfectly, I cannot test
ActiveSync as I have no device and I have

not setup an emulator.



It seems to me OMA is not as robust as
hoped as there are still lots of

issues arounf event ID 1503.



Any help appreciated.

RE: [ActiveDir] AD LDAP Logging.

2006-06-09 Thread joe




When you change that threshhold you are specifying how 
expensive you want the query to be before AD reports it.

Changing "Expensive" to 1, according to the docs means that 
as soon as a query has to look atone or more entries it will be logged. 
So when you turn down that value, you are telling it to log pretty much 
everything. 

That being said, unless you have changed your schema, 
objectclass isn't indexed and a filter with no indexed attributes is generally 
considered inefficient unless it is properly scoped. The fact that you are 
returning 58 of 63 entries means that that isn't too bad, but just the same, I 
would work on getting the query changed to using an indexed attribute or more 
likely, because so many apps/scripts screw up around objectclass,indexing 
objectclass AND getting the query changed.

When you see big noticable deltas in how long the same 
query takes to run, it is usually a couple of things that could be at fault, 
possibly Eric will pipe in with more. The first is that the DC is tied up with 
something else and just can't give you the proc time, the other is that it has 
to go to disk instead of pulling from cache. Either way you should be looking at 
your perf counters to see how the DC is performing. I tend to really look at 
disk counters because that is where it often falls down at. Things like disk 
queue and and number of read ops for the DIT drive (write ops are usually a 
rounding error except during heavy population periods)are the things I 
immediately focus on. Just seeing the number of read ops doesn't help, you have 
to understand your disk architecture because on some systems 500 read ops may be 
just fine, but on others it could beover what the disk system is capable 
of sustaining so you start backing up. As a quick rule of thumbI start 
with the assumptionthat each spindle that is part of the volume gives you 
100 IOPS capability. That can be generous so if you are on the edge keep that in 
mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is 
unlikely disk is your bottleneck[1] and the disk queues should bear that 
out.Of course I tend to focus on disk because I memory is almost always 
boosted up there because most people realize how important RAM is but only folks 
who think about Exchange tend to think about disk and the only guideline I have 
seen from MSFT recommends 3 RAID-1 sets for anything above several thousand 
users which I don't feel is very good. Again, as a general rule I would rather 
see a single RAID 0+1 (or even better if you don't care about faul tolerance a 
RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion 
conversations we have had here on the list about disk layouts. 


 joe




[1] Virtualization really screws with this from the disk 
standpoint because you need to look at counters for the physical machine and 
while your DC may not be generating many read ops, if other virtual machines 
are, you could be slowed down considerably by those without the Read Ops 
reflecting much on the individual DC.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
YannSent: Friday, June 09, 2006 5:31 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re : [ActiveDir] AD LDAP 
Logging.


Hello 
Tony,

Very 
usefull information ! Thanks.
i 
enabled this config:
15 Field 
Engineering to 5
Expensive Search Results 
Threshold to 1

Here 
arethe LDAP operation, :

1644INFORMATIONALNTDS 
GeneralFri Jun 09 09:55:16 2006childdomain\user1Internal 
event: A client issued a search operation with the following 
options. 
Client:11.22.33.44 Starting node: OU=MyOU 
OU=myou1DC=childdomainDC=parentDomain 
DC=rootDC=fr Filter: 
(objectClass=user) Search scope: 
subtree Attribute selection: 
givenNamesAMAccountNamesn Server 
controls: Visited entries: 
63 Returned entries: 58 

Followed 
by this:
1139INFORMATIONALNTDS 
LDAPFri Jun 09 09:55:16 2006childdomain\user1Internal event: 
Function ldap_search completed with an elapsed time of 16 ms.

= 
for 63 visited entries, only 58 are returned and the ldap search 
lasted16 ms (Sometimes the ldap search took 140 ms...).

Questions: 

Would 
the IDs 1644 + 1139 tell me that the web app. is performing Inefficient and 
Expensive LDAP Query to my DC ? 

Thanks 
for advices,

Yann


 
Message d'origine De : Tony Murray [EMAIL PROTECTED]À 
: ActiveDir@mail.activedir.orgEnvoyé le : Mercredi, 7 Juin 2006, 11h16mn 
33sObjet: RE: [ActiveDir] AD LDAP Logging.




Hi Yann

One option would be to enable logging of 
all LDAP searches against the DC.

http://www.activedir.org/article.aspx?aid=97

Tony
PS. Were just loading a new version 
of the site, so it might take a few minutes before you can load the 
page.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
YannSent: Thursday, 8 June 2006 6:39 a.m.To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD LDAP 
Logging.

Re: [ActiveDir] SBS and reducing downtime on crash

2006-06-09 Thread Bart Van den Wyngaert

Totally agree on the points said by Susan. Practive is important though, it's even documented by MS and that works just fine. And I use the built in backup, no issues poped up and I had the server up and running in now time!

On 6/8/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
1.Go to TechEd 2006 in Boston2.Go to Jeff Middleton's Myths of DR on SBSAny questions?
Okay so seriously...3.Remember that under the hood we're AD.. so even though the big guysaround here cringe at a single DC, all on one box.. all the tricks forAD restoration still work.Okay Susan's first and foremost SBS rule of DR
1. Buy good hardware.I have been running SBS since SBS 4.0 and here's what nailed me in the pastNIC diedHub died (back when we did hubs)NIC diedSwitch diedHarddrive dropped off raid
Switch froze up required hard reset(just two weeks ago.. good excusefor upgrading to gig switches don't you think?)In all those years I've had minimal downtime.Notice that I've onlylost one drive and that was on my adaptec raid screaming like crazy but
the network still chugged just fine ..so these days I buy spare nics andharddrives.I've also always had SCSI drives, and with my current baby (HP) havethat lovely hardware monitoring stuff that sends me emails when the
hardware gets even a sniffle.Now I have a Dell OEM with IDE drives and it's not a server and you canso tell.The SATA drive ones are ... well ask us again in aboutanother year or so of the 'three year let's see how they do compared to
SCSI'.My home server is a cheap SATA HP but even that is better thanthe cheap Dell OEM version I got.Lesson 1 - buy HP.. buy good server quality hardware.2.Consider adding to that backup a drive image software
(okay someone go tell the Garage door guy, the AD guru and the Joewareguy to stick fingers in their ears and don't read this)We are only one DC.It's a little hard to have replication andtombstone issues when you only have one AD.Acronis may not say they
will support imaging a DC... but when you only have one... it's not abiggie and it works.We've done it.Heck we can even restore a systemstate that's getting gray hairs.When you only have one...sometimes
you can do things that in big server land you absolutely would neverever do.3.Consider adding a secondary DC.These days with virtual pc/server/vmware load up a server os on aworkstation even and park an additional domain controller to replicate
that AD.4.Practice that restore.A few days to get it back in the air?Worst case scenerio... Hurricane Katrina.. Jeff Middleton is from NewOrleans Louisiana.. you know what he found? (and I'm ccing him so he can
chat with you more directly).. ever try to buy a server hardware in acomputer store?He was buying MCE editions as they were the beefierones have offsite backups of mediaas he was scrambling in some
cases to get the right media.Sometimes it was the little things thatnailed him.Your worst case scenerio is replacing that hardware... bare metalrecovery in the 2k3 era is not the same as we had it in the 2k era with
the SFN issues.SBS is no different of a DR recovery than the big guys... it justmagnifies it is allIn a normal DR setup ... to get that back in the air.. on an SBS box?Not if you know what you are doing and have practiced.
5.Cold server rights.If you have SA you have cold serverrightsyou can park another server with a copy of the OS and thenturn it off and leave it.Okay now let's review some of that 'the firm is down'.
1.Cached credentials, cached outlook means that the server can dropoff the face of the earth and the workstations just kinda hang out untilit comes back on.2.Have alternative ways to get to key data.I have a robocopy that
pulls a copy of certain folders over to a spare drive on myworkstation.. Excel and Word docs.. should the gang absopositively needto get into a doc for a case, even if the server is down, we have aduplicate that can be gotten into.
But honestly we're no different of a DR story than the big guys..a tadmore complicated due to the all on one box... but the same rules applyRAIDHardwaredon't skimpPracticeDecide if you are not going to do the secondary DC and to a server
image...or do the secondary DC and don't image.and don't panic.and in my case I'm calling Jeff and paying him to bemy calm DR buddy should something occur...btw I don't like Veritas in a single SBS setup.. the built in SBS backup
works fine.. if you need to backup additional servers, then do VeritasQuatro Info wrote:Hi all,Have a general question / case.On small companies ( 10 - 20 employees), what config is the best to set the downtime in case of a crash to a minimum. Especially in
a SBS environment / small company.Lets keep it an easy example: -company has 15 employees -15 XP workstations -one SBS 2k3 server installed with all necessary tools etc..veritas backup exec / groupshield etc etc..
-raid mirror installed -network is configured well...firewall / updates etcLets say all ingredients are

44 matches

Mail list logo