Roger,

I must agree with you and the others here... I guess my question is, have the
people involved actually been informed of the risks and consequences of
delegating management of Sites and Services to a "junior" admin?

Basically, without a properly configured sites and services you can bring AD
to its knees, with improper replication and inefficient use of domain
controllers and GC's.

I recently took over management of AD from another organisation to whom it
was outsourced, and there were a number of issues with the S&S config,
essentially meaning AD replication was taking several hours for a network
over a gbit backbone. Users in remote sites over a 256/128k link were using
servers on the other side of the country for DC and GC queries, basically
some serious problems.  Management of S&S is really something that should be
performed by your "senior" AD Admins, or your comms team (if you have a
dedicated team).  Sure, you can change the rights in S&S to let lower end
admins change the config, but make sure you stress on the organisation the
importance of AT LEAST having some sort of change control process applied.
Otherwise you can start getting weird problems affecting all sorts of AD
related applications / services (like exchange), which makes for unhappy
people all around (except for the guys troubleshooting I guess, they would
get a fair bit of overtime *grin*).

And I agree with Roger again, modifying the S&S config is something that
shouldn't be done very often (unless you change your comms topology, or add
additional sites or subnets), therefore leave it to the admins who are
senior enough to know what they are doing.

My $0.02

G.




----- Original Message -----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 29, 2003 8:41 AM
Subject: RE: [ActiveDir] delegation of root domain admin


> I'm not sure anyone has told me I'm right and wrong so many times in one
> sentence before. Well, maybe my wife did...
>
> Anyway - yes, you have a valid point, and a lot of the rationale behind
> how you handle it has to come from what your role is - whether you're hired
> to do a specific job or if you're hired to architect the solution. If it's
> the former, Rick is correct - if the latter then I'd push them against it.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 28, 2003 6:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> >
> > Graham,
> >
> > If you need to delegate specific functional abilities to a
> > non-administrative person, you will need to go to Active
> > Directory Sites and Services -> Sites folder <Rt-Clk> ->
> > Delegate -> Select the user -> Check Site objects and Subnet
> > objects -> select what you want the Jr. Admin to do from there.
> >
> > This is just a basic overview.  There is a lot more to it
> > than this, but this will give you enough to begin testing to
> > see cause / effect.  I'd highly recommend that you pick up a
> > copy of "Inside Active Directory" which does the best job
> > that I have seen to date of detailing permissions at the
> > attribute level and how to apply them.  This book, with a
> > test server, will really boost anyone's understanding of this
> > elusive topic.
> >
> > Now - my commentary.  Roger's right - and, respectfully,
> > Roger's wrong. But, Roger can be both in this case.  He
> > correctly says that just because the client wants it, doesn't
> > mean that he should necessarily get it.
> >
> > Unfortunately, he's wrong here, too.  If you're getting paid
> > to do a job (as employee or contractor) AND you have
> > explained the risks involved in the decisions that your
> > employer is making AND they have agreed (get it on
> > paper) to ASSUME THE RISK - then do whatever it is that they
> > want.  I face this daily - I am asked to do things that are
> > patently wrong and insecure. But, I am told to do it.  I ask
> > for an e-mail from my boss or said person's boss (copying my
> > boss) and I do it.  Why?  Because I am the doer.  The other
> > person is assuming the risk.
> >
> > Has there ever been a time when I have been ready to quit
> > over a decision? Yep - but, IMHO, it's much bigger than the
> > risk that is being assumed here. Yep, replication is at risk.
> >  Subnet objects are at risk.  Life goes on. But, challenge
> > HIPAA or Gramm-Leach-Bliley, now we're talking risks I won't assume.
> >
> > Make your own decision, Graham.  But, Roger does have a point.
> >
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Wednesday, May 28, 2003 12:44 PM
> > To: [EMAIL PROTECTED]
> >
> > Roger, I won't disagree with a word you say!!
> >
> > am trying to accommodate the administrative requirement of the client
> >
> > can you remind me what permissions (group membership) are
> > required for sites / subnet administration
> >
> > GT
> >
> > ----- Original Message -----
> > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 28, 2003 6:34 PM
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> >
> > > Lord no - I wouldn't trust sites and subnet changes to lower level
> > > admins. One bad change and an entire site (or sites) lose replication.
> > >
> > > Also, even considering that I've worked for two fairly fast paced and
> > > very dynamic companies, post-deployment I rarely make changes to
> > > either. In fact, I have made exactly two changes in the last 12 months,
> > > both supporting office moves.
> > >
> > > Keep in mind what modifying each of these items actually represents -
> > > you're affecting a number of areas of AD other than just which domain
> > > controllers are used for authentication. You're affecting replication
> > > topology, group policy application, and a number of other factors.
> > >
> > > Personally, I don't think any of the administration relegated to a
> > > root domain within an empty root style forest should be done by junior
> > > admins. Especially unsupervised.
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, May 28, 2003 12:58 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] delegation of root domain admin
> > > >
> > > >
> > > > Roger, thank you for your reply.
> > > >
> > > > It would seem what I am trying to separate here is the admin of the
> > > > sites / subnets - a generally low impact change - from that of the
> > > > rest of the forest root.
> > > >
> > > > Not sure of the default permissions to administer sites / subnets -
> > > > but I would guess under default ACLs this needs to be fairly highly
> > > > privileged??
> > > >
> > > > I would agree with totally separate accounts for schema admin.
> > > >
> > > > But not necessarily sites and subnets, which is a much more frequent
> > > > occurrence and generally assigned to a more junior administrator and
> > > > by corollary should not be assigned a privileged account.
> > > >
> > > > GT
> > > >
> > > > ----- Original Message -----
> > > > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, May 28, 2003 5:12 PM
> > > > Subject: RE: [ActiveDir] delegation of root domain admin
> > > >
> > > >
> > > > > In general, I'd say not to do it at all, although there is no
> > > > > *technical* reason it can't be done - at least none of which I
> > > > > am aware.
> > > > >
> > > > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> > > > > - General User account
> > > > > - Production Domain admin account
> > > > > - Root Domain admin account
> > > > >
> > > > > It is probably a little bit of overkill to have 2 different admin
> > > > > accounts, rather than one, but the reality is that I rarely need to
> > > > > log in as the root admin account. Since that account also has
> > > > > Enterprise and Schema admin privileges, I find it a bit too powerful
> > > > > to use day to day for admin work.
> > > > >
> > > > > The other piece of the puzzle is that you created an empty root
> > > > > for the reason of separating administration from the main (I call
> > > > > it production) domain. Why undo that by creating cross domain
> > > > > delegation of administrative rights?
> > > > >
> > > > > Roger
> > > > > --------------------------------------------------------------
> > > > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > > > > Inovis Inc.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [ActiveDir] delegation of root domain admin
> > > > > >
> > > > > >
> > > > > > Apologies if I have already posted here, but this still remains
> > > > > > on my issue log.
> > > > > >
> > > > > > Would very much like to be able to get information on strategies
> > > > > > for the delegation of site / subnet administration (on forest
> > > > > > root DCs) to child domain security principals.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > GT
> > > > > >
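As an added example that is not part of any post in this thread: Rick's "Sites folder -> Delegate" procedure writes ACEs on the Sites container of the Configuration partition, and G.'s change-control point needs a way to see who currently holds such rights. The PowerShell audit below lists every non-default trustee with write-type rights there; it assumes the ActiveDirectory (RSAT) module, a domain-joined session, and a list of out-of-the-box trustees that is an assumption to check against your own forest.

```powershell
# Added example (not from the thread): list non-default trustees holding write
# rights on the Sites container, where the "Sites folder -> Delegate" wizard
# Rick describes writes its ACEs. Assumes the ActiveDirectory (RSAT) module in
# a domain-joined session with read access to the Configuration partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"

# Resolve the site and subnet class GUIDs from the schema instead of hard-coding
# them, so ACE object types can be reported by class name.
$className = @{ ([guid]::Empty) = '(all classes)' }
foreach ($cls in 'site', 'subnet') {
    $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID
    $className[[guid]::new($schemaObj.schemaIDGUID)] = $cls
}

# Trustees that hold rights here out of the box (assumption; adjust for your
# forest). Anything else is a delegation that change control should know about.
$expectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', '*\Enterprise Admins')

$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Resolve-ClassGuid([guid]$g) {
    if ($className.ContainsKey($g)) { $className[$g] } else { $g.ToString() }
}

function Get-SitesDelegation {
    foreach ($ace in (Get-Acl -Path "AD:\$sitesDn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($expectedTrustees | Where-Object { $who -like $_ }) { continue }
        [pscustomobject]@{
            Trustee    = $who
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = Resolve-ClassGuid $ace.ObjectType          # child class or attribute covered
            AppliesTo  = Resolve-ClassGuid $ace.InheritedObjectType # class the ACE is scoped to
            Inherited  = $ace.IsInherited
        }
    }
}

Get-SitesDelegation | Format-Table -AutoSize
```

Run it before and after a delegation change and diff the output; a trustee scoped to the site and subnet classes only is the least-privilege shape Rick's wizard produces, while GenericAll on "(all classes)" is the kind of grant the thread warns about.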


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
