Joe, if you don't mind a dumb question: what tools do you use to manage that many servers?

Dan

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegate Access for DC servers (2003)

Yep, we have a centralized and well organized team of three people managing our 380 or so DCs around the world. 400 servers total when you take into account utility boxes and dedicated WINS hub servers. We are the only ones in the world who can log into those boxes interactively or even see the file system other than SYSVOL. Between various domain controller hardware issues, shutdowns, group creation requests, server object creation requests, and a hodgepodge of other issues, we processed over 6000 official trouble tickets in the last year. I don't know how many thousands of email requests and questions. Our team rocks.

If anyone else has to see the file system of the DC, they do it after it is demoted or after wiping the box. The security is there to prevent accidental screwups or admins who think they know more than we do, more than anything else. We don't have an option but to put DCs out into sites, and obviously doing that means there is a possibility of a DC being snagged and someone attempting to hack it. There have been times when we couldn't shut a DC down fast enough, but then I don't think anyone could have shut them down fast enough; the flood in Prague comes to mind. If worst comes to worst, someone can cut the power. We don't like powering down DCs that way, but if we do, we bring them back up and hope they work. If not, we rebuild them.

We use Dell's DRAC solution pretty effectively. We are now being forced to use IBM's RSAs and have to say that it is a huge step backwards. IBM needs to take that pixie dust away from the engineers in the back room - I don't think they had a clue how people were actually doing support. Any time you work with someone from any company and they are telling you about their scalable enterprise solution, ask them about the CLI support. When they were first showing us the RSA stuff 12-18 months ago I asked about that (during the height of the pixie dust commercials and the "where did all the servers go" commercials) and I garnered blank stares for my trouble. Didn't fill me with confidence, and a year later I still don't have it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, December 09, 2003 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegate Access for DC servers (2003)

It really depends on your security requirements. I would definitely NOT grant any non-domain admin permissions to install any fixes on a DC or anything to that extent. However, if you have many distributed DCs, you will need to allow physical access to the DCs to other individuals. You've already taken the first risk, which is to allow a DC to be physically insecure (hopefully it's at least in some locked server room). Realize that there is no way a DC will be really secure if someone else has physical access to it - there is really only one tool on the market that helps mitigate this risk (NetPro's Directory Lockdown tool). So I wouldn't take it as far as Joe with demoting the server and then maybe re-promoting it later on - that's not necessarily more secure either. If you can ensure, via a well organized and centralized domain admin team, that they'll be capable of shutting down any DC at any time (e.g. via script, Terminal Services or even out-of-band management tools such as the RILO boards), then this should be the preferred path. Local staff could then fix HW issues once a remote domain admin has shut down the DC.

If you do need to be more independent in the local site and have some valid reason for requiring permissions on a per-DC basis, then you can do so by adding OUs for each site containing a DC underneath the Domain Controllers OU and configuring additional GPOs with special user rights for the specific site (e.g. granting local IT staff the user right to remotely shut down this DC). There is some discussion at MS regarding the supportability (this discussion has been going on for as long as AD has been released, almost 4 years ago...), but I've deployed this solution quite often and it works like a charm.

/Guido

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 07, 2003 04:48
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegate Access for DC servers (2003)

I would say you are going to have very little luck doing this. Our solution is to demote DCs when local site folks need to deal with hardware issues, or we delete the machine from AD and let the site reload it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Morley, Scott
Sent: Thursday, December 04, 2003 2:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delegate Access for DC servers (2003)

All,

I am challenged with providing a level of access to Domain Controllers that would allow individuals to access the OS and fix any hardware issues, but not impact Active Directory (2003). Any thoughts or articles that anyone can point my way?

Scott Morley
MCSE 2000/4.0, Exchange 2000/5.5, MCT, CCNA, CNE, CNI
Senior Systems Engineer/Architect
Global Messaging Services, Starwood Technology Center
Starwood Hotels and Resorts, Worldwide
Phone: 781-348-7120

Learning is not compulsory... neither is survival. - W. Edwards Deming

This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged. The information is intended only for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying or distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
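Guido's per-site OU approach (a sub-OU for each site under the Domain Controllers OU, with a site-specific GPO granting local staff the remote-shutdown user right), written out as an added example. This is not a script anyone posted in the thread; it assumes a hypothetical site "PRG", a DC "DC-PRG-01" and a site-staff group "SiteAdmins-PRG", and it uses the ActiveDirectory and GroupPolicy PowerShell modules, which did not exist in 2003 (the same structure was built by hand in the AD Users and Computers and GPMC consoles then). It goes one step beyond Guido's text by also denying the site group interactive and Remote Desktop logon in the same template, matching Joe's practice of keeping interactive logon to the central team. User Rights Assignment has no GroupPolicy cmdlet, so the script writes the security-template fragment (GptTmpl.inf `[Privilege Rights]` syntax) to a file for import into the GPO through GPMC rather than editing SYSVOL directly.

```powershell
# Added example, not from the thread. Assumed names: site 'PRG', DC 'DC-PRG-01',
# group 'SiteAdmins-PRG'. Run from an admin workstation as a Domain Admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Site      = 'PRG'
$DcName    = 'DC-PRG-01'
$SiteGroup = 'SiteAdmins-PRG'

$domain   = Get-ADDomain
$dcOuDn   = "OU=Domain Controllers,$($domain.DistinguishedName)"
$siteOuDn = "OU=$Site,$dcOuDn"

# 1. Per-site OU underneath the Domain Controllers OU. It inherits the Default
#    Domain Controllers Policy, so baseline DC settings still apply in the sub-OU.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$Site)" -SearchBase $dcOuDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $Site -Path $dcOuDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move only this site's DC computer object; every other DC stays in the parent OU,
#    so nothing delegated here can reach DCs in other sites.
$dc = Get-ADDomainController -Identity $DcName
if ($dc.ComputerObjectDN -notlike "*,$siteOuDn") {
    Move-ADObject -Identity $dc.ComputerObjectDN -TargetPath $siteOuDn
}

# 3. A GPO linked to the site OU only.
$gpoName = "DC Site Delegation - $Site"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Per-site user rights for $SiteGroup"
}
New-GPLink -Name $gpoName -Target $siteOuDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. User rights live in the GPO's security template, not in any GroupPolicy cmdlet.
#    Build the [Privilege Rights] fragment with the group's SID. Note that a user-right
#    setting in a GPO REPLACES the existing holder list rather than adding to it, so the
#    built-in Administrators (S-1-5-32-544) and Server Operators (S-1-5-32-549) that hold
#    'Force shutdown from a remote system' on a DC by default are listed explicitly.
$sid = (Get-ADGroup -Identity $SiteGroup).SID.Value
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*$sid
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
"@
$templatePath = Join-Path $env:TEMP "DC-Site-$Site.inf"
$template | Set-Content -Path $templatePath -Encoding Unicode
Write-Host "Security template written to $templatePath."
Write-Host "Import it into GPO '$gpoName' via GPMC: Computer Configuration > Policies >"
Write-Host "Windows Settings > Security Settings > right-click > Import Policy."

# 5. Before handing anything to site staff, check what the DC actually receives.
$rsopPath = Join-Path $env:TEMP "RSoP-$DcName.html"
Get-GPResultantSetOfPolicy -Computer $DcName -ReportType Html -Path $rsopPath
Write-Host "Resultant Set of Policy report for $DcName written to $rsopPath."
```

Two points a practitioner would check before rolling this out to every site: run it against a single DC first and read the RSoP report, because a mistake in the `[Privilege Rights]` line silently strips the right from whoever held it before; and audit the resulting Domain Controllers OU tree periodically, since a DC that is later promoted or moved back into the parent OU quietly leaves the site policy's scope.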
