Title: Message
Oops. That's right. Sorry about that.
 
Forgot it is a whole new ball game now. :o)
 
No more security holes in new code.
 
No more silly testing issues.
 
The disjoint namespace issues in the latest revs of MOM and SMS are figments of bad imaginations. Who in the world at MS would not test that supported MS configuration...
 
Speaking of secure though... Anyone know if anyone at MS is looking at a security lockdown option pack for AD? Something that you apply that tightens down Schema Default SDs that MS supports against all of their products and you only have to worry about stuff you do or other third parties do? That way companies don't have to figure out on their own what things the lockdowns you want to implement break MS products using AD? Say it locks down what users can do on their own objects, what computers can add to the directory by default, etc etc. An alternative sort of acceptable solution would be a guide to all of the attributes that all MS products use and need to have access to (and what type of access to) in AD.
 
The whole locking things down, chasing what breaks and hoping you got it all is a bit of a pain. Sitting there trying to reverse what is going on with a network sniffer is a bit more difficult than actually documenting it when you write the code.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, October 29, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

But, MS has promised us their products are secure... :-)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Ack, you said SBS... <as joe scurries back to the light...>
 
 
I await the day that someone writes a bad virus that targets Domain Controllers. I figure that the SBS machines will be the first to get hit with something like that since there are sooooo many vectors to the security bastion on that product.
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Um, SBS users don't have a choice...
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Don't install Exchange on a Domain Controller, even you Michael B. Smith

Article ID : 994678345
Last Review : October 28, 2004
Revision : 1.0
This article was previously published under Q994678345
In a Windows 2000 domain, some people like to install Exchange on a Domain Controller. They also like to use them for file and print as well, or for other non-authentication/authorization services. They sometimes find they run into security and/or stability issues.
 

CAUSE

This behavior typically occurs because they installed products on a domain controller, which is supposed to be the bastion of your enterprise security, not handling menial services such as Exchange and file sharing et alii.

RESOLUTION

To resolve this problem, remove the non authentication/authorization related services from the domain controller.

STATUS

Microsoft has confirmed that this is a problem in the real world. This problem was first corrected when people started treating the DCs like a KDC and not a regular server.
 
 

APPLIES TO
All versions of Windows that run as Domain Controllers
 
 
 
  :o)
 
     joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC

I've run across a couple of KB articles regarding the issues of promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me, I didn't bookmark them.
 
Does anyone have those handy? My google-fu is not up-to-par today apparently...the ones I've found (plus summary) are:
 
822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is installed
 
The only one I've found that directly affects the search I'm on is the last (822575).
 
Thanks,
M 
 
