LOL. That would be me that was looking for a locked down server. That server
should also not have IE on it but I digress to my favorite pet peeve at the
moment (besides Exchange).

Anyway, the option of the lockdown would be a choice for me as the main
admin for a network. Not only is it good for some lower level admins and users
to not have choices, it is immensely better than them having choices. This
is the whole concept behind GPOs and security policies, you are taking away
the right for others to choose what they want over what you want.

I can't admit to following the rest of the conversation. I dislike DNS and
try to ignore it when I can. However, I know about the security issue Dean
is talking about, we discussed it at the summit. It all comes down to
builtin groups being used to ACL things in AD. This is far more dangerous
than using say, even domain local groups, unless we are talking about Denies
and then they are both hokey. 

Dean and I agree on most things because we almost share a birthday. It is in
the stars... 

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Choices are good, and I am all for it except those nasty "paper or plastic,
venti or grande, skimmed or half-and-half" choices :)
 
When it comes to matters like this, I defer to your superior judgement.
But.....how does AD-intg secondaries address either of your scenarios? I can
see putting constraints on the "writeability" of ad-intg zones will be
desirable and effective for your purposes, but AD-intg secs ....
hmmmmm......

 
And, talking about choices, wasn't it you who was asking to have a new
flavor of highly locked down Windows for servers alone? You wanted the
"relevant people" to strip it down and lock it so that tight that the
operators would find it very difficult to hurt themselves. How does that fit
into the "choices" option? Maybe Joe was the one asking for this. Maybe it
wasn't you.
But since you and Joe seem to agree on most things, I would like to see a
reconciliation of desires. 
 
 
Sincerely,

Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 11/19/2004 9:35 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



Real scenario - The way in which 2003 AD integrates the _msdcs subdomain
(now a zone) causes it to replicate forest wide.  This one zone subsequently
becomes writable on every K3 DNS(/DC) server within the forest.  I didn't
ask it to do that, I didn't intentionally make a key component of AD
available for modification ... all I said was "replicate it better"
(obviously that's highly simplified but you get the idea :-).

Hypothetical scenario - I'd like a non-AD related DNS zone available at
every one of my hundreds of sites.  Each site has DCs/DNS servers running
K3.  I'd like the zone's writability constrained (and enforced) to the
head-office site alone.  The moment I AD integrate to take advantage of the
vastly superior replication semantics, I inadvertently expose it to offsite
change ... again, all I wanted was to exploit replication not the
multimaster nature of AD. 

I can, of course, re-ACL the whole thing but, believe me, that's more pain
than I'm prepared to inflict on myself ... you, on the other hand, may like
that ;-).

My feeling is simply this; we would be better served by being offered a
choice as to which features are made available when a zone is AD integrated.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
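The forest-wide writability Dean describes can be checked rather than assumed. As an added example (not from the thread), this PowerShell lists which principals hold write-capable ACEs on the _msdcs zone object in the ForestDnsZones partition, and shows the zone's replication scope and dynamic-update setting; it assumes the RSAT ActiveDirectory and DnsServer modules on a 2012 or later DNS server, and uses contoso.com as a placeholder forest name.

```powershell
# Added example: audit who can write to an AD-integrated (forest-wide) zone.
# Assumes ActiveDirectory + DnsServer modules; "contoso.com" is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$Forest    = 'contoso.com'                                  # placeholder forest
$Zone      = "_msdcs.$Forest"                               # the zone Dean mentions
$Partition = 'DC=ForestDnsZones,DC=contoso,DC=com'          # forest-wide partition
$ZoneDN    = "DC=$Zone,CN=MicrosoftDNS,$Partition"          # dnsZone object DN

# Rights that let a principal alter the zone or create records (dnsNode children).
$R = [System.DirectoryServices.ActiveDirectoryRights]
$WriteMask = $R::GenericAll -bor $R::GenericWrite -bor $R::WriteProperty -bor
             $R::CreateChild -bor $R::WriteDacl -bor $R::WriteOwner

function Get-ZoneWriters {
    param([string]$DistinguishedName)
    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $WriteMask) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Sort-Object IdentityReference -Unique
}

# 1. Where does the zone replicate, and who may dynamically update it?
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate, IsDsIntegrated |
    Format-List

# 2. Which principals can modify the zone object or add records under it?
#    Builtin/local groups here are worth a second look, as joe notes above.
Get-ZoneWriters -DistinguishedName $ZoneDN | Format-Table -AutoSize
```

Run it on one DNS-hosting DC per site; because the zone is multi-master, an entry granted on any replica is effective on all of them.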


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

I see what you are saying, but ..... why would I want to store the zone info
of DomainA in the AD of DomainB in an independent/disjointed, non-trusting
environment? What would be the compelling reason? Would something improve or
work better if this is implemented?


Sincerely,

Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 11/19/2004 8:24 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



Deji,

There would be a concept of "AD integrated secondaries" had MS decided to write
it; it may be desirable (to some) to maintain read-only yet AD replicated
zones.  I guess the point in question is - MS didn't.  I've asked the
question directly to those that chose not to within MS and their response
was quite simply "because we didn't :)".

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Because when it's integrated, there is no concept of "secondaries" as we
understood it to be in pre-2Kx world. It's there in AD, and any DC can see
and write to it. Now, if you are secondarying the zones on another server
located in another forest/network, why would you want to store that info in
your own AD. You will not be modifying that zone locally on the secondary
anyway. Or, are you intending to?


Sincerely,

Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



OK, integrated stub zones are cool, but I'm curious - why did MS stop there?
Why no integrated secondaries?
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

