If you are that concerned about students hacking, then honestly I
wouldn't be relying on filters on your routers/switches; I would be
putting a firewall in place so that you can easily view the logs and
alert on anyone trying to do anything they shouldn't.

Phil

On 7/6/05, rubix cube <[EMAIL PROTECTED]> wrote:
> OK, I have 15 VLANs and I am filtering traffic between them because we have
> IT students who like to test whether they can access their exams ahead of
> the exam time by trying to hack their teachers' PCs, and students
> who try to mess with the grading system, etc.
> If you have students, then each student is a potential hacker,
> especially if they are highly motivated and study computing!
> 
> I filter all kinds of traffic (ICMP, TCP, UDP) from student networks to
> faculty networks, and also traffic to the financial network or the student
> information system network, etc.
> 
> I have almost one DC for each category of users who access the
> same category of PCs and have the same ranges of IPs. The DC itself
> contains data that shouldn't be accessible to students, for example. I
> of course have access controls in place, physical controls, and almost
> all levels of security, but I still don't want a student to be able to
> ping a machine that she shouldn't even know exists. You can call
> me paranoid, that's OK; I am here to make sure my network is secure and
> everyone is accessing only what they should be accessing.
> 
> So back to the original subject: you are saying that the only problem
> if one of the GCs went down is Outlook, which will be fixed upon
> restarting it? But the client shouldn't have problems accessing other
> network services (their network share, DNS, DHCP, etc.)?
> 
> 
> r.c.
> 
> 
> On 7/6/05, Brian Desmond <[EMAIL PROTECTED]> wrote:
> > Well, he can leave the filters in place between the VLANs on the routers.
> > Maybe they're there for a good reason. But add exceptions to these ACLs to
> > allow traffic from the clients to any DC. We have three DCs servicing I
> > don't know how many VLANs in one building at the CO, I'd guess in the 500+
> > range. Works like a charm.
> >
> > How many clients, Outlook clients, Exchange servers, etc. are in this
> > environment? 7 DCs in one place is a damn big number of DCs. Must be a
> > pretty big building. Then they should all be GCs too if it's one domain. But
> > 7 DCs/GCs is a lot of them in one place. You'd usually have a maintenance
> > window, which for one building is a lot easier than for four continents. This
> > way, even if what you're doing affects clients, most of your users aren't on
> > Outlook at 11 PM anyway, and if it's a scheduled window, well, they
> > can deal.
> >
> > --brian
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, July 05, 2005 8:44 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] GC
> >
> > This configuration kind of scares me. The question that keeps bubbling to
> > the surface is why why why why?
> >
> > Sites are used to define well connected networks. This is both for
> > replication and for resource location services by clients looking for
> > resources. It sounds like you have a case where all DCs would be considered
> > equal to all clients but you are forcing them to only be able to use certain
> > DCs because they can only reach those. I would expect that the clients get
> > confused every now and then and work less than optimally. I expect
> > watching network traces on your network for a while would be quite
> > entertaining.
> >
> > Personally I would tend to say, rip out the filters, if you have high
> > connectivity between all of these DCs then they should be in one site and
> > there should be no network filters in place. However before I would
> > recommend that to a customer, I would really need to understand why they are
> > doing what they are doing and what they think they are getting out of it.
> > You might have an amazingly good reason for doing this that isn't
> > immediately apparent.
> >
> >
> > On the Exchange topic, I think this is secondary to getting your network
> > topology straightened out. However, I dislike the idea of hard coding which
> > GCs Exchange uses, it can bite you as people often forget it is being done.
> > If someone wants to do that, I tend to recommend that they create an
> > Exchange specific site and throw the Exchange servers and the Exchange GCs
> > into that site. Exchange can and will reach out of that site, but it will
> > tend to stay within it. It just makes the overall architecture more clear in
> > my opinion without having to dig into specifics. If you stop doing the VLAN
> > filtering I would then enable all DCs to be GCs. Then if you still have
> > Exchange issues, start working them individually and possibly find more
> > unusual design decisions.
> >
> > As previously mentioned, a lot of Exchange failover is actually Outlook
> > failover which varies radically based on the client rev. Some versions of
> > Outlook never fail over and you have to stop the client and restart it so it
> > will re-ask the Exchange server for a GC. Some will fail over once it detects
> > a GC is unavailable. Exchange itself can be a little hokey, I have seen
> > cases where it gets confused (E2K) and won't start failing over properly for
> > 30 minutes. This is why it is critical to keep Exchange GCs generally
> > running well.
> >
> >
> > With WINS there was a subnet affinity built into the name resolution
> > process, a client would choose the IP address that was in the same subnet as
> > the client for any names it resolved that had multiple IP addresses. DNS is
> > not like this. It takes the first IP address returned and uses it unless it
> > can't reach it and then it uses the next and next, etc. It is up to the
> > server to return the addresses in some specific order. I haven't done a lot
> > of traces of Windows DNS servers but the general Bind/QIP configuration I
> > have seen is to round robin the addresses returned.
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > Sent: Tuesday, July 05, 2005 6:14 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir] GC
> >
> > As I understand it, sites are used if you have a remote site and you want to
> > replicate AD traffic; this is not my case, so I have 1 site.
> > I have backbone main switches on which I create the VLANs and set up
> > filters for which IP ranges can access which servers and
> > resources. I have 15 IP ranges and different DHCPs, and I have DHCP relay agents
> > on all my edge switches, so the IP address setup and distribution is being
> > taken care of properly.
> >
> > How to prevent users? By filtering all traffic from passing from one
> > subnet to other subnets. Easy, but I don't think it can be done relying on
> > AD and Windows. I guess I could create child domains and prevent users from
> > logging in except to specific domains, but I haven't tried that yet since my
> > solution is currently working fine for me.
> >
> > Why is that odd? :)
> >
> >
> > On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > > I don't understand how this can work in one site :)
> > >
> > > If all DC/GCs are defined in the same site, then clients may be 'offered'
> > > any of these DCs from a DNS perspective, since they are all 'equal'.
> > >
> > > You appear to have several odd environmental issues which need to be addressed
> > > before attacking the Outlook related issues.
> > >
> > > neil
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > Sent: 05 July 2005 10:22
> > > To: [email protected]
> > > Subject: Re: [ActiveDir] GC
> > >
> > >
> > > Seems very good, but I have 1 domain and 15 VLANs, and not all domain
> > > controllers are accessible from all VLANs. If I set all the domain controllers to
> > > GC, will that cause a problem? The 2 that I chose to set as GCs are
> > > accessible from all VLANs.
> > >
> > > thanks.
> > > r.c.
> > >
> > >
> > > On 7/5/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
> > > > I also don't agree with what you are saying concerning the
> > > > maintenance of the GCs.
> > > >
> > > > If you only have 1 domain in the forest there is NO OVERHEAD in
> > > > making all DCs GCs. The size of your DIT will not grow in size
> > > > because there are no other domains. For its own and single domain
> > > > the GCs will use pointers to the domain data.
> > > >
> > > > So if you have 1 domain, make all DCs GCs.
> > > >
> > > > Even if you have multiple domains there are fewer issues in W2K3
> > > > compared to W2K, because W2K3 DCs/GCs use Linked Value Replication
> > > > (only in FFL W2K3) and for the partial attribute set it only replicates the deltas.
> > > > So even for a multiple domain forest I would consider making all DCs
> > > > GCs.
> > > >
> > > > Concerning Exchange, I would not manually define the DCs and GCs it
> > > > uses. Let Exchange itself figure that out. What are the reasons to
> > > > manually define the DCs/GCs it uses?
> > > >
> > > > Cheers,
> > > > #JORGE#
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > Sent: Tuesday, 5 July 2005 10:51
> > > > To: [email protected]
> > > > Subject: Re: [ActiveDir] GC
> > > >
> > > > One site and all servers in that one site.
> > > >
> > > >
> > > > On 7/5/05, Rops, Arjan <[EMAIL PROTECTED]> wrote:
> > > > > How many sites do you have configured in your AD?
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix
> > > > > cube
> > > > > Sent: Tuesday, 5 July 2005 10:34
> > > > > To: [email protected]
> > > > > Subject: Re: [ActiveDir] GC
> > > > >
> > > > > Suffering = users lose connectivity to their mailbox (Outlook
> > > > > shows a message saying "Trying to connect to your Exchange server"),
> > > > > users can't use their home directories on the servers, users are not
> > > > > able to print; basically users go offline, waiting for the
> > > > > GC to be online. Now this I would understand if there was only one GC,
> > > > > but with 2, this shouldn't happen,
> > > > >
> > > > > i.e. the network appears to be seeing each GC as the only one.
> > > > >
> > > > > Is there anything else other than checking the Global Catalog
> > > > > check box to make a server a GC (and adding it in System Manager
> > > > > on the Exchange server as a GC too)?
> > > > >
> > > > > Thanks,
> > > > > r.c.
> > > > >
> > > > > On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > > > > > I don't agree with the below at all, to be candid. I would
> > > > > > rather have 7 servers, knowing I can lose 1 or 2 without issue, rather than
> > > > > > working round the clock to keep 2 servers up all the time. To me, that's
> > > > > > the beauty of systems like AD, where the system is distributed and
> > > > > > self resilient. You, however, have removed some of that resilience
> > > > > > from the system and have thus moved the maintenance effort from
> > > > > > the system onto your own lap.
> > > > > >
> > > > > > Anyway, now that's off my chest - I think you need to explain
> > > > > > what 'the network suffers' means. What symptoms do you see when a GC
> > > > > > goes offline? I'd also like to know why your GCs are going offline.
> > > > > >
> > > > > > We have 100+ GCs here and we probably have 4-5 issues per year.
> > > > > > When we do have an issue, the net effect on the end user is negligible
> > > > > > due to the self healing and resilient nature of AD/GCs themselves.
> > > > > >
> > > > > > neil
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > > > Sent: 05 July 2005 08:48
> > > > > > To: [email protected]
> > > > > > Subject: Re: [ActiveDir] GC
> > > > > >
> > > > > >
> > > > > > Thanks for the reply :)
> > > > > >
> > > > > > I will tell you: because now I have to maintain 2 servers (the
> > > > > > GCs) online 24/7, I can't take one offline for maintenance for a second
> > > > > > because the network goes down. Imagine if I upgrade the other 5,
> > > > > > then I will have to keep 7 servers alive 24/7!!!!!!!
> > > > > >
> > > > > > I configured Exchange to use multiple GCs, but why does the network
> > > > > > suffer if one of them goes offline? I don't know; is it by design,
> > > > > > or am I missing something?
> > > > > >
> > > > > > Thanks,
> > > > > > r.c.
> > > > > >
> > > > > >
> > > > > > On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > > > > > > "rough and ready" response :)
> > > > > > >
> > > > > > > 1. Client logons, Exchange GAL lookups and various other components
> > > > > > > require a GC to be available, ideally in the same site.
> > > > > > > 2. Why are only 2 of the 7 DCs also GCs?
> > > > > > >
> > > > > > > Given that you are experiencing issues, I'd be inclined to 'upgrade'
> > > > > > > the remaining 5 DCs to GC status and ensure that your Exchange servers
> > > > > > > are configured to use multiple GCs.
> > > > > > >
> > > > > > > When all DCs are GCs, the infra master FSMO becomes redundant too, so
> > > > > > > that's one less FSMO to worry about catering for :)
> > > > > > >
> > > > > > > neil
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: [EMAIL PROTECTED]
> > > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > > > > Sent: 05 July 2005 08:16
> > > > > > > To: [email protected]
> > > > > > > Subject: [ActiveDir] GC
> > > > > > >
> > > > > > >
> > > > > > > Hi,
> > > > > > > I have 2 GCs and 7 domain controllers. I made 2 GCs so that if I
> > > > > > > had to take any one of them offline, the other would be functional and
> > > > > > > the network would be OK. What happens is that if any of them
> > > > > > > goes offline, the network goes down (including the Exchange email service).
> > > > > > > Anything I should have done?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > r.c.
> > > > > > > List info   : http://www.activedir.org/List.aspx
> > > > > > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > > > > > List archive:
> > > > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > > > > >
> > > > > > > ==============================================================================
> > > > > > > Please access the attached hyperlink for an important electronic
> > > > > > > communications disclaimer:
> > > > > > >
> > > > > > > http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
> > > > > > >
> > > > > > > ==============================================================================
> > > > >
> > > > > This e-mail and any attachment is for authorised use by the intended
> > > > > recipient(s) only. It may contain proprietary material, confidential
> > > > > information and/or be subject to legal privilege. It should not be
> > > > > copied, disclosed to, retained or used by, any other party. If you
> > > > > are not an intended recipient then please promptly delete this
> > > > > e-mail and any attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
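The thread boils down to three checks: which of the 7 DCs are not GCs (Neil and Jorge: in a single-domain forest, make them all GCs), which DCs DNS advertises to clients (joe: DNS hands the list out in server-chosen order, and a client that lands on an unreachable one has to time out before it moves on), and which of those DCs a client on a given VLAN can actually reach through the ACLs (Brian: add exceptions from every client VLAN to every DC). The PowerShell below is an added example, not code from anyone in the thread; it assumes a workstation on one of the VLANs with the RSAT ActiveDirectory module installed (Windows Server 2008 R2 era and later, so not available to the 2005 posters). The port list and the -PromoteToGC switch are my assumptions about what a practitioner would want; the script changes nothing unless that switch is given.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the thread). Run from a workstation on one of the
  student or faculty VLANs, with the RSAT ActiveDirectory module installed.
    1. Which DCs are not GCs?                    (Neil, Jorge: make them all GCs)
    2. Which DCs does DNS advertise to clients?  (joe: any of them can be tried first)
    3. Which of those can THIS VLAN reach on the ports AD clients use?
       (Brian: the ACLs need exceptions from every client VLAN to every DC)
  -PromoteToGC <dc> is an assumed convenience: it sets the IS_GC bit (options
  bit 1) on that DC's NTDS Settings object, which is what the Global Catalog
  check box in AD Sites and Services does.
#>
[CmdletBinding()]
param(
    # Assumed list of TCP ports a domain-joined client needs on a DC/GC:
    # 88 Kerberos, 135 RPC endpoint mapper, 389/636 LDAP(S), 445 SMB (SYSVOL,
    # logon scripts), 3268/3269 GC LDAP(S). Dynamic RPC ports are not tested.
    [int[]]$Ports = @(88, 135, 389, 445, 636, 3268, 3269),
    [string]$PromoteToGC
)

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName
Write-Host "Domain $($domain.DNSRoot), forest $($forest.RootDomain), $($dcs.Count) DCs"

# 1. GC status straight from the directory.
$dcs | Select-Object HostName, IPv4Address, Site, IsGlobalCatalog | Format-Table -AutoSize
$notGC = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($notGC) { Write-Warning ("Not GCs: " + ($notGC.HostName -join ', ')) }

# 2. What DNS hands to a client looking for a GC or a DC (SRV records).
#    Windows DNS rotates answer order (round robin) by default, so any host
#    listed here can be the first one a client tries.
foreach ($rec in @("_gc._tcp.$($forest.RootDomain)", "_ldap._tcp.$($domain.DNSRoot)")) {
    $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    Write-Host "`n$rec ->"
    $srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
}

# 3. Reachability from this VLAN to every DC on every port. A DC that DNS
#    advertises but an ACL blocks shows up as "Blocked": that is the DC a
#    client on this VLAN can be handed and then wait on.
$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC     = $dc.HostName
            GC     = $dc.IsGlobalCatalog
            Port   = $p
            Status = if ($t.TcpTestSucceeded) { 'Open' } else { 'Blocked' }
        }
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object Status -eq 'Blocked' | Group-Object DC
if ($blocked) {
    Write-Warning "DCs advertised in DNS but not fully reachable from this VLAN:"
    $blocked | ForEach-Object { Write-Warning "  $($_.Name): ports $(@($_.Group.Port) -join ',')" }
    Write-Warning "Either open these ports in the VLAN ACLs or stop advertising the DC to this subnet."
}

# Optional: flip the IS_GC bit on the named DC's NTDS Settings object.
if ($PromoteToGC) {
    $dc = $dcs | Where-Object { $_.HostName -eq $PromoteToGC -or $_.Name -eq $PromoteToGC }
    if (-not $dc) { throw "No DC named $PromoteToGC" }
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $new  = [int]$ntds.options -bor 1          # keep any other option bits intact
    Set-ADObject -Identity $ntds -Replace @{ options = $new }
    Write-Host "Set IS_GC on $($dc.HostName). Promotion completes after replication;" `
               "the DC logs Directory Service event 1119 when it starts advertising as a GC."
}
```

Run it once from a faculty VLAN and once from a student VLAN: the first should show every port open to every DC, the second should show only the DC ports open and nothing else. On the 2005 toolset the same questions are answered with `dsquery server -isgc` for step 1 and `nltest /dsgetdc:<domain> /gc` plus `nltest /dsgetdc:<domain> /force` repeated from the client for steps 2 and 3, which is also the quickest way to watch a client get handed a DC it cannot reach.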
