Personally I hate Tivoli, a big, giant, overly complex POS which seems to do a lot of things poorly instead of any one thing well. One company I was at tried it, tossed it out and sued IBM for their money back (millions) and got it; unfortunately they couldn't sue for the time the analysts spent trying to integrate it over several years, which would have been millions more. A few years later, with an ex-IBM sales manager now as CTO, they started integrating it again. It was being integrated about as successfully as it was the first time, even though it was supposed to be "completely better now". I fought the adding of it to the domain controllers at every step. It never got on them while I was there. The software delivery agent was installed at one point because it was part of the load; I simply disabled that after the folks running Software Delivery decided to run an audit against all of our DCs looking for disk space of the spinning disks, an audit that was requested by someone not in the Enterprise Admins group. I had been looking for an excuse and that was all I needed, because it proved the point I had been arguing, which I will expand on below.
 
In general, I don't recommend any applications being installed on DCs that run as admin or LocalSystem that the Domain Admins do not completely and utterly control. Be it monitoring, software delivery, asset management, AV, directory sync (assuming the sync ID runs as admin or LocalSystem on DCs), etc. It makes no sense to run those things on DCs from a security standpoint.
 
The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) on a single DC, whoever admins the foreign application is now effectively a domain/enterprise admin as well. Any attack vectors into their monitoring servers, etc. are now all vectors into the core of your security for the Enterprise. Basically, you could have the greatest security practices in the world (barring this one) for your DCs, and then some bonehead move over on the monitoring platform (because it isn't quite as critical to be secure, it is ONLY watching...) and bam, you can be utterly compromised.
 
  joe
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
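The trust-boundary point joe makes above (a service running as SYSTEM on a DC hands its owners Domain Admin-equivalent access) can be checked rather than argued. The script below is an added example, not code from the thread or from any product named in it: it enumerates, on every domain controller, the services whose executable lives outside the Windows directory and reports the account each runs as, so Domain Admins can see exactly which third-party agents sit inside their security boundary. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and a Domain Admin caller; the "inside %SystemRoot% means Microsoft-owned" rule is a deliberate simplification you would tune for your environment.

```powershell
# Added example (not from the original thread). Audits every DC for services
# whose binary is outside %SystemRoot%: each one is a foreign product whose
# administrators can run code as SYSTEM on a domain controller.
# Assumptions: RSAT ActiveDirectory module installed, WinRM open to all DCs,
# and the caller is a Domain Admin. The "trusted = under %SystemRoot%" rule is
# a simplification chosen for this example.

$auditBlock = {
    # Runs remotely on each DC and returns one object per non-Windows service.
    $sysRoot = $env:SystemRoot.TrimEnd('\') + '\'

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if ([string]::IsNullOrWhiteSpace($raw)) { return }   # driver-style entries

        # PathName may be quoted and may carry arguments; keep the executable only.
        if ($raw.StartsWith('"')) {
            $end = $raw.IndexOf('"', 1)
            $exe = if ($end -gt 1) { $raw.Substring(1, $end - 1) } else { $raw.Trim('"') }
        } else {
            $exe = ($raw -split '\s+', 2)[0]
        }

        # Skip binaries shipped under the Windows directory (simplified trust rule).
        if ($exe.StartsWith($sysRoot, [System.StringComparison]::OrdinalIgnoreCase)) { return }

        [pscustomobject]@{
            DC        = $env:COMPUTERNAME
            Service   = $_.Name
            RunsAs    = $_.StartName      # LocalSystem, NT AUTHORITY\..., or DOMAIN\account
            StartMode = $_.StartMode
            State     = $_.State
            Binary    = $exe
        }
    }
}

# Every DC in the domain; each line of output is a product whose owners are
# effectively Domain Admins whether or not they appear in that group.
$dcs = (Get-ADDomainController -Filter *).HostName
$findings = Invoke-Command -ComputerName $dcs -ScriptBlock $auditBlock -ErrorAction Continue

$findings |
    Sort-Object DC, Service |
    Format-Table DC, Service, RunsAs, StartMode, State, Binary -AutoSize
```

Anything in the output that runs as LocalSystem, or as any account not under Domain Admin control, is a decision to make explicitly: remove the agent from the DCs, or accept that the team operating it is inside the DA trust boundary and secure their platform to the same standard. Running this on a schedule and diffing the result against the last run also catches an agent that arrives "because it was part of the load", as in joe's story.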
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, March 10, 2006 4:19 PM
To: activedirectory
Subject: [ActiveDir] Monitoring DC's

We currently run Tivoli for monitoring and software distribution here (no, SMS and MOM are not an option).
Right now there are talks about installing Tivoli endpoints on our Win2k3 DCs for monitoring those as well.
 
How do people on this list feel about Tivoli for monitoring, specifically, and about installing 3rd party software on a DC for monitoring things like FRS, DNS, DC availability, etc., in general?
 
 
Thanks
