Personally, I hate Tivoli: a big, giant, overly complex POS
which seems to do a lot of things poorly instead of any one thing well. One
company I was at tried it, tossed it out and sued IBM for their money back
(millions) and got it; unfortunately they couldn't sue for the time the analysts
spent trying to integrate it over several years, which would have been millions
more. A few years later, with an ex-IBM sales manager now as CTO, they
started integrating it again. It was being integrated about as successfully as
it was the first time, even though it was supposed to be "completely better now".
I fought the adding of it to the domain controllers at every step. It never got
on them while I was there. The software delivery was installed at one point
because it was part of the load; I simply disabled that after the folks running
Software Delivery decided to run an audit against all of our DCs looking for
disk space of the spinning disks, which was requested by someone not in the
Enterprise Admins group. I had been looking for an excuse, and that was all I
needed, because it proved the point I had been arguing, which I will expand on
below.
In general, I don't recommend any applications being
installed on DCs that run as admin or LocalSystem that the Domain Admins do not
completely and utterly control, be it monitoring, software delivery, asset
management, AV, directory sync (assuming the sync ID runs as admin or
LocalSystem on DCs), etc. It makes no sense to run those things on DCs from a
security standpoint.
The moment you put the Tivoli agent (or MOM or SMS or AV or
whatever) on a single DC, whoever admins the foreign application is now
effectively a domain/enterprise admin as well. Any attack vectors into their
monitoring servers, etc., are now all vectors into the core of your security for
the enterprise. Basically, you could have the greatest security practices in the
world (barring this one) for your DCs, and then some bonehead move over on the
monitoring platform (because it isn't quite as critical to be secure, it is ONLY
watching...) and bam, you can be utterly compromised.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, March 10, 2006 4:19 PM
To: activedirectory
Subject: [ActiveDir] Monitoring DC's
We currently run Tivoli for monitoring and software distribution here (no,
SMS and MOM are not an option).
Right now there are talks about installing Tivoli endpoints on our Win2k3
DCs for monitoring those as well.
How do people on this list feel about Tivoli for monitoring, specifically,
and installing 3rd-party software on a DC for monitoring things like FRS, DNS, DC
availability, etc., in general?
Thanks
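The check joe's argument implies, as an added example that is not part of either message in the thread and is not Tivoli or IBM code: walk the services on a domain controller, keep the ones running as LocalSystem or as an account that sits (transitively) in Domain Admins, Enterprise Admins or the DC's Administrators group, and drop the ones carrying a valid Microsoft signature. Whatever is left is a third-party agent whose management server is, in effect, a domain admin. It assumes Windows PowerShell 5.1 run as an administrator on the DC itself, with the ActiveDirectory module present (it ships with the AD DS role on 2008 R2 and later, so it would not have applied to the Win2k3 DCs in the original question); `$TrustedSigners` is a placeholder for your own signer baseline, and the `Get-ServiceExecutable` / `Test-PrivilegedStartName` helpers are names chosen for this example.

```powershell
# Added example, not from the original thread: list services on this DC that run under
# a privileged identity and were not signed by Microsoft. Each hit is the exposure
# described above: whoever runs that product's management server can act as a DC admin.
#Requires -RunAsAdministrator

$TrustedSigners   = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')   # assumption: your own baseline
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Transitive membership of the privileged groups, keyed by SamAccountName (case-insensitive).
$privilegedMembers = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [void]$privilegedMembers.Add($_.SamAccountName) }
    }
} catch {
    Write-Warning "Could not enumerate privileged groups ($_); only LocalSystem services will be flagged."
}

function Get-ServiceExecutable {
    # Win32_Service.PathName is either "quoted path" args or unquoted-path args.
    param([string]$PathName)
    $exe = $null
    if     ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^(\S+)')     { $exe = $Matches[1] }
    if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
    return $exe
}

function Test-PrivilegedStartName {
    # True for LocalSystem, or for a domain account that is in one of $PrivilegedGroups.
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    if (@('LocalSystem', 'NT AUTHORITY\SYSTEM') -contains $StartName) { return $true }
    $sam = ($StartName -split '\\')[-1]      # DOMAIN\sam  -> sam
    $sam = ($sam -split '@')[0]              # sam@domain -> sam
    return $privilegedMembers.Contains($sam)
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not (Test-PrivilegedStartName $svc.StartName)) { continue }

    $exe    = Get-ServiceExecutable $svc.PathName
    $status = 'NoPath'
    $signer = 'unknown'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Skip binaries that are part of the OS load: validly signed by a trusted signer.
    $trusted = ($status -eq 'Valid') -and
               ($TrustedSigners | Where-Object { $signer -like "$_*" })
    if ($trusted) { continue }

    [pscustomobject]@{
        Service   = $svc.Name
        StartName = $svc.StartName
        State     = $svc.State
        Path      = $exe
        SigStatus = $status
        Signer    = $signer
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

Every row in the output is a process on the DC with domain-admin-equivalent rights whose binary did not come from Microsoft; the question to ask for each is who controls the server that pushes its policy, jobs or updates, because that is the person joe's reply is talking about. Run it before an agent is approved for the DC, not after, and treat an unsigned or "NotSigned" result as its own finding even when the vendor is one you expected.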
