I probably shouldn't respond as I haven't read what Steve said (I prefer him live versus memorex) but I can "see" geographic forests as an implementation design. Not sure I like it a lot but I can see the angle. Exchange I would then pull out into its own separate resource forest that trusted all of the geographic forests. Multiforest Exchange within a single company isn't something I would consider optimal with the current design. If you have a heavily distributed Exchange environment that probably won't work so well but if centralized to main data centers it could be quite decent.
 
Depending on the size, I would say my first choice is single forest single domain assuming the DAs are also in charge of Exchange. If you need separate admins for Exchange (outsourced, too much workload, etc) then multiple forest with an Exchange Resource forest starts getting tasty quickly. The geographic forest thing would come from only if there was so much political posturing and infighting that I couldn't get the admins locked down to a small single management chain set. I would rather have multiple forests with different admins than multiple domains in a single forest with different admins.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, March 14, 2006 4:15 PM
To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)

I guess you're right that trying to talk to sriley via written comm is clunky. This was his last response:
===
I guess I'm having difficulty understanding the specific scenarios you've got in mind. In my own world (Microsoft corpnet), I live with multiple forests just fine. And I've known customers for whom multi-forest deployments work smoothly.

Regarding my 60-second design, many of the customers I work with tend to manage environments regionally -- it's their business model and administrative model. Like I said, it's one suggestion among many, one that's worked well for some organizations.
===
 
That's a lot different than what he wrote. Maybe we should have him meet bpuhl and find out how they manage those multiple forests, the custom code that goes into it, the lack of folder sharing in Exchange and any other issues that multi-forests bring up? Maybe not. Maybe we should just believe that sriley means well but is misunderstood (as am I apparently; so who am I to pick?) :)
 
Interesting though.
 
On 3/13/06, Steve Evans <[EMAIL PROTECTED]> wrote:
Yeah, I forgot about the geography == forest sentence. I read the blog post a few days ago and didn't go back and read it before I chimed in.
 
I have heard him say several times, in several different contexts, his 30-second version of how to migrate from NT4 to AD, and then he goes on about how much better AD is and everyone has to just get over the hump, etc., etc.
 
Steve is much better giving a presentation than the written word (at least short written word).  His ideas usually take a good 20 minutes to get across.  ~5 minutes reading a blog post usually ends up with a bunch of people arguing about what he was really trying to say.
 

Steve Evans

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, March 13, 2006 12:02 PM

To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)

 
Interesting. They've (Microsoft) said for years not to use your internally protected AD forest for external usage. (Side note: Steve has in the past maintained that network boundaries are useless and that there should be the trusted network and the internet without any of this DMZ stuff. In short, I think differently. This is not the first time I've had to ask questions to fully understand what Steve is getting at. He's a very smart individual and it pays to listen to what he has to say.) They've also mentioned many times that the forest is the security boundary.
 
I did read Steve's blog to indicate that he is suggesting a security boundary per geographic boundary might make more sense. I read that in contrast to the way you see it as " there may be some good reasons to have multiple forests."  They've said that for years.  Trust me on that.
 
Keep in mind that when Windows 2000 came out, Microsoft honestly believed that everyone would work from a single directory and would discard all other directories in favor of Windows 2000 Active Directory. They heavily sold the idea of reduced administration as one reason you would want this single directory. They also built one of their flagship applications (Exchange) on top of this single directory. They've done a stellar job of accomplishing that vision (which by the way has been a goal of the messaging industry for many years: a scalable messaging system that relies on a shared directory for reduced administration) IMHO. But to suggest that a company align forests against anything other than company process and boundaries seems counter to the Active Directory design philosophy. Is it more secure? Of course. Is Steve's primary focus security? Last I checked. Is he good at it? I think so. Is he out of his mind on this one? Either I totally don't get what he's getting at, or else I think one of us is off our rocker.
 
Maybe I'm misreading it and you're right Steve. Seems out of context to think he means anything other than geographical boundaries the way it's written though.  Of course, that's why I posted questions.  I was and am trying to get clarification.  He's worth asking :)
 
Al (aka -ajm)

 
On 3/13/06, Steve Evans <[EMAIL PROTECTED]> wrote:
Al,
 
The way I read it is when Windows 2000 came out they said there's virtually no reason to have two forests. Now they say there are some decent reasons to have multiple forests. I don't think they're recommending multiple forests as a standard good thing, but they admit that there are situations where they do make sense (e.g. web farms).
 
Susan,
 
I don't think passwords are considered company secrets. They're just the means to get at the company secrets. Just like the file server or the database server isn't the company secrets, but the data inside those file shares or databases is.
 

Steve Evans

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, March 13, 2006 6:52 AM

To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)

 
If you haven't yet read the comments on the page, you might be interested.  In looking back, it looks like a cop-out on my part for being lazy and signing it as "-ajm" but I'll do better next time.
 
Something to keep in mind with this suggestion though:
Sometimes multiple forests make sense. When they do, don't be afraid to do so. Sometimes a single forest with multiple domains makes sense. When it does, don't be afraid to do so. Sometimes a single forest with a single domain makes sense... you get the idea. The key is to know the trade-offs and to help match them to the business requirements. That implies that you can get good solid business requirements, of course, and that you realize that, like other plumbing types, it's difficult and costly (but not impossible) to change the plumbing later. Choose carefully for the right reasons and you have nothing to be ashamed about later, right?
 
The biggest problem I see with the blog is that it comes across as if Microsoft were wrong all these years about the multiple forest vs. the single forest vs. going from the NT model to the AD model etc.  He mentions "..Surely you've learned that Microsoft long ago stopped recommending single forest/single domain AD designs; yes, we were wrong about that." Did they? Hmm....  Might be interesting to see that in writing and to see it consistently communicated across the websites etc. I haven't seen that so far nor do I follow that recommendation.  It changes way too much for me to follow it that closely other than to say, "Microsoft has a blanket recommendation that you deploy like this <insert recommendation of the moment> but because of your unique requirements I recommend we deploy like this: <insert recommendation> and get a supportability review prior to testing, implementation, etc."  That's common because the software was written for a finite number of scenarios but the places it gets deployed have a seemingly infinite number of ways of doing business that require some flexibility.
 
Susan, while reading the Art of War you may want to consider a sister book, Musashi's Book of Five Rings.
 
"When you have attained the Way of strategy there will be not one thing that you cannot understand" is one of his quotes as is his idea that (paraphrase) if you can successfully do something for 1 you can do it for 10. If you can do it for 10, you can do it for 100.  The list goes on :)  Relation: If you can make one forest secure, you can make more than 1 secure. If you can make one DC secure, you can make more than one secure.
 
My take? Go with the business processes and understand your technical issues and risks.  You'll be changing your architecture from time to time anyway and you'll always have risks that you'll need to mitigate. I can think of ways to mitigate DC theft.  I can think of ways that it wouldn't matter if one forest was compromised with physical theft.  There are tradeoffs in the amount of effort and the return on effort, so knowing the issues and how to mitigate or whom to ask to help figure out how to mitigate is always helpful. 
 
Would be nice if the entire product line/architecture would help support some of these practices in native ways, but then, what would the consultants and third party ecosystem do? :)
 
My ramblings anyway.
Al

 
On 3/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I guess you agreed or at least sympathised with my views then? :)

As to the war - England and France have been at war so many times in the
last 1000 years, you could be referring to one of a dozen historic
moments :)

As to your analogy - I'd rather see the situation of multiple forests as
an increase in attack surface (for the attacker) rather than as a
decrease in defensive walls, personally :)

neil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 13 March 2006 08:51
To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)

The statement...  "So protect those domain controllers! No, they don't
store your company secrets; yes, they're pretty much just plumbing in
your network"

wanna make a bet?  ...certainly not exactly in SBSland ... we kinda have
the kitchen sink up there.   And to me... those passwords are a pretty
important part of my company's secrets.  And whether you are SBS where
we have a shrub or the Sierra National Forest of Domains...isn't that
still important?

At the same time...there's times as much as I'm thinking I'm insane for
all on one box, I know that I sure pay attention to that one box...
There's something to be said about having less things to look at.

<insane comments feel free to disregard>

There was either a History Channel or a PBS show on a famous battle back
ages and ages ago (sorry..forget the King but I think it was England and
France) and when the army stayed together in a clump and attacked as a
clump the smaller army was actually holding their own and making an
impact.  When the army spread out and broke rank and started to run
after the attackers and thus opened up an entry point.... anyway you get
my drift.


The Art of War says:

If he prepares to defend many places, then the forces will be few in
number.

Therefore, if he prepares to defend the front, the back will be weak.

If he prepares to defend the back, the front will be weak.

If he prepares to defend the left, the right will be weak.

If he prepares to defend the right, the left will be weak.

If he prepares to defend everywhere, everywhere will be weak.


There's an implied thought to that blog...and maybe it's just me in
reading that undercurrent in seeing what has happened in my world and in
my sister's larger implementations.  Consultants cannot know your firm
like you do.  And they don't always get the right people at the table to
talk to.  The bosses listen to the consultants and sales folks when they
should be listening to the people who work at the firm and getting their
input.


[EMAIL PROTECTED] wrote:
> The suggestion that we all deploy multiple forests as a way of
> lessening the risk is a bit of a 'cop out' :)
>
> That sounds as though he's suggesting the only way to secure the
> environment is to spread it more thinly across more and more forests!
> The more forests I deploy, the more cost I incur to the business. The
> more costs I incur to the business, the more awkward questions I
> receive asking why we don't consider other offerings in the NOS space
> :)
>
> Perhaps I'm too cynical on Monday mornings :)
>
>
> neil
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: 11 March 2006 07:39
> To: [email protected]
> Subject: [ActiveDir] Securing that DC ( the physical question)
>
> http://blogs.technet.com/steriley/archive/2006/03/10/421782.aspx
>
> (The Seattle Riley clan)
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> PLEASE READ: The information contained in this email is confidential
> and intended for the named recipient(s) only. If you are not an
> intended recipient of this email please notify the sender immediately
> and delete your copy from your system. You must not copy, distribute
> or take any further action in reliance on it. Email is not a secure
> method of communication and Nomura International plc ('NIplc') will
> not, to the extent permitted by law, accept responsibility or
> liability for (a) the accuracy or completeness of, or (b) the presence
> of any virus, worm or similar malicious or disabling code in, this
> message or any attachment(s) to it. If verification of this email is
> sought then please request a hard copy. Unless otherwise stated this
> email: (1) is not, and should not be treated or relied upon as,
> investment research; (2) contains views or opinions that are solely
> those of the author and do not necessarily represent those of NIplc;
> (3) is intended for informational purposes only and is not a
> recommendation, solicitation or offer to buy or sell securities or
> related financial instruments.  NIplc does not provide investment
> services to private customers.  Authorised and regulated by the
> Financial Services Authority.  Registered in England no. 1550505 VAT
> No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand, London,
> EC1A 4NP.  A member of the Nomura group of companies.
>
>
>






