Ignore Dean. He's going to try and D.O.S. a couple of companies I specified
to him. If you see Dean's name in the papers next to buildings that are
burning to the ground then you can listen to the conspiracy theories that
require running S-DDNS.  ;o)  How many times was your NT environment DOS'ed
by purposeful attacks on WINS? If you had an issue with WINS being
unauthenticated at any point it was one of a couple of items:

1. You screwed up WINS yourself somehow by doing something stupid or
through inaction allowing something stupid to happen.
2. Someone fired up a SAMBA box and had no flipping clue what they were
doing on Linux OR Windows.
3. Someone tried to set up a test domain using production WINS and using the
real name of the production domains.

Even with those three items I can think of 2 cases in 10 years of these
things and one was cleared up in about a week and the other was cleared up
in about 15 minutes. The first should have been cleared up in 15 minutes too
except the people working on it didn't understand Windows nor WINS nor did
the Alliance people working the issue.  

In the meanwhile, if an employee of a company wants to hurt AD, there are
more subtle and less trackable mechanisms to do so than going after DNS.
Anyone that attacked AD by going after AD is just a script kiddie punk with
no vision. Heck even the script kiddies aren't going after it.

BTW, anyone know what a mucker is? I am trying to figure out if I am
supposed to be morally outraged. <eg>

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 2:55 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DNS on a DC or NOT

Ignore joe ... he's just an LDAP/DS purist ... as a general rule of thumb,
keep the AD representative DNS zones within the directory configured to
accept secure updates only.  Use app. NCs or don't depending upon the
forest's config., too many variables and much discussion for me right now on
that one I'm afraid ... but suffice it to say that for me; I prefer app. NCs
where possible.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, May 17, 2006 10:01 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DNS on a DC or NOT
> 
> So you are concerned about overall load then. This is something that 
> is addressed in larger orgs often by segregating the PDC off in its 
> own logical site which is hung off the main site it would normally be 
> part of. That means it will usually not be used for autocoverage of 
> other WAN sites and it will not become a large site bridgehead[1] and 
> naturally avoided by any Exchange in that site if Exchange for some 
> reason decides to beat on it due to some bad decision by an Exchange 
> admin during configuration. This is especially helpful if you have a 
> large legacy client load or lots of stupid applications that are using 
> the old NET API (or WinNT provider) primarily which already overly 
> target PDCs.
> 
>    joe
> 
> 
> [1] I recall asking way back at the 2003 RAP/RDP conference for a 
> switch to say use all DCs but these special ones for bridgeheads, I 
> would rather manage exceptions than manage the ones that are the ones 
> to be used. Best is to be able to specify either way.
> 
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Carlos Magalhaes
> Sent: Wednesday, May 17, 2006 9:44 AM
> To: [email protected]
> Subject: Re: [ActiveDir] DNS on a DC or NOT
> 
> Let me put that into perspective (and from reading the post 
> again I thought it came across), the blog entry refers to 
> networks with a large client load.
> I don't mean do NOT have DNS on your server; it recommends 
> (Option 2) releasing some of the load with the two registry 
> settings, i.e.
> *LdapSrvPriority* and *LdapSrvWeight*, which is explained in 
> the entry :)
> 
> These settings I have only ever used on large networks when I 
> have noticed a large amount of DNS traffic being routed to 
> the PDC DNS Service. :)
> 
> Does that explain the post? If not, just let me know what more 
> information you need and I will explain it :)
> 
> Carlos Magalhaes
> 
> ASB wrote:
> > Which blog entry...
> >  
> > -ASB
> >
> >  
> > On 5/17/06, *Krenceski, William* <[EMAIL PROTECTED] 
> > <mailto:[EMAIL PROTECTED]>> wrote:
> >
> >     I was reading Carlos's blog about not running DNS on the PDC
> >     emulator. It all makes perfect sense to not have DNS running on
> >     it. In my relatively small setup we have @60 servers, 560pc's, on
> >     8 networks (some remote some vlans). I have 2 DC's at my main site
> >     with one at each remote site. All DC's are GC and DNS. I always
> >     thought that in order for DNS to work as AD integrated your DNS
> >     servers had to be DC's. If that is NOT true my face is red for
> >     believing so for so long.  
> >      
> >      
> >      
> >     *William Krenceski*
> >     *Network Administrator*
> >     [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> 


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
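
An added example, not part of any post in this thread: one way to audit the two things Dean recommends above (secure-only dynamic updates on the AD zones, and storing them in application NCs). It assumes the DnsServer PowerShell module, which postdates this thread; the server name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the DnsServer module (RSAT DNS
# tools) is installed; 'dc01.example.test' is a placeholder server name.
param([string]$DnsServer = 'dc01.example.test')

# Only writable, administrator-created zones matter for dynamic update.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $findings = @()

    if (-not $z.IsDsIntegrated) {
        # File-backed zones cannot do secure (authenticated) updates at all,
        # so any dynamic update on them is unauthenticated.
        if ($z.DynamicUpdate -ne 'None') {
            $findings += 'file-backed zone accepts unauthenticated updates'
        }
    }
    else {
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'accepts nonsecure dynamic updates'
        }
        # 'Legacy' means the zone lives in the domain partition rather than
        # the DomainDnsZones / ForestDnsZones application NCs.
        if ($z.ReplicationScope -eq 'Legacy') {
            $findings += 'stored in domain partition, not an application NC'
        }
    }

    [pscustomobject]@{
        Zone          = $z.ZoneName
        DsIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        Scope         = $z.ReplicationScope
        Findings      = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

# Zones with findings first, so the ones needing attention are at the top.
$report | Sort-Object { $_.Findings -eq 'ok' }, Zone | Format-Table -AutoSize

# To correct a flagged AD-integrated zone:
#   Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name <zone> -DynamicUpdate Secure
```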