So they’re blowin a lot of smoke to
disguise their actual thought process: “You” are a
liability we do not want to expose our servers to. We do not believe you
to be capable of managing an Active Directory environment, and therefore we put
in our own stuff without giving you the passwords. That way you can’t
screw something up. Personally I would be offended. Professionally I would
question whether they are any more qualified to manage my AD than I am.

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny

Thank you all. The vendor in question is bringing in a
medical solution. Here is the response from the vendor so far. Mind you that we
have lots of medical device solutions that exist in our domain, the FDA card is
played as a blanket so you stop asking questions... we ran into the same
issue with security patches. "why can't I patch that device?". When
we've looked at these FDA regulations in the past it turned out that there was
more liability by not patching.

From the vendor:

"Let me start by
thanking you for considering our support model and continuing to pursue
supporting it in your organization. Our designers have architected the
system to comply with Microsoft’s best practices. We have implemented our
own XXXX.local domain in an effort to provide solid system integrity founded on
Kerberos authentication and a single sign-on experience for your clinicians.

Our system relies heavily on the integrity of the Active
Directory structure. We have integrated the launching of services and control
of processes using this Microsoft recommended model.

It has been our experience that relying on a hospital’s
Active Directory structure is a dependency that has opened our customers
up to liabilities for the integrity of our XXXX regulated medical device.
I liken the servers to a respirator. Having an outside person, no matter how
qualified, work on a respirator would be a concern from a clinical
standpoint. We have witnessed Group Policies applied to servers in a more
open environment. This is a liability we do not want to expose our business
partners to. Any change, no matter how minute to our system, would endanger our
validation and designation as a XXX regulated medical device and would
open you to failing FDA auditing."

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I would tend to agree except in the case of
Exchange, I am ALL FOR Exchange being run in a separate single domain forest,
it solves an incredible number of problems such as the GC/NSPI problems as well
as administrative isolation, etc. The exception there is if Exchange is
deployed in a decentralized fashion out to all of the sites you already
have DCs at, at that point, you probably want to fight with the issues with it
in the main forest.

The biggest complaint I have seen for
running a separate

But if this isn't Exchange, I would be
curious to hear the details of the app and why they want a separate forest.
Most vendors if they told me they did it in a stupid way that had that
requirement I would beat and tell them to fix it. With MSFT and Exchange, that
only works a little bit. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido

I think everyone would be conceptually
opposed - would be good to hear the vendor's reasoning for this. What does the app do? What benefit do you have from running
their app in a separate (single domain) forest? I can think of many downsides, but if
the app is supposed to protect really sensitive data (isolation scenario), this
may potentially be the reason for them to demand a separate forest. Certainly
not, if the same folks manage both forests though... So pls. ask them for
more details - doesn't hurt to understand their thinking.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny

We are a 2003

I do not know anything about the product yet but I am almost
conceptually opposed to these vendor domains. I am looking for pros and cons...
really ammunition to say no.

Thanks

Johnny Figueroa
