I think the story is the fault of the blog post writer. That wasn't someone who actually knows what is going on, that was someone who saw an internal pres that was put on by a PM, probably Nathan, of what they are thinking right now and the writer tried to get across the points as he/she understood them because he/she thought it was (and it really is) cool. I wouldn't take that blog entry to be authoritative for anything on the topic.
 
Heck it was even stated that "These features in-turn reduce the attack surface of a Windows Server." and it absolutely does nothing to reduce the attack surface of a Windows Server, it helps reduce the attack surface on AD as a service.
 
  joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 1:23 PM
To: [email protected]
Subject: Re: [ActiveDir] RE: [ActiveDir] Read-Only Domain Controller and Server Core

 
To be completely fair, I'm NOT the one that said that it doesn't store anything.  I questioned that from the blog link that was posted, because I know that it can/does store some information which would make it useful.   Not that you can get anything from that information, but then again, it's early in the adoption cycle (just before it really) so there hasn't been a large enough crowd to hammer away at it. 
 
Being highly familiar with BO environments, I agree it opens plenty of opportunity to deploy more DCs where before we could not. In some industries, that is far more important than others, but useful nonetheless.
 
Note that my original concern was the way that the blog post mentioned the product and that it might be a deviation from the original story when the RODC concept was created and brought to life. I have seen the RODC before, but I am far more limited with what I can talk about and can't.  Since I don't know what those limits are, I'm erring on the side of not even coming close to mentioning what I do and don't know nor some of the other questions that come to mind regarding that concept and its boundaries. This is not the forum for that.
 


 
On 7/28/06, Tim Vander Kooi <[EMAIL PROTECTED]> wrote:

I'm not sure why you say it doesn't store anything??? It stores EVERYTHING, it simply doesn't get the rights to write anything new back to your core DCs. This is a HUGE breakthrough for those of us with smaller branch offices that today can't cost justify putting an entire server in a BO just to handle authentication, but at the same time we are not willing to open the security hole that is created if you put the DC services on a file server in those offices. With a RODC I can deploy authentication, as well as hopefully sites, etc. to those file servers without concern that a user might hack in and take over my AD.  The number of doors this opens to a spread server architecture is really big. Granted, if you have no branch offices it won't mean a thing to you.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 10:08 AM

Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

 

The part that makes me wonder about the "story" is if it stores no secrets is the server doing anything for me? Is there a point to deploying the server in a remote office other than just being able to point to it in the closet and say, "see, I do to earn my paycheck!"  

 

I'm sure there's more, but I don't yet know which parts are public information and which are NDA.

 

Can you tell I'm concerned about the story being created? I like stories; don't get me wrong.  But I'm concerned that the story being spun up might be missing the mark and lead a few people astray.

 

Safe to note that there are some features that differentiate the RODC from an NT4 BDC and that make it appealing in some cases.

But if it actually does not store anything locally, ever, then I'm not sure it's worth the time to deploy one now is it?

 

Al

 



 

On 7/27/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

FYI:

http://blogs.msdn.com/jolson/archive/2006/07/27/679801.aspx


         Read-Only Domain Controller and Server Core



