Saying that, I'm trying to see the benefit of using ADAM for, in essence, a single-user application. Seems overkill in my mind. If they want to have centralized control over the identities in an off-line fashion, then I suggest that ADAM might not be the right technology for their needs. As the others have alluded to, the replication would be difficult to manage as it's not really intended to be managed that way in my opinion. And relying on the client to sync up with the mothership is no way to enforce security. That's similar to asking a child to make sure he guards the cookie jar from himself. :)
Al
On 10/5/06, Lee Flight <[EMAIL PROTECTED]> wrote:
I had an exchange with a vendor who was planning on a similar approach:
http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/browse_frm/thread/83248bf50f9f76ec/2aac67203f612e2a
my summary, see the end of the archived thread, was that they
should talk to Microsoft about this use of the replication model
as it did not seem appropriate use of a multimaster replication
model to me. Even if we had RO ADAM instances I still think it
would be a pain to manage... let us know how you get on
Thanks
Lee Flight
On Wed, 4 Oct 2006, Tony Murray wrote:
> Thanks Dmitri
>
> Yes, my security concern was with regard to laptop theft. As you say, these are ADAM and not AD accounts, so the risk of compromise is localised to the application. Good tip about EFS (even if I'm not a big fan of it generally). There may be other options (e.g. hardware encryption).
>
> I will give some further thought to the potential replication issues you mention when I know more about the application - I haven't managed to get my hands on it yet :-)
>
> Tony
> ---------- Original Message ----------------------------------
> From: Dmitri Gavrilov <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date: Wed, 4 Oct 2006 20:18:28 -0700
>
> ADAM on XP is no different from ADAM on w2k3 security-wise. The big
> differences are that it is throttled somewhat perf-wise, and also
> there's no auditing.
>
> I do not see any serious security problems with this approach. Unless
> you are thinking that somebody steals the laptop, cracks the DIT open
> and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In
> any case, these are ADAM users, not windows...
>
> The only problem will be replication -- instances will complain that
> they are unable to replicate when in offline mode. Perhaps this can be
> resolved by creating a separate site for every instance and setting up
> manual links to the hub instance. Hmm. Not sure. I guess it depends on
> how long they'll stay offline. KCC is not really optimized to work well
> in such scenarios.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Tony Murray
> Sent: Wednesday, October 04, 2006 7:34 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] ADAM on XP Pro
>
> I've been talking to a vendor about an application they are developing.
> It involves running ADAM instances on XP Pro machines (laptops) that
> replicate with a centralised ADAM instance running on W2K3. I don't
> have further details at this stage, but I believe they are planning
> to use the local ADAM instance to authenticate laptop users to an
> application when they are off-line.
>
> In addition to security concerns with this approach, I'm not really
> comfortable with the idea of ADAM instances on laptops being part of a
> configuration set. I had always understood ADAM on XP to be used for a
> personal data store
> (http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).
>
> Any thoughts on this?
>
> Tony
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
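Dmitri's suggestion above of keeping the DIT on an EFS volume, written out as an added example; this is not code from the thread or from any of its participants. It assumes a hypothetical instance service name (ADAM_instance1) and the default-style data path in $DataDir, and it relies on cipher.exe, which is part of Windows. The one thing the thread does not spell out is that EFS keys are per-user: the script must run in a session logged on as the account the ADAM service runs under, otherwise the service cannot open its own DIT afterwards.

```powershell
# Added example, not code from the thread. Assumptions (hypothetical): the ADAM
# instance's service is named ADAM_instance1 and its data directory (adamntds.dit
# plus the log files) is the path in $DataDir. Run this logged on as the account
# the ADAM service runs under: a DIT encrypted by Administrator is unreadable to
# a service running as any other account, and the instance will fail to start.

$ServiceName = 'ADAM_instance1'
$DataDir     = 'C:\Program Files\Microsoft ADAM\instance1\data'

# The DIT is held open while the instance runs, so stop it before encrypting.
Stop-Service -Name $ServiceName -ErrorAction Stop

try {
    # /E encrypt, /A act on files as well as directories, /S: recurse from the
    # data directory. Marking the directory itself means files the instance
    # creates later (new log files, a temporary DIT during compaction) are
    # encrypted too, not just the ones present now.
    & cipher.exe /E /A "/S:$DataDir"
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe failed with exit code $LASTEXITCODE"
    }

    # Verify: every file and directory under the data path must carry the
    # Encrypted attribute. Anything left in the clear is reported by name.
    $clear = Get-ChildItem -LiteralPath $DataDir -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    if ($clear) {
        throw ("Still unencrypted: " + (($clear | ForEach-Object { $_.FullName }) -join ', '))
    }
}
finally {
    # Bring the instance back regardless; a start failure here is the usual
    # symptom of having encrypted as the wrong user.
    Start-Service -Name $ServiceName
}

$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') {
    throw "$ServiceName did not come back up; check that the EFS key belongs to the service account."
}
Write-Host "Data directory encrypted and $ServiceName is running."
```

Note that this only raises the cost of the attack Dmitri describes (steal the laptop, open the DIT, crack the hashes); it does nothing about the replication problem, and the EFS key is itself protected by the laptop user's Windows password, so a weak logon password still exposes the DIT.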