Hopefully "Whole" disk encryption will mitigate this risk.....
________________________________ From: KenM [mailto:[email protected]] Sent: Tuesday, July 07, 2009 12:00 PM To: NT System Admin Issues Subject: Re: Win2003 DC on Win2000 domain I dont think this is all about trust. What happens when your laptop gets stolen and someone has full access to the DC image files. On Tue, Jul 7, 2009 at 12:47 PM, Erik Goldoff <[email protected]> wrote: With all due respect, if they cannot trust a network security engineer that helps to maintain and improve their security ( have remote access to firewall and TS ) then they may as well still run on paper. Their internal security knowledge, as well as any BCP is practically non-existant. But from a best practices perspective, you are right. Erik Goldoff IT Consultant Systems, Networks, & Security ________________________________ From: Brian Desmond [mailto:[email protected]] Sent: Tuesday, July 07, 2009 12:28 PM To: NT System Admin Issues Subject: RE: Win2003 DC on Win2000 domain That is pretty scary from a risk management perspective that you're walking off with a copy of the customer's AD. Thanks, Brian Desmond [email protected] c - 312.731.3132 Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ <http://www.briandesmond.com/ad4/> Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian <https://mvp.support.microsoft.com/profile/Brian> From: Erik Goldoff [mailto:[email protected]] Sent: Tuesday, July 07, 2009 9:18 AM To: NT System Admin Issues Subject: RE: Win2003 DC on Win2000 domain Yep, FALLBACK is my concern. I'll be doing most of the work remotely, as the two new 2003 servers are in place and on the wire. Low level help desk type will be on site, but as of yet, no spare/temp machine as a 2000 DC ... ( I normally bring in my laptop with a 2000 server and a 2003 server running virtually and promote to DC to grab a copy for 'just in case' in the first few days, but I won't be on site this time ) once forestprep & domainprep run, it's a one way race to the finish Erik Goldoff IT Consultant Systems, Networks, & Security ________________________________ From: Jon Harris [mailto:[email protected]] Sent: Tuesday, July 07, 2009 10:05 AM To: NT System Admin Issues Subject: Re: Win2003 DC on Win2000 domain Agreed. The only difference is since you have Exchange on a DC you might want to make a 2000 DC on some desktop as a fall back. Once the fall back is finished with the sync turn it off. Do the domain/forest prep if all go well put the fall back on the network again let it sync again then turn it off while bringing up the new DC's. Once all is well and good bring it up and kill it off. Jon On Tue, Jul 7, 2009 at 9:59 AM, KenM <[email protected]> wrote: Why not just install 2003 on the new hardware run dcpromo /forestprep and /domainprep and run dcpromo on 2003 servers and transfer roles. On Tue, Jul 7, 2009 at 9:54 AM, Erik Goldoff <[email protected]> wrote: Client wants to bring in two new servers ( forklift new hardware ) into their current Windows 2000 domain, but wants to upgrade Active Directory to 2003 ... two new servers will ultimately replace two existing 2000 servers which are File/Print/DC and Exchange/DC My normally cautious method would be to bring in a temp 2000 box, promote it to DC in the 2000 domain, move FSMOs to it, then demote existing DCs... upgrade OS on temp box to 2003, then promote new 2003 servers to DC, moving FSMOs to one of them. Question : Is there an unreasonable risk to promoting a 2003 server to DC on the 2000 domain with 2000 DCs in place when there is no plan ( or license ) to upgrade the OS on the 2000 boxes to 2003 ? Erik Goldoff IT Consultant Systems, Networks, & Security ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
