You're entitled to your opinion ... but from my experience, providing an
offsite backup at my expense ( zero charge if not needed ) is a very
VALUABLE service to most of these small businesses.  And I *NEVER* do this
without fully informing the client, so they always have right of refusal.
Most have no idea about proper business continuity planning, and don't think
ahead on how to get the business running again after a network shutdown.
 
That said, I think your characterization of 'walking off with a copy' is a
bit harsh; it's not like I'm stealing a copy for my own benefit, selling to
black hats, or putting them at extended risk. I would hope, given YOUR
background, that you already have fallback plans in place, and it would not
be necessary for ME to cover your behind like I do for many of my clients
that don't know any better.
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _____  

From: Brian Desmond [mailto:[email protected]] 
Sent: Tuesday, July 07, 2009 2:39 PM
To: NT System Admin Issues
Subject: RE: Win2003 DC on Win2000 domain



IMO a "network security engineer" would know better than to take copies of
sensitive customer data like that. Put it this way, if you were on my
payroll and I found out you were walking off with a copy of my DIT you'd be
shown the door straight away. 

 

Thanks,

Brian Desmond

[email protected]

 

c - 312.731.3132

 

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

 

From: Sherry Abercrombie [mailto:[email protected]] 
Sent: Tuesday, July 07, 2009 11:52 AM
To: NT System Admin Issues
Subject: Re: Win2003 DC on Win2000 domain

 

Agree with best practices, but with personal experience in dealing with
consultants, we make them sign a contract/NDA that prohibits them from using
any information or disclosing it outside our organization.  

On Tue, Jul 7, 2009 at 11:47 AM, Erik Goldoff <[email protected]> wrote:

With all due respect, if they cannot trust a network security engineer that
helps to maintain and improve their security ( have remote access to
firewall and TS ) then they may as well still run on paper.  Their internal
security knowledge, as well as any BCP, is practically non-existent.

 

But from a best practices perspective, you are right. 

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

  _____  

From: Brian Desmond [mailto:[email protected]] 
Sent: Tuesday, July 07, 2009 12:28 PM
To: NT System Admin Issues
Subject: RE: Win2003 DC on Win2000 domain

 

That is pretty scary from a risk management perspective that you're walking
off with a copy of the customer's AD.

 

Thanks,

Brian Desmond

[email protected]

 

c - 312.731.3132

 

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

 

From: Erik Goldoff [mailto:[email protected]] 
Sent: Tuesday, July 07, 2009 9:18 AM
To: NT System Admin Issues
Subject: RE: Win2003 DC on Win2000 domain

 

Yep, FALLBACK is my concern.  I'll be doing most of the work remotely, as
the two new 2003 servers are in place and on the wire.  Low level help desk
type will be on site, but as of yet, no spare/temp machine as a 2000 DC ...
( I normally bring in my laptop with a 2000 server and a 2003 server running
virtually and promote to DC to grab a copy for 'just in case' in the first
few days, but I won't be on site this time )

 

Once forestprep & domainprep run, it's a one-way race to the finish.

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

  _____  

From: Jon Harris [mailto:[email protected]] 
Sent: Tuesday, July 07, 2009 10:05 AM
To: NT System Admin Issues
Subject: Re: Win2003 DC on Win2000 domain

Agreed.  The only difference is since you have Exchange on a DC you might
want to make a 2000 DC on some desktop as a fallback.  Once the fallback
is finished with the sync, turn it off.  Do the domain/forest prep; if all goes
well, put the fallback on the network again, let it sync again, then turn it
off while bringing up the new DCs.  Once all is well and good, bring it up
and kill it off.

 

Jon

On Tue, Jul 7, 2009 at 9:59 AM, KenM <[email protected]> wrote:

Why not just install 2003 on the new hardware, run dcpromo /forestprep and
/domainprep, and run dcpromo on 2003 servers and transfer roles?

 

 



 

On Tue, Jul 7, 2009 at 9:54 AM, Erik Goldoff <[email protected]> wrote:

Client wants to bring in two new servers ( forklift new hardware ) into
their current Windows 2000 domain, but wants to upgrade Active Directory to
2003 ... two new servers will ultimately replace two existing 2000 servers
which are File/Print/DC  and Exchange/DC  

 

My normally cautious method would be to bring in a temp 2000 box, promote it
to DC in the 2000 domain, move FSMOs to it, then demote existing DCs...
upgrade OS on temp box to 2003, then promote new 2003 servers to DC, moving
FSMOs to one of them.

 

Question :  Is there an unreasonable risk to promoting a 2003 server to DC
on the 2000 domain with 2000 DCs in place when there is no plan ( or license
) to upgrade the OS on the 2000 boxes to 2003 ?

 

 

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke

 

 

 


 

