Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
Security a goal? It's more of a journey where the destination is we didn't get hacked this week (month/year) BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server. I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.

On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :) Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena. Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;) Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest.
Those that troll the groups with googMSNSearch on the other hand might be less trustworthy. If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though

Al

On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well. As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)
Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there. (For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next. BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto: [EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught
Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
We agree on security as a journey. We seem to disagree about putting an application on a DC. Exchange especially. Will it work? Yes. But the tradeoffs in that situation can be distasteful from an operational and security point of view if security, flexibility, scalability, and availability are of any concern whatsoever. I have no issues with SBS. I'm thankfully able to avoid that product line in most of my dealings to date. My issue has more to do with the applications and intended purpose of the functions deployed when you try to put them all on the same box. If those applications were meant to be together, then Microsoft would have built them with that in mind. Until then, I'll continue to be leery of them working together.

-ajm

On 10/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:

Security a goal? It's more of a journey where the destination is we didn't get hacked this week (month/year) BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server. I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.

On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :) Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion.
I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena. Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;) Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy. If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though

Al

On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well. As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA
Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well. As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there.
(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next. BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell... AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER **was** a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it. Here's what I see for the domain: How the *^($(*^ is Sweden in there?? It's NOT an AD server, it refuses to become one... This entry is from an OLD Sweden server entry - notice how the guy before me spedded Swe(den). IF it ain't broke, don't break it!. Maybe I should just quit screwing with it - for now... I'll keep plugging away at it, I guess.
Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick
*Sent:* Friday, October 06, 2006 1:30 PM
*To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

SNIP

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :) Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena. Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;) Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy. If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though

Al

On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well. As we say down here we don't get hacked...
we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there. (For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.
BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell... AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER **was** a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it. Here's what I see for the domain: How the *^($(*^ is Sweden in there?? It's NOT an AD server, it refuses to become one... This entry is from an OLD Sweden server entry - notice how the guy before me spedded Swe(den). IF it ain't broke, don't break it!. Maybe I should just quit screwing with it - for now... I'll keep plugging away at it, I guess.

Steve