Re: ADAM woes


Good point, but for the full effect, virtualization would have been my
choice.
I don't think I'd use anything even resembling production data sets, but
rather I'd create new ones that bore resemblance only. Why? Same as Joe
said, you could be rightfully fired if you put secured data on an unsecured
device regardless of the reason.

Anyhow, you can run VMware Server or Virtual Server on your laptop and
create all kinds of environments there. Both are freely available. And as a
bonus, you can get familiar with AD, W2K3/R2 server, and you can test to
destruction as you do it. You can install it, own it, etc. And the data
that's in there wouldn't be a compromise of your security policy (intent
anyway; I haven't seen the letter lately.)

The adamsync is going to have trouble on one side of the security realm or
the other. Either local creds or AD creds, and if I recall it wants to
update some SPN's etc. Not my choice to use such a thing for what are now 2
articulated reasons in this thread alone. I'm quite sure there are more.

Pulling production data to your laptop may not even be enough for what
you're after. Do as JoeK suggests and let us know what you're wanting to
accomplish and it might be easier to make a more focused suggestion.



"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:eDkZ50xvGHA.724@xxxxxxxxxxxxxxxxxxxxxxx
I'm pretty sure you can supply credentials to ADAMSync in order to access
AD. The domain membership thing makes it convenient, but I don't think it
is necessary. Unfortunately, I'm not an ADAMSync expert, so I don't know
exactly how to do it. :)

I think the approach you are taking (with a local ADAM instance) could
work fine, as long as you are doing mostly LDAP stuff against AD and know
where they differ.

I'm not sure if I'd use ADAMSync in your case, though. I think you might
be better off building up an LDIF script based on a dump of fixed AD data
so that you can quickly bring up an ADAM instance into a known state and
then just leave it alone. The LDIF script gives you a text-based file you
can stick in source control so that when you bring on new devs, you can
easily give them the same test bed ADAM instance. I'm thinking of more of
a database continuous integration-type of approach, except using ADAM/LDAP
as the data store instead of SQL. :)

You can definitely supply credentials to LDIF in order to pull the data
down from AD using the appropriate command line parameters.

If you tell us a little more about what you are doing, we might be able to
provide some other tips as well. If you are doing .NET stuff (far-fetched
in your organization, but you never know :)), you might get some mileage
out of my book too.

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Lars W. Andersen" <larswandersen@xxxxxxxxxxxxxxxx> wrote in message
news:e3yaHSxvGHA.2232@xxxxxxxxxxxxxxxxxxxxxxx

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23W86pAxvGHA.416@xxxxxxxxxxxxxxxxxxxxxxx
Not that I think you're going down the right path, but what you're
asking (in my words) is if you should be able to sync the AD to ADAM
with adamsync, correct?


Hi Al,

I hear you ... and even though I am working for what is the largest IT
service provider in the world (take a guess), having a development machine
that is part of an AD (a competitor's product) is not an option. Far-out
when we actually need it, as we have customers requiring MS solutions, but
sadly true. Believe me ... we, being an MS shop in an anti-MS organisation,
have tried almost everything. Next time I reinstall my laptop I have
sworn that I'm gonna install a W2K3 server and create my own AD ... if
nothing else .. out of spite =8-)

Virtualization is an option, but I was looking for something simple and
quicker for now.

- You must have Read or Dirsync access to the objects or partitions
  in the Active Directory forest that you want to synchronize.

The user I have on the AD is enterprise admin. That ought to do the trick
:)

- You must have full control of an application directory partition
  on an ADAM instance to run this command.

I own that as well.



You should have that via your AD account rights, however you'll run into
an issue by not being part of the domain with these workstations because
the account you want to use for AD won't be known for the local
instance.


Is that just simply not possible? Or is it possible to "breach" the DC
security to let me do this?

Another possible way around that would be to install adam on another of
the servers on the domain ... sync the ad to that adam and then copy the
adam to my local workgroup machine and restore it there?






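Joe Kaplan's suggestion above (an ldifde export of a fixed data set into an LDIF file you keep in source control, then an import that brings a fresh ADAM instance to a known state, with credentials supplied on the command line so the laptop need not be domain-joined) as a PowerShell script. This is an added example, not code from the thread or from Microsoft. The server name dc01.corp.example, the OU=DevTestData source OU, the ADAM port 50000 and partition DC=testbed,DC=local are assumptions, as is the list of AD attributes that a stock ADAM schema does not define; adjust all of them to your environment.

```powershell
# Added example, not from the thread: export a fixed test data set from AD
# with ldifde, rewrite the naming context to the ADAM partition, strip what
# ADAM cannot import, and (re)load it into a local ADAM instance.
# All names below are assumptions for illustration.
param(
    [string]$AdServer   = 'dc01.corp.example',              # assumed DC
    [string]$AdSuffix   = 'DC=corp,DC=example',             # assumed AD suffix
    [string]$AdBaseDn   = 'OU=DevTestData,DC=corp,DC=example', # assumed OU with synthetic data only
    [string]$AdamHost   = 'localhost',
    [int]   $AdamPort   = 50000,                            # assumed ADAM LDAP port
    [string]$AdamBaseDn = 'DC=testbed,DC=local',            # assumed ADAM partition
    [string]$LdifPath   = '.\testbed.ldf',
    [switch]$Export,
    [switch]$Import
)

# Fixed, short attribute list: keeps the LDIF small and diffable and keeps
# anything the security policy would call "secured data" out of the file.
$keep = 'objectClass,cn,givenName,sn,displayName,mail,userPrincipalName,member,description'

# AD attributes a stock ADAM schema does not define; ldifde rejects the whole
# entry if one is present. Assumed list; check against your instance's schema.
$dropInAdam = @('sAMAccountName', 'userAccountControl', 'primaryGroupID', 'lastLogon', 'logonCount')

if ($Export) {
    # -b passes explicit credentials, so domain membership is not required.
    # The password is visible on the command line / in process listings while
    # ldifde runs: use a dedicated read-only account, not an Enterprise Admin.
    $cred  = Get-Credential -Message 'AD account with read access to the test OU'
    $net   = $cred.GetNetworkCredential()
    $plain = $net.Password   # handed to ldifde only for this run, never written to disk

    # -m omits system attributes (objectGUID, objectSid, ...) that cannot be re-imported
    # -l exports only the attribute list above
    # -c rewrites the AD suffix to the ADAM partition suffix during export
    # -u writes Unicode LDIF
    & ldifde.exe -f $LdifPath -s $AdServer -d $AdBaseDn `
        -r '(|(objectClass=organizationalUnit)(objectClass=user)(objectClass=group))' `
        -l $keep -m -u -c $AdSuffix $AdamBaseDn -b $net.UserName $net.Domain $plain
    if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }

    # Drop attributes ADAM rejects, including any folded continuation lines
    # (LDIF continues a long value on the next line with a leading space).
    $pattern  = '^(' + (($dropInAdam | ForEach-Object { [regex]::Escape($_) }) -join '|') + '):'
    $dropping = $false
    $kept = foreach ($line in Get-Content $LdifPath) {
        if ($line -match $pattern)            { $dropping = $true; continue }
        if ($dropping -and $line -match '^ ') { continue }
        $dropping = $false
        $line
    }
    Set-Content -Path $LdifPath -Value $kept -Encoding Unicode
    "Exported $AdBaseDn to $LdifPath (rewritten under $AdamBaseDn). Review it, then commit it."
}

if ($Import) {
    # Binds as the Windows account running the script; it must hold the
    # Administrators role on the ADAM partition. -k ignores "object already
    # exists" so the same file can be re-applied to an existing instance.
    & ldifde.exe -i -f $LdifPath -s $AdamHost -t $AdamPort -u -k
    if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }
    "Imported $LdifPath into ${AdamHost}:$AdamPort under $AdamBaseDn"
}
```

Run it with -Export once from any machine that can reach the DC, commit the .ldf, and run -Import on each developer's laptop; ADAM installs its own ldifde.exe under %windir%\ADAM if the AD tools are not present. Two caveats a practitioner would want: -k only skips entries that already exist, it does not revert attributes someone changed, so a true reset means deleting the test OU subtree (or recreating the partition) before importing; and ldifde never exports unicodePwd, so test accounts need their passwords set in ADAM afterwards. As Al says earlier in the thread, the source OU should hold synthetic data only, so that what ends up on the laptop cannot conflict with the data-handling policy.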


