Re: Servers dependent on Active Directory



"IainM" <IainM@xxxxxxxxxxxxxxxxx> wrote in message
news:D5FDA317-FD88-4D06-A5C3-A3DA7AF32E3D@xxxxxxxxxxxxxxxx
> You're right about controlling delegation within AD, but I inherited the AD
> infrastructure, so I'm kind of stuck with the problem.

I've been watching the thread. I don't see anything wrong with the way your
system is built. It is just like it should be as far as I can see.

> An example of a dependency I found was our Internet proxy authentication
> appliance has the IP address of a DC hard coded to do LDAP lookups. The DC
> went down, so LDAP lookups failed and nobody could access the internet via
> the proxy.

Well, it would be statically set,..not hardcoded. But the method is sound.
That is the way they work and it is the way they are supposed to work. It
would be good if the setting could allow 2 LDAP servers to be entered so if
it could not contact the first it would try the second. But it is common for
products to only have one entry.

You will just have to assume that any device or product that authenticates
users but is not a Microsoft Product capable of being a Domain Member (like
ISA Server) is going to require the use of LDAP. Some big examples of this
are Wireless Access Points (RADIUS or LDAP),..proxy servers (LDAP),...and
SPAM filtering appliances (LDAP).

> This is the kind of dependency on AD I want to find out about. I wondered if
> LDAP or DNS lookups were logged somewhere so I would know what devices were
> accessing them for whatever reason.
> Are there any utilities that monitor requests for various services?

Sorry, I don't know of any simple tool that does what you ask. You could
use Netmonitor or Ethereal (or similar) and set the filter to only show LDAP
packets and let it run for a while then see what it showed,..but to me that
would be mind-numbing and you still might not figure it all out from that.

In the end you are just going to have to get more familiar with the system
that you inherited. That is just going to take time. I say this in a
generic sense, but "previous admins" are often "bashed" and "beaten up" by
those who come after them and usually wrongly and needlessly. Don't assume
that anything they did must be wrong if you don't understand why they did
it,...they may have had very good reasons for doing things the way they did
and you just don't understand what those reasons were just yet.


--
Phillip Windell
www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
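An added example, not from the thread, of the sorting that a capture filtered to LDAP packets (as Phillip suggests) would still need afterwards: a Python script that reads flow records (source, destination, destination port, in the shape a `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=,` export would give) and lists the clients whose LDAP traffic all goes to a single DC. The DC addresses and the sample records are constructed assumptions.

```python
"""Inventory which clients send LDAP traffic to which domain controllers."""
from collections import defaultdict

# Ports that carry LDAP to a DC: plain/StartTLS, LDAPS, Global Catalog, GC over TLS
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed sample: one "src_ip,dst_ip,dst_port" record per captured packet.
SAMPLE_FLOWS = """\
10.0.5.20,10.0.1.10,389
10.0.5.20,10.0.1.10,389
10.0.5.21,10.0.1.10,636
10.0.5.21,10.0.1.11,636
10.0.5.30,10.0.1.10,3268
10.0.5.40,10.0.1.10,80
10.0.5.50,10.0.1.11,389
"""


def parse_flows(text):
    """Yield (src, dst, port) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            yield parts[0], parts[1], int(parts[2])
        except ValueError:
            continue


def ldap_dependencies(text, domain_controllers):
    """Map each client to the set of DCs it reached over an LDAP port."""
    deps = defaultdict(set)
    for src, dst, port in parse_flows(text):
        if port in LDAP_PORTS and dst in domain_controllers:
            deps[src].add(dst)
    return dict(deps)


def single_dc_clients(deps):
    """Clients whose LDAP traffic went to only one DC: that DC's outage breaks them."""
    return {client: next(iter(dcs)) for client, dcs in deps.items() if len(dcs) == 1}


if __name__ == "__main__":
    dcs = {"10.0.1.10", "10.0.1.11"}  # assumed DC addresses
    for client, dc in sorted(single_dc_clients(ldap_dependencies(SAMPLE_FLOWS, dcs)).items()):
        print(f"{client} depends solely on {dc}")
```

Clients that appear on a DC's LDAP ports but never on the other DC's are the ones to check for a single statically set server, as with the proxy appliance in the thread.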