Re: Servers dependent on Active Directory
I'm happy with the infrastructure too. What has happened is no surprise to
me; I wanted to document it.

I thought it would be a case of allowing time to get to know the systems,
but I thought I would find out if there were any ways to speed things up.

Thanks for all your advice.

Iain

"Phillip Windell" wrote:

"IainM" <IainM@xxxxxxxxxxxxxxxxx> wrote in message
news:D5FDA317-FD88-4D06-A5C3-A3DA7AF32E3D@xxxxxxxxxxxxxxxx
You're right about controlling delegation within AD, but I inherited the AD
infrastructure, so I'm kind of stuck with the problem.

I've been watching the thread. I don't see anything wrong with the way your
system is built. It is just like it should be as far as I can see.

An example of a dependency I found was our Internet proxy authentication
appliance has the IP address of a DC hard coded to do LDAP lookups. The DC
went down, so LDAP lookups failed and nobody could access the internet via
the proxy.

Well, it would be statically set,..not hardcoded. But the method is sound.
That is the way they work and it is the way they are supposed to work. It
would be good if the setting could allow 2 LDAP servers to be entered so if
it could not contact the first it would try the second. But it is common for
products to only have one entry.

You will just have to assume that any device or product that authenticates
users but is not a Microsoft Product capable of being a Domain Member (like
ISA Server) is going to require the use of LDAP. Some big examples of this
are Wireless Access Points (RADIUS or LDAP),..proxy servers (LDAP),...and
SPAM filtering appliances (LDAP).

This is the kind of dependency on AD I want to find out about. I wondered if
LDAP or DNS lookups were logged somewhere so I would know what devices were
accessing them for whatever reason.
Are there any utilities that monitor requests for various services?

Sorry, I don't know of any simple tool that does what you ask. You could
use Netmonitor or Ethereal (or similar) and set the filter to only show LDAP
packets and let it run for a while then see what it showed,..but to me that
would be mind-numbing and you still might not figure it all out from that.

In the end you are just going to have to get more familiar with the system
that you inherited. That is just going to take time. I say this in a
generic sense, but "previous admins" are often "bashed" and "beaten up" by
those who come after them and usually wrongly and needlessly. Don't assume
that anything they did must be wrong if you don't understand why they did
it,...they may have had very good reasons for doing things the way they did
and you just don't understand what those reasons were just yet.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
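
Phillip's suggestion of capturing LDAP traffic and seeing what shows up is
less mind-numbing if the capture is reduced to a table instead of read packet
by packet. The script below is an added example, not code from either poster.
It assumes a tshark field export of traffic to the LDAP and Global Catalog
ports (the tshark command and the field order are assumptions of this
example), builds a client-to-DC map from it, and flags clients that only ever
talk to a single DC, which is exactly the proxy-appliance failure mode Iain
described. The DC and client addresses in the embedded sample are constructed
for the example; the script does not cover DNS dependencies.

```python
"""Turn an LDAP packet-capture summary into a client -> DC dependency map.

Added example, not from the original thread. It assumes a text export in the
shape that tshark produces for a filter on the LDAP/Global Catalog ports:

    tshark -r dcs.pcap -Y "tcp.dstport in {389 636 3268 3269}" \
        -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport

The tab-separated field order above is an assumption of this script.
"""
from collections import defaultdict

# TCP ports a DC serves LDAP on; 3268/3269 are the Global Catalog ports.
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

# Constructed sample capture. 10.0.0.10 and 10.0.0.11 stand in for two DCs;
# 10.0.5.20 behaves like the proxy appliance in the thread (one DC only).
SAMPLE = (
    "1700000000.1\t10.0.5.20\t10.0.0.10\t389\n"
    "1700000001.2\t10.0.5.20\t10.0.0.10\t389\n"
    "1700000002.3\t10.0.7.4\t10.0.0.10\t636\n"
    "1700000003.4\t10.0.7.4\t10.0.0.11\t636\n"
    "1700000004.5\t10.0.9.9\t10.0.0.11\t3268\n"
    "1700000005.6\t10.0.5.20\t10.0.0.10\t389\n"
    "1700000006.7\t10.0.2.2\t10.0.0.10\t80\n"   # not LDAP, must be ignored
)


def parse_flows(text):
    """Return (epoch, client, dc, port) tuples for LDAP-port traffic only."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue                      # malformed or empty line
        epoch, src, dst, port = parts
        try:
            port = int(port)
            epoch = float(epoch)
        except ValueError:
            continue                      # non-numeric field, skip the line
        if port not in LDAP_PORTS:
            continue                      # other traffic to the DC (e.g. HTTP)
        flows.append((epoch, src, dst, port))
    return flows


def dependencies(flows):
    """Map client -> dc -> service name -> request count."""
    deps = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for _, client, dc, port in flows:
        deps[client][dc][LDAP_PORTS[port]] += 1
    # Freeze into plain dicts so callers get predictable objects.
    return {c: {d: dict(s) for d, s in dcs.items()} for c, dcs in deps.items()}


def single_dc_clients(deps):
    """Clients that only ever queried one DC: the single-point-of-failure list."""
    return sorted(c for c, dcs in deps.items() if len(dcs) == 1)


def clients_of(deps, dc):
    """Every client that will be affected if the given DC goes down."""
    return sorted(c for c, dcs in deps.items() if dc in dcs)


def report(deps):
    """Human-readable summary of the dependency map."""
    lines = []
    for client in sorted(deps):
        for dc, services in sorted(deps[client].items()):
            svc = ", ".join(f"{k}={v}" for k, v in sorted(services.items()))
            lines.append(f"{client} -> {dc} ({svc})")
    lines.append("single-DC clients: " + ", ".join(single_dc_clients(deps)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(dependencies(parse_flows(SAMPLE))))
```

Run it against a real export by replacing SAMPLE with the file contents; the
single-DC list is the set of devices whose LDAP server setting should be
checked for a second entry, or whose traffic should be pointed at a load-
balanced or DNS-round-robin name rather than one DC's address. Capture on a
DC-side span port or on each DC itself for a period that covers at least one
full business cycle, otherwise infrequent clients will be missed.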
