BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for the ‘Active Directory’ Category

AD Admin Center

Posted by BPuhl on August 29, 2009

Anyone else started to play with the new Active Directory Administrative Center in the Windows 7 RSAT tools yet?  Here are my first impressions:

  • Much easier to deal with multiple domains, especially when you’re looking to get to the FOO OU that’s buried 3 deep into each of 8 domains
  • How can I make it load faster?
  • I’ve been trained for so long, to type DSA.MSC to get to ADUC, that it never occurred to me that D, S, and A are a roll of the left hand fingers across the keyboard.  Now it’s DSAC.MSC, and I’m constantly entertained at how my fingers just refuse to get in that last “C”
  • Very annoyed that it’s actually NOT dsac.msc like I just said, but instead it’s DSAC.EXE – seriously? EXE? More training.

Still need to play with it some more to figure it out, but I’m working on a project now where I need to deal with a bunch of OUs across multiple domains, so the ability to add starting nodes was uber-helpful – 2 thumbs up!

Posted in Active Directory | Leave a Comment »

Adventures of Exchange 2010 and AdminSDHolder

Posted by BPuhl on August 29, 2009

For those of you who haven’t heard by now, there have been many threads over the past few days around the setup of Exchange 2010, and how one of the things it does is modify the AdminSDHolder ACL, and the associated security implications.

As far as I can tell, this was kicked off by this blog post, which gives a good description of what’s going on and what the fuss is about:  http://dloder.blogspot.com/2009/08/exchange-2010-rc1-and-adminsdholder.html

It didn’t take long for threads to spawn on the public forums, such as http://www.activedir.org/ListArchives/tabid/55/Default.aspx as well as several internal distribution lists.

While I won’t claim that inside Microsoft the left hand always knows what the right hand is doing, we are very security conscious, and in general the product groups do go out of their way to try to do things “right”.

In the meantime, whom does this affect?  Well, technically Exchange 2010 is only supported for production by a small number of TAP partners.  Of course, MSIT is on that list, so you might be wondering – what do we think about it?

While it’s not an official “policy”, in general, when it comes to managing Microsoft’s internal directory, we’ve got a fairly basic principle: 

                   If you create it, it’s yours, if you don’t – leave it alone.

In this case, AdminSDHolder isn’t something that Exchange created or even ‘owns’; it’s a base AD function.  Because we also know that, by policy, none of the accounts which are impacted by AdminSDHolder are mailbox enabled (and thus within the scope of Exchange), we went through and removed the ACEs from AdminSDHolder.  Does this mean that Exchange RBAC won’t be able to touch those objects?  Yup, but that’s by design of our security model.  We require separate (in our case, smartcard required) administrator accounts for all elevated permission users, and those accounts aren’t allowed to have mailboxes.

I won’t claim to know what’s going to happen in the future with Exchange 2010, but this is how we’re approaching it internally (and why).
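An added example (not from the post, and not Exchange or MSIT tooling) of how to check this from the AD side: the script lists the explicit ACEs on AdminSDHolder, flags any held by principals whose name contains “Exchange” (an assumed naming pattern; adjust it for your environment), and then looks for adminCount=1 accounts that are mailbox-enabled, which the policy above says there should be none of. It assumes the Active Directory PowerShell module from RSAT on a domain-joined machine.

```powershell
# Added example: audit AdminSDHolder for explicit ACEs and confirm that
# protected (adminCount=1) accounts are not mailbox-enabled.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. Every explicit (non-inherited) ACE on AdminSDHolder. SDProp copies this
#    ACL onto protected objects, so anything beyond the defaults matters.
$acl = Get-Acl -Path "AD:\$holderDN"
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }
$explicit |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# 2. Flag ACEs granted to Exchange principals. The 'Exchange' name match is an
#    assumption about group naming, not a fixed rule.
$suspect = $explicit | Where-Object { $_.IdentityReference -match 'Exchange' }
if ($suspect) {
    Write-Warning "AdminSDHolder carries $(@($suspect).Count) ACE(s) for Exchange principals:"
    $suspect | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
}

# 3. Policy check from the post: protected accounts must not have mailboxes.
#    adminCount=1 marks objects SDProp has stamped; msExchMailboxGuid is set
#    on mailbox-enabled users (if the Exchange schema is absent, this finds nothing).
$violations = Get-ADUser -LDAPFilter '(&(adminCount=1)(msExchMailboxGuid=*))' `
    -Properties adminCount, mail |
    Select-Object SamAccountName, DistinguishedName, mail

if ($violations) {
    Write-Warning "Protected accounts that are mailbox-enabled (policy violation):"
    $violations | Format-Table -AutoSize
} else {
    Write-Output "No mailbox-enabled protected accounts found."
}
```

Removing an ACE from AdminSDHolder, as the post describes, is a separate decision; this script only reports what is there.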

Posted in Active Directory, Random Technical Stuff | Leave a Comment »

Congratulations!

Posted by BPuhl on June 9, 2009

Congratulations to all of the MSIT and Product Group members who got us this far (and let’s not forget the users!)

[Image: red_dfl]

Posted in Active Directory, Random Technical Stuff | 4 Comments »

SYSVOL Replication Migration Guide: FRS to DFS Replication

Posted by BPuhl on May 1, 2009

Web pages on Microsoft TechNet: http://go.microsoft.com/fwlink/?LinkId=139749

A Microsoft Word (.doc) document on the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=150375

Posted in Active Directory, Random Technical Stuff | Leave a Comment »

AD in the Perimeter Network

Posted by BPuhl on April 27, 2009

A new whitepaper has been published providing the guidance you need to deploy Active Directory, and specifically RODCs, in a “Perimeter Network” (the network segment formerly known as the DMZ).

I know that a lot of folks have come to me asking for help/guidance on putting RODCs into the DMZ rather than putting full DCs there or having a separate forest.  This should provide the information you need to keep things safe, secure, and most of all…functional.

Some of the topics include:
  • Security considerations and configurations for RODCs in the DMZ
  • Network configurations for RODCs
  • Application compatibility with RODCs in the DMZ
  • Step by step instructions and a sample script to help perform domain join using RODCs

http://technet.microsoft.com/en-us/library/dd728034.aspx

Brandon pointed out to me that the doc is nice, but that a downloadable version would be much nicer.  We fired off a quick mail, and there will be a downloadable version of the document in the Download Center in the near future.

Posted in Active Directory, Identity and Access, Random Technical Stuff | Leave a Comment »

Happy Birthday Redmond.Corp.Microsoft.Com

Posted by BPuhl on April 9, 2009

10 years ago, Microsoft’s largest internal domain was upgraded to Windows 2000, becoming the first production Active Directory, and it’s still going strong…

Dn: DC=redmond,DC=corp,DC=microsoft,DC=com
   whenCreated: 4/9/1999 7:49:12 PM Pacific Daylight Time;

Posted in Active Directory, Random Technical Stuff | 9 Comments »

TEC 2009 Wook Lee Memorial Challenge

Posted by BPuhl on April 9, 2009

At The Experts Conference in Las Vegas this year, Stuart threw out the challenge to the DS MVPs to come up with their list of changes they would like to see in Active Directory, but put to the tune of an Elvis song.  After a midnight (mildly inebriated) recording session, and some fancy editing by the Quest Software production staff, here’s the result!

Posted in Active Directory, Identity and Access, Random Technical Stuff, Randomness | Leave a Comment »

EASI IDs (part 1)

Posted by BPuhl on March 26, 2009

When you log into a website that you use for personal stuff, for example with your Google or Windows Live ID, or even better, when you log into Facebook or Myspace, what do you use for a user name?

Intuitively I’ve known this for a while, but I have recently been having a ton of discussions about EASI logins, or Email As Sign In.  This makes sense: when you register at a website, they ask you for your email address, and that’s what your “user name” becomes.  Simple, easy to remember.

There are, of course, a couple of flavors to this.  In the case of Facebook, for example, you must “verify” your email address.  When you sign up, they send you an email, you click on the link in it (proving that you have access to the email address), and then you get in.  Of course, not all services require verification, and for those, you can enter any email address you like.  Just ask Robert Schuler if he thinks verification is necessary when creating an online identity!

I just got back from TEC 2009, an excellent conference that I have the privilege of speaking at, where I always get into great conversations with a ton of incredibly smart folks.  Since I’ve been on this “EASI/Online/Enterprise Identity Convergence” kick lately, and since I was surrounded by a bunch of identity management professionals, I asked whether anyone had experienced issues with using their work email address for EASI logins to personal websites.  In general, the answers were either ‘no, because I’ve worked at the same company for years and consider my work email my “primary” address’ – or – ‘Yeah, and it was the biggest PITA and I hope to never have to do that again’.

The one answer that surprised me, though, was from one person who said that she’d worked at a company before where they had hired a new person, and they had actually provisioned this person a new account 3 weeks before he was scheduled to start, just so he’d have that new email address and could migrate all of his online service accounts to it.  I’m honestly not entirely certain how this was a good idea, but alas, we are all IT folks and have to do what we’re told.  Kind of crazy, though.

More to come on EASI IDs, and some of the quirks we’re seeing as more and more enterprise services are moved to the cloud.

Posted in ADFS, Active Directory, Digital Identity, Identity and Access, Random Technical Stuff | Leave a Comment »

AD T-Shirt Idea

Posted by BPuhl on March 26, 2009

A couple of months ago, I was talking with one of our MIIS/ILM engineers about all of the thrash that we go through to support Exchange in our multi-forest environment.  This quickly degenerated into some of the ridiculous things that we’ve seen various “domainPreps” and “forestPreps” do over the years, when he came out with a quote that I thought was just too good not to have on a T-Shirt.

[Images: T-shirt front and back]

Posted in Active Directory, Random Technical Stuff, Randomness | 8 Comments »

AD Powershell Blog

Posted by BPuhl on February 26, 2009

There’s a new blog in town…

http://blogs.msdn.com/adpowershell/

Posted in Active Directory, Random Technical Stuff | Leave a Comment »