Full Disclosure mailing list archives
RE: [inbox] Re: Anti-MS drivel
From: "joe" <mvp () joeware net>
Date: Sun, 18 Jan 2004 18:20:54 -0500
I would be curious what exactly you and your customers are doing with your Active Directory implementations. I have been running a 250k user global multiple domain AD environment consisting of 9 domains across some 400 domain controllers for 3 years come April without the issues you seem to imply are commonplace for you. Not one restore from backup ever. Our AD has the crap beat out of it daily and supports Win9x-WinXP/2K3 as well as UNIX/LINUX Kerberos Clients, OS/2, UNIX/LINUX LDAP Clients, Linux, Samba on every known flavor of UNIX/LINUX and even Digital Equipment Systems, PeopleSoft, etc. We process tens if not hundreds of millions of authentications a day across the world. Probably a good 60-70k security groups and several hundred thousand computer objects. I don't know the size of implementations you have been playing with, but I would certainly consider my environment Enterprise Level. Any database corruption we have ever gotten has been due to complete disk subsystem failures, and the directory stops replicating to protect itself. We fix the disk subsystem failure, reload the machine, repromote, and it is up and happy again. We don't really need the reload most of the time probably, but once I blow a disk system I don't trust the machine until it has been scrubbed and reloaded. Obviously if it is a simple RAID disk blown out we don't even think twice about that, just throw in another disk and keep going on our merry way. Is it perfect? No. Have I had problems? Absolutely. I probably have hit more real non-self-generated issues than a vast majority of the people who have or ever will use it simply due to the size and the distributed nature of what I run, and probably have at least 30+ KBs generated based on what I have found, and I don't know how many hot fixes and code flow changes are due to my experiences and riding MS for the changes. There is certainly room for improvement and there always will be.
W2K AD was a good first swipe, W2K3 AD is better, I expect the next rev to be better yet. That is how it works. The biggest problem to the masses with AD is that it isn't the quick plug-and-play environment that the NT4 domain structure was. MS got everyone so trained into the idea that some brain-dead individual could take a couple of simple tests, call themselves an MCSE, and be a big bad network admin that it turned around and bit companies firing up AD as they found out MCSE didn't mean someone knew what the hell they were talking about. Unfortunately for just about all of the Windows Admins/Consultants out there, one actually has to understand AD a little. Knowing NT4 Domains or Windows 2000 Servers doesn't make anyone an Active Directory Admin or consultant, though some will still claim it is so. Most Windows admins and consultants don't have that knowledge and shouldn't be playing with it in production environments without an adult present. Getting it to run on a home PC isn't practical experience. As for a poor revisit, I have a Banyan friend who used to go off on NDS just like you are going off on AD. I have people at work who complain about leaving various X.500 implementations running on Big Iron. I guess what I am saying is that any system will run like shit if misconfigured. Just like any system will be insecure if misconfigured. You want to beat on a MS product that absolutely deserves to be beat on, beat on Exchange 2000/2003. Now there is a product that defies any logic and configuration skills and truly isn't how an Enterprise class product should work.

joe

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Curt Purdy
Sent: Sunday, January 18, 2004 4:06 PM
To: 'yossarian'; '[Full Disclosure]'
Subject: RE: [inbox] Re: [Full-disclosure] Anti-MS drivel

And a poor revisit at that.
I have had ADS crash and burn at two customers in the last year (unfortunately no backup domain controllers - no, we did not set them up). Check out MS's knowledge base article on repairing ADS. It is like a 50 page article that basically ends with "Re-install and restore from tape and synch with other controllers". I have NEVER seen that happen with DNS in all the years I've worked with Netware. Also have seen ADS get all confused more than once in multiple domain sites, requiring either finding the server with the least corruption and making it authoritative, or restoring from a known good backup. No way to run an enterprise. Again, whenever a problem has shown up in NDS, a simple DSREPAIR has always fixed everything, without fail.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html