August 2007 - Posts
About time for a somewhat technical post:
In a newsgroup we recently discussed whether it is considered best practice to deploy many single-domain forests as opposed to a single multi-domain forest. The main argument for this was that in the early Windows 2000 days, somebody said that the domain is the security boundary. After it turned out that you can elevate yourself as a domain admin of a trusted domain within the same forest, this statement was revised to say that the only security boundary is the forest, not the domain.
Since this attack is not that likely, I prefer to state it differently:
- The forest is the security boundary against malicious attacks (the attack is being done on purpose)
- The domain is the security boundary against (domain) administrative mistakes
So for many things the domain might be enough of a security boundary. If you don't trust admins of a different domain enough that you think they might perform an attack (= elevate their rights in an area where they don't belong) on purpose, either fire them, fire them, don't give them administrative rights, fire them or put them into a separate forest.
Resource forests (yeah - back to the NT days) are sometimes a good idea too, especially if separate companies want to share resources; however, keep in mind that they are a bit harder to manage, and how well they work depends on the application's integration. You are also better off using a solution like Microsoft Identity Integration Server (or the Identity Integration Feature Pack), which is now part of Identity Lifecycle Manager, to synchronize accounts into the resource forest; however, make sure to protect those accounts well enough, and that the admins of the resource forest are trusted by all parties. MIIS/IIFP allows you to sync the passwords of the users in question (using a password filter on all DCs to notify MIIS, which then changes the passwords in the connected directories) to allow better integration via single sign-on / single credentials [1]. Don't forget to design processes for changes in the resource forest that are signed off by all participating companies.
OK - back to the subject: don't blindly follow recommendations to deploy only single-domain forests, or to put everything into the same forest - think about whether it's really necessary and valuable to deploy multiple forests/domains. At one point there was a recommendation: if you are designing your Active Directory and think you need to add another domain, rethink that decision. Not true in all scenarios, but do think about your design.
One reason for multiple domains has been different password policies - and as I posted before, this reason is vanishing in Windows Server 2008.
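To see how the two boundaries above map onto an actual directory, here is an added example (not part of the original post) that lists the domains of the current forest and classifies each trust by whether it stays inside the forest (so only the domain boundary separates the two sides) or crosses into another forest or realm. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, which Windows PowerShell loads by default, so no extra module is needed; it runs in the caller's security context and assumes read access to the forest. The function name Get-BoundaryReport is chosen here and is not anything Microsoft ships.

```powershell
# Added example, not from the original post: map the "forest vs. domain" boundary
# model onto the trusts visible from the current forest.
function Get-BoundaryReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Trust types that never leave the forest: they only separate domains,
    # i.e. the "administrative mistakes" boundary from the post.
    $intraForestTypes = @('ParentChild', 'TreeRoot', 'CrossLink')

    Write-Host ("Forest {0}: {1} domain(s)" -f $forest.Name, $forest.Domains.Count)

    $report = @()
    foreach ($domain in $forest.Domains) {
        # Per-domain enumeration also returns the intra-forest trusts, which
        # Forest.GetAllTrustRelationships() would leave out.
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            $typeName = $trust.TrustType.ToString()
            if ($intraForestTypes -contains $typeName) {
                $boundary = 'domain only (same forest)'
            } else {
                # External, Forest and Kerberos realm trusts cross the forest boundary.
                $boundary = 'forest (other forest or realm)'
            }
            $report += New-Object PSObject -Property @{
                Source    = $trust.SourceName
                Target    = $trust.TargetName
                TrustType = $typeName
                Direction = $trust.TrustDirection.ToString()
                Boundary  = $boundary
            }
        }
    }
    $report
}

# Usage: cross-forest rows are the ones whose admins every participating
# party has to trust, e.g. in the resource forest scenario above.
Get-BoundaryReport | Sort-Object Boundary, Source |
    Format-Table Source, Target, TrustType, Direction, Boundary -AutoSize
```

Intra-forest trusts show up twice (once from each domain's point of view); that is expected, since each domain reports its own side of the relationship.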
There are multiple opinions on this, so don't hold back on feedback / your thoughts.
P.S.: I do respect statements like the one recommending multiple single-domain forests - they are a bit extreme, but they deliver the message. For example, a friend of mine was at one of the top security sessions at TechEd US (where they showed an attack that is unlikely in the real world), and afterwards in the bathroom he heard attendees who had just phoned their companies to instruct them to patch their servers. So even though the attack was not very likely to happen in a real company, it delivered the message to keep your systems secure.
[1] Single Sign-On: The user logs in once to his workstation and gets access to other resources automatically without re-authenticating.
Single Credentials: I made this term up a couple of years ago - I think more valuable in the beginning are single credentials (combinations of username/password). Users in enterprises are sick of multiple accounts, because they have to remember different usernames and/or passwords, which leads to weak passwords. If you are able to synchronize the user's password more easily than providing him with single sign-on, this is still valuable, since users don't have to remember multiple passwords. I wouldn't mind entering the same password to access multiple applications, but I do mind remembering different credentials.
DEC-Europe is approaching, and since I have been communicating heavily the past days about this conference, I decided to sum up my favorite reasons why this is the conference to be at:
- It's dedicated to Microsoft Directory Services
- Attendees and speakers are usually in the same hotel, which encourages a lot of after-hour chats
- This is a conference of very high value for the Microsoft Identity and Access Management product group, therefore a lot of key players from the PG are there, and they hear your feedback.
- The content is very technical - I'm very sure that everyone who attends gets new knowledge, ideas, ... I think I know a lot about Active Directory and DS in general, but every time I'm at DEC I'm boosting my knowledge.
- It's all about community. Even though it's hosted by NetPro, it's not about the company. They don't want product pitches outside of the clearly marked sponsor sessions, they don't talk much about their own products, and they welcome everyone - even competing companies. It's all and only about the Directory Services communities.
- Microsoft Most Valuable Professionals and other industry notables are there and collaborate, answer questions, and just hang around.
I just booked my flights, and I'm very excited to be part of this great conference again. So I hope to see everyone in Brussels in a month.
P.S.: I'll be presenting the following sessions - and Gil, Guido, Jorge and I will also do a daily session about Windows Server 2008 scenarios.
A Directory Services Geek's View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you'll be able to design and implement role-based administration in your infrastructure.
A Directory Services Geek's View on How to (not) update your Schema
Are you:
- supposed to integrate some third-party schema extensions into your forest?
- asked to design your own schema extension?
- trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when an extension is "smooth" and when it is dangerous), and provide guidance on creating administrative interfaces for additional/new attributes. We will also announce how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage of schema extensions you have ever seen.
Nicki Wruck, the organizer of the "International Communities for Europe (ICE)" conference, wrote in his blog about our meeting a couple of weeks ago at the SysAdmin Appreciation Day (an event organized by Microsoft TechNet Germany):
Freely translated from http://blog.ice-lingen.de/VielZuSpaumltHellipOderDochNicht.aspx
"There was another highlight: Mr. Directory himself had the pleasure to meet me: Ulf B. Simon-Weidner was there and we instantly found interesting topics to chat about. The most important was: he'll be speaking at ice:2007, which I'm very proud of. Now I've got, with Nils Kaczenski, Frank Röder and Ulf B. Simon-Weidner, the greatest German-speaking AD specialists as speakers at the ice conference."
Thanks for the fish, Nicki - it was a pleasure to meet you and I'm looking forward to speaking at your conference!
My Session at ICE: Active Directory Domain Services and DNS in Windows Server 2008
Recently there was a lot of activity on the conference front.
I already wrote about the Directory Experts Conference 2007 in Europe.
Two weeks ago there was the "Sysadmin Appreciation Day" - Microsoft TechNet celebrated the admins with a party, and I was invited to join. There I met the organizer of the community conference "Intelligent Communities for Europe (ICE)" and was asked to present there. I'm looking forward to it - I have heard a lot about this conference but haven't been there yet.
Then Netpro announced the "Directory Experts Conference 2008" in Chicago. I'm proud to be asked back as speaker.
There might be more conferences, but since I haven't been officially confirmed yet I'll keep this for a later post. But if you follow my blog you will be able to find the page where some of my sessions are already listed.
Hi there,
I'm still way behind in blogging, however I want to keep the timeline and therefore it's time to write about TechEd US in Orlando this year.
I love those conferences. But I guess that's - at least to the few folks reading my blog - "public" knowledge.
I was scheduled at TechEd US again as Ask-the-Expert (or Technical Learning Guide, or whatever they call it now). Basically I was staffing the Windows Server 2008 - Active Directory Domain Services product booth.
I arrived on Friday evening in Orlando and had dinner with some friends. On Saturday during the day I had to go shopping (a life full of stress doesn't help with packing luggage; I actually worked the whole night before taking off but forgot some of my clothes). In the evening we had a party with fellow MCTs - I enjoyed a great surf & turf at a nice restaurant.
On Sunday I had to go to registration and get an intro to the product booth area. I met some friends and we chatted about some technical issues while finishing some setups on Server Core.
The conference started officially on Monday. At the Windows Server Information Desk they were giving out a book for free - "Introducing Windows Server 2008" by Mitch Tulloch, published by MS-Press. Mitch had asked me shortly before finishing the book if I could provide some "side notes" (the concept of the book is to provide side notes "from the experts", and many Microsoft employees from the product groups contributed here), so I contributed two side notes: one about the new DCPromo wizard and one about Granular Password Settings. This was the first time I had seen the book printed, so it was very exciting for me. In the evening the Lead Program Manager of the Active Directory product group (whom I knew before) asked me whether I would like to present the demos in his session "Active Directory Domain Services in Windows Server 2008" on Tuesday and Wednesday. So we spent part of the evening preparing the demos at the last minute and had some food with some other members of the product group afterwards.
Tuesday and Wednesday I was (again) working the whole time at the product booth, "sneaking out" only for our session. I enjoyed the session - and we apparently did pretty well on preparing the demos - one of the attendees even provided feedback that they looked too canned. Funny, with only some minutes of preparation, so I take it as a compliment when they are professional enough to appear canned. A recording of the second session is available at Virtual TechEd (and got a rating of 4.5 out of 5 stars).
Also funny: people started to queue through half of the largest convention hall just to pick up a free copy of the book.
Thursday I was working again (IIRC I took off for one session and then went back to the booth), and on Friday I was officially off duty but was still hanging out there.
Over the whole week we had a lot of interest in Windows Server 2008 Active Directory Domain Services. We explained many features to customers. We also had a lot of customers coming in with real-world issues, design questions, discussions, ..., everything you can imagine. A couple of very interesting scenarios. We also had great suggestions, which we were either able to demonstrate right away or took back as feedback. I also mailed some suggestions straight back to Redmond to developers or program managers I happened to know, so the feedback was heard.
Friday evening many of the MCTs went to see the shuttle launch, but I was way too tired. Instead I went with one of the program managers and a developer for relaxed drinks and dinner, and as you can imagine we had a nice evening chatting a lot about suggestions for the next version of the Directory Services technologies (we covered Certs, Security, Active Directory Domain Services (AD) and Lightweight Domain Services (ADAM), ADFS, ILM and RMS, so the full palette of AD technologies). If they took all that feedback back to Redmond, people there are swearing about me now and are busy until 2015.
Every day was interesting and busy, every night we had some more interesting discussions in more private groups (or parties), and one thing is for sure - after getting back I needed sleep desperately.
"Sleep? Nah! It's TechEd Season"