RE: Network diversity Software diversity

[Roeland Meyer <rmeyer () mhsc com>]

Okay, how do you do security, in Win2K, without a domain controller? 
How do you do a Win2K domain without active directory?
How do you install active directory without DNS SRV updates(it won't let
you)?
Which are the ONLY two DNS packages that can do SRV updates correctly (and
one of them is doubtful)?


> -----Original Message-----
> From: Eric Germann [mailto:ekgermann () cctec com]
> Sent: Thursday, January 25, 2001 6:00 PM
> To: Roeland Meyer
> Cc: 'nanog () merit edu'
> Subject: RE: Network diversity Software diversity
>
>
> Uhh, I highly doubt they have a requirement to run DDNS on 
> the front ends.  If all you're doing is serving up html pages 
> without user authentication, Win2K is perfectly happy with 
> its own internal account database.  DDNS is a pre-req for AD, 
> but AD is not a requirment.  In fact, I would probably strip 
> it off to save resources if all I was doing was pumping out 
> pages.  Furthermore, why would you run DDNS to map names to 
> IP addresses for devices that should stay on static 
> addresses?  DDNS is used in Win2K for resource location, such 
> as AD and the various role servers.  None of those have any 
> use outside on the Internet 
>
> (assuming of course they don't let you map a drive to their 
> web servers, which by the way you used to be able to do to 
> their FTP server many eons ago.  I remember the fun of 
> copying their FTP site with XCOPY from a mapped drive to a 
> local drive with a 56K line [probably on both ends at the 
> time] in between).
>
> Reaching further back, I also remember NFS mounting the WUSTL 
> archive to our brand new RS/6K in the comp sci department.  
> Really drove home the idea of mounting NFS hard and the 
> transparency of the link when the tape filled up using our 
> 56K campus line over a weekend.  Really pissed off the sys 
> admin also. :)  Then again, thats when you had to be at least 
> 18 to get on the Internet ...
>
> Eric
>
>
> At 09:30 AM 1/25/01 -0800, Roeland Meyer wrote:
>
> > > From: woods () weird com [mailto:woods () weird com]
> > > Sent: Wednesday, January 24, 2001 9:47 PM
> > >
> > > [ On , January 24, 2001 at 17:19:29 (-0800), Sean Donelan wrote: ]
> > > > Subject: Network diversity Software diversity
> > > >
> > > > Using FreeBSD and BIND on *ALL* your name servers may be just as
> > > > bad a practice as using Windows 2000 and Microsoft DNS on *ALL*
> > > > your name servers.  I still think NSI is taking a tremendous risk
> > > > using identical servers for all their GTLD-servers, even though
> > > > they are geographically distributed.
> > >
> > > Yeah, I was going to mention that, but I thought I'd already been
> > > preaching too much to the converted!  :-)
> >
> > Unless another name server, besides BIND8p7, can do SRV 
> updates properly, I
> > don't think it is possible to build that heterogenous 
> software environment,
> > when Win2K Active Directory is involved. In fact, even BIND8 
> has problems.
> > It's only possible, with WinNT4, because WinNT4 doesn't have 
> [very] many
> > silly requirements and can live with a standard name server.
> >
> > > > You might try using UltraDNS on half your critical 
> nameservers and
> > > > BIND on the other half.  And even using Solaris on some of the
> > > > boxes and AIX or Linux, or NetBSD on the others. This is 
> not because
> > > > I think one or the other has a fatal flaw, but because 
> software is
> > > > a hard beast to manage.  The idea behind diversity isn't you will
> > > > never have an error.  But the errors are unlikely to strike both
> > > > servers at the same time.
> > >
> > > Therein lies the rub -- adding extra complexity to your 
> systems also
> > > makes them more difficult to manage, prone to error, and subject to
> > > interoperational problems.
> > >
> > > Diversity of all forms definitely has its advantages, but 
> it has its
> > > costs too.  The trick is to find a fair balance.  :-)
> >
> > In this case, at this time, that is not possible under 
> Win2K. It's the MSFT
> > way or the highway ... However, if you think about it, this 
> will definitely
> > delay MANY Win2K Data Center migrations.
>
>
> ==============================================================
> ============
>   Eric Germann                                        Inacom 
> Info Systems
>   egermann () inacomlima com                             Lima, OH 45801
>                                                       Ph:  
> 419 331 9050
>   ICQ:  41927048                                      Fax: 
> 603 825 5893
>
> "It is so easy to miss pretty trivial solutions to problems deemed
> complicated.  The goal of a scientist is to find an 
> interesting problem,
> and live off it for a while.  The goal of an engineer is to evade
> interesting problems :)"  -- Vadim Antonov <avg () kotovnik com> on NANOG