Active Directory setup... need critiques... [Archive] - Glock Talk


sushi600
05-19-2005, 09:55
Posted this on another board to look for comments :)

I guess I have a weird "scenario." Work for a 25 member financial company. The company itself has two "arms", a research side and a financial trading side. Mgmt is requesting that IT wise, some chinese walls now have to be established between the analysts and the traders (they never really communicated before regardless). However, I have the following issue: 7 users are on the research side, 5 users are on the trading side, and kicker is that the remaining 13 are support staff that have to do stuff with both arms. Now, when I say "separate", basically each side will have its own Exchange e-mail server (which will be logged, and put on WORM for compliance purposes). I guess the problem is that for the support people, only one exchange box can be open at once...

Trying to plan out an active directory structure. Logistically, the more separate the two companies are, the better, but cost is a major issue as well. In addition, the support staff have to be able to access both companies effortlessly.

This is what I was planning -- please respond with any comments/critiques, suggestions, or better ideas:

one main domain for logins, that is company neutral. a separate domain with email server for one arm, and the same for the other arm. The main domain will have trust relationships set with both arms, so that people logging in can access the email server.

Originally, was thinking of having two totally separate domains for both arms, but the problem is the people that are mutual to both parts... so that's why I decided to use a neutral login domain for all users (for a total of 3 domains).

Is this a dumb idea?

fastvfr
05-19-2005, 20:41
Not as dumb as the original LAN layout...

It would be simpler to assign permissions to the group members individually and keep the single mailserver, though there are indeed a few valid reasons for using separate mailservers.

Seriously, though, you could just have a multi-tiered user system where each user is given permission only for those servers that they need, whether that be all or just one.

Sounds like your boss has got a 'Chinese Wall' in da brain to me.

grantglock
05-20-2005, 11:33
K.I.S.S.

sushi600
05-20-2005, 14:48
Originally posted by fastvfr
Not as dumb as the original LAN layout...

It would be simpler to assign permissions to the group members individually and keep the single mailserver, though there are indeed a few valid reasons for using separate mailservers.

Seriously, though, you could just have a multi-tiered user system where each user is given permission only for those servers that they need, whether that be all or just one.

Sounds like your boss has got a 'Chinese Wall' in da brain to me.

:) They are very worried about appearances... the more it looks like you're doing, the less scrutiny there is by a regulatory body; even though a company may not be doing anything wrong, a simple inquiry would result in tons of money in legal fees...

Current AD setup is set up pretty much the way you mentioned, multi-tiered. But the fact that everything is in one forest (including e-mail servers for both arms) makes them worry we would be giving the wrong impression...

fastvfr
05-20-2005, 21:21
They are very worried about appearances...

Then give their stupid azzes some appearances!!

Tell 'em that EACH INDIVIDUAL is HARD-CODED with their OWN SET OF PERMISSIONS and that there is NO WAY that they can access unnecessary files or servers WITHOUT ADMIN CHANGING THEIR PERMISSIONS.

Not only does that sound good to the beancounters, it works well, too.

And if they are determined to waste money, don't host the various directories and domains on the same server.

Build separate $3000 servers for each 'arm' and then give each 'arm' their own POP server--on individual machines!

Hey, it'll break down more, but that means more overtime, right?! If that's what the customer wants, that is what the customer gets. And think of all the extra hours you'll spend backing up that heap each night/week! Hah!!

Gotta love stupid, ignorant people. So if they insist, tell 'em they're right (they ARE the Customers, after all) and feel free to spend up their extra dough.

Sounds like you might be screwed from the getgo, though, if they will monitor the system build and raise Hell if the system is too cheap or is too expensive.

They are ignorant bean-counters, so you know that the project will fall squarely into one or the other category, leaving your *** hanging out.

Lots of luck, fella. Better you than me.

NetNinja
05-22-2005, 19:19
Two Exchange servers?

Have you priced out a 25 user license?
Have you priced out servers?

FastVFR is correct.

If you want to give yourself an IT administrator headache this is going to be it.

Someone needs to give a class on Security and Permissions. I guess that is going to be you.

Nothing is cheap in the MS world.

sushi600
05-23-2005, 12:05
Yeah, I know :) This project has gotten out of hand... and I appreciate the "fervor" in everyone's replies ;) ;) ;) I'm not so sure I'm wording things the right way either, as I'm still trying to figure out the requirements for compliance with the SEC/etc.

All the problems stem from the fact that there are two arms... basically, what the legal eagles are telling us is that assuming one "arm" burned to the ground, the other arm should not be affected, since they are almost separate entities. What I had up and running in the past is not considered passing muster because there is too much co-mingling of appliances, etc.

I can't really fault mgmt too much on this though, as most of their worries come from the scare tactics of the lawyers (since regulation of small firms like us is fairly new, they have no precedence to go by, and are taking an extremo-paranoid safer than sorry approach).

The bright side is, I finally get sent out for some much needed training.

proguncali
05-24-2005, 11:00
Aside from the fact that you can do one domain and it will be the best solution....

If you think about the forest in AD it goes top down so...

Create the first domain named "company".local(parent) add exchange server. Now all people will get email at my company.com or whatever....

Create second domain "company".finance.local and create users
Create third domain "company".traders.local and create users

uhhhgh....the more I think about it, the more I realize it would take more than this post would allow....or that I have time for...


Just do one domain. If you really need to separate them you can get a layer three switch and only allow divisions to get to specific subnets.

You can get a 48 port Cisco switch for about $3400.

Much simpler and way cheaper!

ngray
05-24-2005, 11:13
Consider:

Try to avoid maintaining separate servers for each group. It'd be a shame to reflect the separation physically if you can achieve separation via permissions.

Separate NAS devices are a bit cheaper than servers for file/print. You could even use separate drive letters or DFS to project the separation.

As far as exchange goes, consider 3rd-party rules:
http://www.mapistore.com/

or the Exchange SDK for scripting:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchanchor/htms/msexchsvr_e2k3_sdk.asp

as alternatives to log/delete/warn/redirect messages between users of each forest. Remember, email will have to go between separate email servers anyway if you set up different groups.

The other thing you might do is remove the 'everyone' and 'domain users' groups permissions from EVERYTHING, and instead set up 'Research', 'Trading', and 'Backoffice' groups so that nothing gets accidentally permissioned across groups.

berniew
06-11-2005, 11:41
What do they mean by 'burned to the ground' a disaster recovery requirement or...?

Seriously make sure they spell out all of the requirements, and it might not hurt to get an outside bid (even if they don't intend to go that way) just to show them how expensive it would be...


Originally posted by sushi600
Yeah, I know :) This project has gotten out of hand... and I appreciate the "fervor" in everyone's replies ;) ;) ;) I'm not so sure I'm wording things the right way either, as I'm still trying to figure out the requirements for compliance with the SEC/etc.

All the problems stem from the fact that there are two arms... basically, what the legal eagles are telling us is that assuming one "arm" burned to the ground, the other arm should not be affected, since they are almost separate entities. What I had up and running in the past is not considered passing muster because there is too much co-mingling of appliances, etc.

I can't really fault mgmt too much on this though, as most of their worries come from the scare tactics of the lawyers (since regulation of small firms like us is fairly new, they have no precedence to go by, and are taking an extremo-paranoid safer than sorry approach).

The bright side is, I finally get sent out for some much needed training.

Roland-G23
06-11-2005, 22:10
Use OUs and GPOs, and use NTFS/share permissions to lock everything else down.

Focus on perimeter security.

Wish I had the budget your scenario requires, I could fully implement VOIP, and upgrade all the systems in my company, and buy all kinds of stuff I'll never need, but it looks good populating a 42U rack. :)
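The group-based lockdown that ngray and Roland-G23 both describe (strip 'Everyone' and 'Domain Users' from everything, grant access only through 'Research', 'Trading' and 'Backoffice' groups, then lock the rest down with NTFS permissions) can be scripted and, more importantly, audited. The block below is an added example written for this thread, not code from any of the posters. It assumes a domain with NetBIOS name CORP, a group container OU=Groups,DC=corp,DC=local, a share root at D:\Shares, and the RSAT ActiveDirectory module on the box running it; all of those are placeholders.

```powershell
# Added example: per-arm file shares with group-only NTFS ACLs, plus an audit
# that flags any ACE letting a broad principal (or the other arm) back in.
# Assumed values: domain CORP, OU=Groups,DC=corp,DC=local, root D:\Shares.
Import-Module ActiveDirectory

$Domain   = 'CORP'                          # assumed NetBIOS domain name
$GroupOU  = 'OU=Groups,DC=corp,DC=local'    # assumed container for the groups
$DataRoot = 'D:\Shares'                     # assumed share root

# One global security group per arm, plus one for the shared support staff.
foreach ($g in 'Research', 'Trading', 'Backoffice') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

function Set-ArmFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OwnerGroup,     # Research or Trading
        [string]$SupportGroup = 'Backoffice'           # staff who work with both arms
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # Break inheritance and discard inherited ACEs, so a permissive entry on the
    # root (typically Everyone or Users) cannot flow down into the arm's share.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit ACE for the broad built-in principals.
    foreach ($broad in 'Everyone', "$Domain\Domain Users", 'BUILTIN\Users') {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$broad)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$OwnerGroup",    'Modify',      $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$SupportGroup",  'Modify',      $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $prop, 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: list every folder under the root that still grants access to a broad
# principal, or that grants the *other* arm's group access to this arm's tree.
function Find-CrossArmAccess {
    param([string]$Root = $DataRoot)
    $broad = @('Everyone', "$Domain\Domain Users", 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
        $folder = $_.FullName
        $otherArm = if ($folder -like "$Root\Research*") { 'Trading' }
                    elseif ($folder -like "$Root\Trading*") { 'Research' }
                    else { $null }
        (Get-Acl -Path $folder).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($broad -contains $_.IdentityReference.Value -or
             ($otherArm -and $_.IdentityReference.Value -eq "$Domain\$otherArm"))
        } | ForEach-Object {
            [pscustomobject]@{ Folder = $folder; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
    }
}

Set-ArmFolderAcl -Path "$DataRoot\Research" -OwnerGroup 'Research'
Set-ArmFolderAcl -Path "$DataRoot\Trading"  -OwnerGroup 'Trading'
# An empty result here is the evidence the bean-counters can be shown.
Find-CrossArmAccess | Format-Table -AutoSize
```

Run it from an elevated session on the file server; the share-level permissions still need to be set separately (share ACLs and NTFS ACLs are evaluated independently, and the more restrictive wins). Re-running Find-CrossArmAccess on a schedule is what turns ngray's "nothing gets accidentally permissioned across groups" from a one-time setup into something you can demonstrate to an auditor.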

unixguy
06-11-2005, 22:50
Given the legal dept. requiring that the two sides must be completely independent of each other, I don't think you have any way of doing it "on the cheap". There certainly may be a way to set up to be most efficient, but I think that at the least you're going to have to have individual email and file/print servers for each arm. (Based on the "if either group burns to the ground" statement. Whether that means that that arm is sold as a business unit, or is housed in a different building, or whatever-- that's a pretty strong requirement.)

If they want to work with you to develop a requirements document that also tries to minimize cost, then you might be able to push back and get a more reasonable requirement.

It's also worth noting that Microsoft is not the only game in town when it comes to identity/security management. You may want to talk to someone about Novell eDirectory.

Roland-- I disagree on the "Focus on perimeter security" advice. Although it's important, defense in depth is hugely critical. It sounds to me like the legal dept. is concerned about regulatory risks, so the changes they're asking for might be required in order to even stay in the game (of business). If the company is publicly owned/traded, then they've got some major requirements to record all kinds of things (communications): email, instant messaging, etc. I believe that email and IM are only required to be recorded for the traders, which would suggest that it might be cheaper to split the traders into their own servers.

BTW, Roland-- you're in my neck of the woods!

sushi600
06-12-2005, 10:57
Thanks for the responses all.

unixguy/berniew: a requirements doc/outside quote will no longer be necessary... seems that our application has been processed and completed by the SEC, so now the deadline is "last week" ;) Never thought it would be done with that fast.

So, basically going with the foolproof (hopefully) plan of going multiforest. The problem is that I only have enough hardware/software for one forest with a DC/Exchange server combined and one forest with a DC + DC/Exchange server.

Again, thanks for all your responses.