Eisen
-
Posts
4 -
Joined
-
Last visited
Posts posted by Eisen
-
-
So I work in an enterprise environment with around 800 users. These users are members of domain.com and they all access the web through the smoothwall webproxy.
The smoothwall pulls its authentication via usual LDAP from the Active Directory domain.com tree and within this tree I have security groups in place that the smoothwall proxy recognises and assigns a level of internet access to each group. So web access is assigned depending on what security group a user is a member off and it all works great.
Great. Smashing. Super.
Until of course you bring another domain into the mix. Now the whole company network architecture is getting an overhall and with this was the removal of NDS. Over the last few week I’ve been rebuilding AD and the best way to do this is to add another child domain and use this as the clean slate. For security reasons this is how it should be anyway. We’ll call this cake.domain.com.
The smoothwall webproxy can only pull information from one LDAP context, in our case domain.com. I can specify a second ADC however this is for redundancy only. Nightmare.
I’ve tried changing the domain.com security group to a universal group and then adding a new global group from cake.domain.com to the primary domain. However as the proxy will pull its user list using a normal ldapsearch it will pull everything back in plain text and will not look to see what members are in the cake.domain.com group.
So what’s the way to get this working? In the short run add each user from cake.domain.com to the webaccess security group in domain.com. Now will that become a pain when I start to migrate users across in batches? Hell yeah.
In the long run, get another webproxy for the second domain. Pain in the arse to do as I can guarantee when I for clearance to get one for one my IT Director will just say ISA repeatedly till I leave the room.
Sigh..
-
Hi,
I'm the only admin here and I need some advice please!
I have two sites on our WAN and both sites currently have a DHCP server issuing clients addresses at their respective sites. DHCP and DNS are running on Windows Server 2003.
I need to decommission the Windows Server at one site and then configure the router using ip-helper to route DHCP requests over the WAN to the other DHCP server.
I understand the concept but I have a question regarding the DHCP scope of the server now issuing addresses for both sites.....
So at the moment it only has one scope for it's local clients.... But do I need to define an additional scope on this server with the same network addresses as the local ones or must they be in the original scope of the other LAN?
So....
LAN 1
DHCP scope : 10.240.240.0/24
LAN2
DHCP scope: 10.216.114.0/23
becomes...
LAN 1
DHCP scope : 10.240.240.0/24
DHCP scope: 10.216.114.0/23
LAN2
ip-helper
or
LAN 1
DHCP scope : 10.240.240.0/24
LAN2
ip-helper
Does this makes sense? I hope I'm explaining this right.
Please help!!!
Carbo
Well yeah you could do this aye. But it certainly wouldn't be best practice. I wouldn't want my dhcp going across my wide area network. Case example: When happens if your service provider has some outage on your WAN link?
So unless the machines at site B have been left on overnight and still have there dhcp lease assigned to them they are not going to get an ip and whatever other configuration information from dhcp.. i.e. That sites now unable to work at all.
In an ideal situation you want one dhcp server at each LAN on your internetwork. In your case you'll want a dhcp forwarder set up. Type that into the great techno god that is google and you shall have your answer.
-
Hey Hey, thought I would finally get around to posting. So hello to you all, long time watcher of Hak5 and glad to see you guys on season 6 now.
I wish you all the best for the coming season and for the future ones to come. I'm going to post a few of my projects on the site in time and most likely some questions and hopefully answer a few IT questions from some of the users.
So Good Job. Keep those episodes coming.
Favourite game: Counterstrike:Source
Favourite OS: Fedora 11 with ext3 / Windows 7
Favourite console: Amega CD32 - Still works!
Nationality: Scottish
Accent: Scottish
Sex: Male
Age:25
Race: Caucasian
Height: 5' 11"
Status: With Girlfriend
Build: Normal..
Favourite band: 2 many DJ's
Favourite book: A song of Ice and Fire
Favourite director: Harold Ramis
Favourite TV Show: The Wire
Favourite Comedian: Billy Connolly
Other hobbies: Partying, IT, socilising, IT, Drinking.. etc..
Occupation: IT System Administrator
Episode 6x03
in Hak5
Posted
Well I thought it was ok and the reason for this being – your having to churn them out very fast and it will certainly have a detrimental effect on the depth of the content. If I had a week to churn something out, hell it would have about 5% of the content you had on this episode.
A segment I was not so hot on was the kindle. Don’t get me wrong I thought it was a well constructed and informative segment but… here’s the kicker….I don’t have one, and I’ll bet a significant portion of your audience doesn’t either. In turn that whole segment would have been appreciated by a niche group of Amazon shoppers and not a whole lot else.
Matt, If your going through with this whole infrastructure build from the ground up, you will need more than 10 minutes an episode. I’m in the situation that I’m doing this in my work just now in a not so dissimilar environment than yours. How you’re going to get through all the material required on what can only be described as a mammoth technical segment is beyond me. However much respect for going for it, it will certainly keep the community tuned in!
I don’t want to sound overtly negative, simply constructive. Darren you love linux, why not a segment on setting up vhosts on apache or showing how to get to the hidden redhat cli on vmware esxi?