Re: Active Directory Questions
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/13/05
- Next message: David Thielen: "Security hole? - domain vs local user."
- Previous message: Joe Richards [MVP]: "Re: Active Directory Questions"
- In reply to: Joe Richards [MVP]: "Re: Active Directory Questions"
Date: Wed, 12 Jan 2005 21:22:08 -0600
Regarding the encryption question, you will need certificates.
The obvious choice is MS's own CA and deployment stuff which I know
absolutely nothing about. However, Outlook is pretty open to using whatever
certificates you have, so you can also choose whatever CA and deployment
process you want.
The crypto newsgroup seems to be a great place to ask MS CA questions.
I've recently done a fairly big (100K user) certificate deployment using a
third party vendor CA and some "interesting" deployment technology that has
worked surprisingly well.
One of the cool things (to me) about certificates is that once you have
them, you can do other cool stuff besides email such as HTTPS
authentication, custom crypto on the workstation, etc.
Joe K.
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:%230TL5gQ%23EHA.3892@TK2MSFTNGP10.phx.gbl...
> 1. Nope. Look at something like GPMC on the MS site.
>
> 2. Yes. That is the Windows Time Service. Just make sure that the machines
> that could be root domain PDCs are syncing with a trusted source and then
> make sure the rest of the machines aren't hard coded to sync with anything
> and then they will use the forest infrastructure. You can check to see
> what a client/server will use with the command net time /querysntp. You
> can clear it with the setsntp command.
>
> 3. Yes, no replication traffic is "in the clear". If it is across AD Sites it
> will also be compressed. The method to check is the method you always use
> to check, you sniff the wire and look at the traffic.
>
> 4. I am unsure on this one. I use PGP for encryption which doesn't use the
> Windows encryption stuff but does plug into Outlook.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> jh_in_texas wrote:
>> I have a few AD questions I would appreciate some assistance with
>> (including where in the Microsoft documentation I could locate these - I
>> can't find them):
>>
>> 1) When a group policy object is deployed in AD, is there any kind of
>> version control built into AD that would allow a rollback? If not, how
>> do most people handle this?
>>
>> 2) Does AD itself synch the system clocks among its member client and
>> server machines? If not, how do most people do this?
>>
>> 3) Is encryption of network traffic among domain controllers (synching
>> traffic) encrypted by AD by default? We have DCs on both sides of our
>> firewall that talk to each other. How can I confirm this is happening?
>>
>> 4) If I want to encrypt my email attachments before sending them, can I
>> do this with Outlook? If so, do I have to set up a PKI structure to
>> support this? If not, how would it work with PKI?
>>
>> Thank you very much for answering as many of these as you can !!
>>
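
Added example, not part of the original thread or written by its participants: a PowerShell check for the time-sync advice in the quoted answer 2, flagging machines that are hard coded to a time source instead of following the forest hierarchy. It reads the W32Time `Type` and `NtpServer` registry values; the function names, the `-IsRootPdc` switch and the sample host names are assumptions made for illustration.

```powershell
# Added example. Registry paths and Type values are the W32Time service
# settings; function names and sample hosts below are constructed.
function Test-TimeConfig {
    param(
        [string]$Type,        # W32Time "Type": NT5DS, NTP, AllSync or NoSync
        [string]$NtpServer,   # manual peer list, used when Type is NTP/AllSync
        [switch]$IsRootPdc    # assumption: caller knows this box may hold the root-domain PDC role
    )
    if ($IsRootPdc) {
        # Root-domain PDC candidates are the only machines that should name a source.
        if ($Type -in 'NTP', 'AllSync' -and $NtpServer) {
            return "OK: root PDC syncs with $NtpServer"
        }
        return "REVIEW: root PDC has no explicit trusted source (Type=$Type)"
    }
    switch ($Type) {
        'NT5DS'  { "OK: follows the domain hierarchy" }
        'NoSync' { "REVIEW: time sync disabled" }
        default  { "REVIEW: hard coded to '$NtpServer' (Type=$Type)" }
    }
}

function Get-LocalTimeConfig {
    # Group Policy settings take precedence over the service's own parameters.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters',
             'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $v.Type) {
            return @{ Type = $v.Type; NtpServer = [string]$v.NtpServer }
        }
    }
    throw "W32Time parameters not found"
}

# Constructed samples covering the cases the reply describes.
Test-TimeConfig -Type NTP -NtpServer 'ntp.example.net,0x8' -IsRootPdc
Test-TimeConfig -Type NT5DS
Test-TimeConfig -Type NTP -NtpServer 'oldbox.example.net,0x1'

# On a live machine: read the effective settings and classify them.
$cfg = Get-LocalTimeConfig
Test-TimeConfig @cfg
```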