
DNS NOTIMP response


Mike

Mar 20, 2009, 6:01:23 PM
With my new 2003 DNS Server setup (well, new to me <g>), I have been
analyzing the DNS.LOG to check for correct setup, issues.

I saw one request/response that is NOTIMP result.

It appears it came from the DNS server itself.

Any clue about this?

Ace Fekay [Microsoft Certified Trainer]

Mar 20, 2009, 6:11:01 PM
In news:%23ehOpda...@TK2MSFTNGP04.phx.gbl,
Mike <unk...@unknown.tv>, posted the following:

I'm not familiar with the NOTIMP error. Is that error based on a local
language? Can you post any eventid errors (event ID #s please), and/or what
utility did you run that you got that message?

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Mike

Mar 20, 2009, 7:32:55 PM
Ace Fekay [Microsoft Certified Trainer] wrote:
> In news:%23ehOpda...@TK2MSFTNGP04.phx.gbl,
> Mike <unk...@unknown.tv>, posted the following:
>> With my new 2003 DNS Server setup (well, new to me <g>), I have been
>> analyzing the DNS.LOG to check for correct setup, issues.
>>
>> I saw one request/response that is NOTIMP result.
>>
>> It appears it came from the DNS server itself.
>>
>> Any clue about this?
>
> I'm not familiar with the NOTIMP error. Is that error based on a local
> language? Can you post any eventid errors (event ID #s please), and/or
> what utility did you run that you got that message?

I am seeing in the DNS.LOG produced by the DNS server:

20090320 13:33:48 F00 PACKET UDP Snd 208.XXX.XXX.XXX 0df7 R U [04a8 NOTIMP] (10)xxxxxxxxxx(3)com(0)

In the above example entry, that appears to be a response to my own
service IP 208.xxx.xxx.xxx. So I am scratching my head on that one.
But I am also seeing a few others from another ip:

20090320 13:44:35 F00 PACKET UDP Snd 124.124.54.15 0b10 R U [04a8 NOTIMP] (9)xxxxxxxx(3)com(0)

Let me enable the "[X] Details" option I see the actual QUERY details.

Googling suggests it is "NOT IMPLEMENTED" and appears to be related to
NOTIFY queries, which are not enabled in my setup. I also saw a note
that it may be related to IPv6 queries.

--

Mike

Mar 20, 2009, 7:37:58 PM
Ace Fekay [Microsoft Certified Trainer] wrote:
> In news:%23ehOpda...@TK2MSFTNGP04.phx.gbl,
> Mike <unk...@unknown.tv>, posted the following:
>> With my new 2003 DNS Server setup (well, new to me <g>), I have been
>> analyzing the DNS.LOG to check for correct setup, issues.
>>
>> I saw one request/response that is NOTIMP result.
>>
>> It appears it came from the DNS server itself.
>>
>> Any clue about this?
>
> I'm not familiar with the NOTIMP error. Is that error based on a local
> language? Can you post any eventid errors (event ID #s please), and/or
> what utility did you run that you got that message?
>
> Thank you,
>

http://technet.microsoft.com/en-us/library/dd197470.aspx

has the summary of the response codes.

0x4 (NOTIMP) DNS server does not support the specified
Operation code.

Now to see why it is happening... :-) Probably harmless, but I see it
coming from the same local IP.

--

Mike

Mar 20, 2009, 7:51:32 PM
Ace Fekay [Microsoft Certified Trainer] wrote:
> In news:%23ehOpda...@TK2MSFTNGP04.phx.gbl,
> Mike <unk...@unknown.tv>, posted the following:
>> With my new 2003 DNS Server setup (well, new to me <g>), I have been
>> analyzing the DNS.LOG to check for correct setup, issues.
>>
>> I saw one request/response that is NOTIMP result.
>>
>> It appears it came from the DNS server itself.
>>
>> Any clue about this?
>
> I'm not familiar with the NOTIMP error. Is that error based on a local
> language? Can you post any eventid errors (event ID #s please), and/or
> what utility did you run that you got that message?

The answer is described in RFC 1996 regarding zone changes.

3. NOTIFY Message

3.1. When a master has updated one or more RRs in which slave
servers may be interested, the master may send the changed RR's
name, class, type, and optionally, new RDATA(s), to each known
slave server using a best efforts protocol based on the NOTIFY
opcode.

...

3.12. If a NOTIFY request is received by a slave who does not
implement the NOTIFY opcode, it will respond with a NOTIMP
(unimplemented feature error) message. A master server who
receives such a NOTIMP should consider the NOTIFY transaction
complete for that slave.

But why it is happening is something to find out, which may be related
to what it says in 3.11:

3.11. The only defined NOTIFY event at this time is that the SOA RR
has changed. Upon completion of a NOTIFY transaction for
QTYPE=SOA, the slave should behave as though the zone given
in the QNAME had reached its REFRESH interval (see [RFC1035]),
i.e., it should query its masters for the SOA of the zone given
in the NOTIFY QNAME, and check the answer to see if the SOA
SERIAL has been incremented since the last time the zone was
fetched. If so, a zone transfer (either AXFR or IXFR) should
be initiated.

I say that because if there was one part that took the longest in
making sure it was correct when I copied the zone files over, was
deciding whether to keep the same name server for SOA. The original was:

ns.my-domain.com

where ns was the subdomain (.10) as set in my registrar. The new
machine with the new DNS server was .210, so A) should I create NS2 or
B) just change the ns subdomain from .10 to .210 and get everything
switched over.

Then I also had the DNS Name Server warning, plus I also see the DNS
server increasing the SERIAL without me making a change which is
making me a little paranoid but I had all dynamic updates off. But I
don't think that is an issue.

It could be that the NS subdomain change to .210 did not propagate
fully and this NOTIFY is related to it. It might just all go away
tomorrow. :-)

Anyway, just thinking out loud. I'm not a DNS ADMIN expert, just a
software programmer. :-)

--

Ace Fekay [Microsoft Certified Trainer]

Mar 20, 2009, 9:16:09 PM

"Mike" <unk...@unknown.tv> wrote in message
news:eI5lMbbq...@TK2MSFTNGP04.phx.gbl...

When I originally did a quick search for it, I saw the not supported
results, too, but also saw many other results not in English, so I thought
to ask first exactly what was going on when you saw it.

I guess at this time I can assume the zone is not AD integrated, and you are
hosting public records on this DNS server? If you saw the serial increase,
it may be something simple as changing the IP to .210, as you've stated,
which will trigger a notify. And yes, I would change the name until done.
You can change it back after completed.

I don't think this is much to worry about. Some say when you start digging
into things like this, especially during a transition as what you are doing,
you may be looking at an elephant through a microscope and things get a
little fuzzy. Get through the new server transfer/update and see what
happens after tomorrow before worrying about it any further.

Sounds good?

Ace

Mike

Mar 20, 2009, 9:23:28 PM
Ace,

The following is a good example of a "bad guy" attempting to
UPDATE/NOTIFY a sub-domain into our domain; the MS DNS server
rejected this attempt with a NOTIMP response.

The request:

20090320 19:44:52 F00 PACKET UDP Rcv 124.124.54.15 f3a2 U [0028 NOERROR] (9)mydomain(3)com(0)
UDP question info at 007FE460
Socket = 444
Remote addr 124.124.54.15, port 53098
Time Query=51164, Queued=0, Expire=0
Buf length = 0x0500 (1280)
Msg length = 0x0058 (88)
Message:
XID 0xf3a2
Flags 0x2800
QR 0 (QUESTION)
OPCODE 5 (UPDATE)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
ZCOUNT 1
PRECOUNT 1
UPCOUNT 2
ARCOUNT 0
ZONE SECTION:
Offset = 0x000c, RR count = 0
Name "(9)mydomain(3)com(0)"
ZTYPE SOA (6)
ZCLASS 1
PREREQUISITE SECTION:
Offset = 0x001f, RR count = 0
Name "(3)win(9)mydomain(3)com(0)"
TYPE CNAME (5)
CLASS 254
TTL 0
DLEN 0
DATA (none)
UPDATE SECTION:
Offset = 0x003c, RR count = 0
Name "[C01F](3)win(9)mydomain(3)com(0)"
TYPE A (1)
CLASS 255
TTL 0
DLEN 0
DATA (none)
Offset = 0x0048, RR count = 1
Name "[C01F](3)win(9)mydomain(3)com(0)"
TYPE A (1)
CLASS 1
TTL 1200
DLEN 4
DATA 172.16.2.254
ADDITIONAL SECTION:
empty

The response:

20090320 19:44:52 F00 PACKET UDP Snd 124.124.54.15 f3a2 R U [04a8 NOTIMP] (9)mydomain(3)com(0)
UDP response info at 007FE460
Socket = 444
Remote addr 124.124.54.15, port 53098
Time Query=51164, Queued=0, Expire=0
Buf length = 0x0500 (1280)
Msg length = 0x0058 (88)
Message:
XID 0xf3a2
Flags 0xa804
QR 1 (RESPONSE)
OPCODE 5 (UPDATE)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 4 (NOTIMP)
ZCOUNT 1
PRECOUNT 1
UPCOUNT 2
ARCOUNT 0
ZONE SECTION:
Offset = 0x000c, RR count = 0
Name "(9)mydomain(3)com(0)"
ZTYPE SOA (6)
ZCLASS 1
PREREQUISITE SECTION:
Offset = 0x001f, RR count = 0
Name "(3)win(9)mydomain(3)com(0)"
TYPE CNAME (5)
CLASS 254
TTL 0
DLEN 0
DATA (none)
UPDATE SECTION:
Offset = 0x003c, RR count = 0
Name "[C01F](3)win(9)mydomain(3)com(0)"
TYPE A (1)
CLASS 255
TTL 0
DLEN 0
DATA (none)
Offset = 0x0048, RR count = 1
Name "[C01F](3)win(9)mydomain(3)com(0)"
TYPE A (1)
CLASS 1
TTL 1200
DLEN 4
DATA 172.16.2.254
ADDITIONAL SECTION:
empty

In short, some BAD GUY was trying to add a WIN. sub-domain into the
mydomain.com zone. This would be a phish-like exploit to fool users
who know us as www.mydomain.com and mistakenly use win.mydomain.com

So this is good that it's not allowed (NOTIMP).

My server though is trying to update itself as well and I found out why.

In this case, the packet shows the DNS server was trying to add the
PTR (or A) record:

mach2.mydomain.com

which was the DNS Domain name that I defined under computer name with
the DNS suffix yesterday to get rid of the startup warning.

I am wondering if the solution is:

1) Since this MACH2 machine does not have netbios over tcp/ip, the
server is attempting to use DNS to resolve this DNS domain name via
the reverse ip zone, or

2) Like in the original mach1 domain server setup where it had
netbios over tcp/ip enabled, if in fact, I should enable it on this
mach2 machine as well.

What say you?

--


Mike

Mar 20, 2009, 9:36:53 PM

Yes, I agree. At worst, just some overhead. For me, once this work is
done, it's left alone for another 10 years or until the next emergency.
I made sure I have all the 2003 DNS server patches. :-)

But as originally noted, the main reason for the switch was the DoS
attacks on the old NT 4.0 DNS server. So at the moment, I have a
greater sense of security alertness. This time around, with a near
clone migration of the setup, duplicating the settings, I was paying
more attention looking thoroughly thru the logs to make sure all
things are understood and didn't go unexplained. That's the only way I
can have peace of mind - having a grasp of what's going on.

--

Ace Fekay [Microsoft Certified Trainer]

Mar 21, 2009, 2:19:46 AM
In news:%23C2okOc...@TK2MSFTNGP03.phx.gbl,

Mike <unk...@unknown.tv>, posted the following:

Me says that it's interesting how the attacker was trying to inject that. I
saw that as I scrolled slowly through the command log and the first thing I
thought was you had the zone WINS integrated, but then thought the record
would be "wins" and not "win." I just wonder now, since you brought this up,
whether an attacker can actually inject a false WINS request to update a
record under the 'wins' zone if the zone was truly WINS integrated? It would
of course require Kerberos authentication if the zone is AD integrated, but
in a standalone, such as an internet facing, public record holding DNS, that
would be a different story. Of course the patch last July made it a little
more difficult to 'predict' or plan a specific ephemeral port from being used
as a spoof for a fake response. Another good reason to update. What about
Win 2008? That will be supported with updates for a lot longer than Win
2003, if this machine will be hanging around for a decade.

As for the hostname, a DNS server will always self register to identify
itself in the zone under the nameservers tab. That is default behavior.
Matter of fact, that is one of the issues when a DC is multihomed that is
also running DNS. But this isn't a multihomed discussion. Well, since I
mentioned it, it is not recommended to multihome a DNS server anyway, because
of the multi records that get registered. Now if the internet public record
for this nameserver is called 'ns1' or whatever, why not just name it such?
When I was hosting public records in the early 2000's, I named my machines
based on the public name. Caused a little less confusion, as well as it
registering its own NS record. But that's up to you.

And yes, disable almost everything, including NetBIOS, F&P as well. Allow
only bare minimum.

There you go...

Ace

Mike

Mar 21, 2009, 10:24:34 PM
Ace Fekay [Microsoft Certified Trainer] wrote:
>> What say you?
>
> Me says that it's interesting how the attacker was trying to inject
> that.

Amazing. Since our last exchange with Details logging enabled in the
dns.log, there are a number of these bad guy attacks to add a subdomain:

attacker IP       sub-domain    sub-domain IP

124.124.54.15     win.          172.16.2.254
59.98.128.68      sendil.       192.168.1.117
66.140.201.225    gc._msdcs.    192.168.1.51
59.98.128.109     aks.          192.168.1.132

and they tried adding to a different zone, like attempts at ldap like this:

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my-domain.com

I am guessing this is an exploit to attack any residual setups out
there that have a "first time" zone example for AD first time installers?

> What about Win 2008?

If anything Ace, we have Windows 2008 and plans to get Windows 7, but
for now the plan is for development testing and customer support.
Whether they will be used for DNS and/or making the AD move, that's
hard to say (and justify) at the moment.

My products include various DNS client needs (like SMTP),
so development is on-going to add support for IPv6 and also new SRV-based
protocols.

> That will be supported with updates for a lot longer
> than Win 2003, if this machine will be hanging around for a decade.

True. I was just emphasizing the old proverbial saying

"Don't change if it's not broken."

:-) We really do have small internal DNS server needs and locking down
the security issue was the first priority.

If anything, now that I have a better DNS server installed with more
options, I am going to pencil in time to look at switching the DNS
server to a non-primary. Keep it totally internal with an outbound
only recursion allowance. I saw the option in 2003 DNS server to
disable recursive but I wasn't sure if that's for just external
internet queries.

So it currently remains only. It's not a big deal really because the
uplinks are caches so they are not going to go any further from there
anyway or rather, I'm sure my T1 ISP has that under control.

It was recommended to me by a friend to consider using OpenDNS as the
uplinks (forwarders), that it will do a great job at security and also
give you, blocking, analysis and reporting (when you create an account
to access the stats, otherwise signup is optional).

Sounds nice, but I don't wish to further perpetuate the loss of
privacy and the exposure of the accumulated DNS traffic thru our
system to theirs.

> And yes, disable almost everything, including NetBIOS, F&P as well.
> Allow only bare minimum.
>
> There you go...

Thanks Ace, and I should say, you are truly an ACE! :-)

---
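Mike's hand-built table above, and the UPDATE request / NOTIMP response dump in his earlier post (the same behaviour his RFC 1996 excerpt describes for the NOTIFY opcode), can be produced mechanically from the debug log. The parser below is an added example for this thread, not Microsoft code and not anything posted here. It assumes that the bracketed hex in each summary line is the RFC 1035 flags word with its two bytes swapped (the thread's own dumps show "[04a8 NOTIMP]" beside "Flags 0xa804" and "[0028 NOERROR]" beside "Flags 0x2800"), and that a dump block runs from one yyyymmdd-stamped header line to the next. The sample input is constructed from Mike's dumps: example.com and 192.0.2.10 stand in for the masked zone name and server address, the header lines are unwrapped onto single lines as they are in a real dns.log, and the Details section is abbreviated.

```python
# Added example for this thread (not Microsoft's code, not code anyone in the
# thread posted): parse Windows 2003 DNS debug-log (dns.log) packet dumps,
# decode the flags word and label-encoded names, and tabulate dynamic UPDATE
# attempts the way Mike did by hand.  Sample input is constructed from the
# thread's dumps, with example.com / 192.0.2.10 standing in for masked values.
import re

HEADER_RE = re.compile(
    r"^\d{8} \d\d:\d\d:\d\d \S+ PACKET (?:UDP|TCP) (?P<dir>Snd|Rcv) "
    r"(?P<remote>\S+)\s+(?P<xid>[0-9a-f]{4}) [^\[]*\[(?P<flags>[0-9a-f]{4}) \w+\]\s*(?P<qname>.*)$")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
OPCODE_UPDATE, RCODE_NOTIMP = 5, 4     # RFC 2136 opcode, RFC 1035 rcode

def decode_flags(bracket_hex):
    """RFC 1035 header word: QR | opcode(4) | AA TC RD RA | Z(3) | rcode(4).
    Assumption (from the thread's dumps, [04a8 NOTIMP] beside Flags 0xa804):
    the summary line prints the word with its two bytes swapped; swap them back."""
    word = int(bracket_hex[2:4] + bracket_hex[:2], 16)
    return {"qr": word >> 15 & 1, "opcode": word >> 11 & 0xF, "rcode": word & 0xF}

def decode_name(encoded):
    """'(3)win(7)example(3)com(0)' -> 'win.example.com'; a leading [C01F]
    compression pointer, as the Details dump prints it, is dropped."""
    text = re.sub(r"^\[[0-9A-Fa-f]{4}\]", "", encoded.strip().strip('"'))
    labels = []
    for length, label in LABEL_RE.findall(text):
        if len(label) != int(length):          # masked or mangled name
            raise ValueError(f"bad label length in {encoded!r}")
        if label:
            labels.append(label)
    return ".".join(labels)

def parse_log(text):
    """Yield one dict per packet (header line plus any Details lines after it)."""
    pkt = section = rec = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        s = raw.strip()
        if m:
            if pkt:
                yield pkt
            f = decode_flags(m["flags"])
            pkt = {"dir": m["dir"], "remote": m["remote"], "opcode": f["opcode"],
                   "rcode": f["rcode"], "qname": decode_name(m["qname"]), "updates": []}
            section = rec = None
        elif pkt is None or not s:
            continue
        elif s.endswith("SECTION:"):
            section, rec = s[:-len(" SECTION:")], None
        elif section == "UPDATE" and s.startswith("Name "):
            rec = {"name": decode_name(s[5:]), "type": "", "class": 0, "data": ""}
            pkt["updates"].append(rec)
        elif section == "UPDATE" and rec is not None:
            key, _, val = s.partition(" ")
            if key == "TYPE":
                rec["type"] = val.split()[0]      # "A (1)" -> "A"
            elif key == "CLASS":
                rec["class"] = int(val)
            elif key == "DATA":
                rec["data"] = val
    if pkt:
        yield pkt

def update_attempts(text):
    """Rows like the thread's table: (remote addr, name it tried to add, RDATA).
    RFC 2136: CLASS IN (1) in the Update section adds the RR; the CLASS ANY
    (255), TTL 0 entry before it is the 'delete any existing RRset' step."""
    return [(p["remote"], r["name"], r["data"])
            for p in parse_log(text)
            if p["dir"] == "Rcv" and p["opcode"] == OPCODE_UPDATE
            for r in p["updates"] if r["class"] == 1]

def notimp_by_remote(text):
    """How many NOTIMP responses the server sent to each address."""
    counts = {}
    for p in parse_log(text):
        if p["dir"] == "Snd" and p["rcode"] == RCODE_NOTIMP:
            counts[p["remote"]] = counts.get(p["remote"], 0) + 1
    return counts

# Constructed sample: one of Mike's summary lines, then an abbreviated copy of
# his Details request dump and the NOTIMP response to it.
SAMPLE_LOG = """\
20090320 13:33:48 F00 PACKET UDP Snd 192.0.2.10 0df7 R U [04a8 NOTIMP] (7)example(3)com(0)
20090320 19:44:52 F00 PACKET UDP Rcv 124.124.54.15 f3a2 U [0028 NOERROR] (7)example(3)com(0)
  Remote addr 124.124.54.15, port 53098
    ZONE SECTION:
    Name "(7)example(3)com(0)"
    UPDATE SECTION:
    Name "[C01F](3)win(7)example(3)com(0)"
    TYPE A (1)
    CLASS 255
    TTL 0
    DATA (none)
    Name "[C01F](3)win(7)example(3)com(0)"
    TYPE A (1)
    CLASS 1
    TTL 1200
    DATA 172.16.2.254
    ADDITIONAL SECTION:
    empty
20090320 19:44:52 F00 PACKET UDP Snd 124.124.54.15 f3a2 R U [04a8 NOTIMP] (7)example(3)com(0)
"""

if __name__ == "__main__":
    for row in update_attempts(SAMPLE_LOG):
        print("%-16s %-24s %s" % row)
```

Only the CLASS 1 entry of the UPDATE section is reported, because the CLASS 255, TTL 0 entry ahead of it is the RFC 2136 "delete any existing A RRset" step that standard dynamic-update clients send before the add. Counting NOTIMP responses per remote address separates the server's own single self-registration attempt from a remote host that keeps retrying, which is the distinction the thread works through by hand.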

Ace Fekay [Microsoft Certified Trainer]

Mar 22, 2009, 12:15:23 AM
In news:%237$CZVpqJ...@TK2MSFTNGP04.phx.gbl,

Mike <unk...@unknown.tv>, posted the following:
> Ace Fekay [Microsoft Certified Trainer] wrote:
>>> What say you?
>>
>> Me says that it's interesting how the attacker was trying to inject
>> that.
>
> Amazing. Since our last exchange with Details logging enabled in the
> dns.log, there are a number of these bad guy attacks to add a
> subdomain:
> attacker IP       sub-domain    sub-domain IP
>
> 124.124.54.15     win.          172.16.2.254
> 59.98.128.68      sendil.       192.168.1.117
> 66.140.201.225    gc._msdcs.    192.168.1.51
> 59.98.128.109     aks.          192.168.1.132
>
> and they tried adding to a different zone, like attempts at ldap like
> this:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my-domain.com


They don't give up. They're constant as the Northern Star. Wasn't that what
Kahn described himself as to Kirk? :-)


>
> I am guessing this is an exploit to attack any residual setups out
> there that have a "first time" zone example for AD first time
> installers?


Possibly, for unpatched servers fresh out of the box. They're found just as
yours was, port scanning for 53. They're just like the FTP scanning for open
FTP servers to push their warez, but the DNS guys are into their pride to
use newly found exploits against unprotected, non-patched DNS servers, and
not warez.


>
>> What about Win 2008?
>
> If anything Ace, we have Windows 2008 and plans to get Windows 7, but
> for now the plan is for development testing and customer support.
> Whether they will be used for DNS and/or making the AD move, that's
> hard to say (and justify) at the moment.

At least for an AD move to go with the latest. :-)


>
> My products include various DNS client needs (like SMTP),
> so development is on-going to add support for IPv6 and also new SRV-based
> protocols.

Well then, another reason for 2008. Hey, I'm not trying to sell it, just
pointing out the advantages if you and your focus is on the cutting edge, you
may as well go with the cutting edge products across the board. Why own a
300C SRT8, but fill it with regular? ( I guess you can tell I'm an SRT fan!)

>
>> That will be supported with updates for a lot longer
>> than Win 2003, if this machine will be hanging around for a decade.
>
> True. I was just emphasizing the old proverbial saying
>
> "Don't change if it's not broken."
>
> :-) We really do have small internal DNS server needs and locking down
> the security issue was the first priority.
>
> If anything, now that I have a better DNS server installed with more
> options, I am going to pencil in time to look at switching the DNS
> server to a non-primary. Keep it totally internal with an outbound
> only recursion allowance. I saw the option in 2003 DNS server to
> disable recursive but I wasn't sure if that's for just external
> internet queries.

The Disable recursion under the Advanced Tab (not the Forwarders tab)
forces the DNS to only respond to zones it hosts and will not 'recurse'
other queries, and simply drops them. As for any queries, after all,
whether internet or internal, it's a query. Concerning dynamic registration,
it will still accept registration requests, well that is as long as it is
set to allow updates.

>
> So it currently remains only. It's not a big deal really because the
> uplinks are caches so they are not going to go any further from there
> anyway or rather, I'm sure my T1 ISP has that under control.
>
> It was recommended to me by a friend to consider using OpenDNS as the
> uplinks (forwarders), that it will do a great job at security and also
> give you, blocking, analysis and reporting (when you create an account
> to access the stats, otherwise signup is optional).

A friend of mine uses OpenDNS for the same design. He loves it. There are
others out there, such as TreeWalk by Obi Won (MVP - haven't heard from him
in awhile). Me, I would probably use that, or simply leave a caching only
Microsoft DNS with the Roots removed, Disable Recursion under the Forwarders
tab, but forwards to my internal servers hosting public zones that has
Disable Recursion set under the Advanced Tab.

>
> Sounds nice, but I don't wish to further perpetuate the loss of
> privacy and the exposure of the accumulated DNS traffic thru our
> system to theirs.

I can quite understand being a good internet neighbor!

>
>> And yes, disable almost everything, including NetBIOS, F&P as well.
>> Allow only bare minimum.
>>
>> There you go...
>
> Thanks Ace, and I should say, you are truly an ACE! :-)
>
> ---

Nah, I just slept at a Holiday Inn last night! :-)

Ace


Mike

Mar 22, 2009, 2:13:57 AM
Ace Fekay [Microsoft Certified Trainer] wrote:

>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my-domain.com
>
> They don't give up. They're constant as the Northern Star. Wasn't that
> what Kahn described himself as to Kirk? :-)

Yup. The 1999/2000 infamous CodeRed exploit set in motion the idea
that anything is possible in a huge Microsoft world of sites and
persistent guarantee for legacy operations. Hackers do not follow the
ideas behind pragmatic conservative designs. Pareto's principle
probably best applies here. :-)

Said another way - Microsoft will never have 1 version of servers with
everyone using it at the same time.

>>
>>> What about Win 2008?
>>
>> If anything Ace, we have Windows 2008 and plans to get Windows 7, but
>> for now the plan is for development testing and customer support.
>> Whether they will be used for DNS and/or making the AD move, thats
>> hard to say (and justify) at the moment.
>
> At least for an AD move to go with the latest. :-)

For AD, I need a reason. What are the benefits? What is gained?

I should note that it was only recently (about 2 years ago) that
I learned AD was just Microsoft's version of LDAP. I did not know back
in 2000 when it was first introduced. Strategic marketing move to
hide the idea they have used Public Domain ideas. That didn't go too
well during those early days, not when you want corporations to make
that move to further lock them in.

In addition, the term "Active" Directory was probably not a bright
idea from a marketing standpoint. Given the fact ActiveX has a bad
reputation as a major security issue, it's not hard to see a marketing
confusion that Active Directory is a set of ActiveX components
(probably COM+ components) that will raise some eyebrows. They
should have called it:

WDAP - Windows Directory Access Protocol
WDAS - Windows Directory Access System

But then again, I wasn't at that meeting. :-)

>> My products include requirement various DNS client needs (like SMTP),
>> so development is on-going to add support IPV6 and also new SRV based
>> protocols.
>
> Well then, another reason for 2008. Hey, I'm not trying to sell it,

using a poor Gene Wilder metaphor, Oh please, do SELL, SELL, SELL! :-)

> just pointing out the advantages if you and your focus is on the cutting edge,
> you may as well go with the cutting edge products across the board. Why
> own a 300C SRT8, but fill it with regular? ( I guess you can tell I'm an
> SRT fan!)

Nice Car! You have one? <g>

You have a good point. I'm just a very conservative person. Hell, we
made a huge investment back in 98 to revamp 100% to NT 4.0 back office
network with a HUGE $20K+ Dell Power server that is still running. The
fact it has lasted this long has paid off huge. The sales and
developer workstations have current user based OSs. But overall,
there were other reasons for not upgrading the servers - first, as
stated, the urgency wasn't there and second, during this decade, there
was a growing pressure and questions if we wanted to further invest in
Microsoft solutions. So as much as the market and competitors were
causing headaches for MS, this also trickled down and reflected on
many of their long time customers as well. Where do you put your
revamp money into?

> Nah, I just slept at a Holiday Inn last night! :-)

At least you slept! <g>

Ace Fekay [Microsoft Certified Trainer]

Mar 22, 2009, 4:58:15 PM
In news:OwOikVrq...@TK2MSFTNGP02.phx.gbl,

Mike <unk...@unknown.tv>, posted the following:
> Ace Fekay [Microsoft Certified Trainer] wrote:
>
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my-domain.com
>>
>> They don't give up. They're constant as the Northern Star. Wasn't
>> that what Kahn described himself as to Kirk? :-)
>
> Yup. The 1999/2000 infamous CodeRed exploit set in motion the idea
> that anything is possible in a huge Microsoft world of sites and
> persistent guarantee for legacy operations. Hackers do not follow the
> ideas behind pragmatic conservative designs. Pareto's principle
> probably best applies here. :-)

Interesting observation - as for hackers and attackers there's nothing
pragmatic about them, although there is a loose sense of organization among
them, nothing solid. So we can say roughly 80% of the hits are coming from
20% of a base core of hacker (groups?).


> Said another way - Microsoft will never have 1 version of servers with
> everyone using it at the same time.

Good point there.


>>>> What about Win 2008?
>>>
>>> If anything Ace, we have Windows 2008 and plans to get Windows 7,
>>> but for now the plan is for development testing and customer
>>> support. Whether they will be used for DNS and/or making the AD
>>> move, thats hard to say (and justify) at the moment.
>>
>> At least for an AD move to go with the latest. :-)
>
> For AD, I need a reason. What are the benefits? What is gained?

Newer operating system? Longer term support? New security features
available?
Or do you mean setting up a new AD infrastructure? If so, more of a
centralized directory service core. If not needed, or not using it now and
don't think you will, then you can probably safely go on as you're going. I
don't know if you are planning for Exchange anytime soon, but that requires
AD for its directory database.


> I should note that it was only recently (about 2 years ago) that
> I learned AD was just Microsoft's version of LDAP. I did not know back
> in 2000 when it was first introduced. Strategic marketing move to
> hide the idea they have used Public Domain ideas. That didn't go too
> well during those early days, not when you want corporations to make
> that move to further lock them in.


AD's LDAP standardized compliance has grown more inline with RFCs, not as it
was in the original release, which was a major complaint in the beginning of
AD's time. Microsoft decided to use DNS' SRV records to implement a way to
find all AD resources and services, not like other LDAP releases. There is
of course, ADAM that is a toned down version of AD's LDAP services that does
not use DNS, such as Cold Fusion, Netscape, etc. The lining up of public
domain idea is a loose interpretation, and frankly many of us do not use the
public domain name for the internal namespace, but rather either a child of
it, or the same first level name with a different TLD to keep more
consistent with the public namespace but have no direct relationship, such
as domain.com vs the internal domain.net, etc. That is actually my
preference rather than a child domain of the public namespace, which causes
confusion and makes the FQDN longer, etc. So all in all, the DNS
implementation was to take advantage of SRV locator features, as well as the
base structure to follow RFC compliance LDAP. Kerberos authentication
eliminated the need for NTLM authentication, which was crackable, as well as
give the ability to coexist with other Kerberos realms and services (Unix,
Linux, Apple's OSx with their BSD implementation, etc).


> In addition, the term "Active" Directory was probably not a bright
> idea from a marketing standpoint. Given the fact ActiveX has a bad
> reputation as a major security issue, it's not hard to see a marketing
> confusion that Active Directory is a set of ActiveX components
> (probably COM+ components) that will raise some eyebrows. They
> should have called it:
>
> WDAP - Windows Directory Access Protocol
> WDAS - Windows Directory Access System
>
> But then again, I wasn't at that meeting. :-)


Neither was I, but they had their reasons. I read the whole naming story
behind it years ago, but have forgotten it, I can't comment. Basically I
can say originally it was NTDS (NT Dir services), and started in the early
to mid 90's. One of the offshoot of the planning and design was Ex55's use
of LDAP (port 389) as well as IIS 4.0's ability to intertwine with LDAP
services. Then of course later came out the RTM for AD.


>
>>> My products include requirement various DNS client needs (like
>>> SMTP), so development is on-going to add support IPV6 and also new
>>> SRV based protocols.
>>
>> Well then, another reason for 2008. Hey, I'm not trying to sell it,
>
> using a poor Gene Wilder metaphor, Oh please, do SELL, SELL, SELL! :-)


LOL, then darn, I'll act like a car salesman (sold cars in the late 80's and
early 90's for 4 years), or be like that Billy May's guy in his
infomercials... if you act now, I will add a whole Dell 2950 with 2008 and
Ex 2007 INSTALLED! But you have to act now.... LOL


>
>> just pointing out the advantages if you and your focus is on the
>> cutting edge, you may as well go with the cutting edge products
>> across the board. Why own a 300C SRT8, but fill it with regular? ( I
>> guess you can tell
>> I'm an SRT fan!)
>
> Nice Car! You have one? <g>

I had a Ram SRT10 on lease that just ended this month. Talk about the
horsepower - a truck that will do under 5 sec 0-60. My next step is a 300C
SRT8 with either the new 6.4L 525HP or whatever Chrysler has planned to
release in 2010, and I may add i-charger (www.i-charger.com) for high torque
low end boost, in conjunction with twin low-boost Getrag turbos for high RPM
boost, of course with all rebuilt with forged components to handle 7500 RPM+
squirrel cage spinning dynamics! Ultimate goal is to achieve a sleeping,
street legal 1000+ HP family car with no additional marking to attract
smokey that purrs quietly as you drive by but opens up like screaming
Comanches charging over the hill in the old spaghetti westerns...


>
> You have a good point. I'm just a very conservative person. Hell, we
> made a huge investment back in 98 to revamp 100% to NT 4.0 back office
> network with a HUGE $20K+ Dell Power server that is still running. The
> fact it has lasted this long has paid off huge.

Not trying to take direct sales away from Dell, but have you looked at eBay
for high end servers? They're about a third or less of actual original
costs. I have bought many new and from eBay, depending on my customer
budgets, and they both work fine. Some of them still have their multi-year
24/7 gold still left on them and all you have to do is transfer the warranty
and ownership through a Dell link.

> The sales and
> developer workstations have current user based OSs. But overall,
> there were other reasons for not upgrading the servers - first, as
> stated, the urgency wasn't there and second, during this decade, there
> was a growing pressure and questions if we wanted to further invest in
> Microsoft solutions.

What kind of pressure or questions?

> So as much as the market and competitors were
> causing headaches for MS, this also trickled down and reflected on
> many of their long time customers as well. Where do you put your
> revamp money into?

New technology and software. Many new features, ease of recovery, etc. Too
many to list. I prefer Microsoft technology over others. It is easy to use
and easy to learn (some of my Linux, Apple and BSD friends are always trying to
push their arguments on me but when they need something that isn't available
on their stuff, they come to me for help. Go figure). But don't get me wrong,
I am open minded and will work with any implementation. But the versatility
with non-Microsoft products is quite less than with Microsoft products.
After all, the majority of IT products in the public ARE Microsoft products.
Interoperability, ease of use, and most of all familiarity with the GUI.

>
>> Nah, I just slept at a Holiday Inn last night! :-)
>
> At least you slept! <g>

I try, but not always.:-)

Ace
