dodging a microsoft bullet

Lately I have been building and maintaining more Windows 2000 and 2003 servers than I would ever like to. I think it ended up being basically a necessary evil, needed to tie the many different system architectures, systems, and company divisions together.

Having something even remotely close to a single sign-on type of authentication system would be great. Every time a new employee starts at my work, there are at least 3 to 5 separate accounts that need to be created:

1. The phone system

2. a Windows login

3. a Unix login

4. a login to our CMS

5. a login to the horrible “email system”

Most of the Unix (Solaris/Linux mostly) systems that we have use at least NIS, but everything else is completely separate. A working phone number and a working Windows login come from completely different departments…actually different buildings.

I can see how annoying this must be for a new employee. You sit at your desk trying to adjust to your new job and you can’t receive email, maybe have no phone, possibly no computer. I think at this point they should just get a 3 subject notebook, a couple folders, 2 post-it pads, and a pen the day they start, because that will get them a lot further.

A couple of weeks ago my office had a massive phone outage due to some “issues” with a telecommunications company that begins with a V. We ended up with literally 43 non-working phones. That is easily more than half the company that could no longer use the phone. The phone system isn’t controlled, maintained, or basically touched by me or anyone else in my department. It is handled by a separate division of the company that, for the most part, doesn’t want to be bothered with our stupid phone problems.

Nothing was getting fixed, technicians were poking at everything attached to the phone system, and my time (along with others’) got wasted more and more. So we decided it was time to start cutting the few life lines we have with the other division in the company. They have an archaic, poorly maintained phone system that we can’t diagnose anything on, and sales people don’t like you very much when they can’t use their phone. Or even better, when they are in the middle of a call with a possible client and the phone just drops the connection. There are many reasons; the list goes on and on.

So it seemed like this would be a great chance to just ditch the old phone system and install a new shiny VoIP phone system. We figured out that we could maintain all our office’s phones internally on the VoIP system, and then any incoming/outgoing calls from outside the office would go directly to the old phone system’s switch.

So then, after thinking things out, this would be a great opportunity to finally start using LDAP for all our user accounts. This quickly changed over to making an Active Directory. Enter Microsoft.

If we installed an Active Directory, we could get off of the other division’s old, slow Windows NT domain. We would be able to create all the Windows accounts ourselves, meaning employees could actually log in to their computer when they come in for work. Sounds great, doesn’t it? But now that means the Active Directory is in charge of everything. Is that a bad thing? I don’t really know, but I (and most people I work with) have never been big fans of using Windows…even more so as a server. Which is why we have 3: 1 primary and 2 backups. I suppose the odds of all 3 blue screening at the same time are slim.

So where does the bullet dodging come in? Active Directory likes to be able to dynamically change DNS entries. I wasn’t familiar with how to do that in BIND, and while clicking all the Next buttons involved in installing Win 2003 and the Active Directory, it has a pretty little radio button that says “hey there…if you want, I could install Microsoft DNS! you’ll be all set!” It was a pretty radio button and it almost lured me in, but thankfully I looked on Google and found out that it’s actually one stupid line that needs to be added to the BIND config.

So I just made a new zone file for windows to play around in without taking over everything like it was SkyNet.
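The "one line" is BIND's `allow-update` zone option, and the separate zone is what keeps the domain controllers from rewriting the rest of the DNS. The fragment below is an added example, not the configuration from the post: the zone name `ad.example.com`, the file paths, and the domain controller addresses `192.0.2.10` and `192.0.2.11` are all assumed. The commented-out block shows the setting that lets any host on the network change records; the active block restricts updates to the domain controllers.

```conf
// named.conf fragment (added example; names and addresses are assumed, not
// taken from the post). The Active Directory domain gets its own zone,
// ad.example.com, so dynamic updates can only touch that subtree and never
// the hand-maintained parent zone.

// What NOT to do: any machine that can reach the server may add, change or
// delete records in the zone.
//
//   zone "ad.example.com" {
//       type master;
//       file "dynamic/ad.example.com.zone";
//       allow-update { any; };
//   };

// Restricted version: only the domain controllers may send dynamic updates.
acl domain-controllers {
    192.0.2.10;   // assumed address of the primary DC
    192.0.2.11;   // assumed address of a backup DC
};

zone "ad.example.com" {
    type master;
    // BIND rewrites this file itself once updates are allowed, so keep it
    // apart from the zone files you edit by hand (use rndc freeze/thaw to
    // edit it safely).
    file "dynamic/ad.example.com.zone";
    journal "dynamic/ad.example.com.jnl";
    allow-update { domain-controllers; };
};
```

Two caveats worth knowing before relying on this: the parent zone still needs an NS delegation (and glue) for `ad.example.com` pointing at the BIND server, and an address-based ACL only checks the source IP of the update, so for a stronger check the `allow-update` list can name a TSIG key (`key "name";`) instead of an address list.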

Knowing that at least I am not using Microsoft DNS means that is one less cold shower I need to take this weekend. The stench of Windows is everywhere, and if the testing of this other product goes well, we’ll have a pretty little PAM module installed on all our Linux and Solaris boxes that will make everything authenticate off of the Active Directory. Group and system policies included.

On the bad side, I just sold my soul to the devil. On the good side, having 1 account for virtually all the internally maintained systems the company uses would be nice.

At least nothing on or around my desk, or anything I have to log into, begins with a lowercase i.

That’s when I just have to throw in the towel.
