Best Practice for Populating Available AD Groups

solved

In App-V 5.0 the Management and Publishing Servers are hosted in IIS, so use the same approach for HA as you would any web application.
If NLB is all that's available to you, then use that; otherwise I would recommend a proper load balancing solution such as Citrix NetScaler or KEMP LoadManager.
Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
answer your question). This can be beneficial to other community members reading the thread.
This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
Twitter:
@stealthpuppy | Blog:
stealthpuppy.com |
The Definitive Guide to Delivering Microsoft Office with App-V

Similar Messages

Best practice for highly available management / publishing servers

I am testing a highly available appv 5.0 environment, which will deploy appv packages to a Xenapp farm. I have two SQL 2012 servers configured as an availability group for the backend, and two publishing / management servers for the front end.
What is the best practice to configure the publishing / management servers for high availability? Should I configure them as an NLB cluster, which I have tested and does seem to work, or should I just use the GPO to configure the clients to use both
publishing servers, which I have also tested and appears to work?
Thanks,
Patrick Sullivan

In App-V 5.0 the Management and Publishing Servers are hosted in IIS, so use the same approach for HA as you would any web application.
If NLB is all that's available to you, then use that; otherwise I would recommend a proper load balancing solution such as Citrix NetScaler or KEMP LoadManager.
Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
answer your question). This can be beneficial to other community members reading the thread.
This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
Twitter:
@stealthpuppy | Blog:
stealthpuppy.com |
The Definitive Guide to Delivering Microsoft Office with App-V

Best practice for installing which software group

I am new to Solaris. I have Sun X2100 with 2 x 80G harddisks (run as email server, run tomcat, jboss and postgresql) , which software group is recommended for production install? Is there any guide (best practice)?

There is one best practice document available from Oracle RACSIG site and "Oracle Real Applicaiton Cluster Administration and Deployment Guide" available on OTN is also good source of informaiton about 10g RAC.
Oracle has made sincere efforts in 10g documentations expecially in server technology.
Thanks & Regards

Best practice for High availability design, HSRP

Hi,
I am planning to create High Availability for LAN to WAN connectivity.
But I want to know your opinion about the best way how to do this. I googled for a solution/best way how to do this, but I didn't found in my opinion right answer.
The situation:
I have 2 3945E Routers and 2 3560 switches. The design that I am planning to implement is below.
The main goal is to have redundant connection, whatever one of the devices will fail. For example, if the R1 will fail, R2 should become active, if the SW1 will fail, the SW2 will take care about reachability and vice versa. The router 1 should be preferred always, if the link to ISP isn't down, because of greater bandwidth. So why am I drown 2 connections to 2 separate switches. If the SW1 will fail, I will still have a connection to WAN using R1 router.
The Router interface should be configured with sub interfaces (preferred over secondary IP address of interface), because more than 10 subnets will be assigned to the LAN segment. The routers have 4 Gi ports.
HSRP must be enabled on LAN side, because PC's on LAN must have redundant def. getaway.
So, the question is - what is the best and preferred way to do this?
In my opinion, I should use BVI and combine R1 routers 2 interfaces in to logical one and do the same for the R2.
Next, turn the router in to L3 switch using IRB and then configure HSRP.
What would be your preferred way to do this?

Hi Audrius,
I would suggest you to go with HSRP. GLBP you will use where you want load balance.
I think the connectivity between your Routers (3945) and switches (3560) is gigabit connection which is high speed. So keep one physical link from your switches to each router and do HSRP on those router physical interfaces.
In this way you will have high availability like if R1 fails then R2 will take over.
Regarding the config see the below which I have for one of my Customer DC.
ACTIVE:
track 1 interface GigabitEthernet0/0 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
ip address 10.10.10.12 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
standby use-bia scope interface
standby 0 ip 10.10.10.10
standby 0 priority 110
standby 0 preempt
standby 0 authentication peter2mo
standby 0 track 1 decrement 30
standby 0 track 2 decrement 30
STANDBY:
track 1 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
ip address 10.10.10.11 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
standby use-bia scope interface
standby 0 ip 10.10.10.10
standby 0 priority 90
standby 0 authentication peter2mo
standby 0 track 1 decrement 30
Please rate the helpfull posts.
Regards,
Naidu.

Best practice for backing bean population? (also, ActionListener RANT)

Hello,
I am about 3/4 of the way through development of a small to medium size JSF application. Sometimes I really like JSF, but much of the time I am left puzzled or frustrated for hours trying to find workarounds to JSF's bugs/glitches and design flaws.
For example, early on, I was impressed with how easily it was to invoke a method from a page using an actionlistener. Now that I'm actually building things with JSF, the actionlistener funtionality still seems cool, but incredibly half baked. I find myself using request parameters LIKE CRAZY to work around the fact that JSF doesnt support passing parameters directly to backing bean methods. This feels awkward and wrong considering the fact that JSF is intended to abstract the HTTP underpinnings. To add insult to injury, I often have to iterate through ALL of the request parameters looking for one that has an id with an ending matching my desired property name (since JSF appends it's own crap to the beginning). I don't like doing things in a hacky way. This seems very hacky, and I feel dirty doing it.
So, my first question is, what is the best practice for populating backing beans??? How do others accomplish this. I can think of several other approaches, but none feel less hacky.
Second, are there plans in the next spec (please say there are) to allow parameters to be passed to backing bean methods? If not, WHY THE HECK NOT?
Even though JSF expert group people have been conspicuously absent from this forum of late, I'd really appreciate responses from you as well.
Thank you for your thoughts.

Hi BrownBear,
I've been using JSF for about 6 months now and I'd be glade to help as much as I can.
Concerning parameters, I'm not sure what your issue is but I use the f:param tag to pass them. If you could post an example of what you are trying to do, I could see exactly what your issue is. Maybe the f:param can't help you.
As for best practice for populating backing beans, I personaly try to let JSF do as much as possible. For example, if I have a backing bean with five properties, I make sure that they all are on the JSP page the bean serves. If one of the property is just there as an Id like, lets say, a Person ID (DB row key), then I put it on my JSP page as a hidden input field. I do the same with the properties that only for display, if I want them to be back in my bean when request comesback.
Hope this help some how. Please, feel free to ask specific questions related to your specific problem and I monitor this post and trnasfer to you the ;little JSF experience I have.
I'm pretty happy with JSF as it is but it sure needs improvements. :) What the heck, it's version 1.01 after all, and the next release should be a great one with the integration of JSTL.
Cheers

SAP Best Practices for CRM 5.0 is available

Hello,
I would like to announce the availability of SAP Best Practices for CRM 5.0.
SAP Best Practices for CRM allows a fast, safe and predictable implementation of pre-configured CRM business scenarios.
It can be used to accelerate customer implementation projects as well as setting up demo or evaluation systems.
For details about SAP Best Practices in general please see:
<a href="http://www.service.sap.com/bestpractices">http://www.service.sap.com/bestpractices</a>
For the concrete content of Best Practices for CRM 5.0 please see:
<a href="http://help.sap.com/bp_crmv150/CRM_DE/index.htm">http://help.sap.com/bp_crmv150/CRM_DE/index.htm</a>
Best regards,
Joerg

Hi Devendra!
For the Best Practices you can have all the useful installation and informations guides here.
<a href="http://help.sap.com/">Best Practices for SAP</a>
Choose here the Bast Practices tab on the line-menu.
You have to eb careful while installing the BP -> you have to use all the time the right BP release according to your SAP release.
I hope this helps you!
Best regards,
Zsolt

Basic Strategy / Best Practices for System Monitoring with Solution Manager

I am very new to SAP and the Basis group at my company. I will be working on a project to identify the best practices of System and Service level monitoring using Solution Manager. I have read a good amount about SAP Solution Manager and the concept of monitoring but need to begin mapping out a monitoring strategy.
We currently utilize the RZ20 transaction and basic CCMS monitors such as watching for update errors, availability, short dumps, etc.. What else should be monitored in order to proactively find possible issues. Are there any best practices you all have found when implimenting Monitoring for new solutions added to the SAP landscape.... what are common things we would want to monitor over say ERP, CRM, SRM, etc?
Thanks in advance for any comments or suggestions!

Hi Mike,
Did you try the following link ?
If not, it may be useful to some extent:
http://service.sap.com/bestpractices
---> Cross-Industry Packages ---> Best Practices for Solution Management
You have quite a few documents there - those on BPM may also cover Solution Monitoring aspects.
Best regards,
Srini
Edited by: Srinivasan Radhakrishnan on Jul 7, 2008 7:02 PM

Best Practice for FlexConnect Wireless roaming in MediaNet environment?

Hello!
Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree).
In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running. Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps.
So...best practice for LAN users causes real problems for wireless users.
I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
Thanks,
Deb

Thanks for your replies, Stephen and JSnyder.
The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites.
These several large sites (with a few hundred wireless users per site), are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider). The 7510s are new, and are replacing older contollers at the HQ location.
The internal employee wireless users use resources both local to their site, as well as centralized resources. There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only. (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.)
(1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice. Too much bandwidth would be used. So, that implies the need to use Flex / HREAP mode instead.
(2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet. However, this breaks seamless roaming for users....
So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of.
The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site. Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in. I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work. Do you happen to know if this might be a workable solution to the overall big-picture problem?
Thanks again for taking the time and trouble to reply!
Deb

Best Practice for SRST deployment at a remote site

What is the best practice for a SRST deployment at a remote site? Should a separate router such as a 3800 series be deployed for telephony in addition to another router to be deployed for Data? Is there a need for 2 different devices?

Hi Brian,
This is typically done all on one ISR Router at the remote site :)There are two flavors of SRST. Here is the feature comparison;
SRST Fallback
This feature enables routers to provide call-handling support for Cisco Unified IP phones if they lose connection to remote primary, secondary, or tertiary Cisco Unified Communications Manager installations or if the WAN connection is down. When Cisco Unified SRST functionality is provided by Cisco Unified CME, provisioning of phones is automatic and most Cisco Unified CME features are available to the phones during periods of fallback, including hunt-groups, call park and access to Cisco Unity voice messaging services using SCCP protocol. The benefit is that Cisco Unified Communications Manager users will gain access to more features during fallback ****without any additional licensing costs.
Comparison of Cisco Unified SRST and
Cisco Unified CME in SRST Fallback Mode
Cisco Unified CME in SRST Fallback Mode
â¢ First supported with Cisco Unified CME 4.0: Cisco IOS Software 12.4(9)T
â¢ IP phones re-home to Cisco Unified CME if Cisco Unified Communications Manager fails. CME in SRST allows IP phones to access some advanced Cisco Unified CME telephony features not supported in traditional SRST
â¢ Support for up to 240 phones
â¢ No support for Cisco VG248 48-Port Analog Phone Gateway registration during fallback
â¢ Lack of support for alias command
â¢ Support for Cisco UnityÂ® unified messaging at remote sites (Distributed Exchange or Domino)
â¢ Support for features such as Pickup Groups, Hunt Groups, Basic Automatic Call Distributor (BACD), Call Park, softkey templates, and paging
â¢ Support for Cisco IP Communicator 2.0 with Cisco Unified Video Advantage 2.0 on same computer
â¢ No support for secure voice in SRST mode
â¢ More complex configuration required
â¢ Support for digital signal processor (DSP)-based hardware conferencing
â¢ E-911 support with per-phone emergency response location (ERL) assignment for IP phones (Cisco Unified CME 4.1 only)
Cisco Unified SRST
â¢ Supported since Cisco Unified SRST 2.0 with Cisco IOS Software 12.2(8)T5
â¢ IP phones re-home to SRST router if Cisco Unified Communications Manager fails. SRST allows IP phones to have basic telephony features
â¢ Support for up to 720 phones
â¢ Support for Cisco VG248 registration during fallback
â¢ Support for alias command
â¢ Lack of support for features such as Pickup Groups, Hunt Groups, Call Park, and BACD
â¢ No support for Cisco IP Communicator 2.0 with Cisco Unified Video Advantage 2.0
â¢ Support for secure voice during SRST fallback
â¢ Simple, one-time configuration for SRST fallback service
â¢ No per-phone emergency response location (ERL) assignment for SCCP Phones (E911 is a new feature supported in SRST 4.1)
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps2169/prod_qas0900aecd8028d113.html
These SRST hardware based restrictions are very similar to the number of supported phones with CME. Here is the actual breakdown;
Cisco 880 SRST Series Integrated Services Router
Up to 4 phones
Cisco 1861 Integrated Services Router
Up to 8 phones
Cisco 2801 Integrated Services Router
Up to 25 phones
Cisco 2811 Integrated Services Router
Up to 35 phones
Cisco 2821 Integrated Services Router
Up to 50 phones
Cisco 2851 Integrated Services Router
Up to 100 phones
Cisco 3825 Integrated Services Router
Up to 350 phones
Cisco CatalystÂ® 6500 Series Communications Media Module (CMM)
Up to 480 phones
Cisco 3845 Integrated Services Router
Up to 730 phones
*The number of phones supported by SRST have been changed to multiples of 5 starting with Cisco IOS Software Release 12.4(15)T3.
From this excellent doc;
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps2169/data_sheet_c78-485221.html
Hope this helps!
Rob

Best practices for gathering statistics in 10g

I would like to get some opinions on what is considered best practice for gathering statistics in 10g. I know that 10g has auto statistics gathering, but that doesn't seem to be very effective as I see some table stats are way out of date.
I have recommended that we have at least a weekly job that generates stats for our schema using DBMS_STATS (DBMS_STATS.gather_schema_stats). Is this the right approach to generate object stats for a schema and keep it up to date? Are index stats included in that using CASCADE?
Is it also necessary to gather system stats? I welcome any thoughts anyone might have. Thanks.

Hi,
Is this the right approach to generate object stats for a schema and keep it up to date? The choices of executions plans made by the CBO are only as good as the statistics available to it. The old-fashioned analyze table and dbms_utility methods for generating CBO statistics are obsolete and somewhat dangerous to SQL performance. As we may know, the CBO uses object statistics to choose the best execution plan for all SQL statements.
I spoke with Andrew Holsworth of Oracle Corp SQL Tuning group, and he says that Oracle recommends taking a single, deep sample and keep it, only re-analyzing when there is a chance that would make a difference in execution plans (not the default 20% re-analyze threshold).
I have my detailed notes here:
http://www.dba-oracle.com/art_otn_cbo.htm
As to system stats, oh yes!
By measuring the relative costs of sequential vs. scattered I/O, the CBO can make better decisons. Here are the data items collected by dbms_stats.gather_system_stats:
No Workload (NW) stats:
CPUSPEEDNW - CPU speed
IOSEEKTIM - The I/O seek time in milliseconds
IOTFRSPEED - I/O transfer speed in milliseconds
I have my notes here:
http://www.dba-oracle.com/t_dbms_stats_gather_system_stats.htm
Hope this helps. . . .
Don Burleson
Oracle Press author
Author of “Oracle Tuning: The Definitive Reference”
http://www.dba-oracle.com/bp/s_oracle_tuning_book.htm

Seeking advice on Best Practices for XML Storage Options - XMLTYPE

Sparc64
11.2.0.2
During OOW12 I tried to attend every xml session I could. There was one where a Mr. Drake was explaining something about not using clob
as an attribute to storing the xml and that "it will break your application."
We're moving forward with storing the industry standard invoice in an xmltype column, but Im not concerned that our table definition is not what was advised:
--i've dummied this down to protect company assets
CREATE TABLE "INVOICE_DOC"
   (     "INVOICE_ID" NUMBER NOT NULL ENABLE,
     "DOC" "SYS"."XMLTYPE" NOT NULL ENABLE,
     "VERSION" VARCHAR2(256) NOT NULL ENABLE,
     "STATUS" VARCHAR2(256),
     "STATE" VARCHAR2(256),
     "USER_ID" VARCHAR2(256),
     "APP_ID" VARCHAR2(256),
     "INSERT_TS" TIMESTAMP (6) WITH LOCAL TIME ZONE,
     "UPDATE_TS" TIMESTAMP (6) WITH LOCAL TIME ZONE,
      CONSTRAINT "FK_####_DOC_INV_ID" FOREIGN KEY ("INVOICE_ID")
             REFERENCES "INVOICE_LO" ("INVOICE_ID") ENABLE
   ) SEGMENT CREATION IMMEDIATE
INITRANS 20
TABLESPACE "####_####_DATA"
       XMLTYPE COLUMN "DOC" STORE AS BASICFILE CLOB (
TABLESPACE "####_####_DATA" XMLTYPE COLUMN "DOC" STORE AS BASICFILE CLOB (
TABLESPACE "####_####_DATA" ENABLE STORAGE IN ROW CHUNK 16384 RETENTION
NOCACHE LOGGING
STORAGE(INITIAL 81920 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT))
XMLSCHEMA "http://mycompanynamehere.com/xdb/Invoice###.xsd" ELEMENT "Invoice" ID #####"
{code}
What is a best practice for this type of table? Yes, we intend on registering the schema against an xsd.
Any help/advice would be appreciated.
-abe

Hi,
I suggest you read this paper : Oracle XML DB : Choosing the Best XMLType Storage Option for Your Use Case
It is available on the XML DB home page along with other documents you may be interested in.
To sum up, the storage method you need depends on the requirement, i.e. how XML data is accessed.
There was one where a Mr. Drake was explaining something about not using clob as an attribute to storing the xml and that "it will break your application."I think the message Mark Drake wanted to convey is that CLOB storage is now deprecated and shouldn't be used anymore (though still supported for backward compatibility).
The default XMLType storage starting with version 11.2.0.2 is now Binary XML, a posted-parsed binary format that optimizes both storage size and data access (via XQuery), so you should at least use it instead of the BASICFILE CLOB.
Schema-based Binary XML is also available, it adds another layer of "awareness" for Oracle to manage instance documents.
To use this feature, the XML schema must be registered with "options => dbms_xmlschema.REGISTER_BINARYXML".
The other common approach for schema-based XML is Object-Relational storage.
BTW... you may want to post here next time, in the dedicated forum : {forum:id=34}
Mark Drake is one of the regular user, along with Marco Gralike you've probably seen too at OOW.
Edited by: odie_63 on 18 oct. 2012 21:55

Best practices for updating agents

We're getting ready to do our first system-wide update of agents to fix a critical bug. Our summer vacation is just ending, and teachers and students will be coming back very soon and turning on our Windows 7 computers for the first time in many weeks, although they won't all be turned on the same day. When they are turned on they will be attempting to get various updates, in particular Windows updates, but also Flash Player and Adobe Reader. I need to update the agents as quickly as possible, but I'm concerned about the possibility of the agent update conflicting with another update, especially Windows updates. Isn't it possible that Windows Update could restart a computer while the agent update is happening (or the other way around), leaving the machine in an unstable or unusable state? What are the best practices for dealing with this? I considered the possibility of deploying the agent to a dynamic workstation group whose members all have a certain file or files that indicate that they have already received the latest Windows updates. However, I can't see how to create a dynamic group based on such criteria.
So far I have only updated a few devices at a time using "Deploy System Updates to Selected Devices in the Management Zone". When those updates are done I cancel that deployment because that's the only option I can find that does anything. If you can offer general advice for a better strategy of updating agents I'd appreciate that. Specifically, how would you push an agent update to several hundred computers that will be turned on sometime over the next two weeks?
Thanks very much.

Originally Posted by jcw_av
We're getting ready to do our first system-wide update of agents to fix a critical bug. Our summer vacation is just ending, and teachers and students will be coming back very soon and turning on our Windows 7 computers for the first time in many weeks, although they won't all be turned on the same day. When they are turned on they will be attempting to get various updates, in particular Windows updates, but also Flash Player and Adobe Reader. I need to update the agents as quickly as possible, but I'm concerned about the possibility of the agent update conflicting with another update, especially Windows updates. Isn't it possible that Windows Update could restart a computer while the agent update is happening (or the other way around), leaving the machine in an unstable or unusable state? What are the best practices for dealing with this? I considered the possibility of deploying the agent to a dynamic workstation group whose members all have a certain file or files that indicate that they have already received the latest Windows updates. However, I can't see how to create a dynamic group based on such criteria.
So far I have only updated a few devices at a time using "Deploy System Updates to Selected Devices in the Management Zone". When those updates are done I cancel that deployment because that's the only option I can find that does anything. If you can offer general advice for a better strategy of updating agents I'd appreciate that. Specifically, how would you push an agent update to several hundred computers that will be turned on sometime over the next two weeks?
Thanks very much.
To be honest, you have to work around your other deploys, etc. The ZCM agent isn't "aware" of other deploys going on. For example, ZPM doesn't care that you're doing Bundles at the same time (you'll get errors in the logs about the fact that only one MSI can run at a time, for example). ZPM usually recovers and picks up where it left off.
Bundles on the other hand, with System Update, are not so forgiving. Especially if you have the agents prior to 11.2.4 MU1 (cache corruption errors).
We usually:
a) Halt all software rollouts/patching as best we can
b) Our software deploys (bundles) are on event: user login Typically the system update is on Device Refresh, OR scheduled time, and are device associated.
IF possible, I'd suggest that you use WOL, system update and voila.
Or, if no WOL available, then tell your users to leave their pc turned on (doesn't have to be logged in), on X night, and setup your system updates for that night, with the auto-reboot enabled. That worked well
But otherwise the 3 components of ZCM (Bundles, ZPM, System Update) don't know/care about each other, AFAIK.
--Kevin

Best Practices for AD and Windows Environment

Hello Everyone,
I need to create a document having the best practices for AD containing best practices for DNS, DHCP, AD Structure, Group Policy, Trust Etc.
I just need the best practices irrespective of what is implemented in our company.
I just need to create a document for analysis as of now. I searched over the internet but could not find much. I would request you all to pour in your suggestions from where i can find those.
If anyone could send me or point me the link. I am pretty new to the technology, so need your help.
Thanks in Advance

I have an article where I shared the best practices to use to avoid known AD/DNS issues: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23
However, you need first to identify your requirements and based on these requirements, you can identify what should be implemented on your environment and how to manage it. The basics here is that you need to have at least two DC/DNS/GC servers per AD domain
for the High Availability. You need also to take a system state backup of at least one DC/DNS/GC server in your domain. As for DHCP, you can use 50/50 or 80/20 DHCP rule depending on your setup.
You can also refer to that: https://technet.microsoft.com/en-us/library/cc754678%28v=ws.10%29.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Best Practices for Implementing Cryptographic VPN

With Marcin Latosiewicz
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about implementing cryptographic VPN and how to prepare it for the future with expert Marcin Latosiewicz.
Marcin will share his best practices for implementing cryptographic VPN as well as advise those customers who are looking to build a new or update their existing setups how to maximize their potential. Additionally, Marcin will provide insight into which technologies could be applicable for new deployments and exciting new technologies that will be available in the next few months.
Marcin Latosiewicz is a customer support engineer at the Cisco® Technical Assistance Center in Belgium, with more than 6 years of experience with Cisco Security products and technologies including IPsec, VPN, internetworking appliances, network and system security, Internet services, and Cisco networking equipment. Prior to joining Cisco, he operated, administered, and ran UNIX and Microsoft networks for 14 years. Latosiewicz holds bachelors and masters degrees in engineering from Warsaw University of Technology. He also holds CCIE® certification in Security (No. 25784) and CCDP® certification.
Remember to use the rating system to let Marcin know if you've received an adequate response.
Because of the volume expected during this event, Marcin might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, VPN, shortly after the event. This event lasts through September 20, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

Jouni,
Good question. And answer is complex, there is in depth and there is in depth.
Most people would be satisfied by reading a summary of all the different components - encryption, hashing, signing, PKI, how IPsec and SSL/TLS work. This group also counts most of security CCIEs.
To this extent CCIE Security Study Guide (by Henry Benjamin) was a good read, if a bit outdated today.
Most people who are in depth will look first into specification.
RFC 4301 (IPsec architecture)
RFC 2246 (TLS 1.0)
Are a good start and contain references to other documents worth reading.
This is where the good folks will base their knowledge of off.
The really in depth people will look into the math behind it and will conquer topics like
Elliptic Curve Crypto ( http://en.wikipedia.org/wiki/Elliptic_curve_cryptography ) and difference between CCM, GCM and CCB, to which you have really good materials published by universities.
There are relatively a few who know this.
To start with I can suggest:
- http://www.cl.cam.ac.uk/~rja14/book.html (Ross' Anderson book is free, informative and suprisngly entertaining, this is a definitely a must-read for security/VPN).
- Have a look at books recommended by Richard Bejtlich or Bruce Scheiner - while they might not be VPN specific it's a good security read most of the time.
I'll have a look at the books at home see which one can be interesting to read, and edit this post.
M.

Best Practice for Securing Web Services in the BPEL Workflow

What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod

It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from Gateway.
When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
The next BPEL developer in your project may not be aware of Security extensions
Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
Thanks
Ram

Best Practice for Populating Available AD Groups

Similar Messages

Maybe you are looking for