I do active directory and dns at my job. This week there was a change that involved making changes to some machines that handle those types of things. I made accommodations so that no users would be affected and communicated what was being done when so there would be no surprises. The day after the changes were made to the machines, there was severely degraded performance on the network. Lots of users could not get their email, sometimes, but not all of the time. Some exchange team cocky moron decided that it must be the change I made and so he decided to add a dns server to make up for the one that had changed. And how did he want to get the information in that DNS? He changed one of my active directory integrated domains and changed it over to standard primary. Left it like that. So he could do a zone transfer.
AAAAAAGGHGGHHHHHHHH!!!
He may have had the access to do so, but he did not have the authority.
Even if he had the authority, which he did not, there are procedures in place to go through when changes are made. These can be expedited in an emergency, but not ignored.
He could have done a zone transfer anyway. It was set up to allow them. To anyone. Yes, this is a security risk, but not a big one, and I inherited this set up and changing that is too involved to do right now.
He is not the owner of AD; I am. If he needed it changed, even in a company with no official policy, changing it without the owner’s permission or knowledge is rude.
FUCKING MORON!!! YOU FUCKING DELETED THAT DOMAIN ON MY ENTIRE FUCKING NETWORK.
There had been network issues, true. This fucking moron did for one. He blamed me. So they knew I was the one that handled dns. He could have told me what he wanted, but no. ASSHOLE.
Post hoc ergo propter hoc IS A FALLACY. The reason the network was having trouble was nothing to do with my changes. It was heavy traffic due to malware. That asshole badmouthed me and blamed me using the proof that things were missing from the DNS as proof it was my fault. They were missing because he deleted them!!!
He bragged about what he did in a meeting about the problem. I jumped. I said that would cause the missing zone and HE INSISTED THAT HE DID THIS ALL THE TIME AND IT WAS NO BIG DEAL! LIAR
When I had left for the meeting, I saw one DNS with a missing zone. When I got back, the zone was missing from most of the rest of the network. A partition in the network caused by another moron spared one site, but the others were in a bad way.
The mess that is left is not a pretty site. A partitioned network growing more and more out of synch, missing entries, isolated servers, changes made by morons willy-nilly. There is an idea nilly his willy.
With any luck my contract will be extended. There is enough to keep me busy for a long while.
My boss seemed pleased with me. He said he had no doubt that the impact was as I described and thanked me for not giving in to panic and changing things when I saw my domain missing. He knows how strong the urge to DO SOMETHING is when you see a problem that big. That is what the cocky moron did after all.
The nice thing is that the overtime this generated is at time and a half. Also his misbegotten rogue dns threw errors so I was woken up by my cell with a call from ops. I listened to the error and got one of his team called in, who called another one in his team in as well, maybe even him. Mind you the error probably did not have user impact but if ops thought it was important enough to wake me, I figured I had a duty to get those responsible for the affected systems involved. How do you bill 3 calls, not more than 5 minutes each but spaced an hour apart?
This was a horrible week. When I made the accommodations for the changes, lots of those notified seemed alarmed that I was making a change during business hours and seemed to think it would result in trouble. I was confident because I tested and tested. No user impact. I was right too. But when the malware started degrading the network, some blamed me and told end users and so I spent the first half of the week hand holding and documenting how my change affected the user. You know what the answer was in the end? no. user. impact. Except when stuff I was accommodating happened, some people had problems BECAUSE IDIOTS WHO HAD CHANGED THEIR SETTINGS. Some idiots felt that the DNS servers given out by the DHCP server did not quite fulfill their needs, so they set them as they pleased. NOT MY FAULT. People who think they can find fulfillment in life by changing the settings that their corporate DHCP server gave them deserve downtime. The problem was easily discovered and solved by first tier support. The exchange team decided that this was the first sign of doom and then made it so.
God how I hate it when people see a problem then decide the sky must be falling! I’ve implemented changes in AD/DNS, just as you have, with no user impact. But when something goes wrong with an unrelated system, surely it’s MY fault! No buddy, it’s not!
It’s like regular trouble-shooting goes out the window. Someone makes a change. At around the same time, something goes wrong with something else. The person dealing with that problem, instead of troubleshooting from the ground up, immediately assumes it’s all from the change (hey, let’s face it, sometimes it is) and BREAKS THINGS! Worse, they leave them broken! :eek:
Assmunchers.
Right now, I’ve discovered users that have been thrown into the Domain Admins group by a fucktard who used to work with me. Why did he add them? Because the users needed to log on locally to a DC. sigh That’s what Log on locally rights are for! Mr Fucktard gave these end users full rights to the domain/AD/every-bloody-thing! AAAAIIIIEEEEEEE!
I think you should LART this guy once you fix your DNS issues. LART him good and proper!