Investigation hell
Feb 2nd, 2019 by Jesper Kråkhede
Welcome to 2019, the year when we are supposed to know what we are doing. I'm currently experiencing an interesting situation with a customer. They have outsourced their AD to a service provider, and right now I'm helping them investigate a rather simple problem: which servers are using unsigned LDAP? There are a bunch of reports readily available in Active Directory, and there is a lot more information to get by running a few tools. This is no big deal; normally this would have been done in about 8 h, with a report back the day after.
Right now we are stuck on our third day, trying to answer very detailed questions from the service provider about what the exact impact will be on the servers. We are almost down to the level of measuring the processor usage of the tools. My customer is used to this, but I have started to question why we are even doing this. After some digging in the contracts I have found out that the service provider has a strict SLA, and everything that isn't running under a change request that takes the server totally out of their responsibility, including all servers that are affected by this server, will be challenged indefinitely. So any change you want to make to Active Directory means that all servers connected to Active Directory will be included in the change request, putting most of the server park in maintenance mode, and that is not covered by the standard contract, creating an extreme cost for my customer.
Today we just gave up for now and have asked the legal department for advice.