# Run a demo
This is the presenter’s runbook. The lab ships a small demo kit so a live demo is repeatable: build the whole world in one command, snapshot it, trash it on camera, and reset in seconds.
## Before you present

```sh
make demo      # build the entire world from scratch (idempotent)
make snapshot  # capture this known-good state to ./snapshots
```

`make demo` runs every layer in order (users, OUs, groups, clinics, the full
specialty + department model, sites, facilities, the three clinician casts,
contacts, distribution lists, password policies, GPOs, and the helpdesk
delegation), then regenerates the docs data. `make snapshot` tars the DC’s state
volumes so you can return to exactly this point.
## The tour (the greatest hits)

Run them all at once with `make demo-tour`, or step through with the talking
points below.
### 1. The HIPAA boundary is group math

```sh
make test-clinic-access
```

john.carter (Cardiology) writes `\\dc1\phi` and `\\dc1\cardiology` but is denied
`\\dc1\billing`. madonna (Billing) writes `\\dc1\billing`, reads `\\dc1\all-staff`,
and is denied `\\dc1\phi`. Nobody is named on the phi share directly; access flows
Cardiology -> Clinicians -> [phi] by group nesting. See HIPAA nesting.
### 2. Share gating by division

```sh
make test-group-access
```

A Studio member writes `\\dc1\studio`; a Field-Ops member is denied at the tree
connect. Two gates must agree for a write to succeed: the `valid users`
connection gate (who may connect to the share at all) and the setgid on-disk
write gate (whose group owns the directory and holds the write bit).
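The two talking points above come down to one computation: resolve a user's groups transitively, then apply the connection gate and the on-disk gate in order. The model below is an added example for this runbook, not code from the demo kit. The group, user and share names follow the tour text; the membership graph, the directory modes, the all-staff nesting and the users ava.studio and ben.field are constructed here to make it run offline.

```python
# Added example: a model of the two share-access gates the tour demonstrates.
# Not part of the demo kit. Group/share names follow the runbook; the graph,
# the on-disk modes and the users ava.studio and ben.field are constructed.

# Constructed nested-group graph: group -> direct members (users or groups).
GROUPS = {
    "Clinicians": {"Cardiology"},              # Cardiology nests inside Clinicians
    "Cardiology": {"john.carter"},
    "Billing":    {"madonna"},
    "All-Staff":  {"Clinicians", "Billing"},   # assumed: every staff group nests here
    "Studio":     {"ava.studio"},              # hypothetical user
    "Field-Ops":  {"ben.field"},               # hypothetical user
}

# Constructed share table. valid_users is the connection gate ("valid users =
# @Group" in smb.conf); disk_group/mode is the setgid directory gate. Note that
# nobody and no clinic group is named on phi: only the parent group Clinicians.
SHARES = {
    "phi":        {"valid_users": {"Clinicians"}, "disk_group": "Clinicians", "mode": 0o2770},
    "cardiology": {"valid_users": {"Cardiology"}, "disk_group": "Cardiology", "mode": 0o2770},
    "billing":    {"valid_users": {"Billing"},    "disk_group": "Billing",    "mode": 0o2770},
    "all-staff":  {"valid_users": {"All-Staff"},  "disk_group": "All-Staff",  "mode": 0o2750},
    "studio":     {"valid_users": {"Studio"},     "disk_group": "Studio",     "mode": 0o2770},
}


def effective_groups(principal, groups=GROUPS):
    """Transitive closure: every group the principal reaches through nesting."""
    found, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group, members in groups.items():
            if current in members and group not in found:
                found.add(group)
                stack.append(group)
    return found


def tree_connect(user, share, groups=GROUPS, shares=SHARES):
    """Gate 1: the tree connect succeeds only if the user resolves (directly or
    by nesting) into one of the share's valid-users groups."""
    return bool(effective_groups(user, groups) & shares[share]["valid_users"])


def disk_write(user, share, groups=GROUPS, shares=SHARES):
    """Gate 2: a setgid directory grants write only through its group bits, so
    the user must be in the owning group and the group write bit must be set."""
    s = shares[share]
    return s["disk_group"] in effective_groups(user, groups) and bool(s["mode"] & 0o020)


def access(user, share, groups=GROUPS, shares=SHARES):
    """Combine both gates into the outcome the tour prints."""
    if not tree_connect(user, share, groups, shares):
        return "denied"          # refused at tree connect, never reaches the disk
    return "write" if disk_write(user, share, groups, shares) else "read"


def tour():
    """The runbook's talking points as (user, share, result) rows."""
    checks = [("john.carter", "phi"), ("john.carter", "cardiology"),
              ("john.carter", "billing"), ("madonna", "billing"),
              ("madonna", "all-staff"), ("madonna", "phi"),
              ("ava.studio", "studio"), ("ben.field", "studio")]
    return [(u, s, access(u, s)) for u, s in checks]


if __name__ == "__main__":
    for user, share, result in tour():
        print(f"{user:12} \\\\dc1\\{share:11} {result}")
```

Two things to point out on camera: `effective_groups("john.carter")` contains Clinicians even though he is only a direct member of Cardiology, which is why phi needs no per-clinic entries; and `access("madonna", "all-staff")` is `read` purely because the constructed directory mode lacks the group write bit, while the connection gate passed. Change either gate alone and the result changes, which is the "two gates must agree" point.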
### 3. OU-scoped helpdesk delegation

```sh
make test-delegation
```

helpdesk.tech (an unprivileged user in Helpdesk-Pocatello) resets a Pocatello
user’s password successfully, but gets LDAP_INSUFFICIENT_ACCESS_RIGHTS on a
Blackfoot user. The capability lives in an inherited ACE on OU=Pocatello, not in
group membership. See the network/OU model.
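To show why the OU boundary, not the group, decides the outcome, the following added example models an inherited ACE on OU=Pocatello and walks the target's DN chain the way an access check does. It is not code from the demo kit. helpdesk.tech, jennifer.melfi, the OU names and the Helpdesk-Pocatello group come from the runbook; the domain DN, the user blackfoot.user, the OU that helpdesk.tech sits in and the ACE layout are assumptions made here.

```python
# Added example: a model of an inherited OU ACE for the test-delegation story.
# Not code from the demo kit. The domain DN, blackfoot.user, the helpdesk
# user's OU and the ACE layout are assumptions.

DOMAIN_DN = "DC=lab,DC=example"   # assumed; the runbook does not name the domain

# Constructed accounts: name -> DN. The OU an account sits in decides which
# inherited ACEs reach it.
USERS = {
    "jennifer.melfi": f"CN=jennifer.melfi,OU=Pocatello,{DOMAIN_DN}",
    "blackfoot.user": f"CN=blackfoot.user,OU=Blackfoot,{DOMAIN_DN}",   # hypothetical
    "helpdesk.tech":  f"CN=helpdesk.tech,OU=Helpdesk,{DOMAIN_DN}",     # OU assumed
}

# Flat membership: the helpdesk account is in no privileged group at all.
MEMBERS = {"Helpdesk-Pocatello": {"helpdesk.tech"}}

# ACEs keyed by the DN they are set on. inherit=True models the container-
# inherit flag: the ACE flows to every object below that OU. This is the only
# grant in the model, and it lives on the OU, not on a group.
ACES = {
    f"OU=Pocatello,{DOMAIN_DN}": [
        {"trustee": "Helpdesk-Pocatello",
         "rights": {"reset-password", "unlock"},
         "inherit": True},
    ],
}


def ancestors(dn):
    """Containers above a DN, nearest first (naive split; no escaped commas)."""
    chain = []
    while "," in dn:
        dn = dn.split(",", 1)[1]
        chain.append(dn)
    return chain


def groups_of(account):
    return {g for g, members in MEMBERS.items() if account in members}


def authorize(actor, right, target_dn):
    """'OK' if an explicit or inherited ACE grants `right` to one of the
    actor's groups, otherwise the LDAP result the tour shows."""
    trustees = groups_of(actor)
    # An ACE set directly on the object applies regardless of the inherit flag.
    for ace in ACES.get(target_dn, []):
        if ace["trustee"] in trustees and right in ace["rights"]:
            return "OK"
    # An ACE on a container applies only if it was marked to inherit.
    for container in ancestors(target_dn):
        for ace in ACES.get(container, []):
            if ace["inherit"] and ace["trustee"] in trustees and right in ace["rights"]:
                return "OK"
    return "LDAP_INSUFFICIENT_ACCESS_RIGHTS"


def reset_password(actor, target):
    return authorize(actor, "reset-password", USERS[target])


def unlock(actor, target):
    return authorize(actor, "unlock", USERS[target])


def moved_to(account, ou):
    """The DN an account would have after being moved under another OU. Its
    group memberships are untouched, only its position in the tree changes."""
    cn = USERS[account].split(",", 1)[0]
    return f"{cn},OU={ou},{DOMAIN_DN}"


if __name__ == "__main__":
    print(reset_password("helpdesk.tech", "jennifer.melfi"))   # OK
    print(reset_password("helpdesk.tech", "blackfoot.user"))   # LDAP_INSUFFICIENT_ACCESS_RIGHTS
    print(unlock("helpdesk.tech", "jennifer.melfi"))           # OK
    # Same actor, same groups, different OU for the target: the answer flips.
    print(authorize("helpdesk.tech", "reset-password",
                    moved_to("jennifer.melfi", "Blackfoot")))  # LDAP_INSUFFICIENT_ACCESS_RIGHTS
```

The `moved_to` check is the one worth doing live: nothing about helpdesk.tech changes between the two calls, yet the result flips with the target's OU, because the grant is found by walking the target's DN chain and stopping at the first container whose inherited ACE names one of the actor's groups.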
### 4. The RODC refers writes upstream

```sh
make rodc-test
```

A read is served from the RODC’s replica; a write returns LDAP_REFERRAL pointing
at the writable dc1. See Add a read-only domain controller.
### 5. A printer fails, then recovers

```sh
make test-fault-path
```

A queue is driven to rejecting, a job is refused, then the fault is cleared and
the same queue prints again. See Inject printer faults.
## Scenario toggles (something live to fix)

Pre-bake a problem, then resolve it on camera:

```sh
make scenario S=locked-account     # jennifer.melfi (Pocatello) is locked out
make scenario S=expired-password   # greg.pratt must change password at next logon
make scenario S=disabled-account   # dave.malucci is disabled
make scenario S=printer-fault      # a queue starts rejecting
make scenario-clear S=locked-account   # ...or just `make reset`
```

The locked-account scenario pairs with the delegation story: the
Helpdesk-Pocatello group can unlock jennifer.melfi (a Pocatello user) but
cannot unlock someone in another site.
## After the demo

```sh
make reset               # back to the snapshot in seconds
# or
make nuke && make demo   # full teardown + rebuild for a pristine domain
```