List Archives

Subject: RE: [ActiveDir] [OT] DNS on a DC or NOT
05/23/2006 4:34 AM  
I saw the Wizard and got a heart and a can of oil.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Thursday, May 18, 2006 9:02 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT

Since when do you have a heart? :)

It's not that AD needs to do more things, it's that it needs to be rock-solid and the servers that AD runs on need to be able to do more than just a single function (AD). If some things get based on a rock-solid directory, that's OK and even natural, but there is a distinction worth mentioning.

-ajm


On 5/18/06, joe wrote:

> I actually think we're in agreement here :)

Phew... good thing, I was getting tired of typing. :o)



AD can definitely do more than NOS stuff, but in my heart, that is its primary purpose. For instance, I will let Exchange into one of my forests, but the minute it starts making it so people can't authenticate I get out the whip.



   joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Thursday, May 18, 2006 4:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT



Hey joe,

I actually think we're in agreement here :)

In a large org with an existing BIND impl - run with it. If it's mature, well understood and well managed, then why not use it. Unfortunately, when AD hit the streets, there were many DNS impl which did not meet its DNS reqs.

As you say, solutions such as QIP offer a better delegation model and also offer better integration between the various network services (DHCP, address management, DNS etc).

The idea that AD should be used as a NOS and nothing else is a huge topic. The jury is still out for me - I'd like to think a product such as AD could do more for me than just user auth, but then if I adopt a 'best of breed' approach, I'd use other solutions for aspects besides auth. Perhaps MS will push AD into new realms or is that where ADAM is positioned??

Another 2 penneth,
neil


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: 17 May 2006 17:11
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT

I would say that, in general, ADI zones probably work well for most people. When it works and things are sunny everything is great, however when the shape is more pear-like it just adds unnecessary issues into the puzzle. It is very much like most MSFT tech, when things work great, everyone is happy, when it is broken, most people are at a complete loss of what to even start to look at because of the levels of complexity [1].

The times I have mostly encountered problems a number of things had cropped up and I was there to sort things out and having DNS and AD twisted together like a ball of rubber bands made life extremely painful. I also dislike all of that crap in AD. I look at AD for one primary overriding thing, everything else is second. It is my NOS directory. It is there for people to log on in the morning. Hence I want userids and passwords, everything else is addons.

When I hit this recent "POSSIBLE BUG" [2] I have found, let me reiterate POSSIBLE as I got about 18 offline emails already about it, DNS was all crapped out [3] because of the AD Replication and the last thing I needed was both AD replication and DNS dorked up at once, however, you don't get much of a choice if everything is integrated. For instance, a replication issue can go a little while without resolution, you just have some inconveniences. If DNS is absolutely NOT responding, your level of pain and the level of the issue has escalated dramatically, especially if that is your ONLY DNS.

In scaled environments (read really really large and decentralized for DNS) I have found that pushing DNS off to non-MSFT tool sets is my preference. Again preference, sort of like I prefer to spell color as color instead of as colour but prefer humour to humor. It isn't that I think it is absolutely wrong like saying aluminum like aluminium. ;o) I feel that delegated management of DNS is much better handled in BIND or QIP. I have even seen in a small MSFT only environment (extranet forest for large multinational) a case where MSFT integrated DNS was not working properly. I didn't get much into the problem but when I got sick of hearing how much trouble they kept running into I just told them to follow the corporate standard and move to QIP. They had a couple of MSFT guys directly involved and they were coming to bother me about it and I was like, I don't care, you aren't following the corporate standard, I am not going to go try and figure out your one off. Whatever problem they found, MSFT, or more accurately, the MSFT folks involved weren't top shelf enough to work through it. And again... the thing about services that start with D.

The security of the DNS entries doesn't bother me as I have never personally encountered a case where someone was trying to hijack DC records. Possibly if I ran into even a single case of that, it might be something I would be concerned about.

Anyway, it is personal pref. First pref, not to use MSFT DNS. Second pref if not getting the first is to not run integrated. Again however, if in a completely MSFT shop (which I have never worked in), MSFT DNS makes the most sense, you don't introduce complexity to not run MSFT DNS, that would be insane.

You want an integrated DNS... Maybe MSFT should be putting ADAM on DNS Member Servers. I could get behind running it integrated that way though I still want to be able to say "I don't give a shit what else is happening, give out addresses if you can start at all" and it needs to not be something I have to go looking for on the web to enable. Oh and I should always be able to run the management tools as well, there should not be any reason why the management tools will not connect to a specific server. Maybe also you get away from some of the silly security issues with ADI related to using security principals that don't have domain affinity and could give some capability of real DNS granular delegation like some products have.

   joe



[1] I pray that if ADFS gets truly big, it never breaks.

[2] What this possible bug may be related to is not something most people would probably be doing, I was testing out some new functionality of admod (Cross Domain moves) and did something that may not normally be on a test matrix and my replication stopped dead but repadmin wasn't reporting the stopped replication correctly. It could have been a number of things, I am rebuilding a pristine environment to see if I can duplicate the problem. Barring that I will go back to the non-pristine environment and see if I can break it again. The key word here is possible, if I had known for sure it was a for sure bug I would have said so. Emailing me directly is not going to get any more info out of me on this than what I have already given. :)

[3] Defined as started and running but not responding to anything.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
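The failure mode joe defines in [3], the DNS service started and running but answering nothing, is invisible to a plain service-status check, and because an ADI zone's data lives in the directory it can arrive together with the replication fault he describes. The PowerShell below is an added example, not code from the thread or from joeware. It assumes Windows PowerShell 5.1 on a domain-joined admin host with the ActiveDirectory RSAT module and repadmin.exe, and an account allowed to query the DCs; it asks each DC three separate questions: what the Service Control Manager reports, whether the server really answers an SRV query for the DC locator record, and whether repadmin shows inbound replication failures.

```powershell
# Added example, not from the original thread or joeware.
# Assumptions: Windows PowerShell 5.1 on a domain-joined admin host with the
# ActiveDirectory RSAT module and repadmin.exe; the account can query every DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
# The DC locator record every domain member depends on to find a DC at logon.
$srvName = "_ldap._tcp.dc._msdcs.$domain"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1. What the Service Control Manager thinks. (Get-Service -ComputerName is
    #    Windows PowerShell only; it was removed in PowerShell 7.)
    $state = try { (Get-Service -ComputerName $name -Name DNS -ErrorAction Stop).Status.ToString() }
             catch { "Error: $($_.Exception.Message)" }

    # 2. Whether the server actually answers. -DnsOnly bypasses the local cache and
    #    LLMNR/NetBIOS, so a positive answer can only have come from this server.
    $answers = try {
        $r = Resolve-DnsName -Name $srvName -Type SRV -Server $name -DnsOnly -ErrorAction Stop
        @($r | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0
    } catch { $false }

    # 3. Inbound replication for this DC. repadmin prints a
    #    'Last attempt @ ... failed' line per broken partner/partition.
    $repl = & repadmin.exe /showrepl $name 2>&1
    $replFailures = @($repl | Select-String -SimpleMatch 'failed').Count

    [pscustomobject]@{
        DC               = $name
        DnsServiceState  = $state
        AnswersSrvQuery  = $answers
        ReplFailureLines = $replFailures
        Verdict          = if ($state -eq 'Running' -and -not $answers) { 'RUNNING BUT NOT ANSWERING' }
                           elseif (-not $answers)                        { 'DNS DOWN' }
                           elseif ($replFailures -gt 0)                  { 'DNS OK, REPLICATION FAILING' }
                           else                                          { 'OK' }
    }
}

$results | Format-Table -AutoSize
```

The point of querying the SRV record rather than an A record is that it is the record a client needs before it can even attempt Kerberos, so a DC that is "Running" in column two but false in column three is exactly the case where both the directory and name resolution are down at once. Run it from a host that has a working non-DC resolver configured, otherwise the Get-AD* calls themselves depend on the DNS you are trying to test.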




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Wednesday, May 17, 2006 10:23 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT

Interesting stuff joe ......

Many of us have used ADI zones for many (well 7+) years now with little or no issue, in various org sizes and types.

I'd like to hear more about this issue, since IMO, ADI zones offer huge advantages to a typical org over BIND text files. [I won't expand upon these advantages here, since they are well documented.]

Have you encountered an isolated issue or a true show stopper which we should all sit up and take note of?? :)

With regard to running DNS on a DC - if an existing DNS implementation exists that can support AD, then use it. Otherwise, I see DNS as a VERY minor overhead, compared with the other services that a DC provides and would not hesitate to install DNS on a (or indeed every) DC.

my 2 penneth.

Thanks,
neil


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: 17 May 2006 14:55
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT

If your DNS is integrated, find a big piece of wood to knock on... Or keep it around to bang your head on later.

I'll run DNS on DCs if I have to. I will run it integrated if threatened badly enough.

I recently ran into a nasty DNS problem in an integrated DNS where DNS would start but wouldn't actually respond to anything. It appears to be related to a possible AD Replication bug I found though. I have to research a little more and see if it was one off or I can duplicate at will. Once I removed the items causing the issue replication worked again and DNS came back to life.

But enough about DNS, I don't speak about services that start with D. You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You get the drift. ;)




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Craig Cerino
Sent: Wednesday, May 17, 2006 9:05 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT


At the very least it (DNS) should be on ONE of the DCs.

I personally do not have an issue with DNS running on all of my DCs -- which it is. I have heard/read all the arguments for and against. I still have no issue -- (Searching for wood to knock) I've not had an issue/conflict once.






From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Krenceski, William
Sent: Wednesday, May 17, 2006 7:38 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] DNS on a DC or NOT


I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560 PCs, on 8 networks (some remote, some VLANs). I have 2 DCs at my main site with one at each remote site. All DCs are GCs and DNS. I always thought that in order for DNS to work as AD integrated your DNS servers had to be DCs. If that is NOT true my face is red for believing so for so long.






William Krenceski
Network Administrator
wkrenceski@xxxxxxx
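William's question about whether ADI zones need DCs, joe's remark about hijacking DC records, and his complaint about "silly security issues with ADI related to using security principals that don't have domain affinity" all come down to two per-zone facts: where the zone is stored and who is allowed to update it. The PowerShell below is an added example, not from the thread. It assumes Windows Server 2012 or later with the DnsServer module and is meant to run on the DNS server itself ($server is assumed to be the local host; point it at another server you administer if not). It reports whether the host is a DC at all (an ADI zone can only exist on one), lists each primary zone's storage, replication scope and dynamic-update mode, flags the weak setting (NonsecureAndSecure, under which any host that can reach the server can overwrite a record, DC SRV records included), and shows the corrected setting as a -WhatIf so nothing changes until the switch is removed.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+ with the
# DnsServer module, run on the DNS server (or set $server to one you administer).
Import-Module DnsServer

$server = $env:COMPUTERNAME   # assumption: running locally on the DNS server

# ADI zones can only be hosted on a DC, because the zone data lives in the directory.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; lower values are not DCs.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $server).DomainRole
$isDc = $role -ge 4

$zones = Get-DnsServerZone -ComputerName $server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $risk = switch ($z.DynamicUpdate) {
        'NonsecureAndSecure' {
            if ($z.IsDsIntegrated) { 'WEAK: unauthenticated updates allowed; set to Secure' }
            else { 'WEAK: unauthenticated updates allowed; a file-backed zone cannot use Secure' }
        }
        default { '' }
    }
    [pscustomobject]@{
        Zone             = $z.ZoneName
        HostIsDC         = $isDc
        ADIntegrated     = $z.IsDsIntegrated
        ReplicationScope = if ($z.IsDsIntegrated) { $z.ReplicationScope } else { 'n/a (zone file)' }
        DynamicUpdate    = $z.DynamicUpdate
        Risk             = $risk
    }
}
$report | Format-Table -AutoSize

# Corrected setting: secure-only dynamic update. Only an ADI zone can enforce it, because
# each update is authorized (GSS-TSIG with Kerberos) against the ACL on the record object in
# AD; a zone-file zone has no such object to carry an ACL.
# -WhatIf shows the change without applying it; drop it once the report looks right.
foreach ($z in $zones | Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }) {
    Set-DnsServerPrimaryZone -ComputerName $server -Name $z.ZoneName -DynamicUpdate Secure -WhatIf
}
```

The report answers William directly: if HostIsDC is false, every zone on that server is file-backed, and the only way to get Secure updates is to move the zone to a DC and make it ADI. It also makes joe's trade-off concrete, since the same storage that enables the per-record ACL is what ties the zone's availability to the directory's.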


Copyright 2012 ActiveDir.org