Subject: [ActiveDir] Active Directory wish list
LeslieTyson

10/05/2005 11:57 AM
In our case (empty root, 4 child domains, 3500 users), it
was primarily politics.  We brought in two consultants (one from
a VAR, one from Microsoft), and the decision was that the best way to go, based
on politics, geographical location of the offices, and division of
administration, was the empty root and 4 child domains.  Password policies
were a small factor, but not a driving force...

That said, I personally would love to see the ability to
have multiple password policies within a single domain.

Tyson.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn <rich.milburn@xxxxxxxxxxxxx> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a tough one. It wouldn't just be a no-brainer if they had separate instances of AD, there are just tons of other things involved that make it extremely difficult. It was something that was brought up in the summit though, not sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the fact that VS is available and can run DCs. Also the Server Core DCs help here as well as the DCs will have a smaller footprint. If folks are NOT in agreement with that assessment, definitely speak up, it is too late for Longhorn but possibly the opportunity exists to convince them for BlackComb.

joe

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already is the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that "can't" achieve Domain-wide DA level rights, and DCs running on Server Foundation or now it's called Server Core which is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC know that he really helped out.
>
> All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.
>
>    joe
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as Active Directory is concerned? Also are there any big enhancements due?
>
> Thanks
> Steven
AD000001335

10/06/2005 1:12 AM
You're hardly alone in this.  It took a little while
before the touted security of the empty root model was blown open by my esteemed
colleagues at HP (then Compaq).  Lots and lots of organizations have
adopted empty-root and other multiple-domain architectures, only to regret it
later.

Still, Virtual Server (or VMware) would address the
hardware requirement to a large extent since you could run two
physical machines instead of six, but it doesn't really do anything for
Charlie's desire to buy fewer server licenses.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'm not saying we need a better solution here, and there are factors due to the internal/external nature of our business that PSS (I think) recommended the design we have. When we built it, the empty root was widely considered to be the best design. My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point). We don't really need load balancing for this size - but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down. My point was that the directory is a database, but it's tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they're working on that, as I think Joe mentioned and is non-NDA). Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory - a different database model than say SQL. Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database? Maybe not. I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso


aricbernard

10/06/2005 1:45 AM
Actually, it may - rumor has it that there may be some licensing changes coming for the virtualized Windows world...

Aric



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 5:55 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list
milburnr

10/06/2005 2:54 AM
There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords (next to HR, accounting, and IT maybe) but lack the computer literacy to understand why and so unfortunately want no passwords or their dog's name as a password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password policy, and who [might] now reasonably [from a technical and security perspective] ask "why would you want to allow some people to have a weak password policy if others require a strong one on the same network??"
- AD admins who have to figure out how to make everyone happy but may get blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably should not be mandated by the program, only set as an initial default to protect the ignorant. IMHO.

Rich

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of deji@xxxxxxxxxxxxxx
Sent: Wednesday, October 05, 2005 7:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

The way I can see different password policies for one domain being implemented is if you have a product/tool in front of your directory intercepting the passwords and enforcing different rules as the passwords go through. The underlying directory (AD) will have to have no policy, or have at least a very relaxed policy. This would be a sort of password servicing provisioning system.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list
In our case (empty root, 4 child domains, 3500 users), it was primarily politics. We brought in two consultants (one from a VAR, one from Microsoft), and the decision was that the best way to go, based on politics, geographical location of the offices, and division of administration, was the empty root and 4 child domains. Password policies were a small factor, but not a driving force...

That said, I personally would love to see the ability to have multiple password policies within a single domain.

Tyson.

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list
My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil


On 10/5/05, Rich Milburn wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a tough one. It wouldn't just be a no-brainer if they had separate instances of AD, there are just tons of other things involved that make it extremely difficult. It was something that was brought up in the summit though, not sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the fact that VS is available and can run DCs. Also the Server Core DCs help here as well as the DCs will have a smaller footprint. If folks are NOT in agreement with that assessment, definitely speak up, it is too late for Longhorn but possibly the opportunity exists to convince them for BlackComb.

joe



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie
Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************


> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already are the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that "can't" achieve Domain-wide DA level rights, and DCs running on Server Foundation, or now it's called Server Core, which is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC knows that he really helped out.
>
> All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.
>
>
> joe
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven
Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
>
> With Windows Vista on its way, what's on people's wish list as far as Active Directory is concerned? Also, are there any big enhancements due?
>
> Thanks
> Steven
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
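The "tool in front of the directory" that Dèjì describes in the quoted message, worked through as an added example (it is not code from the thread or from any product mentioned in it): a small policy gate that picks one of several password policies for a user from group membership and checks a candidate password before the change is ever passed to the directory. The group names, policies, accounts and passwords are constructed for illustration, and the rule that the lowest precedence number wins for a user in several policy groups is a design choice of the example, not something the thread specifies.

```python
"""Per-group password policy gate in front of a directory.

Added example, not code from the thread or from any product it mentions.
It models the "tool in front of the directory" idea: a user's group
memberships select one of several policies, and a candidate password is
checked against that policy before the change is passed to the directory.
All groups, policies, accounts and passwords here are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    precedence: int        # if a user matches several policies, the lowest value wins
    min_length: int
    min_char_classes: int  # distinct classes required out of: lower, upper, digit, other
    block_user_tokens: bool = True  # reject passwords containing parts of the user's name


# Constructed policies keyed by group name: a relaxed baseline, a stricter
# policy for a sensitive department, and the strictest for administrators.
POLICIES = {
    "Domain Users":  PasswordPolicy("baseline", precedence=300, min_length=8,  min_char_classes=3),
    "Finance":       PasswordPolicy("finance",  precedence=200, min_length=12, min_char_classes=3),
    "Domain Admins": PasswordPolicy("admins",   precedence=100, min_length=15, min_char_classes=4),
}
DEFAULT_POLICY = POLICIES["Domain Users"]


def effective_policy(groups):
    """Among the user's groups that carry a policy, return the one with the
    lowest precedence number; users in no policy group get the baseline."""
    matched = [POLICIES[g] for g in groups if g in POLICIES]
    return min(matched, key=lambda p: p.precedence) if matched else DEFAULT_POLICY


def char_classes(password):
    """Count the distinct character classes present: lower, upper, digit, other.
    Spaces and punctuation both count as 'other', so passphrases are not penalised."""
    return (any(c.islower() for c in password)
            + any(c.isupper() for c in password)
            + any(c.isdigit() for c in password)
            + any(not c.isalnum() for c in password))


def user_tokens(sam_account_name, display_name):
    """Name fragments of three or more characters that must not appear in the password."""
    parts = re.split(r"[\s.,_-]+", f"{sam_account_name} {display_name}")
    return {p.lower() for p in parts if len(p) >= 3}


def evaluate(sam_account_name, display_name, groups, candidate):
    """Return the list of violations for a candidate password under the
    user's effective policy.  An empty list means the gate passes the change on."""
    policy = effective_policy(groups)
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"{policy.name}: length {len(candidate)} < {policy.min_length}")
    found = char_classes(candidate)
    if found < policy.min_char_classes:
        violations.append(f"{policy.name}: only {found} of {policy.min_char_classes} character classes")
    if policy.block_user_tokens:
        lowered = candidate.lower()
        for token in sorted(user_tokens(sam_account_name, display_name)):
            if token in lowered:
                violations.append(f"{policy.name}: contains account/name token '{token}'")
    return violations


if __name__ == "__main__":
    # Constructed accounts; the last two are in two policy groups, so the admin policy wins.
    checks = [
        ("jdoe",   "Jane Doe",   ["Domain Users"],                  "Jane2005!"),
        ("jdoe",   "Jane Doe",   ["Domain Users"],                  "Autumn-Leaves-2005"),
        ("asmith", "Alex Smith", ["Domain Users", "Finance"],       "Wrench7sky"),
        ("asmith", "Alex Smith", ["Domain Users", "Domain Admins"], "green tea before 7 meetings"),
        ("asmith", "Alex Smith", ["Domain Users", "Domain Admins"], "Green tea before 7 meetings!"),
    ]
    for sam, name, groups, pw in checks:
        verdict = evaluate(sam, name, groups, pw)
        print(f"{sam:7} [{effective_policy(groups).name:8}] {'accepted' if not verdict else '; '.join(verdict)}")
```

Because, as the quoted message says, the directory behind such a gate carries only a relaxed policy, any password change that reaches the directory without passing through the gate (an administrator reset, a direct LDAP modify) is checked only against that relaxed policy; a deployment of this design needs those paths closed or audited, or the same rules enforced in the directory itself. Running the block directly prints the verdict for each constructed account.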

tvanderkooi
10/06/2005 3:57 AM
I think the biggest problem is cultural. And we as developers and administrators make the situation worse by giving in to pressure from business leaders.
The average user, when you tell them that they now have to have a password that is at least 15 characters long including special characters and upper case letters, absolutely freaks, and yet that same user will then go and spend all day typing "novels" in Word, Excel, Outlook, etc. When users see me type my password, which is in the 35 character range, they just can't believe it, and yet I can type it as fast as most of them type their 8 character passwords, and I never forget it because it actually means something. You sit down and explain what you are doing to establish that long passphrase to them and it is as if the light suddenly switches on and it's no longer a big deal.
IT in my opinion just does a really bad job of communicating the reasons for and ramifications of having more secure measures in place, and more so, the ease of implementing these changes.
As always, it's just my opinion.
Tim

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Thursday, October 06, 2005 9:35 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords (next to HR, accounting, and IT maybe) but lack the computer literacy to understand why and so unfortunately want no passwords or their dog's name as a password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password policy, and who [might] now reasonably [from a technical and security perspective] ask "why would you want to allow some people to have a weak password policy if others require a strong one on the same network??"
- AD admins who have to figure out how to make everyone happy but may get blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably should not be mandated by the program, only set as an initial default to protect the ignorant. IMHO.

Rich

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

AD00000332
10/06/2005 4:05 AM
Then we should be looking at user authentication by other means than just passwords. But that isn't a utopia either.

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: 06 October 2005 15:35
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

There seem to be several schools of thought on the password policy issue...
- the execs and exec admins who should have the 4th most complex passwords (next to HR, accounting, and IT maybe) but lack the computer literacy to understand why and so unfortunately want no passwords or their dog's name as a password, and they have the political influence to be heard
- the security people who want 5 way complex passwords (including ASCII characters) and understand the threats but not the user issues
- developers who don't want the [continued] blame for leaving an open password policy, and who [might] now reasonably [from a technical and security perspective] ask "why would you want to allow some people to have a weak password policy if others require a strong one on the same network??"
- AD admins who have to figure out how to make everyone happy but may get blamed if the network is compromised.
- and others of course.

Personally I tend to side with the developers on this, but then it probably should not be mandated by the program, only set as an initial default to protect the ignorant. IMHO.

Rich

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already are the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now it's called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC knows that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
>
>
> joe
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
>
> Thanks
> Steven
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal law.
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address.
Messages sent to
or from this e-mail address may be stored on the Applebee's International, Inc.
e-mail system.
AD000001335

Posts:0

10/06/2005 5:21 AM  
I don't make recommendations based on vaporware or rumors...

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bernard, Aric
Sent: Wednesday, October 05, 2005 6:31 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Actually, it may - rumor has it that there may be some licensing changes
coming for the virtualized Windows world...



Aric



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 5:55 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

You're hardly alone in
this.  It took a little while before the touted security of the empty root
model was blown open by my esteemed colleagues at HP (then Compaq).  Lots
and lots of organizations have adopted empty-root and other multiple-domain
architectures, only to regret it later.

Still, Virtual Server
(or VMware) would address the hardware requirement to a large
extent since you could run two physical machines instead of six, but
it doesn't really do anything for Charlie's desire to buy fewer
server licenses.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list
I'm not saying we need a better solution here, and there are factors due to
the internal/external nature of our business that PSS (I think) recommended
the design we have. When we built it, the empty root was widely considered to
be the best design. My point was that to support this, we need at least 6
W2K3 servers running (physical or not is mostly beside the point). We don't
really need load balancing for this size - but we need 2 servers for each
domain if we want to avoid the risk of having the only DC for a domain go
down. My point was that the directory is a database, but it's tied to the
server OS in such a way that even stopping the directory on one box is a feat
for MS to do (they're working on that, as I think Joe mentioned and is
non-NDA). Securing a copy of the directory and making it available means
doing that for the entire server unit right now, not just the directory - a
different database model than say SQL. Should the AD database be more modular
to separate it out from the OS so that it could be treated as one might treat
a SQL database? Maybe not. I was just asking the question in hopes of
sparking some new ideas of ways to mitigate the risk a single DC domain
incurs today. :)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso


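The check behind Rich's question above (whether any domain is down to a single online copy of the directory), written as an added example that is not from the thread and not anyone's code in it. It uses the ActiveDirectory PowerShell module, which postdates this 2005 discussion; the function name Get-SingleDcDomains and the MinimumWritable threshold are this example's own, and it assumes RSAT with that module installed and an account that can read each domain's DC list. Read-only DCs (the RODC joe mentions) are counted separately because they hold no writable copy and so do not remove the single point of failure.

```powershell
# Added example (not from the original thread): report, per domain in the
# forest, how many writable domain controllers exist and flag domains that
# fall below a minimum. Assumes the ActiveDirectory module (RSAT) and read
# access to every domain; Get-SingleDcDomains and MinimumWritable are
# names chosen for this example.
Import-Module ActiveDirectory

function Get-SingleDcDomains {
    param(
        # Two writable DCs is the floor the thread treats as normal.
        [int]$MinimumWritable = 2
    )

    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # Target the domain by name so the query returns only its own DCs
        # (the forest root and each child domain are listed separately).
        $dcs = @(Get-ADDomainController -Filter * -Server $domain)

        # An RODC cannot take writes, so redundancy is measured on writable
        # DCs only; RODCs are reported but not counted toward the minimum.
        $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
        $readOnly = @($dcs | Where-Object { $_.IsReadOnly })

        [pscustomobject]@{
            Domain        = $domain
            WritableDCs   = $writable.Count
            ReadOnlyDCs   = $readOnly.Count
            SinglePoint   = ($writable.Count -lt $MinimumWritable)
            WritableHosts = ($writable | ForEach-Object { $_.HostName }) -join ', '
        }
    }
}

# Domains with SinglePoint = True are the ones where losing one server
# leaves no online copy of that domain's directory.
Get-SingleDcDomains |
    Sort-Object SinglePoint -Descending, Domain |
    Format-Table -AutoSize
```

Run it from a forest-joined workstation; if a child domain's only writable DC is unreachable, Get-ADDomainController fails for that domain, which is itself the condition the report is looking for.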
aricbernard

Posts:2

10/06/2005 5:43 AM  
Well good, especially since I didn't actually see you make a recommendation
or discuss any vaporware... :)



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:15 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I don't make recommendations based on vaporware or rumors...

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™







milburnr

Posts:0

10/06/2005 5:54 AM  
I have not been in many biometric/smart card discussions, but the ones I have been in have never addressed one particular issue:
"Ok, so logons are now secured very nicely. So how secure is the background mechanism that ties my fingerprint to my account?? Can Joe sniff it off the network with net monitor?" (I'd put money on Joe.R being able to, anyway :)

I believe that is at least one reason for some of the disclaimers around certain products like I think it's a MS keyboard with fingerprint reader, about being for home use only or for securing Internet passwords only, etc.

Rich

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 10:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Then we should be looking at user authentication by other means than just passwords. But that isn't a utopia either.