List Archives

Subject: [ActiveDir] Active Directory wish list

Page 3 of 4

listmail

10/07/2005 4:53 AM  
It is surprising no one has responded to this with the
"pat" answer... this is describing MIIS and the workflow piece they
have built into it and the idea being that AD is simply a store. MIIS
supplies the business logic such as triggers and dynamic updates, etc. I don't
necessarily agree with it, but it is what Stuart Kwan (of the Ottawa Kwan Clan)
has been saying at DEC for the last few years. I personally would like to see
more logic and triggers, etc in AD as well as more extensible functionality like
the password filters, etc that are fully supported. I dislike the idea that I
may need to spin up an entirely different product as well as SQL Server to
manage my AD environment. If MIIS started using ESE I would be that much closer
to accepting it because then I don't have a database product that I have to
install and pay special attention to (not to mention buy at some ridiculous
price), it is a back end black box piece. I just was chatting with an MCS guy
who had to work on a MS Product last week that back ended into SQL and they
went to move it and it was a disaster. Possibly MS could make it so that SQL
backend could be as smooth to use as ESE is in the backend of AD (how much work
have you really had to do on your ESE Database? How many tools are available to
do so? That will give an indication of how much the tools are needed.)
but I haven't seen it yet. I recall when MS came to one of my customers to work
on piloting MOM with the SQL backend and what a disaster that was, and in
talking to the MCS guys, it wasn't a one off. More logic has to be in the
application in order to use ESE over SQL, but maybe that is what some of these
apps need, more logic.

As for the advanced scripters part... my 10 or less
year prediction... if you want to stay in an IT position, I highly recommend
becoming an advanced scripter if not an admin with full blown programming
capability. Companies are going to continue slimming down and the technologies
are going to handle more and more of the "simple things" automatically meaning
if you don't have the advanced scripting/architecting/troubleshooting skills,
the chances are not good to remain working on the stuff. You will slowly get
overwhelmed as more stuff gets loaded on to the point that you are no longer
effective without advanced scripting skills and someone who is will remain
when the company decides to save more money and a good chunk of the staff gets
cut. I see the Server Foundation aka Server Core OS pushing this even harder
when companies deploy more and more headless machines with no GUI to speak of. I
have already been seeing this where groups that used to have large numbers of
admins are whittled down to maybe a third of what they had with only the people
with serious automation skills remaining behind. Which is actually a favor for
those that don't have those skills as they would be completely overwhelmed in
short order. I visualize us moving to two extremes for corporate IT Admins, the
people watching colored lights where there is a requirement for an actual person
to be looking at a screen versus depending on automated paging systems, etc
(there are customers that require this) and the high end advanced admins. Small
business shops are where I see most of the other admins going to (if they
stay in admin work) and possibly Susan can speak to where she thinks
scripting and such is going in that world as she has her finger on the pulse of
SBS. SBS can't be run, at this time, on Server Core, it has too much junk in the
trunk so it will continue looking like the servers of today until MS works out
how to make them run on Core and then I visualize one Susan running SBS for many
companies from the comfort of her home with better and better scripts and tools
or some company that specializes in running small businesses like that if they
don't already exist.

Look at it this way, companies and admins are all complaining
about how much time they have to spend on stupid things like patching and
clicking on this or that or whatever it is they feel is a waste of time. MS is
listening, MS is reacting, MS is fixing. We as admins complain because we don't
want to worry about stupid things. Companies complain because they want to
reduce their systems management costs. The more the systems handle themselves,
the less they need admins doing it. Not saying we will ever get to a point where
admins aren't needed, but the number of them will surely reduce dramatically
and only the very useful or the very very cheap will tend to hang around.
Having very strong scripting skills makes someone very useful.
Centralization and work force reduction will continue to be the norm and
in fact will probably accelerate.

  joe


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Friday, October 07, 2005 8:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I would like a better way of making bulk changes to AD. There seem to be caveats with every scripting method. Also some more advanced management like maybe a way to create new users and automatically e-mail their superior based on an attribute in the user account with the new account information. Maybe there are ways to do these things via advanced scripting, but I would like an easier way for those of us admins who are not advanced scripters.


Dan





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 5:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'm not saying we need a better solution here, and there are factors due to the internal/external nature of our business that PSS (I think) recommended the design we have. When we built it, the empty root was widely considered to be the best design. My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point). We don't really need load balancing for this size - but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down. My point was that the directory is a database, but it's tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they're working on that, as I think Joe mentioned and is non-NDA). Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory - a different database model than say SQL. Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database? Maybe not. I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :-)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list


My question would be: for a small directory
of 5000 users, why do you have 3 domains? If it is for separate password
policies, then perhaps a better wish list item would be the ability to have
multiple password policies in one domain.



Phil 

On 10/5/05, Rich Milburn <rich.milburn@xxxxxxxxxxxxx> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a tough one. It wouldn't just be a no-brainer if they had separate instances of AD, there are just tons of other things involved that make it extremely difficult. It was something that was brought up in the summit though, not sure how much I can say around it other than no, it won't be there. MS feels the focus of this is dramatically reduced now as well due to the fact that VS is available and can run DCs. Also the Server Core DCs help here as well as the DCs will have a smaller footprint. If folks are NOT in agreement with that assessment, definitely speak up, it is too late for Longhorn but possibly the opportunity exists to convince them for BlackComb.

joe

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already are the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that "can't" achieve Domain-wide DA level rights, and DCs running on Server Foundation or, as it's now called, Server Core, which is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC knows that he really helped out.
>
> All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.
>
>    joe
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as Active Directory is concerned? Also are there any big enhancements due?
>
> Thanks
> Steven

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.







NOTICE: The information
contained in this transmission is privileged, confidential, and intended
only for the use of the individual or entity named above. If you are not
the intended recipient, you are hereby notified that any disclosure,
copying, distribution, or the taking of any action in reliance on the
contents of this transmission is strictly prohibited. If you have received
this transmission in error, please notify Eze Castle Integration, Inc. by
e-mail and destroy the original message and all copies. Thank
you.
darren.marelia@xxxx.yyy

10/07/2005 5:51 AM  
Random comments:


"I personally would like to see more logic and triggers, etc in AD as well..."

[Darren] So what you'd really like is SQL Server, which has all that :-)

"Possibly MS could make it so that SQL backend could be as smooth to use as ESE is in the backend of AD (how much work have you really had to do on your ESE Database? How many tools are available to do so? That will give an indication of how much the tools are needed.)"

[Darren] I think that results from the difference between a purpose-built, runtime database engine that does one thing really well and an all-purpose, do-anything-you-want, relational database. Once you open up the possibilities of putting business logic into the db, then self-maintaining, self-tuning, never-need-to-do-maintenance goes out the door.

"...if you want to stay in an IT position, I highly recommend becoming
an advanced scripter if not an admin with full blown programming
capability."
[Darren] I
agree with this in general. I actually think that IT systems are going to become
increasingly complex (if that's possible), but at a higher layer than today. I
think that over time, all of the mundane, basic OS-level stuff will just take
care of itself and that the complexity will arise higher up. If you think about
where things are going--virtualized servers that provision on the fly,
service-oriented applications that are "loosely coupled", operating systems and
apps that are much better instrumented, federated identities with users
running apps across org. boundaries--all of this points to a very complex web of
stuff that will require a much higher level of skills to manage. I'm not sure
this translates to "you need to be a scripter" but for me it does translate to
"you need to understand more than OS config. twiddling" and I agree
wholeheartedly that being grounded in app. development capabilities is a huge
advantage for an admin today and, probably in the
future.



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, October 07, 2005 9:07 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

It is suprising no one has responded to this with the
"pat" answer... this is describing MIIS and the workflow piece they
have built into it and the idea being that AD is simply a store. MIIS
supplies the business logic such as triggers and dynamic updates, etc. I don't
necessarily agree with it, but it is what Stuart Kwan (of the Ottawa Kwan Clan)
has been saying at DEC for the last few years. I personally would like to see
more logic and triggers, etc in AD as well as more extensible functionality like
the password filters, etc that are fully supported. I dislike the idea that I
may need to spin up an entirely different product as well as SQL Server to
manage my AD environment. If MIIS started using ESE I would be that much closer
to accepting it because then I don't have a database product that I have to
install and pay special attention to (not to mention buy at some ridiculous
price), it is a back end black box piece. I just was chatting with an MCS guy
who had to work on a MS Product last week that back ended into SQL and they
went to move it and it was a disaster. Possibly MS could make it so that SQL
backend could be as smooth to use as ESE is in the backend of AD (how much work
have you really had to do on your ESE Database? How many tools are available to
do so? That will give an indication of how much the tools are needed.)
but I haven't seen it yet. I recall when MS came to one of my customers to work
on piloting MOM with the SQL backend and what a disaster that was, and in
talking to the MCS guys, it wasn't a one off. More logic has to be in the
application in order to use ESE over SQL, but maybe that is what some of these
apps need, more logic.

As for the advanced scripters part... my 10 or less
year prediction... if you want to stay in an IT position, I highly recommend
becoming an advanced scripter if not an admin with full blown programming
capability. Companies are going to continue slimming down and the technologies
are going to handle more and more of the "simple things" automatically meaning
if you don't have the advanced scripting/architecting/troubleshooting skills,
the chances are not good to remain working on the stuff. You will slowly get
overwhelmed as more stuff gets loaded on to the point that you are no longer
effective without advanced scripting skills and someone who is will remain
when the company decides to save more money and a good chunk of the staff gets
cut. I see the Server Foundation aka Server Core OS pushing this even harder
when companies deploy more and more headless machines with no GUI to speak of. I
have already been seeing this where groups that used to have large numbers of
admins are whittled down to maybe a third of what they had with only the people
with serious automation skills remaining behind. Which is actually a favor for
those that don't have those skills as they would be completely overwhelmed in
short order. I visualize us moving to two extremes for corporate IT Admins, the
people watching colored lights where there is a requirement for an actual person
to be looking at a screen versus depending on automated paging systems, etc
(there are customers that require this) and the high end advanced admins. Small
business shops are where I see most of the other admins going to (if they
stay in admin work) and possibly Susan can speak to where she thinks
scripting and such is going in that world as she has her finger on the pulse of
SBS. SBS can't be run, at this time, on Server Core, it has too much junk in the
trunk so it will continue looking like the servers of today until MS works out
how to make them run on Core and then I visualize one Susan running SBS for many
companies from the comfort of her home with better and better scripts and tools
or some company that specializes in running small businesses like that if they
don't already exist.

Look at this way, companies and admins are all complaining
about how much time they have to spend on stupid things like patching and
clicking on this or that or whatever it is they feel is a waste of time. MS is
listening, MS is reacting, MS is fixing. Us as admins complain because we don't
want to worry about stupid things. Companies complain because they want to
reduce their systems management costs. The more the systems handle themselves,
the less they need admins doing it. Not saying we will ever get to a point where
admins aren't needed, but the number of them will surely reduce drammatically
and only the very useful or the very very cheap will tend to hang around.
Having very strong scripting skills makes someone very useful.
Centralization and work force reduction will continue to be the norm and
in fact will probably accelerate.

  joe


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano,
DanSent: Friday, October 07, 2005 8:46 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Active Directory
wish list
I would like a better
way of making bulk changes to AD. There seems to be caveats with every scripting
method. Also some more advanced management like maybe a way to create new users
and automatically e-mail their superior based on an attribute in the user
account with the new account information. Maybe there are ways to do these
things via advanced scripting, but I would like an easier way for those of us
admins who are not advanced scripters.


Dan





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Rich
MilburnSent: Wednesday,
October 05, 2005 5:29 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Active Directory
wish list

I™m not
saying we need a better solution
here, and there are factors due
to the internal/external nature of our business that PSS (I think) recommended
the design we have.  When we
built it, the empty root was widely considered to be the best design.  My
point was that to support this, we need at least 6 W2K3 servers running
(physical or not is mostly beside the point).  We don™t really need load
balancing for this size “ but we need 2 servers for each domain if we want to
avoid the risk of having the only DC for a domain go down.  My point was
that the directory is a database, but it™s tied to the server OS in such a way
that even stopping the directory on one box is a feat for MS to do (they™re
working on that, as I think Joe mentioned and is non-NDA).  Securing a copy
of the directory and making it available means doing that for the entire server
unit right now, not just the directory “ a different database model than say
SQL.  Should the AD database be more modular to separate it out from the OS
so that it could be treated as one might treat a SQL database?  Maybe
not.  I was just asking the question in hopes of sparking some new ideas of
ways to mitigate the risk a single DC domain incurs today. J

---------------------------------------------------------------------------Rich
MilburnMCSE, Microsoft MVP -
Directory ServicesSr
Network Analyst, Field Platform DevelopmentApplebee's
International, Inc.4551
W. 107th
StOverland
Park,
KS 66207913-967-2819---------------------------------------------------------------------------"I am always doing
that which I can not do, in order that I may learn how to do it." - Pablo
Picasso


From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Phil
RenoufSent: Wednesday, October
05, 2005 2:37 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] Active Directory
wish list


My question would be: for a small directory
of 5000 users, why do you have 3 domains? If it is for separate password
policies, then perhaps a better wish list item would be the ability to have
multiple password policies in one domain.



Phil 

On 10/5/05, Rich Milburn rich.milburn@xxxxxxxxxxxxx>
wrote:
I think the biggest reason people want to
be able to run multipledomains on one server is the same reason practically
no one (except for SBS) installs just one DC, and the same reason we always
install aminimum of 2 for a domain.  We have a forest root and 2
child domainsmodel, and it takes us 6 servers to run that - for basically
2directories and fewer than 5000 users.  That seems like a waste
of hardware in some situations - especially if you have multiple orgs
thatyou run.  The parallel might be for a web hosting company to
have 2 fullweb servers for each domain they host - in case 1 goes down, they
still have a second.  VS is an answer, yes, although you still
need a fullserver license for each VM.  The thing with domains is
you don't want toonly have 1 online copy of the directory.  MS
didn't seem too convinced there was a good reason to have an online second
server - they citedbackups as a good solution to the issue.  In a
big org the cost of anadditional server to provide redundancy is negligible,
but is having anonline copy (second DC) really the BEST way to do
this?  And it doesn'thelp SBS users, since they can (correct me if
I'm wrong) only have 1 DC.I realize it may be the best way we have with
W2K3, but how could theissue of redundancy be addressed with AD differently
than having 2 DCsminimum per domain?  Anyone have any
ideas?Rich-----Original Message-----From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of joeSent: Tuesday, October 04, 2005 9:20 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
RE: [ActiveDir] Active Directory wish listYeah I can say that it isn't
in Longhorn. As the dev guys put it, thisis atough one. It wouldn't just
be a nobrainer if they had separate instances ofAD, there are just tons
of other things involved that make it extremelydifficult. It was something
that was brought up in the summit though,notsure how much I can say
around it other than no, it won't be there. MS feels the focus of this
is dramatically reduced now as well due tothefact that VS is available
and can run DCs. Also the Server Core DCshelpshere as well as the DCs
will have a smaller footprint. If folks are NOT inagreement with that
assessment, definitely speak up, it is too late forLonghorn but possibly the
opportunity exists to convince them
forBlackComb.joe-----Original Message-----From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Charlie Kaiser Sent: Tuesday, October 04, 2005 9:37 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
RE: [ActiveDir] Active Directory wish listI'd also like to see the
ability to run DCs for multiple domains on the sameserver. SMBs with
limited resources balk at having to buy additionalserverhardware for
redundancy on multiple domains, especially when the AD loadonthe DCs is
minimal. This feature sounds like an offshoot of your list below.If you
can run AD as a service, it might not be that hard to
allowmultipledomains similar to multiple websites/DBs on one
server...I remember discussing this with Stuart Kwan at DEC a couple of
years ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now it's called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC knows that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
>
>    joe
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
>
> Thanks
> Steven

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any
attachments. This information is strictly confidential and may be subject to
attorney-client privilege. This message is intended only for the use of the
named addressee. If you are not the intended recipient of this message,
unauthorized forwarding, printing, copying, distribution, or using such
information is strictly prohibited and may be unlawful. If you have received
this in error, you should kindly notify the sender by reply e-mail and
immediately destroy this message. Unauthorized interception of this e-mail is
a violation of federal criminal law. Applebee's International, Inc. reserves
the right to monitor and review the content of all messages sent to and from
this e-mail address. Messages sent to or from this e-mail address may be
stored on the Applebee's International, Inc. e-mail system.







NOTICE: The information
contained in this transmission is privileged, confidential, and intended
only for the use of the individual or entity named above. If you are not
the intended recipient, you are hereby notified that any disclosure,
copying, distribution, or the taking of any action in reliance on the
contents of this transmission is strictly prohibited. If you have received
this transmission in error, please notify Eze Castle Integration, Inc. by
e-mail and destroy the original message and all copies. Thank you.
milburnrUser is Offline

Posts:0

10/07/2005 7:28 AM  
I can speak from experience that going
from trying to avoid scripting and always answering no, I certainly am
NOT a programmer to learning _vbscript_ and now looking at full-blown VB
(thank you MSDN for VS2005! :)), it opens a whole new world of things I had no idea you could do,
and I was amazed at the help there is out there for it.  If someone is reading
this thread and thinking, hmm, maybe I should look into that scripting
thing, here's a good link to do that (only one of many, but it's
a start):

http://www.microsoft.com/technet/scriptcenter/learnit.mspx

MsgBox(Hello World!)

Rich

From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, October 07, 2005
11:07 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active
Directory wish list



It is surprising no one has responded
to this with the "pat" answer... this is describing MIIS and the
workflow piece they have built into it and the idea being that
AD is simply a store. MIIS supplies the business logic such as triggers and
dynamic updates, etc. I don't necessarily agree with it, but it is what Stuart
Kwan (of the Ottawa Kwan Clan) has been saying at DEC for the last few years. I
personally would like to see more logic and triggers, etc in AD as well as more
extensible functionality like the password filters, etc that are fully
supported. I dislike the idea that I may need to spin up an entirely different
product as well as SQL Server to manage my AD environment. If MIIS started
using ESE I would be that much closer to accepting it because then I don't have
a database product that I have to install and pay special attention to (not to
mention buy at some ridiculous price), it is a back end black box piece. I just
was chatting with an MCS guy who had to work on a MS Product last week
that back ended into SQL and they went to move it and it was a disaster.
Possibly MS could make it so that SQL backend could be as smooth to use as ESE
is in the backend of AD (how much work have you really had to do on your ESE
Database? How many tools are available to do so? That will give an indication
of how much the tools are needed.) but I haven't seen it yet. I
recall when MS came to one of my customers to work on piloting MOM with the SQL
backend and what a disaster that was, and in talking to the MCS guys, it wasn't
a one off. More logic has to be in the application in order to use ESE over
SQL, but maybe that is what some of these apps need, more logic.



As for the advanced scripters
part... my 10 or less year prediction... if you want to stay in an IT
position, I highly recommend becoming an advanced scripter if not an admin with
full blown programming capability. Companies are going to continue slimming
down and the technologies are going to handle more and more of the "simple
things" automatically meaning if you don't have the advanced
scripting/architecting/troubleshooting skills, the chances are not good to
remain working on the stuff. You will slowly get overwhelmed as more stuff gets
loaded on to the point that you are no longer effective without advanced
scripting skills and someone who is will remain when the company decides
to save more money and a good chunk of the staff gets cut. I see the Server
Foundation aka Server Core OS pushing this even harder when companies deploy
more and more headless machines with no GUI to speak of. I have already been
seeing this where groups that used to have large numbers of admins are whittled
down to maybe a third of what they had with only the people with serious
automation skills remaining behind. Which is actually a favor for those that
don't have those skills as they would be completely overwhelmed in short order.
I visualize us moving to two extremes for corporate IT Admins, the people
watching colored lights where there is a requirement for an actual person to be
looking at a screen versus depending on automated paging systems, etc (there
are customers that require this) and the high end advanced admins. Small
business shops are where I see most of the other admins going to (if they
stay in admin work) and possibly Susan can speak to where she thinks
scripting and such is going in that world as she has her finger on the pulse of
SBS. SBS can't be run, at this time, on Server Core, it has too much junk in
the trunk so it will continue looking like the servers of today until MS works
out how to make them run on Core and then I visualize one Susan running SBS for
many companies from the comfort of her home with better and better scripts and
tools or some company that specializes in running small businesses like that if
they don't already exist.



Look at it this way, companies and admins are
all complaining about how much time they have to spend on stupid things like
patching and clicking on this or that or whatever it is they feel is a waste of
time. MS is listening, MS is reacting, MS is fixing. We as admins complain
because we don't want to worry about stupid things. Companies complain because
they want to reduce their systems management costs. The more the systems handle
themselves, the less they need admins doing it. Not saying we will ever get to
a point where admins aren't needed, but the number of them will surely reduce
dramatically and only the very useful or the very very cheap will tend to
hang around. Having very strong scripting skills makes someone very useful.
Centralization and work force reduction will continue to be the norm and in
fact will probably accelerate.



  joe









From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Friday, October 07, 2005
8:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active
Directory wish list

I would like a better way of making bulk
changes to AD. There seem to be caveats with every scripting method. Also some
more advanced management like maybe a way to create new users and automatically
e-mail their superior based on an attribute in the user account with the new
account information. Maybe there are ways to do these things via advanced
scripting, but I would like an easier way for those of us admins who are not
advanced scripters.





Dan









From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005
5:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active
Directory wish list



I'm not saying we need a better solution here, and there are factors due to the
internal/external nature of our business that PSS (I think) recommended the
design we have.  When we built it, the empty root was widely considered to be
the best design.  My point was that to support this, we need at least 6 W2K3
servers running (physical or not is mostly beside the point).  We don't really
need load balancing for this size - but we need 2 servers for each domain if we
want to avoid the risk of having the only DC for a domain go down.  My point
was that the directory is a database, but it's tied to the server OS in such a
way that even stopping the directory on one box is a feat for MS to do (they're
working on that, as I think Joe mentioned and is non-NDA).  Securing a copy of
the directory and making it available means doing that for the entire server
unit right now, not just the directory - a different database model than say
SQL.  Should the AD database be more modular to separate it out from the OS so
that it could be treated as one might treat a SQL database?  Maybe not.  I was
just asking the question in hopes of sparking some new ideas of ways to
mitigate the risk a single DC domain incurs today. :)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field
Platform Development
Applebee's International,
Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing
that which I can not do, in order that I may learn how to do it." - Pablo
Picasso



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005
2:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active
Directory wish list



My question would be: for a small directory of 5000
users, why do you have 3 domains? If it is for separate password policies, then
perhaps a better wish list item would be the ability to have multiple password
policies in one domain.



Phil



On 10/5/05, Rich Milburn <rich.milburn@xxxxxxxxxxxxx>
wrote:

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a no-brainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
help here as well as the DCs will have a smaller footprint. If folks are
NOT in agreement with that assessment, definitely speak up, it is too
late for Longhorn but possibly the opportunity exists to convince them
for BlackComb.

joe

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy
additional server hardware for redundancy on multiple domains,
especially when the AD load on the DCs is minimal. This feature sounds
like an offshoot of your list below. If you can run AD as a service, it
might not be that hard to allow multiple domains similar to multiple
websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years
ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now it's called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC knows that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
>
>
>    joe
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
>
> Thanks
> Steven
>
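Dan's wish quoted above (bulk account creation plus an automatic e-mail to the new user's superior, chosen from an attribute on the account) is a good first "advanced scripting" target, so here is an added PowerShell example written for this archive page. It is not code from Dan, Rich or anyone else on the list. It assumes the ActiveDirectory module, a CSV with the columns named in the comments, and an OU path, UPN suffix, SMTP relay and sender address that are all placeholders. The recipient is read back from the created account's `manager` attribute rather than taken from the CSV, and the initial password is deliberately kept out of the message.

```powershell
# Added example for this archive page (not code from any poster): bulk-create
# users from a CSV and e-mail each new user's superior, choosing the recipient
# from the "manager" attribute stored on the new account.
# Placeholders/assumptions: the CSV path and columns, the OU, the UPN suffix,
# the SMTP relay and the sender address below.
Import-Module ActiveDirectory

$CsvPath    = '.\newusers.csv'               # columns: GivenName,Surname,SamAccountName,ManagerSam
$OuPath     = 'OU=Staff,DC=example,DC=com'   # assumption
$UpnSuffix  = 'example.com'                  # assumption
$SmtpServer = 'smtp.example.com'             # assumption
$From       = 'helpdesk@example.com'         # assumption

function New-InitialPassword {
    # 16 characters drawn from a 64-symbol alphabet with a CSPRNG. 256 is a
    # multiple of 64, so "byte mod 64" introduces no modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($u in Import-Csv -Path $CsvPath) {
    try {
        # Resolve the manager first: a typo in the CSV should fail before the
        # account exists rather than leave an orphan with no manager.
        $mgr = Get-ADUser -Identity $u.ManagerSam -Properties mail -ErrorAction Stop
        $pw  = New-InitialPassword

        New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
            -GivenName $u.GivenName -Surname $u.Surname `
            -SamAccountName $u.SamAccountName `
            -UserPrincipalName "$($u.SamAccountName)@$UpnSuffix" `
            -Path $OuPath -Manager $mgr.DistinguishedName `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop

        # Re-read the manager from the directory rather than trusting the CSV,
        # so the notification goes to whoever the account really points at.
        $created = Get-ADUser -Identity $u.SamAccountName -Properties manager
        $to      = (Get-ADUser -Identity $created.manager -Properties mail).mail
        if (-not $to) {
            Write-Warning "Manager $($created.manager) has no mail attribute; nobody notified for $($u.SamAccountName)"
            continue
        }

        # The initial password never goes into this message: it is handed to
        # the user out of band and must be changed at first logon.
        $body = @"
An account for $($u.GivenName) $($u.Surname) (logon name $($u.SamAccountName)) has been
created and reports to you. The helpdesk will give the user the initial password
separately; it is not included here and must be changed at first logon.
"@
        Send-MailMessage -From $From -To $to -SmtpServer $SmtpServer `
            -Subject "New account created: $($u.SamAccountName)" -Body $body

        # Hand $pw to the out-of-band channel here (for example a ticket the
        # helpdesk reads once); never write it to a shared log or the e-mail above.
    }
    catch {
        Write-Warning "Failed for $($u.SamAccountName): $($_.Exception.Message)"
    }
}
```

Run it from a workstation with RSAT under an account that has only delegated create-user rights on the target OU, not as a Domain Admin. The design choice worth noting is that the manager receives the logon name only; because the password travels out of band, a forwarded or compromised mailbox never yields a working credential, which is the usual trap in "e-mail the new account information" scripts.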
AD000001335User is Offline

Posts:0

10/07/2005 9:42 AM  
Ever since Exchange 2000 the saying has been that if you
want to be an Exchange administrator you need to be a programmer.  It
really hasn't been much different with AD.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
joeSent: Friday, October 07, 2005 9:07 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Active Directory
wish list

It is suprising no one has responded to this with the
"pat" answer... this is describing MIIS and the workflow piece they
have built into it and the idea being that AD is simply a store. MIIS
supplies the business logic such as triggers and dynamic updates, etc. I don't
necessarily agree with it, but it is what Stuart Kwan (of the Ottawa Kwan Clan)
has been saying at DEC for the last few years. I personally would like to see
more logic and triggers, etc in AD as well as more extensible functionality like
the password filters, etc that are fully supported. I dislike the idea that I
may need to spin up an entirely different product as well as SQL Server to
manage my AD environment. If MIIS started using ESE I would be that much closer
to accepting it because then I don't have a database product that I have to
install and pay special attention to (not to mention buy at some ridiculous
price), it is a back end black box piece. I just was chatting with an MCS guy
who had to work on a MS Product last week that back ended into SQL and they
went to move it and it was a disaster. Possibly MS could make it so that SQL
backend could be as smooth to use as ESE is in the backend of AD (how much work
have you really had to do on your ESE Database? How many tools are available to
do so? That will give an indication of how much the tools are needed.)
but I haven't seen it yet. I recall when MS came to one of my customers to work
on piloting MOM with the SQL backend and what a disaster that was, and in
talking to the MCS guys, it wasn't a one off. More logic has to be in the
application in order to use ESE over SQL, but maybe that is what some of these
apps need, more logic.

As for the advanced scripters part... my 10 or less
year prediction... if you want to stay in an IT position, I highly recommend
becoming an advanced scripter if not an admin with full blown programming
capability. Companies are going to continue slimming down and the technologies
are going to handle more and more of the "simple things" automatically meaning
if you don't have the advanced scripting/architecting/troubleshooting skills,
the chances are not good to remain working on the stuff. You will slowly get
overwhelmed as more stuff gets loaded on to the point that you are no longer
effective without advanced scripting skills and someone who is will remain
when the company decides to save more money and a good chunk of the staff gets
cut. I see the Server Foundation aka Server Core OS pushing this even harder
when companies deploy more and more headless machines with no GUI to speak of. I
have already been seeing this where groups that used to have large numbers of
admins are whittled down to maybe a third of what they had with only the people
with serious automation skills remaining behind. Which is actually a favor for
those that don't have those skills as they would be completely overwhelmed in
short order. I visualize us moving to two extremes for corporate IT Admins, the
people watching colored lights where there is a requirement for an actual person
to be looking at a screen versus depending on automated paging systems, etc
(there are customers that require this) and the high end advanced admins. Small
business shops are where I see most of the other admins going to (if they
stay in admin work) and possibly Susan can speak to where she thinks
scripting and such is going in that world as she has her finger on the pulse of
SBS. SBS can't be run, at this time, on Server Core, it has too much junk in the
trunk so it will continue looking like the servers of today until MS works out
how to make them run on Core and then I visualize one Susan running SBS for many
companies from the comfort of her home with better and better scripts and tools
or some company that specializes in running small businesses like that if they
don't already exist.

Look at this way, companies and admins are all complaining
about how much time they have to spend on stupid things like patching and
clicking on this or that or whatever it is they feel is a waste of time. MS is
listening, MS is reacting, MS is fixing. Us as admins complain because we don't
want to worry about stupid things. Companies complain because they want to
reduce their systems management costs. The more the systems handle themselves,
the less they need admins doing it. Not saying we will ever get to a point where
admins aren't needed, but the number of them will surely reduce drammatically
and only the very useful or the very very cheap will tend to hang around.
Having very strong scripting skills makes someone very useful.
Centralization and work force reduction will continue to be the norm and
in fact will probably accelerate.

  joe


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano,
DanSent: Friday, October 07, 2005 8:46 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Active Directory
wish list
I would like a better
way of making bulk changes to AD. There seems to be caveats with every scripting
method. Also some more advanced management like maybe a way to create new users
and automatically e-mail their superior based on an attribute in the user
account with the new account information. Maybe there are ways to do these
things via advanced scripting, but I would like an easier way for those of us
admins who are not advanced scripters.


Dan





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Rich
MilburnSent: Wednesday,
October 05, 2005 5:29 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Active Directory
wish list

I™m not
saying we need a better solution
here, and there are factors due
to the internal/external nature of our business that PSS (I think) recommended
the design we have.  When we
built it, the empty root was widely considered to be the best design.  My
point was that to support this, we need at least 6 W2K3 servers running
(physical or not is mostly beside the point).  We don™t really need load
balancing for this size “ but we need 2 servers for each domain if we want to
avoid the risk of having the only DC for a domain go down.  My point was
that the directory is a database, but it™s tied to the server OS in such a way
that even stopping the directory on one box is a feat for MS to do (they™re
working on that, as I think Joe mentioned and is non-NDA).  Securing a copy
of the directory and making it available means doing that for the entire server
unit right now, not just the directory “ a different database model than say
SQL.  Should the AD database be more modular to separate it out from the OS
so that it could be treated as one might treat a SQL database?  Maybe
not.  I was just asking the question in hopes of sparking some new ideas of
ways to mitigate the risk a single DC domain incurs today. J

---------------------------------------------------------------------------Rich
MilburnMCSE, Microsoft MVP -
Directory ServicesSr
Network Analyst, Field Platform DevelopmentApplebee's
International, Inc.4551
W. 107th
StOverland
Park,
KS 66207913-967-2819---------------------------------------------------------------------------"I am always doing
that which I can not do, in order that I may learn how to do it." - Pablo
Picasso


From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Phil
RenoufSent: Wednesday, October
05, 2005 2:37 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] Active Directory
wish list


My question would be: for a small directory
of 5000 users, why do you have 3 domains? If it is for separate password
policies, then perhaps a better wish list item would be the ability to have
multiple password policies in one domain.



Phil 

On 10/5/05, Rich Milburn <rich.milburn@xxxxxxxxxxxxx> wrote:

I think the biggest reason people want to be able to run multiple domains on
one server is the same reason practically no one (except for SBS) installs just
one DC, and the same reason we always install a minimum of 2 for a domain. We
have a forest root and 2 child domains model, and it takes us 6 servers to run
that - for basically 2 directories and fewer than 5000 users. That seems like a
waste of hardware in some situations - especially if you have multiple orgs that
you run. The parallel might be for a web hosting company to have 2 full web
servers for each domain they host - in case 1 goes down, they still have a
second. VS is an answer, yes, although you still need a full server license for
each VM. The thing with domains is you don't want to only have 1 online copy of
the directory. MS didn't seem too convinced there was a good reason to have an
online second server - they cited backups as a good solution to the issue. In a
big org the cost of an additional server to provide redundancy is negligible,
but is having an online copy (second DC) really the BEST way to do this? And it
doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the issue of
redundancy be addressed with AD differently than having 2 DCs minimum per
domain? Anyone have any ideas?

Rich

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a no-brainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not sure
how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the fact
that VS is available and can run DCs. Also the Server Core DCs helps here as
well as the DCs will have a smaller footprint. If folks are NOT in agreement
with that assessment, definitely speak up, it is too late for Longhorn but
possibly the opportunity exists to convince them for BlackComb.

joe

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on the
DCs is minimal. This feature sounds like an offshoot of your list below. If you
can run AD as a service, it might not be that hard to allow multiple domains
similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn Server
> yet. I am voting for something like Windows Server 5.4.0 or something like
> that. I realize that the marketing group would have something to say about
> it but I figure the best thing from them is if they pronounced their
> thoughts from the bottom of Lake Washington. People don't install servers
> because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences or
> seen on the web already is the Read Only DC to limit security exposure for
> WAN deployments, restartable AD that can be stopped/started as necessary,
> DA/Admin separation so that you can have an Admin on a DC that "can't"
> achieve Domain-wide DA level rights, and DCs running on Server Foundation
> or now it's called Server Core which is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin tools
> though I can't state specifics. BJ Whalen who was involved with the GPMC
> project has been brought in to work on admin experience and anyone who has
> worked with GPOs with and without GPMC know that he really helped out.
>
> All in all, there is some very cool stuff and MS has really been listening
> to the community on what they want and need. I know that this list is
> watched for ideas and such and has been the source of DCRs internally. So
> if you have ideas, spout them here, they will most certainly be heard. They
> may not make Longhorn as it is getting a bit late to add major changes but
> your ideas could make it into a later rev.
>
> joe
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements due?
>
> Thanks
> Steven

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any
attachments. This information is strictly confidential and may be subject to
attorney-client privilege. This message is intended only for the use of the
named addressee. If you are not the intended recipient of this message,
unauthorized forwarding, printing, copying, distribution, or using such
information is strictly prohibited and may be unlawful. If you have received
this in error, you should kindly notify the sender by reply e-mail and
immediately destroy this message. Unauthorized interception of this e-mail is
a violation of federal criminal law. Applebee's International, Inc. reserves
the right to monitor and review the content of all messages sent to and from
this e-mail address. Messages sent to or from this e-mail address may be
stored on the Applebee's International, Inc. e-mail system.







NOTICE: The information
contained in this transmission is privileged, confidential, and intended
only for the use of the individual or entity named above. If you are not
the intended recipient, you are hereby notified that any disclosure,
copying, distribution, or the taking of any action in reliance on the
contents of this transmission is strictly prohibited. If you have received
this transmission in error, please notify Eze Castle Integration, Inc. by
e-mail and destroy the original message and all copies. Thank
you.
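Rich's question above is about the risk a domain with only one DC carries. The check below is an added example, not code from the thread or from any of its participants: it enumerates every domain in the forest with the ActiveDirectory PowerShell module and flags any domain with fewer than two writable DCs. A read-only DC of the kind joe mentions is reported separately and does not count as a second online writable copy. It assumes the module is installed and that the calling account can read every domain in the forest.

```powershell
# Added example, not from the thread: report DC redundancy per domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
#Requires -Modules ActiveDirectory

function Get-DomainDcRedundancy {
    param([int] $MinimumWritable = 2)

    foreach ($domain in (Get-ADForest).Domains) {
        # -Server scopes the query to a DC of that domain, so each child
        # domain is enumerated from its own naming context.
        $dcs      = @(Get-ADDomainController -Filter * -Server $domain)
        $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
        $gcs      = @($dcs | Where-Object { $_.IsGlobalCatalog })

        [pscustomobject]@{
            Domain         = $domain
            WritableDCs    = $writable.Count
            ReadOnlyDCs    = $dcs.Count - $writable.Count
            GlobalCatalogs = $gcs.Count
            Sites          = ($dcs | ForEach-Object { $_.Site } | Sort-Object -Unique) -join ','
            Hosts          = ($dcs | ForEach-Object { $_.HostName } | Sort-Object) -join ','
            # True when the domain would be offline if one box died.
            SinglePoint    = ($writable.Count -lt $MinimumWritable)
        }
    }
}

$report = Get-DomainDcRedundancy
$report | Format-Table -AutoSize

# Non-zero exit so the check can run from a scheduled task or a monitoring
# job and raise an alert when any domain depends on a single writable DC.
if ($report | Where-Object { $_.SinglePoint }) { exit 1 }
```

Run it from any domain-joined box with RSAT; a domain that shows `SinglePoint` True is the case Rich describes, where a backup is the only other copy of that naming context.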
dejiUser is Offline

Posts:140

10/07/2005 9:44 AM  
Picture an inverted cone (or funnel). As you start from the bottom of your
career, it helps to broaden your knowledge. This is at the point where you
try as many options as possible in order to better position your
marketability. This is where you learn as many OSes as you can so that you
can better make a determination of which one you want to specialize on. A lot
of HR people are interested in the "quantity" of your knowledge at this
level, so it helps to be able to intelligently discuss a broad range of OSes
and network-related tasks, at least at the "10,000 feet" level.

With time and experience, you will find your niche and comfort level and you
will be able to weed out the intangibles and focus your learning efforts on a
subset of the tasks you've been doing previously. This is where you narrow
your scope and go deep on a small number of tasks. At this point, you will
still depend on your previous experience as fall-back options, and you will
still keep them around in case you want to reverse your directions.

The next level is when you make a break from your past, steel your heart and
say "this is my chosen path". This is a very difficult level because it
requires a lot of dedication, fortitude, diligence, discipline and sacrifice.
At the initial stage, things will not go your way. Because there is a
pervasive "quantity-not-quality-the-most-at-the-least-cost" mentality within
the HR community, most of the opportunities you will come across will be
neither suitable for you nor compatible with your career goal. This is where
the fortitude comes into play. You don't want to be discouraged, although a
lot of "opportunities" will fall through and you will feel the strong pull to
go back to your previous level, conform and be a "jack-of-all-trades".

When you have made up your mind to specialize, you will do yourself a ton of
good if you go all out for it. You will have to cut down on a number of other
things and go crazy on knowing as much of your specialty as possible.
Relating this to AD, you will not necessarily need to be able to decode the
source code or analyze core dump, but your knowledge will need to transcend
the "click-through-all-is-well" mentality. You will need to understand what
happens when you click that button, and how else can you do that same thing
without clicking that button. Because most of the "click-here" tasks are
fronts for the actual tasks, you will need to get behind the curtain and peek
at the masquerade and be able to say "ha-ha! Now I know who you are".

You will not be able to keep up with your previous Cisco, Linux, Mac, SQL,
Oracle, etc, etc, skills at this point. But that is all good. You will be
able to look a hiring manager in the face and say "I do Windows, and I do it
well. If you are looking for a generalist, I'm not your candidate. But if you
want someone who can help you get a handle on your investments in Windows
Infrastructure, you better invest in me".

Sorry to get all Joe-ish on you :) I go now.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Tom Kern
Sent: Fri 10/7/2005 12:18 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list
When you say, "you need to understand more than OS config twiddling", what
does that mean?
What would you call just knowing "...OS config twiddling" in an AD admin
context?
Do you mean deeper knowledge of what goes on under the hood in terms of AD
replication or the schema etc?
Do you think as an admin, you need to know more than just AD or Exchange but
should also know how to configure/setup/troubleshoot a Cisco router or set up
sendmail on Solaris or OpenLDAP on Red Hat Linux?
Or will knowing AD (if that is your job) really well AND being a good Perl or
VBScripter be enough for your future?
Will an admin be expected to know C/C++ or will one scripting language be enough?
Will he/she be expected to know how to write a full-fledged app?

How about, how much knowldge of the bussiness logic of the company/industry
one works for should one know to be a good employable admin?
anything at all?


Just curious what you guys think.


sorry for sending this thread way OT.

Thanks



On 10/7/05, Darren Mar-Elia wrote:

Random comments:


"I personally would like to see more logic and triggers, etc in AD as
well..."
[Darren] So what you'd really like is SQL Server, which has all that :-)


"Possibly MS could make it so that SQL backend could be as smooth to
use as ESE is in the backend of AD (how much work have you really had to do
on your ESE Database? How many tools are available to do so? That will give
an indication of how much the tools are needed.) "
[Darren] I think that results from the difference between a
purpose-built, runtime database engine that does one thing really well and an
all-purpose, do-anything-you-want, relational database. Once you open up the
possibilities of putting business logic into the db, then self-maintaining,
self-tuning, never-need-to-do-maintenance goes out the door.

"...if you want to stay in an IT position, I highly recommend
becoming an advanced scripter if not an admin with full blown programming
capability."
[Darren] I agree with this in general. I actually think that IT
systems are going to become increasingly complex (if that's possible), but at
a higher layer than today. I think that over time, all of the mundane, basic
OS-level stuff will just take care of itself and that the complexity will
arise higher up. If you think about where things are going--virtualized
servers that provision on the fly, service-oriented applications that are
"loosely coupled", operating systems and apps that are much better
instrumented, federated identities with users running apps across org.
boundaries--all of this points to a very complex web of stuff that will
require a much higher level of skills to manage. I'm not sure this translates
to "you need to be a scripter" but for me it does translate to "you need to
understand more than OS config. twiddling" and I agree wholeheartedly that
being grounded in app. development capabilities is a huge advantage for an
admin today and, probably in the future.




________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, October 07, 2005 9:07 AM

To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list




It is surprising no one has responded to this with the "pat" answer...
this is describing MIIS and the workflow piece they have built into it and
the idea being that AD is simply a store. MIIS supplies the business logic
such as triggers and dynamic updates, etc. I don't necessarily agree with it,
but it is what Stuart Kwan (of the Ottawa Kwan Clan) has been saying at DEC
for the last few years. I personally would like to see more logic and
triggers, etc in AD as well as more extensible functionality like the
password filters, etc that are fully supported. I dislike the idea that I may
need to spin up an entirely different product as well as SQL Server to manage
my AD environment. If MIIS started using ESE I would be that much closer to
accepting it because then I don't have a database product that I have to
install and pay special attention to (not to mention buy at some ridiculous
price), it is a back end black box piece. I just was chatting with an MCS guy
who had to work on a MS Product last week that back ended into SQL and they
went to move it and it was a disaster. Possibly MS could make it so that SQL
backend could be as smooth to use as ESE is in the backend of AD (how much
work have you really had to do on your ESE Database? How many tools are
available to do so? That will give an indication of how much the tools are
needed.) but I haven't seen it yet. I recall when MS came to one of my
customers to work on piloting MOM with the SQL backend and what a disaster
that was, and in talking to the MCS guys, it wasn't a one off. More logic has
to be in the application in order to use ESE over SQL, but maybe that is what
some of these apps need, more logic.

As for the advanced scripters part... my 10 or less year
prediction... if you want to stay in an IT position, I highly recommend
becoming an advanced scripter if not an admin with full blown programming
capability. Companies are going to continue slimming down and the
technologies are going to handle more and more of the "simple things"
automatically meaning if you don't have the advanced
scripting/architecting/troubleshooting skills, the chances are not good to
remain working on the stuff. You will slowly get overwhelmed as more stuff
gets loaded on to the point that you are no longer effective without advanced
scripting skills and someone who is will remain when the company decides to
save more money and a good chunk of the staff gets cut. I see the Server
Foundation aka Server Core OS pushing this even harder when companies deploy
more and more headless machines with no GUI to speak of. I have already been
seeing this where groups that used to have large numbers of admins are
whittled down to maybe a third of what they had with only the people with
serious automation skills remaining behind. Which is actually a favor for
those that don't have those skills as they would be completely overwhelmed in
short order. I visualize us moving to two extremes for corporate IT Admins,
the people watching colored lights where there is a requirement for an actual
person to be looking at a screen versus depending on automated paging
systems, etc (there are customers that require this) and the high end
advanced admins. Small business shops are where I see most of the other
admins going to (if they stay in admin work) and possibly Susan can speak to
where she thinks scripting and such is going in that world as she has her
finger on the pulse of SBS. SBS can't be run, at this time, on Server Core,
it has too much junk in the trunk so it will continue looking like the
servers of today until MS works out how to make them run on Core and then I
visualize one Susan running SBS for many companies from the comfort of her
home with better and better scripts and tools or some company that
specializes in running small businesses like that if they don't already
exist.

Look at it this way, companies and admins are all complaining about how
much time they have to spend on stupid things like patching and clicking on
this or that or whatever it is they feel is a waste of time. MS is listening,
MS is reacting, MS is fixing. We as admins complain because we don't want to
worry about stupid things. Companies complain because they want to reduce
their systems management costs. The more the systems handle themselves, the
less they need admins doing it. Not saying we will ever get to a point where
admins aren't needed, but the number of them will surely reduce dramatically
and only the very useful or the very very cheap will tend to hang around.
Having very strong scripting skills makes someone very useful. Centralization
and work force reduction will continue to be the norm and in fact will
probably accelerate.

joe




________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of DeStefano, Dan
Sent: Friday, October 07, 2005 8:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list



I would like a better way of making bulk changes to AD. There seems
to be caveats with every scripting method. Also some more advanced management
like maybe a way to create new users and automatically e-mail their superior
based on an attribute in the user account with the new account information.
Maybe there are ways to do these things via advanced scripting, but I would
like an easier way for those of us admins who are not advanced scripters.





Dan








________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 5:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list



I'm not saying we need a better solution here, and there are factors
due to the internal/external nature of our business that PSS (I think)
recommended the design we have. When we built it, the empty root was widely
considered to be the best design. My point was that to support this, we need
at least 6 W2K3 servers running (physical or not is mostly beside the point).
We don't really need load balancing for this size - but we need 2 servers for
each domain if we want to avoid the risk of having the only DC for a domain
go down. My point was that the directory is a database, but it's tied to the
server OS in such a way that even stopping the directory on one box is a feat
for MS to do (they're working on that, as I think Joe mentioned and is
non-NDA). Securing a copy of the directory and making it available means
doing that for the entire server unit right now, not just the directory - a
different database model than say SQL. Should the AD database be more
modular to separate it out from the OS so that it could be treated as one
might treat a SQL database? Maybe not. I was just asking the question in
hopes of sparking some new ideas of ways to mitigate the risk a single DC
domain incurs today. :-)


---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso


________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list



My question would be: for a small directory of 5000 users, why do you
have 3 domains? If it is for separate password policies, then perhaps a
better wish list item would be the ability to have multiple password policies
in one domain.



Phil



On 10/5/05, Rich Milburn wrote:

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain. We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users. That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run. The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second. VS is an answer, yes, although you still need a full
server license for each VM. The thing with domains is you don't want to
only have 1 online copy of the directory. MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue. In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this? And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain? Anyone have any ideas?

Rich


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a no-brainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not
sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the
fact that VS is available and can run DCs. Also the Server Core DCs helps
here as well as the DCs will have a smaller footprint. If folks are NOT in
agreement with that assessment, definitely speak up, it is too late for
Longhorn but possibly the opportunity exists to convince them for
BlackComb.

joe



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie
Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************


> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now it's called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
>
>
> joe
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
>
> Thanks
> Steven
>





________________________________


________________________________


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
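Dan's wish above (bulk user creation, with the new account details sent automatically to the user's superior based on an attribute of the account) is scriptable. The following is an added example, not code from the thread or from any of its participants. It reads a CSV, validates every row before it touches the directory, creates the accounts with the ActiveDirectory PowerShell module, writes the superior into the `manager` attribute and mails that manager's `mail` address. The OU, UPN suffix, SMTP relay, sender address and CSV column names are assumptions. One caveat a practitioner would want: the message carries the logon name only; the initial password is random, must be changed at first logon, and is never put in e-mail.

```powershell
# Added example, not from the thread: bulk user creation from a CSV with a
# notification to each new user's manager. Assumes the ActiveDirectory module
# (RSAT); OU, UPN suffix, SMTP relay, sender and CSV layout are assumptions.
#Requires -Modules ActiveDirectory

param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $TargetOU   = 'OU=Staff,DC=example,DC=com',   # assumption
    [string] $UpnSuffix  = 'example.com',                 # assumption
    [string] $SmtpServer = 'smtp.example.com',            # assumption
    [string] $From       = 'helpdesk@example.com',        # assumption
    [switch] $DryRun                                      # passes -WhatIf through
)

# Assumed CSV layout:  GivenName,Surname,SamAccountName,ManagerSam
#                      Jane,Doe,jdoe,bsmith
$rows = @(Import-Csv -Path $CsvPath)

# Validate the whole file first so a bad row fails the run before any
# account exists, instead of leaving a half-created batch behind.
foreach ($r in $rows) {
    foreach ($col in 'GivenName', 'Surname', 'SamAccountName', 'ManagerSam') {
        if ([string]::IsNullOrWhiteSpace($r.$col)) {
            throw "Row '$($r.SamAccountName)': column '$col' is empty"
        }
    }
    if ($r.SamAccountName -notmatch '^[a-z0-9._-]{1,20}$') {
        throw "Invalid sAMAccountName '$($r.SamAccountName)'"
    }
    if (Get-ADUser -Filter "sAMAccountName -eq '$($r.SamAccountName)'") {
        throw "'$($r.SamAccountName)' already exists"
    }
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$($r.ManagerSam)'")) {
        throw "Manager '$($r.ManagerSam)' for '$($r.SamAccountName)' not found"
    }
}

# Random initial password from the OS CSPRNG. It is forced to change at
# first logon and is never written into the notification below.
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

foreach ($r in $rows) {
    $manager = Get-ADUser -Filter "sAMAccountName -eq '$($r.ManagerSam)'" -Properties mail
    $upn     = "$($r.SamAccountName)@$UpnSuffix"

    $params = @{
        Name                  = "$($r.GivenName) $($r.Surname)"
        GivenName             = $r.GivenName
        Surname               = $r.Surname
        SamAccountName        = $r.SamAccountName
        UserPrincipalName     = $upn
        Path                  = $TargetOU
        Manager               = $manager.DistinguishedName   # the attribute the mail is keyed on
        AccountPassword       = New-InitialPassword
        ChangePasswordAtLogon = $true
        Enabled               = $true
        WhatIf                = [bool]$DryRun
    }
    New-ADUser @params

    if ($DryRun -or -not $manager.mail) { continue }

    # Account name only; the password is handed over out of band.
    $body = @"
A new account has been created for $($r.GivenName) $($r.Surname).
  Logon name: $upn
  Container : $TargetOU
The initial password will be given to you by the helpdesk, and the user
must change it at first logon.
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $manager.mail `
        -Subject "New account: $upn" -Body $body
}
```

Run with `-DryRun` first: every `New-ADUser` then reports what it would do and no mail is sent. `Send-MailMessage` is marked obsolete in PowerShell 7 because it cannot guarantee a secure transport; on current systems replace it with whatever your relay supports, keeping the same principle that the message never contains the credential.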
AD000001282User is Offline

Posts:0

10/07/2005 12:49 PM  
I would like a better way of making bulk
changes to AD. There seems to be caveats with every scripting method. Also some
more advanced management like maybe a way to create new users and automatically
e-mail their superior based on an attribute in the user account with the new
account information. Maybe there are ways to do these things via advanced
scripting, but I would like an easier way for those of us admins who are not
advanced scripters.





Dan







From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005
5:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active
Directory wish list



I'm not saying we need a better solution here, and there are factors due to the
internal/external nature of our business that PSS (I think) recommended the
design we have.  When we
built it, the empty root was widely considered to be the best design.  My
point was that to support this, we need at least 6 W2K3 servers running
(physical or not is mostly beside the point).  We don't really need
load balancing for this size - but we need 2 servers for each domain if
we want to avoid the risk of having the only DC for a domain go down.  My
point was that the directory is a database, but it's tied to the server
OS in such a way that even stopping the directory on one box is a feat for MS
to do (they're working on that, as I think Joe mentioned and is non-NDA). 
Securing a copy of the directory and making it available means doing that for
the entire server unit right now, not just the directory - a different
database model than say SQL.  Should the AD database be more modular to
separate it out from the OS so that it could be treated as one might treat a
SQL database?  Maybe not.  I was just asking the question in hopes of
sparking some new ideas of ways to mitigate the risk a single DC domain incurs
today. :-)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Active Directory wish list



My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn <rich.milburn@xxxxxxxxxxxxx> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[