You're hardly alone in this. It took a little while before the touted security of the empty root model was blown open by my esteemed colleagues at HP (then Compaq). Lots and lots of organizations have adopted empty-root and other multiple-domain architectures, only to regret it later.

Still, Virtual Server (or VMware) would address the hardware requirement to a large extent since you could run two physical machines instead of six, but it doesn't really do anything for Charlie's desire to buy fewer server licenses.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
I'm not saying we need a better solution here, and there are factors, due to the internal/external nature of our business, for which PSS (I think) recommended the design we have. When we built it, the empty root was widely considered to be the best design. My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point). We don't really need load balancing for this size, but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down. My point was that the directory is a database, but it's tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they're working on that, as I think Joe mentioned and is non-NDA). Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory, a different database model than, say, SQL. Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database? Maybe not. I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :)
---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso
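As an added example (not part of the thread, and not anyone's posted code), here is a PowerShell check for the single-DC risk Rich describes: it walks every domain in the current forest and flags any domain that has fewer than two domain controllers. It uses the .NET System.DirectoryServices.ActiveDirectory classes rather than the ActiveDirectory module, and the threshold of two DCs is an assumed policy.

```powershell
# Added example: report DC count per domain for the current forest and flag
# domains that rely on a single DC (the redundancy risk discussed above).
# System.DirectoryServices.ActiveDirectory ships with .NET 2.0, so no RSAT
# module is required. Run as a domain user on a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

$forest     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$minimumDcs = 2   # assumed policy: at least two DCs per domain

$report = foreach ($domain in $forest.Domains) {
    # DomainControllers enumerates every DC registered for that domain.
    $dcs = @($domain.DomainControllers)
    [pscustomobject]@{
        Domain      = $domain.Name
        DcCount     = $dcs.Count
        DCs         = ($dcs | ForEach-Object { $_.Name }) -join ', '
        Sites       = ($dcs | ForEach-Object { $_.SiteName } | Sort-Object -Unique) -join ', '
        SinglePoint = ($dcs.Count -lt $minimumDcs)
    }
}

$report | Format-Table -AutoSize

# A domain whose only DC goes down loses authentication for that domain,
# so surface those separately for the operations team.
$atRisk = @($report | Where-Object { $_.SinglePoint })
if ($atRisk.Count -gt 0) {
    Write-Warning ("Domains with fewer than {0} DCs: {1}" -f $minimumDcs, (($atRisk | ForEach-Object { $_.Domain }) -join ', '))
}
```

The Sites column is worth reading alongside DcCount: two DCs in the same site still share a single point of failure at the site level.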
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list
My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:
I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Yeah, I can say that it isn't in Longhorn. As the dev guys put it, this is a tough one. It wouldn't just be a no-brainer if they had separate instances of AD, there are just tons of other things involved that make it extremely difficult. It was something that was brought up in the summit though, not sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the fact that VS is available and can run DCs. Also the Server Core DCs help here as well, as the DCs will have a smaller footprint. If folks are NOT in agreement with that assessment, definitely speak up; it is too late for Longhorn but possibly the opportunity exists to convince them for BlackComb.

joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already are the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that "can't" achieve Domain-wide DA level rights, and DCs running on Server Foundation, or now it's called Server Core, which is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC knows that he really helped out.
>
> All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
>
> Hi,
>
> With Windows Vista on its way, what's on people's wish list as far as Active Directory is concerned? Also, are there any big enhancements due?
>
> Thanks
> Steven
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.