I do not have first-hand experience with it but have been speaking to some very trusted friends who have been trying to implement it and pretty much anything they say I would take as if I saw it myself. From what I hear there are some "odd" ACEs added to the ACLs (I believe at the NC Head level) that make no sense but are required or you can't install LCS Servers. I believe specifically there is something with a property set that is absolutely worthless (I don't recall the details now). Also you can't substitute the ACEs, you must have the exact ACEs in place that the LCS prep puts into place. That means they aren't checking access rights, they are scanning the ACL looking for a specific ACE, which ranks up there with some of the worst things I have seen out of any AD enabled app. This isn't very unusual for Exchange related stuff. The Exchange folks don't seem to really know how to use AD properly and LCS came from Exchange folks and has Exchange Dev all over it. Exchange itself had some very odd delegations that had to be made in the early E2K timeframe that I ran into and bugged that were absolutely meaningless as well if you were trying to delegate minimal permissions. I recall there was one delegation of an attribute that only existed on some config container objects but needed to be applied to users or else the GUI tools wouldn't work. Completely asinine stuff. I guess they are hitting the same crap with LCS. To add even more pain, the MCS guy that my friends have been working with has been just a hair above useless for the whole thing so probably better to sit down and work it out yourself than contract MCS to come in and help out. I have personal experience with the specific MCS person and I am not entirely surprised, though this is just one more area where he is supposed to be knowledgeable and this customer is so large that you would expect MCS wouldn't be dumb and send in someone who isn't pretty good with the product.
Basically, if you are being forced to use it, you don't have much choice, lube up and go for it. If you do have a choice, go through the product with a fine-tooth comb in the lab and document all of the crap and then complain to MS. Possibly if enough people tell them that the functionality isn't good enough to deal with a shitty implementation they might get a clue. Most likely it has gone as far as it has because most people don't have a clue what they are doing when they are installing things and assume anything out of MS will be done correctly and never verify the changes made in the directory and how much sense they may or may not make. Oh another thing, there is some global group requirement built into LCS for admining the product, from what I heard you have NO CHOICE but to use global groups. This is yet another product that demonstrates that just because it came out of MS doesn't mean it is good or should just be implemented.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
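The check joe describes above (run the product's prep in a lab and document every ACE it adds to the directory) is easy to automate. The script below is an added example written for this archive; it is not from joe, Russ, Wook, or the LCS product. It assumes a management workstation with the RSAT ActiveDirectory module and the AD: PSDrive that module provides, and the distinguished names in the usage section at the bottom are hypothetical placeholders for your own forest. It snapshots the explicit (non-inherited) ACEs on the containers you name before and after the prep, then diffs the two snapshots and resolves the ObjectType GUIDs so a property-set or extended-right ACE shows up by name rather than as an opaque GUID.

```powershell
# Added example, not part of the original thread or of the product under discussion.
# Requires the RSAT ActiveDirectory module (Import-Module ActiveDirectory) and its AD: drive.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Build a GUID -> name map from the schema (attributes/classes via schemaIDGUID)
    # and from CN=Extended-Rights (extended rights and property sets via rightsGuid).
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.ConfigurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).Guid] = $_.displayName }
    # The all-zero GUID in an ACE means "all object types / all properties".
    $map[[guid]::Empty.Guid] = '<all>'
    return $map
}

function Export-AdAclSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [Parameter(Mandatory)][string]$OutFile
    )
    # One flat record per explicit ACE. Inherited ACEs are skipped on purpose: they
    # are the consequence of a change on a parent, which the parent's own record shows.
    $rows = foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            [pscustomobject]@{
                Object              = $dn
                Identity            = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType.ToString()
                Rights              = $ace.ActiveDirectoryRights.ToString()
                ObjectType          = $ace.ObjectType.Guid
                InheritedObjectType = $ace.InheritedObjectType.Guid
                Inheritance         = $ace.InheritanceType.ToString()
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-AdAclSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $guidMap = Get-AdGuidMap
    $fields  = 'Object', 'Identity', 'Type', 'Rights', 'ObjectType', 'InheritedObjectType', 'Inheritance'
    # Compare-Object on the full ACE tuple: '=>' rows exist only in the "after" snapshot
    # (ACEs the prep added), '<=' rows exist only in "before" (ACEs it removed).
    Compare-Object -ReferenceObject (Import-Csv $Before) -DifferenceObject (Import-Csv $After) `
        -Property $fields |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            $objName = if ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] } else { $_.ObjectType }
            $inhName = if ($guidMap.ContainsKey($_.InheritedObjectType)) { $guidMap[$_.InheritedObjectType] } else { $_.InheritedObjectType }
            [pscustomobject]@{
                Change              = $change
                Object              = $_.Object
                Identity            = $_.Identity
                Type                = $_.Type
                Rights              = $_.Rights
                ObjectType          = $objName
                InheritedObjectType = $inhName
                Inheritance         = $_.Inheritance
            }
        }
}

# Usage (hypothetical DNs; substitute your own). Snapshot the NC head and the System
# container, run the product's directory prep in the lab, snapshot again, and diff.
$targets = 'DC=corp,DC=example', 'CN=System,DC=corp,DC=example'
Export-AdAclSnapshot -DistinguishedName $targets -OutFile .\acl-before.csv
# ... run the schema extension / prep here ...
Export-AdAclSnapshot -DistinguishedName $targets -OutFile .\acl-after.csv
Compare-AdAclSnapshot -Before .\acl-before.csv -After .\acl-after.csv | Format-Table -AutoSize
```

The diff output is what you take to the vendor: each ADDED row names the trustee, the rights granted, and the attribute, property set, or extended right the ACE is scoped to, so an ACE that grants rights on something meaningless for the object class it sits on stands out immediately. Keeping the CSV snapshots alongside the change record also gives you a baseline to re-run later, which catches the case where a later service pack or re-prep silently re-adds an ACE you had deliberately tightened.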
_____

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 8:43 PM
To: [email protected]
Subject: RE: [ActiveDir] Extending the schema

Do you have any specific examples of the domain-wide ACLs I can keep an eye out for? Unfortunately we don't have much say in this, the 'powers that be' want it implemented, and quickly.

_____

From: [EMAIL PROTECTED] on behalf of Lee, Wook
Sent: Tue 4/11/2006 7:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Extending the schema

IMHO, LCS puts its configuration system objects in the wrong place, i.e. the System container in the root domain NC. It really should put those types of objects in the configuration NC. It also does a lot of domain-wide ACLs, especially if you have a lot of domains. There are configurations that help to moderate this, but putting LCS in a large complex forest would be more trouble than it's worth to me. I did it in a 4-domain forest and I didn't like it. It works, but I don't like it. I would recommend a resource forest implementation, but then again, that's just me. :)

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 11, 2006 4:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Extending the schema

My personal opinion is you don't put anything into your production schema that you aren't going to really use regardless of what DCs you have. Especially test LCS, I have heard nothing but bad things about its implementation.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, April 11, 2006 6:59 PM
To: [email protected]
Subject: [ActiveDir] Extending the schema

We're a native win2k domain and are a few DC upgrades away from going to 2003 native mode. We're evaluating Live Communications Server, Sharepoint, Biztalk, etc, etc.

Are there any negatives involved in extending the schema if there's a possibility we may scrap these projects altogether, or is it not such a bad thing like it once was thought to be?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
