> I actually think we're in agreement here
:)
Phew... good thing, I was getting tired of typing.
:o)
AD can definitely do more
than NOS stuff, but in my heart, that is its primary purpose. For instance, I
will let Exchange into one of my forests, but the minute it starts making it so
people can't authenticate I get out the whip.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 18, 2006 4:16 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS on a DC or NOT

Hey joe,
I actually think we're in agreement here
:)
In a large org with an existing BIND impl - run with it. If
it's mature, well understood and well managed, then why not use it.
Unfortunately, when AD hit the streets, there were many DNS impl which did not
meet its DNS reqs.
As you say, solutions such as QIP offer a better delegation
model and also offer better integration between the various network services
(DHCP, address management, DNS etc).
The idea that AD should be used as a NOS and nothing else
is a huge topic. The jury is still out for me - I'd like to think a product such
as AD could do more for me than just user auth, but then if I adopt a 'best of
breed' approach, I'd use other solutions for aspects besides auth. Perhaps MS
will push AD into new realms or is that where ADAM is
positioned??
Another 2 penneth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2006 17:11
To: [email protected]
Subject: RE: [ActiveDir] DNS on a DC or NOT

I would say that, in general, ADI zones probably work well
for most people. When it works and things are sunny everything is great, however
when the shape is more pear like it just adds unnecessary issues into the
puzzle. It is very much like most MSFT tech, when things work great, everyone is
happy, when it is broken, most people are at a complete loss of what to even
start to look at because of the levels of complexity[0].
The times I have mostly encountered problems a number of
things had cropped up and I was there to sort things out and having DNS and AD
twisted together like a ball of rubber bands made life extremely painful. I also
dislike all of that crap in AD. I look at AD for one primary overriding thing,
everything else is second. It is my NOS directory. It is there for people to log
on in the morning. Hence I want userids and passwords, everything else is
addons.
When I hit this recent "POSSIBLE BUG"[1] I have
found, let me reiterate POSSIBLE as I got about 18 offline emails already about
it, DNS was all crapped out[2] because of the AD Replication and the last thing
I needed was both AD replication and DNS dorked up at once, however, you don't
get much of a choice if everything is integrated. For instance, a replication
issue can go a little while without resolution, you just have some
inconveniences. If DNS is absolutely NOT responding, your level of pain and the
level of the issue has escalated dramatically, especially if that is your ONLY
DNS.
In scaled environments (read really really large and
decentralized for DNS) I have found that pushing DNS off to non-MSFT tool sets
is my preference. Again preference, sort of like I prefer to spell color as
color instead of as colour but prefer humour to humor. It isn't that I think it
is absolutely wrong like saying aluminum like aluminium. ;o) I feel that
delegated management of DNS is much better handled in BIND or QIP. I have even
seen in a small MSFT only environment (extranet forest for large
multinational) a case where MSFT integrated DNS was not working properly. I
didn't get much into the problem but when I got sick of hearing how much trouble
they kept running into I just told them to follow the corporate standard and
move to QIP. They had a couple of MSFT guys directly involved and they were
coming to bother me about it and I was like, I don't care, you aren't following
the corporate standard, I am not going to go try and figure out your one off.
Whatever problem they found, MSFT, or more accurately, the MSFT folks
involved weren't top shelf enough to work through it. And again... the thing
about services that start with D.
The security of the DNS entries doesn't bother me as I have
never personally encountered a case where someone was trying to hijack DC
records. Possibly if I ran into even a single case of that, it might be
something I would be concerned about.
Anyway, it is personal pref. First pref, not to use MSFT
DNS. Second pref if not getting the first is to not run integrated. Again
however, if in a completely MSFT shop (which I have never worked in), MSFT DNS
makes the most sense, you don't introduce complexity to not run MSFT DNS, that
would be insane.
You want an integrated DNS... Maybe MSFT should be putting
ADAM on DNS Member Servers. I could get behind running it integrated that way
though I still want to be able to say "I don't give a shit what else is
happening, give out addresses if you can start at all" and it needs to not be
something I have to go looking for on the web to enable. Oh and I should always
be able to run the management tools as well, there should not be any reason why
the management tools will not connect to a specific server. Maybe also you get
away from some of the silly security issues with ADI related to using security
principals that don't have domain affinity and could give some capability of real
DNS granular delegation like some products have.
joe
[0] I pray that if ADFS gets truly big, it never
breaks.
[1] What this possible bug may be related to is not
something most people would probably be doing, I was testing out some new
functionality of admod (Cross Domain moves) and did something that may
not normally be on a test matrix and my replication stopped dead but
repadmin wasn't reporting the stopped replication correctly. It could have been
a number of things, I am rebuilding a pristine environment to see if I can
duplicate the problem. Barring that I will go back to the non-pristine
environment and see if I can break it again. The key word here is possible, if I
had known for sure it was a for sure bug I would have said so. Emailing me
directly is not going to get any more info out of me on this than what I have
already given. :)
[2]
Defined as started and running but not responding to
anything.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 17, 2006 10:23 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS on a DC or NOT

Interesting stuff joe ......
Many of us have used ADI zones for many (well 7+) years now
with little or no issue, in various orgs sizes and types.
I'd like to hear more about this issue, since IMO, ADI
zones offer huge advantages to a typical org over BIND text files. [I won't
expand upon these advantages here, since they are well
documented.]
Have you encountered an isolated issue or a true show
stopper which we should all sit up and take note of?? :)
With regard to running DNS on a DC - if an existing DNS
implementation exists that can support AD, then use it. Otherwise, I see DNS as
a VERY minor overhead, compared with the other services that a DC provides and
would not hesitate to install DNS on a (or indeed every) DC.
my 2 penneth.
Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2006 14:55
To: [email protected]
Subject: RE: [ActiveDir] DNS on a DC or NOT

If your DNS is integrated, find a big piece of wood to
knock on... Or keep it around to bang your head on later.
I'll run DNS on DCs if I have to. I will run it integrated
if threatened badly enough.
I recently ran into a nasty DNS problem in an integrated
DNS where DNS would start but wouldn't actually respond to anything. It appears
to be related to a possible AD Replication bug I found though. I have to
research a little more and see if it was one off or I can duplicate at will.
Once I removed the items causing the issue replication worked again and DNS came
back to life.
But enough about DNS, I don't speak about services that
start with D. You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL
Server... You get the drift. ;)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, May 17, 2006 9:05 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS on a DC or NOT

At the very least it (DNS) should be on ONE of
the DCs. I personally do not
have an issue with DNS running on all of my DCs -- which it is. I have
heard/read all the arguments for and against. I still have no issue --
(Searching for wood to knock) I’ve not had an issue/conflict
once.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William

I was reading

William Krenceski
Network Administrator