What about DHCP on a DC?  We just had an issue where our weekly reboot task to 
reboot all the DCs failed on one DC and it didn't come back up.  Any user at 
the site who rebooted their PC was down because they couldn't get an IP from 
DHCP.  Our standard is to run DHCP on the DCs at each site.  How does everyone 
else do it?  Maybe we just need a backup DHCP scope?
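An added example, not part of this thread, of how to find the single point of failure the post describes: a PowerShell audit of every DHCP server authorized in AD that flags hosts which are also DCs and scopes that have no failover partner. It assumes the DhcpServer and ActiveDirectory modules (Windows Server 2012 or later RSAT); on 2003-era servers the equivalent protection was a manually configured split scope on a second server, which this script would show as "no failover".

```powershell
# Added example (not from the thread). Audits DHCP availability per server:
# lists scopes served without a failover partner and marks servers that are
# also domain controllers, since a DC that fails to come back from a reboot
# takes its DHCP scopes down with it. Assumes the DhcpServer and
# ActiveDirectory modules (Windows Server 2012+ / RSAT).
Import-Module DhcpServer
Import-Module ActiveDirectory

# Hostnames of every DC in the domain, lower-cased for comparison.
$dcNames = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

$report = foreach ($srv in Get-DhcpServerInDC) {
    $name = $srv.DnsName
    $isDc = $dcNames -contains $name.ToLower()

    try {
        $scopes = Get-DhcpServerv4Scope -ComputerName $name -ErrorAction Stop
    } catch {
        # Unreachable: exactly the state the failed reboot left the site DC in.
        [pscustomobject]@{ Server = $name; IsDC = $isDc; Scope = '(unreachable)';
                           Partner = 'n/a'; Risk = 'DHCP server down' }
        continue
    }

    # Failover relationships on this server; each carries the ScopeIds it covers.
    $failovers = Get-DhcpServerv4Failover -ComputerName $name -ErrorAction SilentlyContinue

    foreach ($scope in $scopes) {
        $partner = $failovers | Where-Object {
            ($_.ScopeId | ForEach-Object { $_.ToString() }) -contains $scope.ScopeId.ToString()
        } | Select-Object -First 1

        [pscustomobject]@{
            Server  = $name
            IsDC    = $isDc
            Scope   = "$($scope.ScopeId) $($scope.Name)"
            Partner = if ($partner) { $partner.PartnerServer } else { 'none' }
            Risk    = if ($partner) { 'ok' } elseif ($isDc) { 'single DC, no failover' } else { 'no failover' }
        }
    }
}

# Scopes with no partner on a DC are the ones that take a site down with the DC.
$report | Sort-Object Risk, Server | Format-Table -AutoSize
```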

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/23/2006 8:13 PM
To: [email protected]
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT


I think the goal should be to build a stable robust directory service that is 
as flexible as you make it but not so flexible that you put yourself into bad 
positions to support any one app. The goals of the Directory folks should be to 
make sure they have something that everyone can use and something no one group 
can wipe out. This means that every app is the same to the directory people, 
they have a dependency on the directory, none are more important than any 
others in that set of goals.

I completely agree with the LDAP auth stuff. LDAP isn't an auth protocol. I can 
carry water with my two hands cupped together; that doesn't mean I am going to try 
and fill a pool that way.


RE: Resource forest for Exchange.... The Exchange delegation model sucks so 
much water that running a separate forest is almost the only way to efficiently 
break off Exchange support in a guaranteed safe and secure manner. And there 
are other solutions to not using MIIS, such as LDSU or other third party 
syncing. As you know I agree completely on MIIS's "requirements". Personally I 
wouldn't even go for SQL 2005 Express. I want to be able to specify any backend 
store or I want the backend store to be completely and utterly black box like 
ESE. Both because I don't want to have to worry about grooming it and I don't 
want to worry about SQL DBA wannabes screwing with it. Just like with AD there 
are a lot of people who think they know SQL when in fact they can simply spell 
it, this goes for several DBAs I have met through the years as well as some 
people I have heard about through others. I heard a story recently about a SQL 
Expert that made me wonder who tied his shoes in the morning for him. Had I 
been dealing with him instead of my oh so patient friend, I don't expect he 
would have reported back to work or his superiors would have let him come back 
to work. There isn't a class or books teaching people how to manage ESE so that 
makes it about 10,000% better than SQL Server all alone because the people who 
will be figuring out how to work with it will be doing so from MSDN API docs 
and will probably be considerably more capable than your normal Microsoft SQL 
Server DBA. But that is just one reason why I don't want SQL Server backend for 
stuff. I recall when we were at the summit a couple of years ago and we all were 
piping up about this. It doesn't appear anyone listened, but I think it is good 
that we continue to pipe up about it.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



________________________________

From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 23, 2006 10:17 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT


No, Exchange is not the only app for the directory.  I concur.  Exchange does 
not just leverage the NOS directory for its usage. It relies on it heavily.  
In fact, Exchange doesn't exist without it, but...

I think the question needs to be answered though: Does the application dictate 
what the directory can do or should the directory dictate what the application 
does?  I think that's important to the way you design, deploy, and maintain 
your Active Directory, and other directory services in your organization.  The 
same theory and guidelines apply when you consider SiteMinder (shudder) and 
SunOne or OpenLDAP and Sendmail or ... the list goes on. Put another way, does 
the directory exist for the sole purpose of being a directory or does it exist 
to service multiple applications? If multiple applications, how much should the 
directory adjust to the needs of its constituents vs. the constituents adjust 
to the needs of the directory? <my thought: it's the whole not the part that's 
important.  But neither has a reason to exist without the other, so we're still 
stuck in a decision loop.>

Figuring this out sets the stage for a solid deployment of both the directory 
service and the applications.  NOS directory aside, it is a directory and it's 
one that can and should be multifunction.  Whitepages are nice and cute and 
all, but have limited use if that's all they do.  But if it can also identify 
and authenticate a security principal (don't give me that LDAP authentication 
crap either - drives me nuts to hear LDAP being used as an authentication 
protocol </rant>) now that's real value. What? The hosts can be multi-function 
devices? Bonus!  I like it even better. 

It's important to decide what the directory service is going to be and how it 
will be maintained IMHO.

-ajm

Exchange in a resource forest?  Ewwww.... that's less than natural, reduces 
functionality, increases complexity and moving parts, and MIIS's FP isn't what 
I call a good solution (I call it a stopper and a reskit utility) until it runs 
on standard server and SQL 2005 Express and, and.. (why is it we should want to 
pay extra to get a good design again?)




On 5/23/06, joe <[EMAIL PROTECTED]> wrote:


        > Does the application dictate what the directory can do?
        > Or should the directory dictate what the application does?
        
        But Exchange isn't the only app for the directory... Exchange is 
        generally leveraging the NOS directory for E2K+ deployments, now if you go to a 
        resource forest for Exchange, set it up for the app all day. :)

        
        
        > Those are client-side applications, not Exchange.
        
        True, but they need to be planned in the Exchange design as they have 
        tremendous impact on it. Recently I heard of a group that treated BES as an 
        office automation application; I was truly shocked, I have never seen it treated as 
        anything but core messaging.

        
        
        --
        O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
        
        

________________________________


        From: [EMAIL PROTECTED] On Behalf Of Al Mulnick

        Sent: Thursday, May 18, 2006 9:13 PM

        To: [email protected]

        Subject: Re: [ActiveDir][OT] DNS on a DC or NOT


        

        "If someone was lucky enough to have been running AD as a NOS directory 
for some time they had enough understanding and ammo to tell those MCS guys to 
bag it when they were saying Exchange-centric things. "
        
        Why are you picking on me, joe? :)
        
        I think there's a philosophical issue there: Does the application 
dictate what the directory can do? Or should the directory dictate what the 
application does?
        
        My answer (ICYGAF) is neither.  The directory is the foundation 
        and as such should tell the applicationS how to play with it to achieve the 
        most reliable service levels. One is not better, and without the other there is 
        not as much meaning in their life </philosophical>
        
        Crackberry? DTS? Exchange is a hog, I'll give you that. It eats disk 
like nobody's business.  What you're saying and what I'm hearing are two 
separate things, I think. Those are client-side applications, not Exchange.  BB 
has an older architecture that works because of the older protocols being 
brought forward.  It's been known for a long time that BES installations can 
severely limit the performance of a machine. Severely is being optimistic and 
because of the usage pattern predictability issues, it's a real art to design 
and deploy reliable email systems these days. 
        
        Not the same thing however. And the tools? Exchange 2K vs. Exchange 2K3 
is a world of difference, but the 2K3 release was an attempt to get admins back 
to 5.5 functionality levels using the MMC model (don't get me started) and the 
new architecture of multiple stores without a directory service local to the 
Exchange server.
        
        In the end, the directory separation works out better than other 
implementations. Exchange works better with the directory than other 
applications I've seen (worked with application servers lately? -bet you have 
and know exactly what I'm talking about). But I also question the rubber stamp 
concept of separating the directory from the server during design.  There are 
times when it's a good idea.  Kind of like multiple forests have their place in 
a design.  Not my designs typically, but I can see where it might come into 
play.
        
        Al
        <still can't see me?>

        
        On 5/18/06, joe <[EMAIL PROTECTED]> wrote:

                Hey I can read it! Good show Al!
                
                Dean is a complete noob in terms of Exchange next to me. ;o) 
But I am not an Exchange guy by any stretch, I am an AD guy who digs into 
Exchange problems as if they were just any other problem. I know nothing about 
E5.5. I constantly hear how the admin tools etc suck in E2K+ compared to E5.5, 
I have no clue, I look away when I see it, I don't want to learn it.
        
                
                
                
                > Exchange actually does it better than most, although as joe
                > points out, there is always room for improvement.
        
                Does what better? Exchange certainly uses the directory more 
than most, it would be a rough morning after the night I said it uses it better 
than most things and I might find myself married with a crashed car and having 
a massive hangover at about the same time I start the regrets on saying 
Exchange did something better... ;o)
                
                
                
                
                Good comments on the original idea for AD. I recall itching 
every time I heard folks (even Stuart) saying it was the every-directory as I 
was looking at Enterprise level companies with 10-15+ directories and no one 
even close to wanting to go to a single one especially the one made by the 
company who couldn't produce a domain that could reliably go over 40k users 
(slight exaggeration there, we were running domains with 60-100k users on them 
but I was waiting for the bomb to drop)....
        
                
                
                
                
                > Meanwhile, Exchange was the "killer" app that caused people 
to even
                > consider that major leap from NT4 to AD
                
                I think this helped but in a lot of larger orgs I know they 
were going to AD before Exchange 2K was considered. The earlier mentioned 
problem of NT domains that were barely running was a big pusher for very large 
orgs as well as the idea of getting to a more standards based environment. I 
feel for anyone who does their AD and Exchange migrations at the same time 
because they end up building a directory that is dedicated to Exchange and tend 
to run into fun when trying to do other things. There are a lot of Exchange 
consultants with a lot of silly ideas on how AD should be configured. If someone 
was lucky enough to have been running AD as a NOS directory for some time they 
had enough understanding and ammo to tell those MCS guys to bag it when they 
were saying Exchange-centric things.
        
                
                
                
                
                > Want a single server to handle 4,000 heavy mapi users? 
                > You can't do that with Exchange 5.x, but you can with 
Exchange 200x.
                
                Just make sure they are *just* heavy MAPI users and not heavy 
MAPI AND (Blackberry OR Desktop Search) users. I swear I hear more issues 
because of those two add-ons than anything else I have heard of (DT Search also 
includes, probably incorrectly, apps that archive content). Once you start 
adding those side apps each user needs to be considered much more than one 
user, they should be considered 3,4,5,6 users and E2K doesn't scale well to 
handle that if you are counting users in the singular. Sorry that was wildly OT 
but I keep hearing about folks complaining that their servers should handle 
4000 users fine but they are finding that 1000 users may be a stretch if they 
are BB or DTS users as well.
                
                
                
                Good comments overall, bonus that I could actually read it.  :o)
        
                
                   joe
                
                --
                O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
                
                
        
        
________________________________

                From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
                Sent: Thursday, May 18, 2006 9:03 AM
        
                To: [email protected]
                Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
        

                
        
                <trying this in rich text from gmail to see if it floats; let 
me know if you can't see the text joe :)>

                Um, no.  (Yes, it does have to be a DC to be a GC.)  But other 
than scalability and simplicity related to troubleshooting/recoverability, what 
exactly do you sacrifice if you put Exchange on a GC?
        
                There are those that think that putting Exchange on a GC is the 
way to go.  There are others that would disagree but what else is new.  For 
those that have been implementing and designing Exchange for a number of years 
(joe's not really that old compared to Dean ;-)  this concept would seem 
familiar to the Exchange 4-5x days.
        
                As a number of apps were promised to do, Exchange heavily 
utilizes and therefore relies on the AD directory for authentication, 
authorization, and directory services (identification) (i.e. directory lookups 
to aid in mail routing, server lookups (DNS), configuration settings (GPO), and 
GAL services, etc).  Exchange actually does it better than most, although as 
joe points out, there is always room for improvement.
                
                If you look at the history, there were some dark days around 
the Exchange 2000 deployments for Exchange.  2003 got much better and hopefully 
E12 (what's it called now? I forget) won't get "office-ized" by the org changes 
going on at Microsoft. I've seen the "servers" that the office team put out and 
I'm thoroughly less than impressed. Hopefully that gets better, but I'm not a 
desktop guy and I'm not interested in becoming a desktop focused expert.  Those 
desktop machines and office productivity apps are prime targets for 
commoditization over the next 5 years IMHO. Too much is at stake for it not to 
be. But I digress.
                
                <history> The original implementation of AD was expected by 
Microsoft architects to replace ALL of the other directory services you might 
have and become the centerpiece to your networked computing infrastructure.  
It's why you'll find things like DNS integrated into the directory.  Well, one 
reason anyway. Anyhow, as time wore on, adoption was slower than hoped for and 
one reason was that it was a big pill to swallow.  Many large companies already 
had a working NT model (I say that tongue in cheek: it was limping along in 
large orgs), had working DNS models including administrivia and DR processes 
(shame on you if you don't), and a working directory structure based on the 
LDAP standards that, although they started as a client access protocol to X.500 
directories, became synonymous with server side implementations. Whatever, only 
a purist cares I'm sure. It was realized that although AD had a place in the 
environment, it was not likely going to rule the world overnight as originally 
expected and designed and marketed and.... It could however be made to play 
well and nicely and a lot of refinement was put into that release and now R2. 
                
                Meanwhile, Exchange was the "killer" app that caused people to 
even consider that major leap from NT4 to AD (which we know now is really not 
that big a deal, but boy was it scary then, right?)  Some are still migrating 
or just getting started, but to each their own.
                
                Exchange was often bashed for not being scalable soooooo.... it 
makes sense to off-load some of the services to a single purpose machine - we 
know it as a domain controller/dns host/directory server/etc.  Wow.  What a 
great idea.  Wait. What if you don't have a network design that can take 
advantage of that? Maybe it was geared up and refined to be better with a 
mainframe centric computing model and maybe NT 4.0 was existing there? Hmm... 
Or maybe your company doesn't have a network that looks like a single 40-story 
(storey for those across the pond) building with one single high-speed network? 
Maybe you have users accessing your email and directory from around the globe 
and maybe 40% of your users are mobile at any given time? Maybe more.   
Exchange won't play nice with a network like that out of the box because it was 
geared up to be scalable.  Want a single server to handle 4,000 heavy mapi 
users?  You can't do that with Exchange 5.x, but you can with Exchange 200x. 
Why? Many reasons and I won't bore you with the details.  What's important is 
that if you look at the topology, it might make more sense to put the directory 
back onto Exchange computers based on the way your network works. Can you scale 
it as high? No. Is it simple to recover? No (it should be easier than it is 
IMHO). But does it serve the purpose better? Yes. Can it handle that 150 user 
density South African office without being hampered by the hamstrung internet 
connection off the continent? I've been told it's much better performance than 
using something like cached mode clients or OWA if the server is local.  I can 
believe that.
                
                Help me understand why I wouldn't put Exchange on a GC in more 
situations than I don't? What would I lose?
                
                Neil, I'm curious about what you'd pick for an authentication 
service over AD? 
        
                Heck, now I'm just rambling though, 'cause this is likely blank 
;)
                
                
                Al
        
                On 5/18/06, Carlos Magalhaes <[EMAIL PROTECTED]> wrote:
                > Well currently to have a GC you need that machine to be a DC and as we
                > all know you don't put Exchange on a DC ;)
                >
                > Exchange already feels special ;)
                >
                > Carlos Magalhaes
                >
                > Krenceski, William wrote:
                > > Why can't exchange just have the GC on it somehow. I'm not a developer
                > > by any means of the word. It just seems that if Exchange is "SPECIAL"
                > > make it feel special......
                > >
                > > -----Original Message-----
                > > From: [EMAIL PROTECTED] On Behalf Of joe
                > > Sent: Wednesday, May 17, 2006 7:21 PM
                > > To: [email protected]
                > > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
                > >
                > > LOL.
                > >
                > > For those not at the DEC 2006 Dean and joe show presentation, Mark's
                > > 'Exchange is "SPECIAL"' comment is a direct reference to something I
                > > said when bouncing around talking about AD and bad applications. I
                > > miraculously stopped and looked straight at a Microsoft MVP for Exchange
                > > (Mark) while spouting the truism Exchange is "SPECIAL" in relation to
                > > how it abuses AD. I was in a groove when I said it so I didn't actually
                > > realize I was looking at Mark or else I probably would have bust out
                > > laughing as I did later when he explained what I had done.
                > >
                > > I think all of the Exchange MVPs tend to have a special place in their
                > > heart for me as does the entire Exchange Dev team. ;o)
                > >
                > >
                > >   joe
                > >
                > >
                > >
                > > --
                > > O'Reilly Active Directory Third Edition -
                > > http://www.joeware.net/win/ad3e.htm
                > >
                > >
                > > -----Original Message-----
                > > From: [EMAIL PROTECTED] On Behalf Of Mark Arnold
                > > Sent: Wednesday, May 17, 2006 5:29 PM
                > > To: [email protected]
                > > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
                > >
                > > Laura, a "Mucker" is, in English, a good friend.
                > > You are probably not to be termed a Mucker, other words might apply, but
                > > Jimmy is one of mine and Dean/Joe is one of yours.
                > >
                > > Oh, and Joe is old and smells of wee, so pay no heed to his Exchange
                > > rants.
                > > Exchange is indeed "special" because it's such a wonderful solution. OK,
                > > I should shut up now and go back to my padded cell.
                > >
                > > -----Original Message-----
                > > From: [EMAIL PROTECTED] On Behalf Of Laura E. Hunter
                > > Sent: 17 May 2006 21:39
                > > To: [email protected]
                > > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
                > >
                > >
                > >> BTW, anyone know what a mucker is? I am trying to figure out if I am
                > >> supposed to be morally outraged. <eg>
                > >>
                > >>  joe
                > >>
                > >>
                > >
                > > I use "mucker" as a compliment, but in my vernacular it's used in
                > > reference to a semi-skilled hockey player whose lack of scoring ability
                > > is balanced by his ability to check an opposing player into sometime
                > > next week.
                > >
                > > So I guess what I'm saying is...draw your own conclusions.  :-)
                > > List info   : http://www.activedir.org/List.aspx
                > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
                > > List archive:
                > > http://www.mail-archive.com/activedir%40mail.activedir.org/
                > >
                > >
                > >
                > >
                > >
                > >
                > >
                > >
                >
                >
                




