Why do you have a weekly reboot task? This isn't NT4 anymore...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 23, 2006 9:27 PM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
What about DHCP on a DC? We just had an issue where our weekly reboot task to reboot all the DCs failed on one DC and it didn't come back up.

Any user at the site who rebooted their PC was down because they couldn't get an IP from DHCP. Our standard is to run DHCP on the DCs at each site. How does everyone else do it? Maybe we just need a backup DHCP scope?
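The outage above (one DC fails to return from a reboot and the site loses DHCP) is exactly what a scope-redundancy audit should surface. As an added example that is not part of this thread, the PowerShell function below (hypothetical name Get-DhcpScopeRedundancyReport; it assumes the DhcpServer module from Windows Server 2012 or later RSAT, which did not exist when this thread was written) enumerates the DHCP servers authorized in AD and flags every scope that is defined on only one server with no failover partner, i.e. a site with no backup scope.

```powershell
# Added example, not from the thread: report DHCP scopes that depend on a single server.
# Assumes the DhcpServer module (Windows Server 2012+ RSAT) and an account that can read
# the authorized-server list from AD and the scope configuration of each DHCP server.
Import-Module DhcpServer

function Get-DhcpScopeRedundancyReport {
    [CmdletBinding()]
    param(
        # Optionally restrict to specific servers; default is every server authorized in AD.
        [string[]]$ServerName = (Get-DhcpServerInDC | Select-Object -ExpandProperty DnsName)
    )

    $serversByScope = @{}   # ScopeId (string) -> servers that define that scope
    $failoverScopes = @{}   # ScopeId (string) -> $true if a failover relationship covers it

    foreach ($server in $ServerName) {
        try {
            $scopes = Get-DhcpServerv4Scope -ComputerName $server -ErrorAction Stop
        } catch {
            # A server that cannot be queried is itself worth knowing about.
            Write-Warning "Could not read scopes from $server : $($_.Exception.Message)"
            continue
        }
        foreach ($scope in $scopes) {
            $key = $scope.ScopeId.IPAddressToString
            if (-not $serversByScope.ContainsKey($key)) { $serversByScope[$key] = @() }
            $serversByScope[$key] += $server
        }
        # Split scopes show up as the same ScopeId on two servers; failover relationships
        # (hot standby or load balance) also count as a backup and are recorded separately.
        $failovers = Get-DhcpServerv4Failover -ComputerName $server -ErrorAction SilentlyContinue
        foreach ($fo in $failovers) {
            foreach ($id in $fo.ScopeId) { $failoverScopes[$id.IPAddressToString] = $true }
        }
    }

    foreach ($key in ($serversByScope.Keys | Sort-Object)) {
        $servers = @($serversByScope[$key] | Sort-Object -Unique)
        $hasFailover = $failoverScopes.ContainsKey($key)
        [pscustomobject]@{
            ScopeId     = $key
            Servers     = ($servers -join ', ')
            ServerCount = $servers.Count
            Failover    = $hasFailover
            # One server and no failover partner: the situation described in the thread.
            Redundant   = ($servers.Count -ge 2) -or $hasFailover
        }
    }
}

# Usage: list only the scopes that would go dark if their single DHCP server stayed down.
Get-DhcpScopeRedundancyReport | Where-Object { -not $_.Redundant } | Format-Table -AutoSize
```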
________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/23/2006 8:13 PM
To: [email protected]
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
I think the goal should be to build a stable robust directory service that is as flexible as you make it but not so flexible that you put yourself into bad positions to support any one app. The goals of the Directory folks should be to make sure they have something that everyone can use and something no one group can wipe out. This means that every app is the same to the directory people; they have a dependency on the directory, and none are more important than any others in that set of goals.

I completely agree with the LDAP auth stuff. LDAP isn't an auth protocol. I can carry water with my two hands cupped together; that doesn't mean I am going to try and fill a pool that way.
RE: Resource forest for Exchange.... The Exchange delegation model sucks so much water that running a separate forest is almost the only way to efficiently break off Exchange support in a guaranteed safe and secure manner. And there are other solutions to not using MIIS, such as LDSU or other third party syncing. As you know I agree completely on MIIS'es "requirements". Personally I wouldn't even go for SQL 2005 Express. I want to be able to specify any backend store or I want the backend store to be completely and utterly black box like ESE. Both because I don't want to have to worry about grooming it and I don't want to worry about SQL DBA wannabes screwing with it. Just like with AD there are a lot of people who think they know SQL when in fact they can simply spell it; this goes for several DBAs I have met through the years as well as some people I have heard about through others. I heard a story recently about a SQL Expert that made me wonder who tied his shoes in the morning for him. Had I been dealing with him instead of my oh so patient friend, I don't expect he would have reported back to work or his superiors would have let him come back to work. There isn't a class or books teaching people how to manage ESE so that makes it about 10,000% better than SQL Server all alone because the people who will be figuring out how to work with it will be doing so from MSDN API docs and will probably be considerably more capable than your normal Microsoft SQL Server DBA. But that is just one reason why I don't want a SQL Server backend for stuff. I recall when we were at the summit a couple of years ago when we all were piping up about this. It doesn't appear anyone listened, but I think it is good that we continue to pipe up about it.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, May 23, 2006 10:17 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
No, Exchange is not the only app for the directory. I concur. Exchange does not just leverage the NOS directory for its usage. It relies on it heavily. In fact, Exchange doesn't exist without it, but...

I think the question needs to be answered though: Does the application dictate what the directory can do or should the directory dictate what the application does? I think that's important to the way you design, deploy, and maintain your Active Directory, and other directory services in your organization. The same theory and guidelines apply when you consider SiteMinder (shudder) and SunOne or OpenLDAP and Sendmail or ... the list goes on. Put another way, does the directory exist for the sole purpose of being a directory or does it exist to service multiple applications? If multiple applications, how much should the directory adjust to the needs of its constituents vs. the constituents adjust to the needs of the directory? <my thought: it's the whole not the part that's important. But neither has a reason to exist without the other, so we're still stuck in a decision loop.>

Figuring this out sets the stage for a solid deployment of both the directory service and the applications. NOS directory aside, it is a directory and it's one that can and should be multifunction. Whitepages are nice and cute and all, but have limited use if that's all they do. But if it can also identify and authenticate a security principal (don't give me that LDAP authentication crap either - drives me nuts to hear LDAP being used as an authentication protocol </rant>) now that's real value. What? The hosts can be multi-function devices? Bonus! I like it even better.

It's important to decide what the directory service is going to be and how it will be maintained IMHO.
-ajm
Exchange in a resource forest? Ewwww.... that's less than natural, reduces functionality, increases complexity and moving parts, and MIIS's FP isn't what I call a good solution (I call it a stopper and a reskit utility) until it runs on standard server and SQL 2005 Express and, and.. (why is it we should want to pay extra to get a good design again?)
On 5/23/06, joe <[EMAIL PROTECTED]> wrote:
> Does the application dictate what the directory can do?
> Or should the directory dictate what the application does?
But Exchange isn't the only app for the directory... Exchange is generally leveraging the NOS directory for E2K+ deployments; now if you go to a resource forest for Exchange, set it up for the app all day. :)

> Those are client-side applications, not Exchange.

True, but they need to be planned in the Exchange design as they have tremendous impact on it. Recently I heard of a group that treated BES as an office automation application; I was truly shocked, I have never seen it treated as anything but core messaging.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, May 18, 2006 9:13 PM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
"If someone was lucky enough to have been running AD as a NOS directory for some time they had enough understanding and ammo to tell those MCS guys to bag it when they were saying Exchange-centric things."

Why are you picking on me, joe? :)

I think there's a philosophical issue there: Does the application dictate what the directory can do? Or should the directory dictate what the application does?

My answer (ICYGAF) is neither. The directory is the foundation and as such should tell the applicationS how to play with it to achieve the most reliable service levels. One is not better, and without the other there is not as much meaning in their life </philosophical>

Crackberry? DTS? Exchange is a hog, I'll give you that. It eats disk like nobody's business. What you're saying and what I'm hearing are two separate things, I think. Those are client-side applications, not Exchange. BB has an older architecture that works because of the older protocols being brought forward. It's been known for a long time that BES installations can severely limit the performance of a machine. Severely is being optimistic and because of the usage pattern predictability issues, it's a real art to design and deploy reliable email systems these days.

Not the same thing however. And the tools? Exchange 2K vs. Exchange 2K3 is a world of difference, but the 2K3 release was an attempt to get admins back to 5.5 functionality levels using the MMC model (don't get me started) and the new architecture of multiple stores without a directory service local to the Exchange server.

In the end, the directory separation works out better than other implementations. Exchange works better with the directory than other applications I've seen (worked with application servers lately? - bet you have and know exactly what I'm talking about). But I also question the rubber stamp concept of separating the directory from the server during design. There are times when it's a good idea. Kind of like multiple forests have their place in a design. Not my designs typically, but I can see where it might come into play.
Al
<still can't see me?>
On 5/18/06, joe <[EMAIL PROTECTED]> wrote:
Hey I can read it! Good show Al!

Dean is a complete noob in terms of Exchange next to me. ;o) But I am not an Exchange guy by any stretch, I am an AD guy who digs into Exchange problems as if they were just any other problem. I know nothing about E5.5. I constantly hear how the admin tools etc suck in E2K+ compared to E5.5; I have no clue, I look away when I see it, I don't want to learn it.

> Exchange actually does it better than most, although as joe
> points out, there is always room for improvement.

Does what better? Exchange certainly uses the directory more than most; it would be a rough morning after the night I said it uses it better than most things and I might find myself married with a crashed car and having a massive hangover at about the same time I start the regrets on saying Exchange did something better... ;o)

Good comments on the original idea for AD. I recall itching every time I heard folks (even Stuart) saying it was the every-directory as I was looking at Enterprise level companies with 10-15+ directories and no one even close to wanting to go to a single one, especially the one made by the company who couldn't produce a domain that could reliably go over 40k users (slight exaggeration there, we were running domains with 60-100k users on them but I was waiting for the bomb to drop)....

> Meanwhile, Exchange was the "killer" app that caused people to even
> consider that major leap from NT4 to AD

I think this helped but in a lot of larger orgs I know they were going to AD before Exchange 2K was considered. The earlier mentioned problem of NT domains that were barely running was a big pusher for very large orgs as well as the idea of getting to a more standards based environment. I feel for anyone who does their AD and Exchange migrations at the same time because they end up building a directory that is dedicated to Exchange and tend to run into fun when trying to do other things. There are a lot of Exchange consultants with a lot of silly ideas on how AD should be configured. If someone was lucky enough to have been running AD as a NOS directory for some time they had enough understanding and ammo to tell those MCS guys to bag it when they were saying Exchange-centric things.

> Want a single server to handle 4,000 heavy mapi users?
> You can't do that with Exchange 5.x, but you can with Exchange 200x.

Just make sure they are *just* heavy MAPI users and not heavy MAPI AND (Blackberry OR Desktop Search) users. I swear I hear more issues because of those two addons than anything else I have heard of (DT Search also includes, probably incorrectly, apps that archive content). Once you start adding those side apps each user needs to be considered much more than one user; they should be considered 3,4,5,6 users and E2K doesn't scale well to handle that if you are counting users in the singular. Sorry that was wildly OT but I keep hearing about folks complaining that their servers should handle 4000 users fine but they are finding that 1000 users may be a stretch if they are BB or DTS users as well.

Good comments overall, bonus that I could actually read it. :o)
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, May 18, 2006 9:03 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
<trying this in rich text from gmail to see if it floats; let me know if you can't see the text joe :)>

Um, no. (Yes, it does have to be a DC to be a GC.) But other than scalability and simplicity related to troubleshooting/recoverability, what exactly do you sacrifice if you put Exchange on a GC?

There are those that think that putting Exchange on a GC is the way to go. There are others that would disagree but what else is new. For those that have been implementing and designing Exchange for a number of years (joe's not really that old compared to Dean ;-) this concept would seem familiar to the Exchange 4-5x days.

As a number of apps were promised to do, Exchange heavily utilizes and therefore relies on the AD directory for authentication, authorization, and directory services (identification) (i.e. directory lookups to aid in mail routing, server lookups (DNS), configuration settings (GPO), and GAL services, etc). Exchange actually does it better than most, although as joe points out, there is always room for improvement.
If you look at the history, there were some dark days around the Exchange 2000 deployments for Exchange. 2003 got much better and hopefully E12 (what's it called now? I forget) won't get "office-ized" by the org changes going on at Microsoft. I've seen the "servers" that the office team put out and I'm thoroughly less than impressed. Hopefully that gets better, but I'm not a desktop guy and I'm not interested in becoming a desktop focused expert. Those desktop machines and office productivity apps are prime targets for commoditization over the next 5 years IMHO. Too much is at stake for it not to be. But I digress.

<history> The original implementation of AD was expected by Microsoft architects to replace ALL of the other directory services you might have and become the centerpiece to your networked computing infrastructure. It's why you'll find things like DNS integrated into the directory. Well, one reason anyway. Anyhow, as time wore on, adoption was slower than hoped for and one reason was that it was a big pill to swallow. Many large companies already had a working NT model (I say that tongue in cheek: it was limping along in large orgs), had working DNS models including administrivia and DR processes (shame on you if you don't), and a working directory structure based on the LDAP standards that, although they started as a client access protocol to X.500 directories, became synonymous with server side implementations. Whatever, only a purist cares I'm sure. It was realized that although AD had a place in the environment, it was not likely going to rule the world overnight as originally expected and designed and marketed and.... It could however be made to play well and nicely and a lot of refinement was put into that release and now R2.
Meanwhile, Exchange was the "killer" app that caused people to even consider that major leap from NT4 to AD (which we know now is really not that big a deal, but boy was it scary then, right?) Some are still migrating or just getting started, but to each their own.

Exchange was often bashed for not being scalable soooooo.... it makes sense to off-load some of the services to a single purpose machine - we know it as a domain controller/dns host/directory server/etc. Wow. What a great idea. Wait. What if you don't have a network design that can take advantage of that? Maybe it was geared up and refined to be better with a mainframe centric computing model and maybe NT 4.0 was existing there? Hmm... Or maybe your company doesn't have a network that looks like a single 40-story (storey for those across the pond) building with one single high-speed network? Maybe you have users accessing your email and directory from around the globe and maybe 40% of your users are mobile at any given time? Maybe more. Exchange won't play nice with a network like that out of the box because it was geared up to be scalable. Want a single server to handle 4,000 heavy mapi users? You can't do that with Exchange 5.x, but you can with Exchange 200x. Why? Many reasons and I won't bore you with the details. What's important is that if you look at the topology, it might make more sense to put the directory back onto Exchange computers based on the way your network works. Can you scale it as high? No. Is it simple to recover? No (it should be easier than it is IMHO). But does it serve the purpose better? Yes. Can it handle that 150 user density South African office without being hampered by the hamstrung internet connection off the continent? I've been told it's much better performance than using something like cached mode clients or OWA if the server is local. I can believe that.

Help me understand why I wouldn't put Exchange on a GC in more situations than I don't? What would I lose?

Neil, I'm curious about what you'd pick for an authentication service over AD?

Heck, now I'm just rambling though, 'cause this is likely blank ;)
Al
On 5/18/06, Carlos Magalhaes <[EMAIL PROTECTED]> wrote:
> Well currently to have a GC you need that machine to be a DC and as we
> all know you don't put Exchange on a DC ;)
>
> Exchange already feels special ;)
>
> Carlos Magalhaes
>
> Krenceski, William wrote:
> > Why can't exchange just have the GC on it somehow. I'm not a developer
> > by any means of the word. It just seems that if Exchange is "SPECIAL"
> > make it feel special......
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> > Sent: Wednesday, May 17, 2006 7:21 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > LOL.
> >
> > For those not at the DEC 2006 Dean and joe show presentation, Mark's
> > 'Exchange is "SPECIAL"' comment is a direct reference to something I
> > said when bouncing around talking about AD and bad applications. I
> > miraculously stopped and looked straight at a Microsoft MVP for Exchange
> > (Mark) while spouting the truism Exchange is "SPECIAL" in relation to
> > how it abuses AD. I was in a groove when I said it so I didn't actually
> > realize I was looking at Mark or else I probably would have bust out
> > laughing as I did later when he explained what I had done.
> >
> > I think all of the Exchange MVPs tend to have a special place in their
> > heart for me as does the entire Exchange Dev team. ;o)
> >
> >
> > joe
> >
> >
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Arnold
> > Sent: Wednesday, May 17, 2006 5:29 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > Laura, a "Mucker" is, in English, a good friend.
> > You are probably not to be termed a Mucker, other words might apply, but
> > Jimmy is one of mine and Dean/Joe is one of yours.
> >
> > Oh, and Joe is old and smells of wee, so pay no heed to his Exchange
> > rants.
> > Exchange is indeed "special" because it's such a wonderful solution. OK,
> > I should shut up now and go back to my padded cell.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
> > Sent: 17 May 2006 21:39
> > To: [email protected]
> > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> >
> >
> >> BTW, anyone know what a mucker is? I am trying to figure out if I am
> >> supposed to be morally outraged. <eg>
> >>
> >> joe
> >>
> >>
> >
> > I use "mucker" as a compliment, but in my vernacular it's used in
> > reference to a semi-skilled hockey player whose lack of scoring ability
> > is balanced by his ability to check an opposing player into sometime
> > next week.
> >
> > So I guess what I'm saying is...draw your own conclusions. :-)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >
> >
> >
> >
>
>