Interesting ... how many DCs do you have?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
> Sent: Wednesday, May 24, 2006 7:01 AM
> To: [email protected]; [email protected]
> Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
>
> We deploy Microsoft patches to all servers without a reboot, so we just schedule servers to reboot every weekend so the patches finish up the installs. It's easier to just have them reboot every week than to try and determine programmatically if they need a reboot after a patch or not.
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Brian Desmond
> Sent: Tue 5/23/2006 9:03 PM
> To: [email protected]
> Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
>
> Why do you have a weekly reboot task? This isn't NT4 anymore...
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> c - 312.731.3132
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
> > Sent: Tuesday, May 23, 2006 9:27 PM
> > To: [email protected]; [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > What about DHCP on a DC? We just had an issue where our weekly reboot task to reboot all the DCs failed on one DC and it didn't come back up. Any user at the site who rebooted their PC was down because they couldn't get an IP from DHCP. Our standard is to run DHCP on the DCs at each site. How does everyone else do it? Maybe we just need a backup DHCP scope?
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of joe
> > Sent: Tue 5/23/2006 8:13 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > I think the goal should be to build a stable robust directory service that is as flexible as you make it but not so flexible that you put yourself into bad positions to support any one app. The goals of the Directory folks should be to make sure they have something that everyone can use and something no one group can wipe out. This means that every app is the same to the directory people, they have a dependency on the directory, none are more important than any others in that set of goals.
> >
> > I completely agree with the LDAP auth stuff. LDAP isn't an auth protocol. I can carry water with my two hands cupped together, doesn't mean I am going to try and fill a pool that way.
> >
> > RE: Resource forest for Exchange.... The Exchange delegation model sucks so much water that running a separate forest is almost the only way to efficiently break off Exchange support in a guaranteed safe and secure manner. And there are other solutions to not using MIIS, such as LDSU or other third party syncing. As you know I agree completely on MIIS's "requirements". Personally I wouldn't even go for SQL 2005 Express. I want to be able to specify any backend store or I want the backend store to be completely and utterly black box like ESE. Both because I don't want to have to worry about grooming it and I don't want to worry about SQL DBA wannabes screwing with it. Just like with AD there are a lot of people who think they know SQL when in fact they can simply spell it; this goes for several DBAs I have met through the years as well as some people I have heard about through others. I heard a story recently about a SQL Expert that made me wonder who tied his shoes in the morning for him. Had I been dealing with him instead of my oh so patient friend, I don't expect he would have reported back to work or his superiors would have let him come back to work. There isn't a class or books teaching people how to manage ESE so that makes it about 10,000% better than SQL Server all alone because the people who will be figuring out how to work with it will be doing so from MSDN API docs and will probably be considerably more capable than your normal Microsoft SQL Server DBA. But that is just one reason why I don't want a SQL Server backend for stuff. I recall when we were at the summit a couple of years ago when we all were piping up about this. It doesn't appear anyone listened, but I think it is good that we continue to pipe up about it.
> >
> > --
> > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> > Sent: Tuesday, May 23, 2006 10:17 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> >
> > No, Exchange is not the only app for the directory. I concur. Exchange does not just leverage the NOS directory for its usage. It relies on it heavily. In fact, Exchange doesn't exist without it, but...
> >
> > I think the question needs to be answered though: Does the application dictate what the directory can do or should the directory dictate what the application does? I think that's important to the way you design, deploy, and maintain your Active Directory, and other directory services in your organization. The same theory and guidelines apply when you consider SiteMinder (shudder) and SunOne or OpenLDAP and Sendmail or ... the list goes on. Put another way, does the directory exist for the sole purpose of being a directory or does it exist to service multiple applications? If multiple applications, how much should the directory adjust to the needs of its constituents vs. the constituents adjust to the needs of the directory? <my thought: it's the whole not the part that's important. But neither has a reason to exist without the other, so we're still stuck in a decision loop.>
> >
> > Figuring this out sets the stage for a solid deployment of both the directory service and the applications. NOS directory aside, it is a directory and it's one that can and should be multifunction. Whitepages are nice and cute and all, but have limited use if that's all they do. But if it can also identify and authenticate a security principal (don't give me that LDAP authentication crap either - drives me nuts to hear LDAP being used as an authentication protocol </rant>) now that's real value. What? The hosts can be multi-function devices? Bonus! I like it even better.
> >
> > It's important to decide what the directory service is going to be and how it will be maintained IMHO.
> >
> > -ajm
> >
> > Exchange in a resource forest? Ewwww.... that's less than natural, reduces functionality, increases complexity and moving parts, and MIIS's FP isn't what I call a good solution (I call it a stopper and a reskit utility) until it runs on standard server and SQL 2005 Express and, and.. (why is it we should want to pay extra to get a good design again?)
> >
> > On 5/23/06, joe <[EMAIL PROTECTED]> wrote:
> >
> > > > > Does the application dictate what the directory can do?
> > > > > Or should the directory dictate what the application does?
> >
> > But Exchange isn't the only app for the directory... Exchange is generally leveraging the NOS directory for E2K+ deployments, now if you go to a resource forest for Exchange, set it up for the app all day. :)
> >
> > > > > Those are client-side applications, not Exchange.
> >
> > True, but they need to be planned in the Exchange design as they have tremendous impact on it. Recently I heard of a group that treated BES as an office automation application, I was truly shocked, I've never seen it treated as anything but core messaging.
> >
> > --
> > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> > Sent: Thursday, May 18, 2006 9:13 PM
> > To: [email protected]
> > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> >
> > "If someone was lucky enough to have been running AD as a NOS directory for some time they had enough understanding and ammo to tell those MCS guys to bag it when they were saying Exchange-centric things."
> >
> > Why are you picking on me, joe? :)
> >
> > I think there's a philosophical issue there: Does the application dictate what the directory can do? Or should the directory dictate what the application does?
> >
> > My answer (ICYGAF) is that neither. The directory is the foundation and as such should tell the applicationS how to play with it to achieve the most reliable service levels. One is not better and without the other, there is not as much meaning in their life </philosophical>
> >
> > Crackberry? DTS? Exchange is a hog, I'll give you that. It eats disk like nobody's business. What you're saying and what I'm hearing are two separate things, I think. Those are client-side applications, not Exchange. BB has an older architecture that works because of the older protocols being brought forward. It's been known for a long time that BES installations can severely limit the performance of a machine. Severely is being optimistic and because of the usage pattern predictability issues, it's a real art to design and deploy reliable email systems these days.
> >
> > Not the same thing however. And the tools? Exchange 2K vs. Exchange 2K3 is a world of difference, but the 2K3 release was an attempt to get admins back to 5.5 functionality levels using the MMC model (don't get me started) and the new architecture of multiple stores without a directory service local to the Exchange server.
> >
> > In the end, the directory separation works out better than other implementations. Exchange works better with the directory than other applications I've seen (worked with application servers lately? -bet you have and know exactly what I'm talking about). But I also question the rubber stamp concept of separating the directory from the server during design. There are times when it's a good idea. Kind of like multiple forests have their place in a design. Not my designs typically, but I can see where it might come into play.
> >
> > Al
> > <still can't see me?>
> >
> > On 5/18/06, joe <[EMAIL PROTECTED]> wrote:
> >
> > Hey I can read it! Good show Al!
> >
> > Dean is a complete noob in terms of Exchange next to me. ;o) But I am not an Exchange guy by any stretch, I am an AD guy who digs into Exchange problems as if they were just any other problem. I know nothing about E5.5. I constantly hear how the admin tools etc suck in E2K+ compared to E5.5, I have no clue, I look away when I see it, I don't want to learn it.
> >
> > > > > Exchange actually does it better than most, although as joe
> > > > > points out, there is always room for improvement.
> >
> > Does what better? Exchange certainly uses the directory more than most, it would be a rough morning after the night I said it uses it better than most things and I might find myself married with a crashed car and having a massive hangover at about the same time I start the regrets on saying Exchange did something better... ;o)
> >
> > Good comments on the original idea for AD. I recall itching every time I heard folks (even Stuart) saying it was the every-directory as I was looking at Enterprise level companies with 10-15+ directories and no one even close to wanting to go to a single one especially the one made by the company who couldn't produce a domain that could reliably go over 40k users (slight exaggeration there, we were running domains with 60-100k users on them but I was waiting for the bomb to drop)....
> >
> > > > > Meanwhile, Exchange was the "killer" app that caused people to even
> > > > > consider that major leap from NT4 to AD
> >
> > I think this helped but in a lot of larger orgs I know they were going to AD before Exchange 2K was considered. The earlier mentioned problem of NT domains that were barely running was a big pusher for very large orgs as well as the idea of getting to a more standards based environment. I feel for anyone who does their AD and Exchange migrations at the same time because they end up building a directory that is dedicated to Exchange and tend to run into fun when trying to do other things. There are a lot of Exchange consultants with a lot of silly ideas on how AD should be configured. If someone was lucky enough to have been running AD as a NOS directory for some time they had enough understanding and ammo to tell those MCS guys to bag it when they were saying Exchange-centric things.
> >
> > > > > Want a single server to handle 4,000 heavy mapi users?
> > > > > You can't do that with Exchange 5.x, but you can with Exchange 200x.
> >
> > Just make sure they are *just* heavy MAPI users and not heavy MAPI AND (Blackberry OR Desktop Search) users. I swear I hear more issues because of those two addons than anything else I have heard of (DT Search also includes, probably incorrectly, apps that archive content). Once you start adding those side apps each user needs to be considered much more than one user, they should be considered 3,4,5,6 users and E2K doesn't scale well to handle that if you are counting users in the singular. Sorry that was wildly OT but I keep hearing about folks complaining that their servers should handle 4000 users fine but they are finding that 1000 users may be a stretch if they are BB or DTS users as well.
> >
> > Good comments overall, bonus that I could actually read it. :o)
> >
> > joe
> >
> > --
> > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> > Sent: Thursday, May 18, 2006 9:03 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> >
> > <trying this in rich text from gmail to see if it floats; let me know if you can't see the text joe :)>
> >
> > Um, no. (Yes, it does have to be a DC to be a GC.) But other than scalability and simplicity related to troubleshooting/recoverability, what exactly do you sacrifice if you put Exchange on a GC?
> >
> > There are those that think that putting Exchange on a GC is the way to go. There are others that would disagree but what else is new. For those that have been implementing and designing Exchange for a number of years (joe's not really that old compared to Dean ;-) this concept would seem familiar to the Exchange 4-5x days.
> >
> > As a number of apps were promised to do, Exchange heavily utilizes and therefore relies on the AD directory for authentication, authorization, and directory services (identification) (i.e. directory lookups to aid in mail routing, server lookups (DNS), configuration settings (GPO), and GAL services, etc). Exchange actually does it better than most, although as joe points out, there is always room for improvement.
> >
> > If you look at the history, there were some dark days around the Exchange 2000 deployments for Exchange. 2003 got much better and hopefully E12 (what's it called now? I forget) won't get "office-ized" by the org changes going on at Microsoft. I've seen the "servers" that the office team put out and I'm thoroughly less than impressed. Hopefully that gets better, but I'm not a desktop guy and I'm not interested in becoming a desktop focused expert. Those desktop machines and office productivity apps are prime targets for commoditization over the next 5 years IMHO. Too much is at stake for it not to be. But I digress.
> >
> > <history> The original implementation of AD was expected by Microsoft architects to replace ALL of the other directory services you might have and become the centerpiece to your networked computing infrastructure. It's why you'll find things like DNS integrated into the directory. Well, one reason anyway. Anyhow, as time wore on, adoption was slower than hoped for and one reason was that it was a big pill to swallow. Many large companies already had a working NT model (I say that tongue in cheek: it was limping along in large orgs), had working DNS models including administrivia and DR processes (shame on you if you don't), and a working directory structure based on the LDAP standards that, although they started as a client access protocol to X.500 directories, became synonymous with server side implementations. Whatever, only a purist cares I'm sure. It was realized that although AD had a place in the environment, it was not likely going to rule the world overnight as originally expected and designed and marketed and.... It could however be made to play well and nicely and a lot of refinement was put into that release and now R2.
> >
> > Meanwhile, Exchange was the "killer" app that caused people to even consider that major leap from NT4 to AD (which we know now is really not that big a deal, but boy was it scary then, right?) Some are still migrating or just getting started, but to each their own.
> >
> > Exchange was often bashed for not being scalable soooooo.... it makes sense to off-load some of the services to a single purpose machine - we know it as a domain controller/dns host/directory server/etc. Wow. What a great idea. Wait. What if you don't have a network design that can take advantage of that? Maybe it was geared up and refined to be better with a mainframe centric computing model and maybe NT 4.0 was existing there? Hmm... Or maybe your company doesn't have a network that looks like a single 40-story (storey for those across the pond) building with one single high-speed network? Maybe you have users accessing your email and directory from around the globe and maybe 40% of your users are mobile at any given time? Maybe more. Exchange won't play nice with a network like that out of the box because it was geared up to be scalable. Want a single server to handle 4,000 heavy mapi users? You can't do that with Exchange 5.x, but you can with Exchange 200x. Why? Many reasons and I won't bore you with the details. What's important is that if you look at the topology, it might make more sense to put the directory back onto Exchange computers based on the way your network works. Can you scale it as high? No. Is it simple to recover? No (it should be easier than it is IMHO). But does it serve the purpose better? Yes. Can it handle that 150 user density South African office without being hampered by the hamstrung internet connection off the continent? I've been told it's much better performance than using something like cached mode clients or OWA if the server is local. I can believe that.
> >
> > Help me understand why I wouldn't put Exchange on a GC in more situations than I don't? What would I lose?
> >
> > Neil, I'm curious about what you'd pick for an authentication service over AD?
> >
> > Heck, now I'm just rambling though, 'cause this is likely blank ;)
> >
> > Al
> >
> > On 5/18/06, Carlos Magalhaes <[EMAIL PROTECTED]> wrote:
> > > Well currently to have a GC you need that machine to be a DC and as we all know you don't put Exchange on a DC ;)
> > >
> > > Exchange already feels special ;)
> > >
> > > Carlos Magalhaes
> > >
> > > Krenceski, William wrote:
> > > > Why can't exchange just have the GC on it somehow. I'm not a developer by any means of the word. It just seems that if Exchange is "SPECIAL" make it feel special......
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> > > > Sent: Wednesday, May 17, 2006 7:21 PM
> > > > To: [email protected]
> > > > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> > > >
> > > > LOL.
> > > >
> > > > For those not at the DEC 2006 Dean and joe show presentation, Mark's 'Exchange is "SPECIAL"' comment is a direct reference to something I said when bouncing around talking about AD and bad applications. I miraculously stopped and looked straight at a Microsoft MVP for Exchange (Mark) while spouting the truism Exchange is "SPECIAL" in relation to how it abuses AD. I was in a groove when I said it so I didn't actually realize I was looking at Mark or else I probably would have bust out laughing as I did later when he explained what I had done.
> > > >
> > > > I think all of the Exchange MVPs tend to have a special place in their heart for me as does the entire Exchange Dev team. ;o)
> > > >
> > > > joe
> > > >
> > > > --
> > > > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Arnold
> > > > Sent: Wednesday, May 17, 2006 5:29 PM
> > > > To: [email protected]
> > > > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> > > >
> > > > Laura, a "Mucker" is, in English, a good friend. You are probably not to be termed a Mucker, other words might apply, but Jimmy is one of mine and Dean/Joe is one of yours.
> > > >
> > > > Oh, and Joe is old and smells of wee, so pay no heed to his Exchange rants. Exchange is indeed "special" because it's such a wonderful solution. OK, I should shut up now and go back to my padded cell.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
> > > > Sent: 17 May 2006 21:39
> > > > To: [email protected]
> > > > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> > > >
> > > > > BTW, anyone know what a mucker is? I am trying to figure out if I am supposed to be morally outraged. <eg>
> > > > >
> > > > > joe
> > > >
> > > > I use "mucker" as a compliment, but in my vernacular it's used in reference to a semi-skilled hockey player whose lack of scoring ability is balanced by his ability to check an opposing player into sometime next week.
> > > >
> > > > So I guess what I'm saying is...draw your own conclusions. :-)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
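Two operational points in the thread above, Russ's weekly reboot of every DC rather than detecting whether a patch actually needs one, and the site outage when the only DC running DHCP failed to come back, can be checked rather than assumed. The following PowerShell is an added example, not code from the list or from any poster; it assumes Windows PowerShell 5.1 with WinRM enabled on the DCs, the ActiveDirectory module on the admin workstation, the standard service names NTDS, DNS and DHCPServer, and the usual registry locations that Windows Update and the servicing stack use to signal a pending reboot.

```powershell
# Added example (not from the thread): reboot only DCs that need it, one at a
# time, then confirm the services a site depends on came back, and flag sites
# where a single DC is the only DHCP server (the failure mode Russ describes).

function Test-PendingReboot {
    # Runs on the target machine. Each indicator below is a registry key or value
    # whose presence means "a restart is required to finish servicing".
    $reasons = @()
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'ComponentBasedServicing'
    }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRename' }
    # A computer rename that has not taken effect yet also needs a restart.
    $active = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $target = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    if ($active -ne $target) { $reasons += 'ComputerRename' }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons
    }
}

function Test-DcServices {
    # One row per DC per service; 'NotInstalled' when the service does not exist.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$ServiceName = @('NTDS', 'DNS', 'DHCPServer')
    )
    foreach ($dc in $ComputerName) {
        foreach ($svc in $ServiceName) {
            $s = Get-Service -ComputerName $dc -Name $svc -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ComputerName = $dc
                Service      = $svc
                Status       = if ($s) { [string]$s.Status } else { 'NotInstalled' }
            }
        }
    }
}

function Find-SingleDhcpSites {
    # Sites where exactly one DC has the DHCP Server service: losing that DC
    # leaves clients at the site without leases, as happened in the thread.
    Import-Module ActiveDirectory
    $dcs  = Get-ADDomainController -Filter *
    $dhcp = Test-DcServices -ComputerName $dcs.HostName -ServiceName 'DHCPServer' |
        Where-Object Status -ne 'NotInstalled'
    foreach ($site in ($dcs | Group-Object Site)) {
        $hosts   = @($site.Group.HostName)
        $servers = @($dhcp | Where-Object { $hosts -contains $_.ComputerName })
        if ($servers.Count -eq 1) {
            [pscustomobject]@{ Site = $site.Name; OnlyDhcpServer = $servers[0].ComputerName }
        }
    }
}

# Usage (assumed environment): query every DC, restart only those that report a
# pending reboot, sequentially, waiting for each to come back before the next.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
$pending = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock ${function:Test-PendingReboot}
}
$pending | Where-Object RebootPending | ForEach-Object {
    Restart-Computer -ComputerName $_.PSComputerName -Force -Wait -For PowerShell -Timeout 900
}
# Anything not Running after the restarts is what the weekend task would have missed.
Test-DcServices -ComputerName $dcs | Where-Object Status -ne 'Running'
Find-SingleDhcpSites
```

Get-Service -ComputerName is a Windows PowerShell 5.1 parameter; on PowerShell 7 wrap the service check in Invoke-Command instead.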
