I am with both of you, that post scared me to death from a few angles.
1. You are patching and just letting DCs reboot and hoping for the
best? I reboot DCs immediately after a patch because if it is going to
blow, I want to know right then when I patched it, I also like having
the hands on control of exactly when DCs reboot. Visualize the case
where a patch is deployed to all DCs and they all reboot on Sunday and
none of them come back up. What are you doing then Charlie Brown?
2. No one knew the DC didn't come back up or the service didn't come
back up until users didn't work??? OI! As Al said, if you have a
service on a machine that doesn't fail over automatically then you
MUST monitor it to within an inch of its life and start paging every
30 seconds until it comes back online.
Would I do DHCP on a DC? I don't know, I would rather not but it
wouldn't bother too much, but I also have a rule about things going on
DCs that make the DCs one off, I don't do it unless there is
absolutely no choice whatsoever and then those DCs get special (read
expensive) hands on support - which is why this should be as few as
possible. DCs that fit this are Exchange GCs, PDC, and any DCs that
are targeted by syncing apps (ADC, MIIS) and have no backups for that
functionality.
I would look at doing DHCP over the WAN, what is it, I think you need
BootP helpers on the routers to get the requests across and then have
a centralized server giving out the addresses, maybe have that as a
backup if the local DC pukes or just do it that way. DHCP is very
light traffic.
The reboots themselves don't bother me as I have seen SixSigma
projects that pointed out that DCs that were rebooted on a regular
basis had better overall availability. In the widget company we used
to reboot WAN Site DCs weekly but then through similar study projects
found it was better to reboot every couple of weeks instead so one of
my teammates worked up a beauty script that ran through scheduler that
only rebooted every few weeks. The main idea behind it was that a DC
that hung up was often difficult to deal with over the wire and
rebooting helped alleviate hang issues. Once we had DRAC/ILO type
functionality everywhere it was less of an issue but we still found
the rebooting every month or a couple of times a month was useful. It
isn't a competition to see how long the servers can stay running
consecutively, it is about making sure the environment is stable and
available and if regular reboots can help with that, so be it. DCs are
nice because the way they should be configured rebooting a DC at any
time shouldn't be an issue. I say shouldn't because Exchange GCs still
cause heartache when you reboot them and since the ESM/WMI mechanism
for determining which GCs are being used is crap (and the Exchange
team knows this very clearly as I bugged it with them a year ago) and
doesn't work properly you never really know for sure which GCs are in
use.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
------------------------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 9:06 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
I'm with Brian on this one: why a weekly reboot? Saying that, I just
found out yesterday that the company I'm at now does a weekly reboot
as a matter of course. This could take some time.....
Putting DHCP on a DC is not an issue in my opinion. The issue is with
your implementation from what you've posted. The implementation
doesn't take into account the failure of any one service without an
outage being realized. Put in another perspective, if you deploy AD
you're deploying a "fabric" of hosts that together provide an
identification and authentication service (some authorization as well,
but for another conversation at another time). In this case, your
Active Directory likely continued to work, but your DHCP "service"
didn't follow the same rules.
Therefore, the goal of any app deployed on a DC should be to have it
be as resilient a service as Active Directory; the loss of any single
host in an Active Directory environment should not deny services
provided by that host.
Several things to consider: your DHCP lease times were too short. I'm
not sure why, but apparently there's a shortage of IP addresses out
there in many sites. I think that's a shame and that people should
allocate the money to purchase the additional IP addresses on those
private networks. :)
Additionally, you should strongly consider how your scopes are laid
out. 80/20 or 50/50 split designs for DHCP are common and can help
solve that problem as well as extended outage problems.
Consider not having a "standard" reboot cycle for Windows boxes. It
really plays havoc with them and reduces the efficiency that they can
otherwise achieve. There's a document out there somewhere from
Microsoft detailing the memory and CPU impact to frequent reboots.
I'll try to dig it up if that's of value.
Al
On 5/23/06, Rimmerman, Russ <[EMAIL PROTECTED]> wrote:
What about DHCP on a DC? We just had an issue where our weekly
reboot task to reboot all the DCs failed on one DC and it didn't
come back up. Any user at the site who rebooted their PC was down
because they couldn't get an IP from DHCP. Our standard is to run
DHCP on the DCs at each site. How does everyone else do
it? Maybe we just need a backup DHCP scope?
________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/23/2006 8:13 PM
To: [email protected]
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
I think the goal should be to build a stable robust directory
service that is as flexible as you make it but not so flexible
that you put yourself into bad positions to support any one app.
The goals of the Directory folks should be to make sure they have
something that everyone can use and something no one group can
wipe out. This means that every app is the same to the directory
people, they have a dependency on the directory, none are more
important than any others in that set of goals.
I completely agree with the LDAP auth stuff. LDAP isn't an auth
protocol. I can carry water with my two hands cupped together,
doesn't mean I am going to try and fill a pool that way.
RE: Resource forest for Exchange.... The Exchange delegation model
sucks so much water that running a separate forest is almost the
only way to efficiently break off Exchange support in a guaranteed
safe and secure manner. And there are other solutions to not using
MIIS, such as LDSU or other third party syncing. As you know I
agree completely on MIIS'es "requirements". Personally I wouldn't
even go for SQL 2005 Express. I want to be able to specify any
backend store or I want the backend store to be completely and
utterly black box like ESE. Both because I don't want to have to
worry about grooming it and I don't want to worry about SQL DBA
wannabes screwing with it. Just like with AD there are a lot of
people who think they know SQL when in fact they can simply spell
it, this goes for several DBAs I have met through the years as
well as some people I have heard about through others. I heard a
story recently about a SQL Expert that made me wonder who tied his
shoes in the morning for him. Had I been dealing with him instead
of my oh so patient friend, I don't expect he would have reported
back to work or his superiors would have let him come back to
work. There isn't a class or books teaching people how to manage
ESE so that makes it about 10,000% better than SQL Server all
alone because the people who will be figuring out how to work with
it will be doing so from MSDN API docs and will probably be
considerably more capable than your normal Microsoft SQL Server
DBA. But that is just one reason why I don't want SQL Server
backend for stuff. I recall when we were at the summit a couple of
years ago when we all were piping up about this. It doesn't appear
anyone listened, but I think it is good that we continue to pipe
up about it.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, May 23, 2006 10:17 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
No, Exchange is not the only app for the directory. I
concur. Exchange does not just leverage the NOS directory for
its usage. It relies on it heavily. In fact, Exchange doesn't
exist without it, but...
I think the question needs to be answered though: Does the
application dictate what the directory can do or should the
directory dictate what the application does? I think that's
important to the way you design, deploy, and maintain your Active
Directory, and other directory services in your organization. The
same theory and guidelines apply when you consider SiteMinder
(shudder) and SunOne or OpenLDAP and Sendmail or ... the list goes
on. Put another way, does the directory exist for the sole purpose
of being a directory or does it exist to service multiple
applications? If multiple applications, how much should the
directory adjust to the needs of its constituents vs. the
constituents adjust to the needs of the directory? <my thought:
it's the whole not the part that's important. But neither has a
reason to exist without the other, so we're still stuck in a
decision loop.>
Figuring this out sets the stage for a solid deployment of both
the directory service and the applications. NOS directory aside,
it is a directory and it's one that can and should be
multifunction. Whitepages are nice and cute and all, but have
limited use if that's all they do. But if it can also identify
and authenticate a security principal (don't give me that LDAP
authentication crap either - drives me nuts to hear LDAP being
used as an authentication protocol </rant>) now that's real value.
What? The hosts can be multi-function devices? Bonus! I like it
even better.
It's important to decide what the directory service is going to be
and how it will be maintained IMHO.
-ajm
Exchange in a resource forest? Ewwww.... that's less than
natural, reduces functionality, increases complexity and moving
parts, and MIIS's FP isn't what I call a good solution (I call it
a stopper and a reskit utility) until it runs on standard server
and SQL 2005 Express and, and.. (why is it we should want to pay
extra to get a good design again?)
On 5/23/06, joe <[EMAIL PROTECTED]> wrote:
> Does the application dictate what the directory can do?
> Or should the directory dictate what the application does?
But Exchange isn't the only app for the directory...
Exchange is generally leveraging the NOS directory for E2K+
deployments, now if you go to a resource forest for Exchange, set
it up for the app all day. :)
> Those are client-side applications, not Exchange.
True, but they need to be planned in the Exchange design as
they have tremendous impact on it. Recently I heard of a group
that treated BES as an office automation application, I was truly
shocked, I have never seen it treated as anything but core messaging.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, May 18, 2006 9:13 PM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
"If someone was lucky enough to have been running AD as a
NOS directory for some time they had enough understanding and ammo
to tell those MCS guys to bag it when they were saying
Exchange-centric things. "
Why are you picking on me, joe? :)
I think there's a philosophical issue there: Does the
application dictate what the directory can do? Or should the
directory dictate what the application does?
My answer (ICYGAF) is neither. The directory is the
foundation and as such should tell the applicationS how to play
with it to achieve the most reliable service levels. One is not
better and without the other, there is not as much meaning in
their life </philosophical>
Crackberry? DTS? Exchange is a hog, I'll give you that. It
eats disk like nobody's business. What you're saying and what I'm
hearing are two separate things, I think. Those are client-side
applications, not Exchange. BB has an older architecture that
works because of the older protocols being brought forward. It's
been known for a long time that BES installations can severely
limit the performance of a machine. Severely is being optimistic
and because of the usage pattern predictability issues, it's a
real art to design and deploy reliable email systems these days.
Not the same thing however. And the tools? Exchange 2K vs.
Exchange 2K3 is a world of difference, but the 2K3 release was an
attempt to get admins back to 5.5 functionality levels using the
MMC model (don't get me started) and the new architecture of
multiple stores without a directory service local to the Exchange
server.
In the end, the directory separation works out better than
other implementations. Exchange works better with the directory
than other applications I've seen (worked with application servers
lately? -bet you have and know exactly what I'm talking about).
But I also question the rubber stamp concept of separating the
directory from the server during design. There are times when
it's a good idea. Kind of like multiple forests have their place
in a design. Not my designs typically, but I can see where it
might come into play.
Al
<still can't see me?>
On 5/18/06, joe <[EMAIL PROTECTED]> wrote:
Hey I can read it! Good show Al!
Dean is a complete noob in terms of Exchange next
to me. ;o) But I am not an Exchange guy by any stretch, I am an AD
guy who digs into Exchange problems as if they were just any other
problem. I know nothing about E5.5. I constantly hear how the
admin tools etc suck in E2K+ compared to E5.5, I have no clue, I
look away when I see it, I don't want to learn it.
> Exchange actually does it better than most, although as joe
> points out, there is always room for improvement.
Does what better? Exchange certainly uses the
directory more than most, it would be a rough morning after the
night I said it uses it better than most things and I might find
myself married with a crashed car and having a massive hangover at
about the same time I start the regrets on saying Exchange did
something better... ;o)
Good comments on the original idea for AD. I recall
itching every time I heard folks (even Stuart) saying it was the
every-directory as I was looking at Enterprise level companies
with 10-15+ directories and no one even close to wanting to go to
a single one especially the one made by the company who couldn't
produce a domain that could reliably go over 40k users (slight
exaggeration there, we were running domains with 60-100k users on
them but I was waiting for the bomb to drop)....
> Meanwhile, Exchange was the "killer" app that caused people to even
> consider that major leap from NT4 to AD
I think this helped but in a lot of larger orgs I
know they were going to AD before Exchange 2K was considered. The
earlier mentioned problem of NT domains that were barely running
was a big pusher for very large orgs as well as the idea of
getting to a more standards based environment. I feel for anyone
who does their AD and Exchange migrations at the same time because
they end up building a directory that is dedicated to Exchange and
tend to run into fun when trying to do other things. There are a
lot of Exchange consultants with a lot of silly ideas on how AD
should be configured. If someone was lucky enough to have been
running AD as a NOS directory for some time they had enough
understanding and ammo to tell those MCS guys to bag it when they
were saying Exchange-centric things.
> Want a single server to handle 4,000 heavy mapi users?
> You can't do that with Exchange 5.x, but you can with Exchange 200x.
Just make sure they are *just* heavy MAPI users and
not heavy MAPI AND (Blackberry OR Desktop Search) users. I swear I
hear more issues because of those two addons than anything else I
have heard of (DT Search also includes, probably incorrectly, apps
that archive content). Once you start adding those side apps each
user needs to be considered much more than one user, they should
be considered 3,4,5,6 users and E2K doesn't scale well to handle
that if you are counting users in the singular. Sorry that was
wildly OT but I keep hearing about folks complaining that their
servers should handle 4000 users fine but they are finding that
1000 users may be a stretch if they are BB or DTS users as well.
Good comments overall, bonus that I could actually
read it. :o)
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, May 18, 2006 9:03 AM
To: [email protected]
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
<trying this in rich text from gmail to see if it
floats; let me know if you can't see the text joe :)>
Um, no. (Yes, it does have to be a DC to be a
GC.) But other than scalability and simplicity related to
troubleshooting/recoverability, what exactly do you sacrifice if
you put Exchange on a GC?
There are those that think that putting Exchange on
a GC is the way to go. There are others that would disagree but
what else is new. For those that have been implementing and
designing Exchange for a number of years (joe's not really that
old compared to Dean ;-) this concept would seem familiar to the
Exchange 4-5x days.
As a number of apps were promised to do, Exchange
heavily utilizes and therefore relies on the AD directory for
authentication, authorization, and directory services
(identification) (i.e. directory lookups to aid in mail routing,
server lookups (DNS), configuration settings (GPO), and GAL
services, etc). Exchange actually does it better than most,
although as joe points out, there is always room for improvement.
If you look at the history, there were some dark
days around the Exchange 2000 deployments for Exchange. 2003 got
much better and hopefully E12 (what's it called now? I forget)
won't get "office-ized" by the org changes going on at Microsoft.
I've seen the "servers" that the office team put out and I'm
thoroughly less than impressed. Hopefully that gets better, but
I'm not a desktop guy and I'm not interested in becoming a desktop
focused expert. Those desktop machines and office productivity
apps are prime targets for commoditization over the next 5 years
IMHO. Too much is at stake for it not to be. But I digress.
<history> The original implementation of AD was
expected by Microsoft architects to replace ALL of the other
directory services you might have and become the centerpiece to
your networked computing infrastructure. It's why you'll find
things like DNS integrated into the directory. Well, one reason
anyway. Anyhow, as time wore on, adoption was slower than hoped
for and one reason was that it was a big pill to swallow. Many
large companies already had a working NT model (I say that tongue
in cheek: it was limping along in large orgs), had working DNS
models including administrivia and DR processes (shame on you if
you don't), and a working directory structure based on the LDAP
standards that, although they started as a client access protocol
to X.500 directories, became synonymous with server side
implementations. Whatever, only a purist cares I'm sure. It was
realized that although AD had a place in the environment, it was
not likely going to rule the world overnight as originally
expected and designed and marketed and.... It could however be
made to play well and nicely and a lot of refinement was put into
that release and now R2.
Meanwhile, Exchange was the "killer" app that
caused people to even consider that major leap from NT4 to AD
(which we know now is really not that big a deal, but boy was it
scary then, right?) Some are still migrating or just getting
started, but to each their own.
Exchange was often bashed for not being scalable
soooooo.... it makes sense to off-load some of the services to a
single purpose machine - we know it as a domain controller/dns
host/directory server/etc. Wow. What a great idea. Wait. What
if you don't have a network design that can take advantage of
that? Maybe it was geared up and refined to be better with a
mainframe centric computing model and maybe NT 4.0 was existing
there? Hmm... Or maybe your company doesn't have a network that
looks like a single 40-story (storey for those across the pond)
building with one single high-speed network? Maybe you have users
accessing your email and directory from around the globe and maybe
40% of your users are mobile at any given time? Maybe more.
Exchange won't play nice with a network like that out of the box
because it was geared up to be scalable. Want a single server to
handle 4,000 heavy mapi users? You can't do that with Exchange
5.x, but you can with Exchange 200x. Why? Many reasons and I won't
bore you with the details. What's important is that if you look
at the topology, it might make more sense to put the directory
back onto Exchange computers based on the way your network works.
Can you scale it as high? No. Is it simple to recover? No (it
should be easier than it is IMHO). But does it serve the purpose
better? Yes. Can it handle that 150 user density South African
office without being hampered by the hamstrung internet connection
off the continent? I've been told it's much better performance
than using something like cached mode clients or OWA if the server
is local. I can believe that.
Help me understand why I wouldn't put Exchange on a
GC in more situations than I don't? What would I lose?
Neil, I'm curious about what you'd pick for an
authentication service over AD?
Heck, now I'm just rambling though, 'cause this is
likely blank ;)
Al
On 5/18/06, Carlos Magalhaes <[EMAIL PROTECTED]> wrote:
> Well currently to have a GC you need that machine to be a DC and as we
> all know you don't put Exchange on a DC ;)
>
> Exchange already feels special ;)
>
> Carlos Magalhaes
>
> Krenceski, William wrote:
> > Why can't exchange just have the GC on it somehow. I'm not a developer
> > by any means of the word. It just seems that if Exchange is "SPECIAL"
> > make it feel special......
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> > Sent: Wednesday, May 17, 2006 7:21 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > LOL.
> >
> > For those not at the DEC 2006 Dean and joe show presentation, Mark's
> > 'Exchange is "SPECIAL"' comment is a direct reference to something I
> > said when bouncing around talking about AD and bad applications. I
> > miraculously stopped and looked straight at a Microsoft MVP for Exchange
> > (Mark) while spouting the truism Exchange is "SPECIAL" in relation to
> > how it abuses AD. I was in a groove when I said it so I didn't actually
> > realize I was looking at Mark or else I probably would have bust out
> > laughing as I did later when he explained what I had done.
> >
> > I think all of the Exchange MVPs tend to have a special place in their
> > heart for me as does the entire Exchange Dev team. ;o)
> >
> >
> > joe
> >
> >
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Arnold
> > Sent: Wednesday, May 17, 2006 5:29 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> >
> > Laura, a "Mucker" is, in English, a good friend.
> > You are probably not to be termed a Mucker, other words might apply, but
> > Jimmy is one of mine and Dean/Joe is one of yours.
> >
> > Oh, and Joe is old and smells of wee, so pay no heed to his Exchange
> > rants.
> > Exchange is indeed "special" because it's such a wonderful solution. OK,
> > I should shut up now and go back to my padded cell.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
> > Sent: 17 May 2006 21:39
> > To: [email protected]
> > Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> >
> >
> >> BTW, anyone know what a mucker is? I am trying to figure out if I am
> >> supposed to be morally outraged. <eg>
> >>
> >> joe
> >>
> >>
> >
> > I use "mucker" as a compliment, but in my vernacular it's used in
> > reference to a semi-skilled hockey player whose lack of scoring ability
> > is balanced by his ability to check an opposing player into sometime
> > next week.
> >
> > So I guess what I'm saying is...draw your own conclusions. :-)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/