Apologies as I’m reading in digest. But I just wanted to chip something into this surrounding OUs versus groups, as it was something that I’ve been thinking about on my mind-numbing commute.

I understood that RODCs could be configured to be a read-only subset of objects (users) from the writeable AD, or that you could set them to cache, which would also be useful to catch the user population at a given site if this was unknown. I remember there being a long discussion at the back of DEC about people wanting the subset replication to be based around OUs rather than groups, and lots of people being quite passionate about it. The thing that struck me was: how would you then deal with group membership where the group was sat in a totally different part of the tree? Somehow you’ve got to get that closed set to work with, which is very loosely linked to migration strategies. (Blimey, I must have paid attention on that migration course all of those years ago.) And then you’ve got constraints on OU structures if they are now partitions for replication in some capacity.

How wrong is this understanding?

If it’s kind of right, then at some point in the future are we going to see multiple domain partitions hosted on DCs? ’Cos that would be nice, as well as the ability to replicate subsets as read only. Where a GC could hold writeable copies of domain partitions that weren’t from its particular domain in the forest… etc… mmm, DC consolidation, the possibilities!

Then going more OT. There were also rumblings about ROGCs that didn’t contain sensitive info and could be used purely for email purposes without the baggage of a full-fat DC. Is this correct, and how does this relate to Exchange 2007 and its Edge servers, which from what I can gather are looking to suck bits of the AD into an ADAM for kind of the same purpose as an ROGC would perform? I may be totally babbling now.
RE: [ActiveDir] Read-Only Domain Controller and Server Core
- From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
- Date: Sat, 29 Jul 2006 17:14:51 +0100
Al,

that’s basically getting back at what Eric said, and the more I think about it, the more I have to agree: there is only a certain percentage of companies that are able to set up an OU structure by geography, and certainly no single OU structure will fit all companies. I have myself worked with quite a lot of customers where OUs by location made sense – but also some that had a mix of location OUs for computers and business-unit OUs for users. And others simply adjust it to their helpdesk model – depending on who needs to manage which part of the world.

Thinking more about the travel bit, it will be easy to understand that this doesn’t make the password caching story any easier. If you want full coverage for WAN outages (which is the main reason that you want to cache the passwords in the first place), then you may need to match those traveling users (and computers) to multiple sites – this is where the fun begins with figuring out how to handle the password replication policies for RODCs. Granted, OUs suddenly make less sense, since a user and a computer can only be in a single OU, but they can belong to multiple groups…
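The two posts above circle one design point: an RODC's password replication scope built on OUs cannot follow a user who belongs to several sites, whereas group membership can. The following is an added illustration, not code from either poster, of how that plays out with the RODC Password Replication Policy (PRP) cmdlets in the ActiveDirectory PowerShell module. All names (the RODCs `RODC-SITEA` / `RODC-SITEB`, the groups `RODC-Site*-Allowed`, the OU path, the account `traveller1`) are placeholders and not from the thread.

```powershell
# Added example: scope RODC password caching by per-site groups rather than by OU,
# so a travelling account can be cached at more than one site. All names below are
# placeholders chosen for this example, not values from the mailing-list thread.
Import-Module ActiveDirectory

# Map each site's allow-list group to the RODC that should honour it (placeholders).
$SiteGroups = @{
    'RODC-SiteA-Allowed' = 'RODC-SITEA'
    'RODC-SiteB-Allowed' = 'RODC-SITEB'
}
$GroupOu = 'OU=RODC Policy,DC=example,DC=com'   # placeholder OU holding the policy groups

foreach ($groupName in $SiteGroups.Keys) {
    # Create the site group once; a global security group is enough for a PRP entry.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOu `
            -Description 'Accounts whose secrets may be cached on this site RODC'
    }
    # Put the group on the matching RODC's Allowed list.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $SiteGroups[$groupName] -AllowedList $groupName
}

# A user object sits in exactly one OU, but nothing stops it being a member of
# both site groups; that is what lets the same account be cached at two sites.
Add-ADGroupMember -Identity 'RODC-SiteA-Allowed' -Members 'traveller1'   # placeholder account
Add-ADGroupMember -Identity 'RODC-SiteB-Allowed' -Members 'traveller1'

# Denied entries take precedence over Allowed ones. The built-in
# "Denied RODC Password Replication Group" already covers the usual privileged
# groups; an explicit entry makes the intent visible in the RODC's own policy.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-SITEA' -DeniedList 'Domain Admins'

# Review from the defender's side: what the policy permits, and which secrets the
# branch-office box actually holds right now (the set an attacker with physical
# access to that RODC could recover).
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-SITEA' -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-SITEA' -Denied |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-SITEA' -RevealedAccounts |
    Select-Object Name, DistinguishedName
```

The last three calls are the part worth running on a schedule: the Allowed and Denied lists show what the policy says, while `-RevealedAccounts` shows what has actually been cached, so a mis-scoped group (one that quietly picked up an administrative account) shows up as a concrete list of exposed principals rather than as a policy abstraction.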