Excellent points David.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, November 22, 2006 6:02 PM
To: [email protected]
Subject: RE: [ActiveDir] mailNickName(OT)

While I firmly agree that guidance should never be blindly followed, regardless of the source, I'd add that customers who say "Microsoft reviewed this" or something like that should not necessarily be taken to mean the design was in any way developed by or recommended by MS (I can't speak for the OP; I'm just making a general statement.) I've seen many a customer fight for a MS stamp of approval on a design that in no way is best practices but "works" and meets the bare bones supportability requirements. Also, recommendations to change a design are often met with "but it works and I don't want to possibly break it just to comply with best practices so unless you tell me it's completely broken we're not changing it." But that's rarely disclosed when problems come up down the road.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 22, 2006 4:21 PM
To: [email protected]
Subject: RE: [ActiveDir] mailNickName(OT)

I have to admit some surprise that you have that large of an org and haven't hit issues in collisions on the name space when using firstname.lastname. Actually I find it more than surprising, I expect you have some exceptions or some folks got a display name that isn't something they totally prefer, like a Ted became a Theodore or something for example...

On the MSFT helped with the design comment... I realize you weren't around for it but don't confuse "someone from MSFT" helped with the design with "MSFT" helped with the design. It is something I learned a long time ago to separate. Not every MSFT resource is as knowledgeable as they should be in every area they may be called in to work on... i.e. when using say MCS or PSS to help with things, don't blindly follow, understand what they are designing or asking you to do. Obviously this isn't strictly limited to MSFT, this goes for every company that has "experts" that come in and help. While you hope you get all of the experience of Microsoft in every Microsoft employee (or all of the experience of Company X from every Company X employee) who visits you, the simple and obvious truth of the matter is that you don't. You get a person with some level X of experience who has some level X of access to other people. Some of these people will be extremely experienced in what you are doing (or some aspect of what you are doing), some will pretend they are. Some will know who to contact to verify plans/ideas, some won't, some won't even care to because they feel they know enough themselves. I have met all versions of these.

My favorites are those who are comfortable enough in themselves to actually say "I don't know the answers to that" or "I am not sure" that is quickly followed by "But I will find out". Interestingly, the people willing to say I don't know tend to be the ones that most of the other MSFT folks consider to be some of the brightest folks working on those things... Imagine that.

At any point if you get the feeling that the person is more of a shyster than an expert, call them out and ask for them to get someone else on the phone to talk it out as well. If you are in a 100k+ org, you should have the weight to even get someone from Redmond on the phone to help answer questions. Also don't be afraid to just ask here, say someone said X and Y and we aren't exactly sure if that is accurate... People here will either say yes, no, it depends, or where &%#$ are your smilies...

All of that to say, even if someone from MSFT helped with some design of something, don't rely on that meaning it is authoritatively the most optimal configuration or even how it should be done at all. You are on better ground if you get an official design review from PSS because then several folks should be looking at it, but even still... I have seen some funny recommendations even in those that I have completely ignored. Basically you need to have some good understanding of what you are doing as well. In a small company the repercussions and actually the need for special thinking is greatly reduced, Microsoft Redmond targets those situations. In larger companies above the 30/50/80/100k user marks, IMO, someone better have a good understanding of AD unless all of your support is farmed out to another company and then someone there better have a really good understanding.

If you want to read on, there is a funny story I have of an MSFT Exchange Alliance Premier person who had an issue saying I don't know and radically impacted his image and how the customer viewed him... This just came up in a chat I had with someone recently so since it is fresh in my head...

I was in a training class several years ago when this Alliance tech ventured onto the topic of the general ACL model that he thought he understood and I started questioning him on it because he said something that I knew to be wrong. I was personally curious how far he would take his incorrect answer so asked a couple of leading questions that should have sent warnings to him. He didn't stop, in fact, he kept going with it and actually ended his responses to my questions with something like "I am only wrong once per year and this isn't the time" or something really silly like that. I let him smile for a few seconds as I looked at the other Microsoft folks in the back of the room who knew me and realized something bad was happening and then I pointed out some errors for him. From that second on he looked like a gomer to the customer (us) but worse, to every MSFT person in that room, they couldn't stop laughing. A year later I recall he was still actively being ribbed about it. I expect even now he gets the occasional poke... I know every time he says something to the customer, even still, they question whether or not they can trust the answer.

Going back even farther I once had another PSS Alliance Exchange Tech tell me that the limitation in Windows 2000 with 5000 members in a group had been fixed, just not documented as fixed. I was told that so I would stop asking questions about whether or not something was going to break or not if we exceeded 5000 users on an Exchange DB. I later figured out why it really wasn't a problem but it was silly an Alliance Tech made up a statement like that to stop me from questioning it.

I have lots more stories like that. Then I also have lots of stories (more good stories than bad actually) where certain MSFT people were absolutely amazing when they helped me and were perfectly willing to admit they weren't sure about something and went and figured it out and went so far above and beyond I couldn't believe it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, November 22, 2006 1:55 PM
To: [email protected]
Subject: Re: [ActiveDir] mailNickName(OT)

The place I'm currently at is a large 110,000 + user bank. They use the HR employee id# for sAMAccountName and upn and in turn the dn. They use firstname.lastname for smtp and mailNickName and consequently legacyExchangeDN. Why, I have no idea. They had a lot of input from MS in setting up their forest/exchange ORG, so I'm not sure why it is this way.

For some background, they use lotus as well as exchange and use a dirX ldap server for common address book and sendmail address rewrite. For the HR db, they use peoplesoft which they are going to sync up with AD with MIIS soon. I'm not sure what all this has to do with mailNickName format, but it may provide some background or potential trouble in the future.

Thanks for all your input.

On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> Other than being used for access by other protocols such as pop, imap, and owa, last I checked it's also the value used for the x.400 like address which is used for mail delivery internally by Exchange. You wouldn't want that to be non-unique else you might have to call somebody like joe to come in and help clean up :)
>
> I'm surprised that this company you're at has not gone to unique values for this. I'm equally surprised they don't have other issues with their Exchange deployment, but it's possible you haven't gotten far enough into it yet to notice some of them.
>
> I've blogged about my thoughts regarding what should be globally unique in an AD/Exchange environment. It's a long enough blog it may even be a good candidate for an essay or possibly a sleep aid.
>
> If you want the details, have a read. The short answer is that you want every user to be unique and to have a consistent and trouble-free experience. That keeps you from being up late at night with international customers first and your local in-country customers the next day. Mailnickname is one of the attributes that should be unique same as samaccountname and smtp address (some are enforced per forest, some per domain but all should be enforced regardless in my opinion). Since they can often feed on one another, I maintain that samaccountname should be the user's foundational, non-changing, never touched as long as that person is a member of the company in good standing, network id. Exchange relies on Active Directory and as such you're better following the same rules.
>
>
> Al
>
> On 11/22/06, joe <[EMAIL PROTECTED]> wrote:
> >
> > The mailnickname isn't populated in a similar way to display name. The common ways for mailnickname generation and its population are through the RUS, by CDOEXM, or by the special ADUC extension (and no ADUC doesn't use CDOEXM). This is unlike displayname which has ADUC as its common way to be populated. Certainly they could have done something like that but they didn't.
> >
> > Changing the format is ok, most companies don't do it but some do. But if there is going to be a change, change to something that is guaranteed to be unique in your organization. Display names are very often not unique; definitely not unique at scale which is why Al said, it don't scale.... Go to any larger company in the US and type in Smith, Jones, Brown, or Johnson in the GAL and you will likely see multiple Alan's, Andrew's, Amy's, Bob's, Carol's, Fred's, John's, Steve's, etc... If you are multi-national try Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg, Schulz, or Schmidt.
> >
> > The attribute is used quite a bit in Exchange. Where all it is used I will let some Exchange person respond if they want, but look quickly at a mailbox enabled user and check how many times you see the value. Note that none of the other attributes that use mailNickname in their initial generation will change if you change mailnickname, you absolutely wouldn't want that or else it would break certain types of delivery for that user. I have seen some nasty issues in larger orgs that resulted in mailNicknames not being unique. The problems can be solved by mechanisms other than unique mailNicknames but unique mailNicknames is by far the easiest way to handle it. I have a tool that reports bad Exchange attribute settings in an Org and duplicate mailNickname is one of them that I flag as fairly high priority due to my experiences.
> >
> >
> > joe
> >
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Tuesday, November 21, 2006 10:07 PM
> > To: [email protected]
> > Subject: Re: [ActiveDir] mailNickName(OT)
> >
> > well, the company i currently work for sets the mailNickName of all
> > users to "firstname.lastname".
> > I didn't know there was any issue with changing the format of that
> > attribute.
> >
> > we have around 110,000 users mixed between Exchange and Lotus Domino
> > and this is the format they have been using (why, i'm not sure, I just
> > started here)
> >
> > I thought there could be a way to change the default format of the
> > mailNickName attribute the same way you could change the format of the
> > displayname.
> >
> > What issues can arise by changing the mailNickname format?
> >
> > I mean, what is this attribute used for exactly?
> > I thought this was only used for POP3 and IMAP and maybe OWA and ADC.
> > And I didn't think changing it could affect anything.
> > Can you guys educate me, please?
> >
> > Thanks
> >
> > On 11/21/06, joe <[EMAIL PROTECTED]> wrote:
> > > Not that I am aware of.
> > >
> > > I am with Al on this, keep it as the sAMAccountName. This value while
> > > isn't enforced to be unique really should be. Using sAMAccountName helps
> > > with that though it still allows duplicates in different domains.
> > >
> > >
> > > joe
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > > Sent: Tuesday, November 21, 2006 5:19 AM
> > > To: activedirectory
> > > Subject: [ActiveDir] mailNickName(OT)
> > >
> > > Is there anyway to change the format of the mailNickName attribute to
> > > be something other than sAMAccountName automatically?
> > > Is there something like a "display specifiers" change that could
> > > change the format during the automatic generation of it to be
> > > "firstname.lastname" or can this only be scripted?
> > >
> > > Thanks
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/[email protected]/
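The thread's practical advice boils down to three checks an AD/Exchange admin can run over an export of the forest's mail-enabled users: is mailNickname unique forest-wide, does it match sAMAccountName (the convention Al and joe recommend), and how many firstname.lastname collisions would a name-based scheme produce at scale. The script below is an added example written for this page, not joe's reporting tool or anything posted to the list. It works on a constructed list of user records standing in for an LDAP export; all DNs, account names and domains are made up, and comparisons are case-insensitive because neither attribute is case-sensitive in AD.

```python
"""Audit constructed AD/Exchange user records for the mailNickname problems
discussed in the thread. Example code written for this page; not a tool from
the list. Records stand in for an LDAP export of mail-enabled users."""
from collections import defaultdict

# Constructed sample: one forest, two domains (corp and emea). All values invented.
USERS = [
    {"dn": "CN=E10001,OU=Users,DC=corp,DC=example", "domain": "corp",
     "sAMAccountName": "E10001", "givenName": "Ted", "sn": "Smith",
     "mailNickname": "ted.smith"},
    {"dn": "CN=E10002,OU=Users,DC=corp,DC=example", "domain": "corp",
     "sAMAccountName": "E10002", "givenName": "Ted", "sn": "Smith",
     "mailNickname": "Ted.Smith"},          # collides with E10001 once case is folded
    {"dn": "CN=E10003,OU=Users,DC=emea,DC=example", "domain": "emea",
     "sAMAccountName": "E10003", "givenName": "Amy", "sn": "Chen",
     "mailNickname": "E10003"},             # follows the mailNickname == sAMAccountName convention
    {"dn": "CN=E10001,OU=Users,DC=emea,DC=example", "domain": "emea",
     "sAMAccountName": "E10001", "givenName": "Alan", "sn": "Jones",
     "mailNickname": "alan.jones"},         # legal per domain, but a forest-wide sAMAccountName duplicate
]


def duplicates(users, attr):
    """Return {value: [dn, ...]} for every value of attr shared by more than one user.
    Values are lower-cased first: sAMAccountName and mailNickname are not case-sensitive."""
    seen = defaultdict(list)
    for u in users:
        seen[u[attr].lower()].append(u["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


def mismatched_nickname(users):
    """DNs whose mailNickname differs from sAMAccountName, the convention the thread recommends."""
    return [u["dn"] for u in users
            if u["mailNickname"].lower() != u["sAMAccountName"].lower()]


def firstname_lastname_collisions(users):
    """Show which users would share a mailNickname if it were generated as firstname.lastname."""
    seen = defaultdict(list)
    for u in users:
        seen[f"{u['givenName']}.{u['sn']}".lower()].append(u["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


def audit(users):
    """Collect the findings. Duplicate mailNickname is listed first because the thread
    reports it affecting internal Exchange delivery; the others are hygiene warnings."""
    return {
        "duplicate_mailNickname": duplicates(users, "mailNickname"),
        "duplicate_sAMAccountName_forest_wide": duplicates(users, "sAMAccountName"),
        "mailNickname_not_sAMAccountName": mismatched_nickname(users),
        "firstname_lastname_would_collide": firstname_lastname_collisions(users),
    }


if __name__ == "__main__":
    for finding, hits in audit(USERS).items():
        print(f"{finding}: {hits}")
```

In a real environment the USERS list would come from an LDAP query against a global catalog (so that every domain in the forest is covered, which is exactly where per-domain sAMAccountName uniqueness stops helping), and the `duplicate_mailNickname` finding is the one to fix first.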
