Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's "AD as a
service" will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

> -----Original Message-----
> From: Almeida Pinto, Jorge de 
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 02, 2005 6:30 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Biggest AD Gripes
> 
> DFS-R is only supported for custom DFS namespaces. MS at the 
> moment does not support DFS-R for SYSVOL replication. MS 
> states that in the DFS-R overview document page 16
>  
> See: 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2&DisplayLang=en
>  
> QUOTE:
> 
> DFS Replication is not supported for SYSVOL replication in 
> Windows Server 2003 R2. Do not attempt to configure DFS 
> Replication on SYSVOL by disabling FRS and setting up a 
> replication group for SYSVOL. Continue to use FRS for SYSVOL 
> replication on domain controllers running Windows Server 2003 
> R2. FRS and DFS Replication can co-exist on the same member 
> server or domain controller.
> 
>  
> A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
>  
> Cheers
> #JORGE#
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
> Sent: Tue 8/2/2005 11:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Biggest AD Gripes
> 
> 
> 
> * Using the new DFS-Replication mechanism in R2 for the SYSVOL 
> 
> This is available AFAIK if all your servers are running R2 :P 
> 
> Carlos Magalhaes 
> 
> -----Original Message----- 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells 
> Sent: 02 August 2005 09:59 PM 
> To: Send - AD mailing list 
> Subject: RE: [ActiveDir] Biggest AD Gripes 
> 
> http://www.novell.com  :o) 
> 
> Bloody NetWare bigot ... 
> 
> -- 
> Dean Wells 
> MSEtechnology 
> * Email: [EMAIL PROTECTED] 
> http://msetechnology.com 
> 
> 
> -----Original Message----- 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de 
> Sent: Tuesday, August 02, 2005 2:06 PM 
> To: ActiveDir@mail.activedir.org 
> Subject: RE: [ActiveDir] Biggest AD Gripes 
> 
> A while ago I put some AD feature thoughts in a textfile not knowing 
> what to do with them at that moment 
> 
> Here goes: 
> 
> * Active Directory thoughts: 
>         * OU = security principal 
>         * Possibility to merge Forests 
>         * "Cut and paste" a domain from one forest to another 
>         * Domain concept: 
>                 * Domain controller -> directory server (not specific to a certain domain, but hosting naming contexts) 
>                 * Password policies not only per domain but also per OU 
>                 * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS -> Aliases?) 
>                 * Multiple replication boundaries (naming contexts) per directory server 
>                 * Remove domain as an entity. Forest is only entity needed 
>         * Integrate file system and possible other resources into the directory (e.g. search where security principals are used) 
>         * Permissioning TOP-DOWN and BOTTOM-UP (file system) 
>         * Delegation of Control: ability to dictate MEMBERS attribute AND the MEMBEROF attribute (so the possibility exists to dictate which users can be added to what groups) 
>         * Disabling sidhistory? 
>         * Loginscripts at container level 
>         * Using the new DFS-Replication mechanism in R2 for the SYSVOL 
> 
> Just some thoughts. Interesting? 
> 
> Cheers, 
> #JORGE# 
> 
> 
> -----Original Message----- 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe 
> Sent: Tuesday, August 02, 2005 18:25 
> To: ActiveDir@mail.activedir.org 
> Subject: [ActiveDir] Biggest AD Gripes 
> 
> So what are everyone's biggest AD Gripes? I am not talking about 
> gripes about things that use AD like GPOs[1] or Exchange or NFS or 
> anything else like that. I mean actual AD really missed the boat 
> because of this that or the other thing. 
> 
> Like 
> 
> o I dislike that when you defunct an attribute it doesn't purge the 
> information in the directory for that attribute. 
> 
> o The fact that AD Security policy is managed through a technology 
> dependent on AD and replicates both within AD and the other technology. 
> 
> o I dislike that there is no true schema delete. 
> 
> o I dislike the fact that I can't specify which branches of the tree 
> replicate where. 
> 
> o I dislike the fact that GUIDs are represented in multiple ways in 
> the directory. 
> 
> o I dislike the implementation of property sets especially since they 
> could be so incredibly awesomely cool. Specifically I dislike that an 
> attribute can only be in a single property set. 
> 
> o I dislike creator/owner on SDs. 
> 
> o I dislike the lack of configurable business rules. 
> 
> o I dislike the fact that I can't run multiple domains on a single 
> domain controller. 
> 
> 
> 
> Etc etc. I have more but let's see what others say. Everyone pipe up. 
> Let's pretend that MS will actually see this, let's further say let's 
> pretend MS AD Developers will see this. What would you tell them if 
> you were sitting in the room with them? 
> 
> 
> 
>    joe 
> 
> 
> 
> 
> 
> [1] I do not consider GPOs to be part of AD. They are a technology 
> that leverages AD. 
> 
> List info   : http://www.activedir.org/List.aspx 
> List FAQ    : http://www.activedir.org/ListFAQ.aspx 
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/ 
> 
> 