Ever since Exchange 2000 the saying has been that if you want to be an Exchange administrator you need to be a programmer.  It really hasn't been much different with AD.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

It is surprising no one has responded to this with the "pat" answer... this is describing MIIS and the workflow piece they have built into it and the idea being that AD is simply a store. MIIS supplies the business logic such as triggers and dynamic updates, etc. I don't necessarily agree with it, but it is what Stuart Kwan (of the Ottawa Kwan Clan) has been saying at DEC for the last few years. I personally would like to see more logic and triggers, etc in AD as well as more extensible functionality like the password filters, etc that are fully supported. I dislike the idea that I may need to spin up an entirely different product as well as SQL Server to manage my AD environment. If MIIS started using ESE I would be that much closer to accepting it because then I don't have a database product that I have to install and pay special attention to (not to mention buy at some ridiculous price), it is a back end black box piece. I just was chatting with an MCS guy who had to work on a MS Product last week that back ended into SQL and they went to move it and it was a disaster. Possibly MS could make it so that SQL backend could be as smooth to use as ESE is in the backend of AD (how much work have you really had to do on your ESE Database? How many tools are available to do so? That will give an indication of how much the tools are needed.) but I haven't seen it yet. I recall when MS came to one of my customers to work on piloting MOM with the SQL backend and what a disaster that was, and in talking to the MCS guys, it wasn't a one off. More logic has to be in the application in order to use ESE over SQL, but maybe that is what some of these apps need, more logic.
 
As for the advanced scripters part... my 10 or less year prediction... if you want to stay in an IT position, I highly recommend becoming an advanced scripter if not an admin with full blown programming capability. Companies are going to continue slimming down and the technologies are going to handle more and more of the "simple things" automatically meaning if you don't have the advanced scripting/architecting/troubleshooting skills, the chances are not good to remain working on the stuff. You will slowly get overwhelmed as more stuff gets loaded on to the point that you are no longer effective without advanced scripting skills and someone who is will remain when the company decides to save more money and a good chunk of the staff gets cut. I see the Server Foundation aka Server Core OS pushing this even harder when companies deploy more and more headless machines with no GUI to speak of. I have already been seeing this where groups that used to have large numbers of admins are whittled down to maybe a third of what they had with only the people with serious automation skills remaining behind. Which is actually a favor for those that don't have those skills as they would be completely overwhelmed in short order. I visualize us moving to two extremes for corporate IT Admins, the people watching colored lights where there is a requirement for an actual person to be looking at a screen versus depending on automated paging systems, etc (there are customers that require this) and the high end advanced admins. Small business shops are where I see most of the other admins going to (if they stay in admin work) and possibly Susan can speak to where she thinks scripting and such is going in that world as she has her finger on the pulse of SBS. 
SBS can't be run, at this time, on Server Core, it has too much junk in the trunk so it will continue looking like the servers of today until MS works out how to make them run on Core and then I visualize one Susan running SBS for many companies from the comfort of her home with better and better scripts and tools or some company that specializes in running small businesses like that if they don't already exist.
 
Look at it this way, companies and admins are all complaining about how much time they have to spend on stupid things like patching and clicking on this or that or whatever it is they feel is a waste of time. MS is listening, MS is reacting, MS is fixing. Us as admins complain because we don't want to worry about stupid things. Companies complain because they want to reduce their systems management costs. The more the systems handle themselves, the less they need admins doing it. Not saying we will ever get to a point where admins aren't needed, but the number of them will surely reduce dramatically and only the very useful or the very very cheap will tend to hang around. Having very strong scripting skills makes someone very useful. Centralization and work force reduction will continue to be the norm and in fact will probably accelerate.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Friday, October 07, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I would like a better way of making bulk changes to AD. There seems to be caveats with every scripting method. Also some more advanced management like maybe a way to create new users and automatically e-mail their superior based on an attribute in the user account with the new account information. Maybe there are ways to do these things via advanced scripting, but I would like an easier way for those of us admins who are not advanced scripters.

 

 

Dan

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

 

I’m not saying we need a better solution here, and there are factors due to the internal/external nature of our business that PSS (I think) recommended the design we have.  When we built it, the empty root was widely considered to be the best design.  My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point).  We don’t really need load balancing for this size – but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down.  My point was that the directory is a database, but it’s tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they’re working on that, as I think Joe mentioned and is non-NDA).  Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory – a different database model than say SQL.  Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database?  Maybe not.  I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :)

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

 

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

 

Phil

 

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a nobrainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not
sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the
fact that VS is available and can run DCs. Also the Server Core DCs helps
here as well as the DCs will have a smaller footprint. If folks are NOT in
agreement with that assessment, definitely speak up, it is too late for
Longhorn but possibly the opportunity exists to convince them for BlackComb.

joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] ] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now its called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
>
>
>    joe
>
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
>
> With Windows Vista on its way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
>
> Thanks
> Steven
>
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal law.
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address. Messages sent to
or from this e-mail address may be stored on the Applebee's International, Inc.
e-mail system.



NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you.


