Don't get lost in the details yet. I tried to give a specific example to help clarify the general concept of "I have switch labeled Hurray that shuts off legacy support", it launches Windows into a whole new non-NT compatible auth/authz system. It seems to me if we keep the legacy stuff in there, it is never going to go away because there is no impetus for it to go away.
Then again, maybe ADAM is the new model... Companies switch to using ADAM for auth/authz entirely and away from AD. However, that means having to build up the GPO model, etc in ADAM as well as Kerberos and other supporting pieces. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, October 10, 2005 12:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode Depends on how it's implemented. If it is really multiple AD domains/forests (full functionality for all three) then I would be all for it as it would greatly simplify multi-forest deployments and really be a cause for celebration for new deployments. However, it would be interesting to see how a multi-forest server would register itself and be advertised. Same for application of services and applications when they have one IP address to resolve to. I see this as a fundamental change that only has the advantage of reducing OS licensing costs. I haven't seen specs on BC, but would imagine that virtualization will eventually be included at some level either in the OS or in the hardware itself. At that point, is there a benefit to a multiple forest or domain on a single DC vs virtualization? I suspect the differences in cost would not be large. I'm not sure I'd like the stability issues per se. Hardware is cheap. Dirt cheap and if I can withstand the risk of multiple forests on a single OS/piece of hardware, I can probalby withstand three low-class servers. Or one larger with virtualization because the scenario that I would likely deploy into would not be a high-availability and high-traffic scenario. It would likely be a remote site with 200 or less users that needs access to resources in multiple forests. As for partition information or ldap identity stores, I already have ADAM available to me in the OS (R2) and can deploy many instances of that. It's not the LDAP abilities I'm after. It's the other NOS related information that appeals. Specifically for me, it would be multi-forest implementations that would be of interest. The drawback to me would be flushing my investment in other applications. I'm not interested enough in the end result to flush my legacy apps and the investment I have in them. My 0.04 anyway. >From: "joe" <[EMAIL PROTECTED]> >Reply-To: ActiveDir@mail.activedir.org >To: <ActiveDir@mail.activedir.org> >Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode >Date: Mon, 10 Oct 2005 10:32:26 -0400 > >To move this in a slightly different direction. How would people feel about >a BlackComb Super Forest Functional Mode where not only are DCs impacted >but >every machine touching the DCs are affected. I.E. MS allows multiple >domains >on a single DC but not for any pre-BlackComb clients. I.E. Complete break >with legacy capability? > >Personally I wouldn't mind seeing something like that but how do others >feel >about it. Once in this mode, no going back. Legacy clients pre-Blackcomb >have no clue how to use the domains, etc. > > > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick >Sent: Monday, October 10, 2005 10:10 AM >To: ActiveDir@mail.activedir.org >Subject: RE: [ActiveDir] Active Directory wish list > >While I generally agree this would be great, I have to ask about eDir and >it's authentication abilities. IIRC, multiple domains via LDAP only work >just fine. It's called ADAM in its latest incarnation. But for the >authentication[1] and other apps that support/work with AD to provide >identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a >multi-instance/single-server deployment. LDAP sure. The other apps, I'm not >so sure. > > >I'm curious, Charlie and Neil. What services do these SMB's offer that >they >need multiple instances of DC's? I realize that a best practice is to have >multiple servers that can provide some failure tolerant behaviors, but I'm >wondering what type of work a SMB does that requires multiple full blown AD >domain instances and therefore multiple servers etc. Can you expand that? > > >[1] LDAP is not an authentication protocol; Kerberos is though. > >-ajm >CCBW > > >From: <[EMAIL PROTECTED]> > >Reply-To: ActiveDir@mail.activedir.org > >To: <ActiveDir@mail.activedir.org> > >Subject: RE: [ActiveDir] Active Directory wish list > >Date: Mon, 10 Oct 2005 08:52:25 +0100 > > > >Maybe you should read about eDIR/NDS... :) Novell did this back in '93. > > > > > >-----Original Message----- > >From: [EMAIL PROTECTED] > >[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley > >[MVP] > >Sent: 06 October 2005 01:51 > >To: ActiveDir@mail.activedir.org > >Subject: RE: [ActiveDir] Active Directory wish list > > > >I'd be surprised if we see this in my lifetime, or at least before I > >retire. > > > >Ed Crowley MCSE+Internet MVP > >Freelance E-Mail Philosopher > >Protecting the world from PSTs and Bricked Backups!T > > > >-----Original Message----- > >From: [EMAIL PROTECTED] > >[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser > >Sent: Wednesday, October 05, 2005 2:34 PM > >To: ActiveDir@mail.activedir.org > >Subject: RE: [ActiveDir] Active Directory wish list > > > >What I want is to be able to run multiple domains on one OS > >installation and segment the directories from each other. That way I > >don't need to run multiple licenses of the OS, nor do I need hardware > >that can power 4 VMs. > >I already run VMs using VMWare in my test lab; it works but I'd prefer > >to be able to run AD as a service and have it be smart enough to be > >able to segment itself without needing a separate OS... > > > >********************** > >Charlie Kaiser > >W2K3 MCSA/MCSE/Security, CCNA > >Systems Engineer > >Essex Credit / Brickwalk > >510 595 5083 > >********************** > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley > > > [MVP] > > > Sent: Wednesday, October 05, 2005 10:07 AM > > > To: ActiveDir@mail.activedir.org > > > Subject: RE: [ActiveDir] Active Directory wish list > > > > > > You can. It's called Microsoft Virtual Server. > > > > > > Ed Crowley MCSE+Internet MVP > > > Freelance E-Mail Philosopher > > > Protecting the world from PSTs and Bricked Backups!T > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie > > > Kaiser > > > Sent: Tuesday, October 04, 2005 6:37 PM > > > To: ActiveDir@mail.activedir.org > > > Subject: RE: [ActiveDir] Active Directory wish list > > > > > > I'd also like to see the ability to run DCs for multiple domains on > > > the same server. SMBs with limited resources balk at having to buy > > > additional server hardware for redundancy on multiple domains, > > > especially when the AD load on the DCs is minimal. This feature > > > sounds > > > > > like an offshoot of your list below. > > > If you can run AD as a service, it might not be that hard to allow > > > multiple domains similar to multiple websites/DBs on one server... > > > > > > I remember discussing this with Stuart Kwan at DEC a couple of years > > > ago. I hope it makes it into the mix... > > > > > > ********************** > > > Charlie Kaiser > > > W2K3 MCSA/MCSE/Security, CCNA > > > Systems Engineer > > > Essex Credit / Brickwalk > > > 510 595 5083 > > > ********************** > > > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of joe > > > > Sent: Tuesday, October 04, 2005 4:25 PM > > > > To: ActiveDir@mail.activedir.org > > > > Subject: RE: [ActiveDir] Active Directory wish list > > > > > > > > Vista is the client OS. I don't believe they have named Longhorn > > > > Server yet.I am voting for something like Windows Server 5.4.0 or > > > > something like that. I realize that the marketing group would have > > > > something to say about it but I figure the best thing from > > > them is if > > > > they pronounced their thoughts from the bottom of Lake Washington. > > > > People don't install servers because they have cool names. > > > > > > > > The biggest non-NDA pieces that I have heard announced in > > > conferences > > > > or seen on the web already is the Read Only DC to limit security > > > > exposure for WAN deployments, restartable AD that can be > > > > stopped/started as necessary, DA/Admin separation so that > > > you can have > > > > an Admin on a DC that "can't" achieve Domain-wide DA level > > > rights, and > > > > DCs running on Server Foundation or now its called Server > > > Core which > > > > is a GUI-challenged Windows Server. > > > > > > > > I can also say that there are a myriad of GUI updates for the > > > > Admin tools though I can't state specifics. BJ Whalen who was > > > involved with > > > > the GPMC project has been brought in to work on admin > > > experience and > > > > anyone who has worked with GPOs with and without GPMC know that he > > > > really helped out. > > > > > > > > All in all, there is some very cool stuff and MS has really been > > > > listening to the community on what they want and need. I know that > > > > this list is watched for ideas and such and has been the source of > > > > DCRs internally. So if you have ideas, spout them here, > > > they will most > > > > certainly be heard. They may not make Longhorn as it is > > > getting a bit > > > > late to add major changes but your ideas could make it into a > > > > later rev. > > > > > > > > > > > > joe > > > > > > > > > > > > ________________________________ > > > > > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Steven > > > > Wood > > > > Sent: Monday, October 03, 2005 3:46 PM > > > > To: ActiveDir@mail.activedir.org > > > > Subject: [ActiveDir] Active Directory wish list > > > > > > > > > > > > Hi, > > > > > > > > With Windows Vista on it's way what's on people's wish list > > > as far as > > > > Active Directory is concerned? Also are there any big enhancements > > > > due? > > > > > > > > Thanks > > > > Steven > > > > > > > List info : http://www.activedir.org/List.aspx > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > List archive: > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > > > List info : http://www.activedir.org/List.aspx > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > List archive: > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > >List info : http://www.activedir.org/List.aspx > >List FAQ : http://www.activedir.org/ListFAQ.aspx > >List archive: > >http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > >List info : http://www.activedir.org/List.aspx > >List FAQ : http://www.activedir.org/ListFAQ.aspx > >List archive: > >http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > >PLEASE READ: The information contained in this email is confidential > >and intended for the named recipient(s) only. If you are not an > >intended recipient of this email please notify the sender immediately > >and delete your copy from your system. You must not copy, distribute or > >take any further action in reliance on it. Email is not a secure method > >of communication and Nomura International plc ('NIplc') will not, to > >the extent permitted by law, accept responsibility or liability for (a) > >the accuracy or completeness of, or (b) the presence of any virus, worm > >or similar malicious or disabling code in, this message or any > >attachment(s) to it. If verification of this email is sought then > >please request a hard copy. Unless otherwise stated this email: (1) is > >not, and should not be treated or relied upon as, investment research; > >(2) contains views or opinions that are solely those of the author and > >do not necessarily represent those of NIplc; (3) is intended for > >informational purposes only and is not a recommendation, solicitation > >or offer to buy or sell securities or related financial instruments. > >NIplc does not provide investment services to private customers. > >Authorised and regulated by the Financial Services Authority. > >Registered in England no. 1550505 VAT No. 447 2492 35. Registered > >Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the > >Nomura group of companies. > > > >List info : http://www.activedir.org/List.aspx > >List FAQ : http://www.activedir.org/ListFAQ.aspx > >List archive: > >http://www.mail-archive.com/activedir%40mail.activedir.org/ > > >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
