Well, that's really my point.  You can't really take away some of those
"apps" that exist today.  They're too ingrained in the way people use the
technology.  They really are the value add at the core of the product.
Otherwise, this would be fine by me:
http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built
in headache to manage.  But it also has a LOT less functionality that I need
which are provided by those apps that will one day be legacy. 

I can be open minded and forward thinking.  Let's just leave it at "provide
same or better functionality" as I get now to provide the push I need to
move to a new paradigm [1]. But if you plan to take that away, then I don't
see the value you provide (at this point). If you do provide a complete
instance for each of those, how does that differ from the VM path? Am I just
missing the concept here? I hate to be so close minded that I miss the
point, but I also don't want to be so open minded my brains fall out. I need
a boundary in an open forum. Just a beer in a closed forum. 

Seriously Joe, I get the concept of wanting this type of functionality.
What I don't get is the value it adds.  It comes across as a lot of trouble
for a gee-whiz feature with no substance that helps me attain my business
goals.  I'm more of the DC in a VM camp because I prefer the isolation.  Is
that old-school?  I don't know.  Does that help others out?  Not sure.
Would putting multiple domains on the same piece of hardware be helpful?
Without a doubt.  Does it need to be in the same instance of the hard.  Yep.
Does that mean that there could be multiple instances that all are
self-contained AD's complete with kerberos, dns, dhcp, wins (collectively
name res because one of those should not be in BC release; I'll let you
decide which one), GPO, etc?  I don't buy into that as having a tremendous
amount of value.  It would be nice to be able to do it for a lot of the
multi-forest models (test forest, production forest, exchange forest, Bob's
spam forest, etc) but I don't know that effort should be spent to do it that
way vs. using virtualization of the entire OS.  I see some stability issues
that could come about that I'm not comfortable with.  I see some
authentication and administration issues I'm not comfortable with.  I don't
see a value in terms of hardware savings.  That's not the issue IMHO. I can
achieve that today and be very happy with it.  

Don't get me wrong, I DO think that a service based AD is certainly needed.
Especially for maintenance and troubleshooting, but that's a different issue
that's much more easily solved.  But putting three, four, five, etc
authentication realms on the same hardware in the same OS instance doesn't
buy me much that I can see.  I don't see a cost savings.  I don't see a
reliability gain.  I don't see it being worth the upgrade PITA. I do see it
would be cool.  I don't see it as being faster to restore thereby achieving
a higher service reliability. 

Not to be long-winded, but I think I may just not be seeing it the right
way.  I may be thinking in terms of today's architecture and that it is
sooooooooo tied to the registry (For the love of <insert your deity here> is
that???) that it would not be truly separated in tomorrow's implementation.
That's likely a wrong assumption and I can easily get over that. But I don't
see the effort paying off if I have to discard 10 years of legacy software
applications and process trash to get to a point where I save a few dollars
on hardware vs. using VM technology (software or hardware based doesn't
matter to me in this conversation although I would prefer hardware to
alleviate any cross-over ties to the OS in case of failure; totally
autonomous and hardware separated [2])




[1] Buzz-word-bingo champ, cubicle farm #3, cubicle cluster #2 - 1998
[2] Right.  So any gains in hardware ability have historically resulted in
higher prices. That would likely negate the savings I might have had if I
had gone with multiple smaller hardware devices or if I had used software VM
[3]
[3] It's almost circular logic at some point <G>



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode


Don't get lost in the details yet. I tried to give a specific example to
help clarify the general concept of "I have a switch labeled Hurray that shuts
off legacy support", it launches Windows into a whole new non-NT compatible
auth/authz system. It seems to me if we keep the legacy stuff in there, it
is never going to go away because there is no impetus for it to go away. 

Then again, maybe ADAM is the new model... Companies switch to using ADAM
for auth/authz entirely and away from AD. However, that means having to
build up the GPO model, etc in ADAM as well as Kerberos and other supporting
pieces. 

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Depends on how it's implemented.  If it is really multiple AD
domains/forests (full functionality for all three) then I would be all for
it as it would greatly simplify multi-forest deployments and really be a
cause for celebration for new deployments.  However, it would be interesting
to see how a multi-forest server would register itself and be advertised.  
Same for application of services and applications when they have one IP
address to resolve to.

I see this as a fundamental change that only has the advantage of reducing
OS licensing costs.  I haven't seen specs on BC, but would imagine that
virtualization will eventually be included at some level either in the OS or
in the hardware itself.  At that point, is there a benefit to a multiple
forest or domain on a single DC vs virtualization?

I suspect the differences in cost would not be large. I'm not sure I'd like
the stability issues per se. Hardware is cheap. Dirt cheap and if I can
withstand the risk of multiple forests on a single OS/piece of hardware, I
can probably withstand three low-class servers.  Or one larger with
virtualization because the scenario that I would likely deploy into would
not be a high-availability and high-traffic scenario. It would likely be a
remote site with 200 or less users that needs access to resources in
multiple forests.

As for partition information or ldap identity stores, I already have ADAM
available to me in the OS (R2) and can deploy many instances of that.  It's
not the LDAP abilities I'm after.  It's the other NOS related information
that appeals.  Specifically for me, it would be multi-forest implementations
that would be of interest.

The drawback to me would be flushing my investment in other applications.  
I'm not interested enough in the end result to flush my legacy apps and the
investment I have in them.


My 0.04 anyway.

>From: "joe" <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: <ActiveDir@mail.activedir.org>
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>Date: Mon, 10 Oct 2005 10:32:26 -0400
>
>To move this in a slightly different direction. How would people feel 
>about a BlackComb Super Forest Functional Mode where not only are DCs 
>impacted but every machine touching the DCs are affected. I.E. MS 
>allows multiple domains on a single DC but not for any pre-BlackComb
>clients. I.E. Complete break with legacy capability?
>
>Personally I wouldn't mind seeing something like that but how do others
>feel about it. Once in this mode, no going back. Legacy clients
>pre-Blackcomb have no clue how to use the domains, etc.
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, October 10, 2005 10:10 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>While I generally agree this would be great, I have to ask about eDir and
>its authentication abilities.   IIRC, multiple domains via LDAP only work
>just fine.  It's called ADAM in its latest incarnation.  But for the 
>authentication[1] and other apps that support/work with AD to provide 
>identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a 
>multi-instance/single-server deployment. LDAP sure. The other apps, I'm 
>not so sure.
>
>
>I'm curious, Charlie and Neil.  What services do these SMB's offer that
>they need multiple instances of DC's? I realize that a best practice is to
>have multiple servers that can provide some failure tolerant behaviors, but
>I'm wondering what type of work a SMB does that requires multiple full blown
>AD domain instances and therefore multiple servers etc. Can you expand that?
>
>
>[1] LDAP is not an authentication protocol; Kerberos is though.
>
>-ajm
>CCBW
>
> >From: <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: <ActiveDir@mail.activedir.org>
> >Subject: RE: [ActiveDir] Active Directory wish list
> >Date: Mon, 10 Oct 2005 08:52:25 +0100
> >
> >Maybe you should read about eDIR/NDS... :) Novell did this back in 
> >'93.
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
> >[MVP]
> >Sent: 06 October 2005 01:51
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >I'd be surprised if we see this in my lifetime, or at least before I 
> >retire.
> >
> >Ed Crowley MCSE+Internet MVP
> >Freelance E-Mail Philosopher
> >Protecting the world from PSTs and Bricked Backups!T
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> >Kaiser
> >Sent: Wednesday, October 05, 2005 2:34 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >What I want is to be able to run multiple domains on one OS 
> >installation and segment the directories from each other. That way I 
> >don't need to run multiple licenses of the OS, nor do I need hardware 
> >that can power 4 VMs. I already run VMs using VMWare in my test lab; 
> >it works but I'd prefer to be able to run AD as a service and have it 
> >be smart enough to be able to segment itself without needing a 
> >separate OS...
> >
> >**********************
> >Charlie Kaiser
> >W2K3 MCSA/MCSE/Security, CCNA
> >Systems Engineer
> >Essex Credit / Brickwalk
> >510 595 5083
> >**********************
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Ed 
> > > Crowley [MVP]
> > > Sent: Wednesday, October 05, 2005 10:07 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > You can.  It's called Microsoft Virtual Server.
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Freelance E-Mail Philosopher
> > > Protecting the world from PSTs and Bricked Backups!T
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> > > Kaiser
> > > Sent: Tuesday, October 04, 2005 6:37 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > I'd also like to see the ability to run DCs for multiple domains 
> > > on the same server. SMBs with limited resources balk at having to 
> > > buy additional server hardware for redundancy on multiple domains, 
> > > > especially when the AD load on the DCs is minimal. This feature 
> > > > sounds like an offshoot of your list below.
> > > If you can run AD as a service, it might not be that hard to allow 
> > > multiple domains similar to multiple websites/DBs on one server...
> > >
> > > I remember discussing this with Stuart Kwan at DEC a couple of 
> > > years ago. I hope it makes it into the mix...
> > >
> > > **********************
> > > Charlie Kaiser
> > > W2K3 MCSA/MCSE/Security, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **********************
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > > Sent: Tuesday, October 04, 2005 4:25 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: RE: [ActiveDir] Active Directory wish list
> > > >
> > > > > Vista is the client OS. I don't believe they have named Longhorn 
> > > > > Server yet. I am voting for something like Windows Server 5.4.0 
> > > > > or something like that. I realize that the marketing group would 
> > > > > have something to say about it but I figure the best thing from
> > > > > them is if they pronounced their thoughts from the bottom of Lake 
> > > > > Washington. People don't install servers because they have cool 
> > > > > names.
> > > >
> > > > > The biggest non-NDA pieces that I have heard announced in
> > > > > conferences or seen on the web already is the Read Only DC to limit
> > > > > security exposure for WAN deployments, restartable AD that can be 
> > > > > stopped/started as necessary, DA/Admin separation so that you can
> > > > > have an Admin on a DC that "can't" achieve Domain-wide DA level
> > > > > rights, and DCs running on Server Foundation or now it's called
> > > > > Server Core which is a GUI-challenged Windows Server.
> > > >
> > > > > I can also say that there are a myriad of GUI updates for the 
> > > > > Admin tools though I can't state specifics. BJ Whalen who was
> > > > > involved with the GPMC project has been brought in to work on admin
> > > > > experience and anyone who has worked with GPOs with and without
> > > > > GPMC know that he really helped out.
> > > >
> > > > > All in all, there is some very cool stuff and MS has really been 
> > > > > listening to the community on what they want and need. I know 
> > > > > that this list is watched for ideas and such and has been the 
> > > > > source of DCRs internally. So if you have ideas, spout them 
> > > > > here, they will most certainly be heard. They may not make
> > > > > Longhorn as it is getting a bit late to add major changes but
> > > > > your ideas could make it into a later rev.
> > > >
> > > >
> > > >    joe
> > > >
> > > >
> > > > ________________________________
> > > >
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Steven 
> > > > Wood
> > > > Sent: Monday, October 03, 2005 3:46 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Active Directory wish list
> > > >
> > > >
> > > > Hi,
> > > >
> > > > > With Windows Vista on its way what's on people's wish list
> > > > > as far as Active Directory is concerned? Also are there any big 
> > > > > enhancements due?
> > > >
> > > > Thanks
> > > > Steven
> > > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive: 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive: 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ    : http://www.activedir.org/ListFAQ.aspx
> >List archive: 
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ    : http://www.activedir.org/ListFAQ.aspx
> >List archive: 
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >