Agreed - the legacy APIs pose a serious problem in many cases.  

After noodling over the LDAP issue a little more, and recalling that
ports are specified in the SRV records :), any AD-aware or SRV-aware
system/application should be able to handle multiple instances of LDAP
on a single server (assuming they are each using a different port or
IP).

The SYSVOL issue is also negligible as, like you said, the file system
hierarchy was clearly designed with the domain name embedded.  The only
issue here that remains (in its current incarnation) is that of data
replication.  Given the advancements shown in DFSR this should be easily
overcome with the only problem being replicating data to places it
should not be (i.e. a legacy DC running some antiquated OS like W2K or
W2K3 pre-R2 ;-).

There are of course other unhandled issues such as which domain should
the IUSR_Machine user object be created in if IIS is installed/running
on a multi-domain capable DC?  (Or better yet, should the IUSR account
exist at all?)  Regardless, there is a substantial trail of legacy
issues that have to be handled before multi-domain DCs can come to
fruition.  Of course we should more properly be talking about
multi-forest DCs as opposed to multi-domain DCs - or does that just blur
the entire security boundary issue a bit too much?

Needless to say, given the current technology, using virtual guest
operating systems atop your favorite virtualization product is a viable
way to generally satisfy the need for running multiple domains on a
single piece of hardware, as opposed to the desire of running them all on
a single OS instance, albeit at a higher theoretical cost for system
management and other pay-for software that is installed in each
instance.


Aric
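Worked illustration of the SRV-record point made above (added example for this page, not code from the thread or from any Microsoft client). The zone text is constructed: a single hypothetical host, dc1.corp.example, serves LDAP for three made-up domains on three different ports, so only the port carried in each SRV record distinguishes them. The selection follows RFC 2782 (lowest priority, then weighted random), and the caveat a practitioner should take away is that a client which ignores the SRV port and hardcodes 389 would, on such a shared host, be talking to a different domain's directory than the one it resolved.

```python
"""SRV-driven LDAP endpoint selection: added example, not code from the thread.

Models the case discussed above: one host answering LDAP for several domains,
each on its own port, so the SRV port is the only thing telling them apart.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.corp.example.
    priority: int
    weight: int
    port: int
    target: str    # host name with trailing dot removed


# Constructed sample zone (hypothetical names and ports, not real DNS data).
SAMPLE_ZONE = """\
; _ldap._tcp.<domain>     TTL IN SRV prio weight port  target
_ldap._tcp.corp.example.   600 IN SRV 0  100 389   dc1.corp.example.
_ldap._tcp.corp.example.   600 IN SRV 0  100 389   dc2.corp.example.
_ldap._tcp.corp.example.   600 IN SRV 10 0   389   dc3.corp.example.
_ldap._tcp.test.example.   600 IN SRV 0  100 10389 dc1.corp.example.
_ldap._tcp.lob.example.    600 IN SRV 0  100 11389 dc1.corp.example.
"""

_SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_zone(text: str) -> list[SrvRecord]:
    """Parse zone-style SRV lines. Blank and ';' comment lines are skipped;
    any other line that does not match is an error, not a dropped record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_RE.match(line)
        if m is None:
            raise ValueError(f"malformed SRV line: {line!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {line!r}")
        records.append(SrvRecord(
            name=m["name"].lower(),
            priority=int(m["prio"]),
            weight=int(m["weight"]),
            port=port,
            target=m["target"].lower().rstrip("."),
        ))
    return records


def ldap_records(records: list[SrvRecord], domain: str) -> list[SrvRecord]:
    """The _ldap._tcp SRV set for one DNS domain (what a client asks DNS for)."""
    owner = f"_ldap._tcp.{domain.lower().rstrip('.')}."
    return [r for r in records if r.name == owner]


def select_endpoint(records: list[SrvRecord],
                    rng: random.Random | None = None) -> tuple[str, int]:
    """Pick (host, port) per RFC 2782: lowest priority wins, then a weighted
    random choice inside that priority. The port always comes from the record."""
    if not records:
        raise LookupError("no SRV records for this service")
    if rng is None:
        rng = random.Random()
    lowest = min(r.priority for r in records)
    # Weight-0 records are ordered first so they are chosen only when
    # every record in the priority group has weight 0 (RFC 2782 ordering).
    pool = sorted((r for r in records if r.priority == lowest),
                  key=lambda r: r.weight != 0)
    total = sum(r.weight for r in pool)
    if total == 0:
        chosen = rng.choice(pool)
    else:
        pick = rng.randint(0, total)        # inclusive range per RFC 2782
        running = 0
        for r in pool:
            running += r.weight
            if running >= pick:
                chosen = r
                break
    return chosen.target, chosen.port


def ports_per_host(records: list[SrvRecord]) -> dict[str, set[tuple[str, int]]]:
    """Map each target host to the (domain, port) pairs it serves; on a host
    that fronts several domains this is exactly why the port must be honoured."""
    out: dict[str, set[tuple[str, int]]] = {}
    for r in records:
        domain = r.name[len("_ldap._tcp."):].rstrip(".")
        out.setdefault(r.target, set()).add((domain, r.port))
    return out


if __name__ == "__main__":
    recs = parse_srv_zone(SAMPLE_ZONE)
    for dom in ("corp.example", "test.example", "lob.example"):
        print(dom, "->", select_endpoint(ldap_records(recs, dom)))
    print(ports_per_host(recs)["dc1.corp.example"])
```

Running it shows test.example and lob.example both resolving to dc1.corp.example, on 10389 and 11389 respectively, while corp.example lands on dc1 or dc2 port 389 (dc3 is priority 10 and is only used when the priority-0 servers are absent).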

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I don't think the issue is there. When you make an LDAP call, you specify
where you want to go, the hierarchy is all there and required in the call.
Also I don't believe the issue is in SYSVOL, if you look at the sysvol
structure, it has the domain component in there. In fact when I first saw
that in say Oct 1999 in the gold product I was thinking... Hmmmm is MS
thinking about supporting multiple domains from a single DC? One of the big
issues is at the level of all of the old NET style calls. You specify a
server, not a domain, then it assumes there is one auth point on that one
server (i.e. one SAM in the old days) and it works it. If a call came in for
user bob on server123 and there were three domains or partitions or x hosted
all of which have bob, which one gets sent back?

If the old NET functionality got dumped, I would be rewriting quite a bit of
code. The only reason I am not already doing it is that there is no impetus
to, it works, I don't have to worry about it. At the same time, that holds
back from doing newer and cooler things if MS did offer the option to move
on. If that option were there though... I would start rewriting to get to
it. At the present time, there is no sign of the death of the NET API so
there is no reason to rewrite something that works fine using it unless
there is some other reason (like you need something that isn't accessible
through the API). Even on this list which has a lot of the more eager
techofolks, we discuss the WinNT provider and other NET API based methods
quite a bit for accessing AD. How come everyone isn't only using the LDAP
methods? Answer, because the NET API methods still work for many things.





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can
act as a routing, queuing, and parsing mechanism to determine which LDAP
namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the
various LDAP namespaces supported should be compatible with today's
implementation and existing client capabilities.  However, some of the other
facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted
for but I suppose similar proxy methods could be developed to support these
subsystems as well...


Aric

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have
9 VMs running on one server. It's choking for more RAM, but management won't
foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hdw to run the
VMs I could use VMs more gracefully.
I've used/use desktop hdw to run testlab machines, but scalability and user
experience testing is indeed a factor for some things.
The underlying "wish" here was to be able to put multiple AD DCs on one
piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be
able to run 3 domains on one, with AD running as a service, kinda like the
way IIS can run multiple websites, or SQL can run multiple DBs (although
it's at a lower level than either of those apps). If I could run 3 domains
on 2 servers instead of 6, I would imagine that I'd save on licensing costs
as well as hdw, since running an AD service would likely be less hdw
intensive than running an OS...
We can dream, can't we? :-)
We can dream, can't we? :-)


**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for you? I'm 
> trying to understand the difference between that and a multiple domain
> DC for that scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?) have 
> always worked well for me in the past when doing functionality 
> testing.
> Scalability requires full-blown hardware. But I'm not seeing where VM 
> environments aren't working as well as you'd like a physical 
> environment to work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured to host 
> mulitple domains because I could designate one to be the failover for 
> several domains.  Otherwise, I'm not sure I get it. Is this like a 
> LPAR concept you're talking about? That would be more helpful to you 
> in these situations?
> If so, how is that different than VM's?
> 
> Test environments are notoriously able to take down servers without 
> warning.
> I would often prefer to use a VM to decrease that risk of consuming 
> all resources to destruction. That provides some isolation while not 
> requiring extra hardware.
> 
> VM's require licenses (the OS and apps do) FWIW. You're only saving on
> the hardware and environmentals that I can see, but I'm trying to 
> understand what I'm missing.
> 
> 
> ----- Original Message -----
> From: "Charlie Kaiser" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Monday, October 10, 2005 11:05 AM
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> 
> For us, it's the ability to run parallel domains for test/development 
> purposes. We have our production domain, my IT test domain, and our 
> LOB application test domain. I'd have another IT test domain if I had 
> the available hardware right now.
> We are required to test and document all changes to the LOB app and a 
> significant number of people work in that test domain.
> Running it on VMs
> or old hardware doesn't cut it gracefully, although that's what I do.
> Since management won't write the check for additional 
> hardware/licenses, we do what we can.
> But if we had one beefy server to replace 3, and one server license to
> replace 3, it would be much more cost effective to do, and would 
> increase performance for the user community.
> In my last gig, we had multiple domains that were used for development
> and customer support departments. The support kids especially needed 
> multiple domains to recreate customer environments and various 
> software versions.
> I can think of a lot of reasons to need multiple domains/forests in an
> SMB environment. Regulatory compliance, 24x7 availability that 
> mandates full testing prior to implementation in production, customer 
> support domains, etc. Just because a business is small doesn't mean it
> can't have complex requirements...
> 
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> > Sent: Monday, October 10, 2005 7:10 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> > 
> > I'm curious, Charlie and Neil.  What services do these SMB's offer that
> > they need multiple instances of DC's? I realize that a best practice is to 
> > have multiple servers that can provide some failure tolerant 
> > behaviors, but I'm wondering what type of work a SMB does that 
> > requires multiple full blown AD domain instances and therefore 
> > multiple servers etc. Can you expand that?
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 