re: "some virtualization and isolation of processes and threads ..."
A CS teacher once told me that in general in computers whenever you hear
the word "virtual", you can replace with "slow" ...
- virtual memory (yeah, yeah I'm really thinking of paging, not VM,
but I used a Mac first, so it stuck with me.)
- virtual machine
- virtual reality (though getting fastish these days)
-
But for the most part it is true.
To actually virtualize threads, processes, (and in this case we're
probably thinking the subcomponents in lsass: Kerb, NTLM, SAM, LSA, AD)
you may not be willing to pay the perf cost. And subsequently the
hardware cost to handle the same load. Usually you don't need hard
virtualization just good architecture to achieve most of the benefits of
good isolation.
Also there is a cost to isolation (whether through virtualization or
architecture), it almost always implies "a hop", some sort of link that
has a certain liklihood to break. In many circumstances isolation
actually decreases overall system stability (and diagnosability often
decreases too) for the purpose of taking in some sort of more dynamic
flexibility.
I don't know what brought out that spout of abstract crap ...
Cheers,
-BrettSh [msft]
On Tue, 11 Oct 2005, Al Mulnick wrote:
> You know what would really be great? If Microsoft were to make it so that
> the architecture didn't allow those quirky little things that occur in the
> products when they are deployed together on the same machines. Like
> Exchange not using any other DC if it's deployed on a DC type of quirk.
>
> Some real virtualization and isolation of processes and threads so that if
> something were to crash (heavens forbid) it couldn't make a big mess of the
> rest of the platform. Across all product lines.
>
> Why?
>
> Because the real value Microsoft has over other products out there is that
> their products have the same look and feel and work together easily which
> translates to lower integration/acquisition/deployment costs if I use their
> products. If I try to "save" money by going with something else that I have
> to customize in-house, I may not be able to do so as well, as easily or as
> cost-effectively.
>
> Because eventually I have to pay the programmers, architects, and support
> costs and since I'm not a tech company, I am not geared to do that. I can
> either lower my quality, my expectations, or my costs, but likely not all
> three if I roll my own large products.
>
> Seriously, getting rid of legacy baggage is fine and dandy as long as there
> is a reason other than complaining. I notice that the *nix crowd has their
> own problems. If I were to write something for a *nix platform, my first
> choice is to figure out which manufacturer? Then which version. Then what
> hardware platform in some cases. I don't have that with Microsoft products
> to the same extent. To me, they sit somewhere between Macintosh/Mainframe
> and *nix platforms. Mac/MF is very controlled in terms of revision and
> hardware (from the manufacturer of course). *nix is more open if you
> include the linux crowd which makes stability much more difficult.
> Microsoft is x86/x64 based. Some choices, but also a lot of same old at the
> OS level.
>
> If I were to write an app, it would likely be targeted at WindowsXP first.
> Then I'd figure out a path to go to some of the intel based *nix distros.
> Several companies are going the other direction as well, from *nix platforms
> to Windows to follow the customers. But the reason I would take that
> approach is to get the app to the widest possible audience first and then
> chase the other customers.
>
> Kill the legacy. Ok. Timelines and how you get the app developer ecosystem
> to come along or be there first are the questions to answer.
>
> Does that mean scrapping the domain model? Hmm... Not sure. Does it mean
> scrapping the security model? Maybe. What about blurring lines between my
> network and your network? Better do that else risk being left in the closet.
>
>
> What about the desktops? Anything radical? Depends on above I think, as
> long as the NOS concept stays intact. Should it?
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, October 10, 2005 8:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
>
> Again, I am speaking legacy baggage. If you were a UNIX developer, would you
> rather stick to writing to old proprietary interfaces or using standards
> based interfaces like LDAP and Kerberos, etc. Again, all of the integration
> going on now is working in those areas. Those areas will move fine into the
> new realms. It is the old NET based stuff that need to be burned out of the
> product. Exactly the stuff that all of the non-MS folks have bitched about
> year after year. Dumping the legacy gives us a chance to move forward and
> not be stuck with the idea that a DC is x and can't be anything but x.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 6:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
> Hmm... No, I disagree joe. Microsoft does need to worry about adoption of
> their products and any barriers, real or imagined, to that adoption. *nix
> integration is a reality. Get used to it. Be sure to take it into account
> for future releases. Be sure to protect the investment of your developer
> followers [1]. Create a framework that developers can develop to and be
> somewhat future proof else your customers won't adopt your products.
> Remember, customers don't buy operating systems for the sake of the
> operating system, they buy them for what they do and what they contribute to
> their business. It's the applications that the company wants to run that
> causes people to buy new OS and new hw. 64bit computing would be a great
> example of that. And MS gets it as evidenced by their strategy to embrace
> the developers prior to the release. It's about the applications not the
> OS. It's just that the applications don't exist without a solid foundation
> such as a really strong, reliable, and easy to maintain OS running the
> hardware.
>
> It takes time to build the ecosystem, but adoption only happens when there
> is a compelling reason. Apps are that reason.
>
>
> [1] Developers! Developers! Developers! ~ SteveB [2] [2] remember why he
> said that? Because they totally dissed the dev community prior to that.
> Badly. And paid the price for it.[3] [3] why do people pick Microsoft in the
> first place? Because they have the absolute latest and greatest technology?
> Nope. Because they have the best technology? Nope (seen RMS lately? I rest
> that case) Because they have the most applications written for their
> platform? Yep. Can't swing a dead cat without hitting a MS application. Even
> open source writes apps that run on Windows because they want their apps
> adopted.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, October 10, 2005 4:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
>
> > - Blackcomb clients would need to be available several years before
> > the
> blackcomb server.
>
> Well no, that is why you have the functional mode associated with it. It
> doesn't just happen, the customer chooses to do it. Someone setting up a
> brand new environment would be good to go immediately. Someone with legacy
> that they are trying to clean up could take as long as they like. The
> benefit is that it is a step forward.
>
> > - Impact on non-Windows clients would need to be assessed. [SAMBA,
> > nix,
> Mac etc]
>
> By the vendors who supply those clients and the people who have them
> deployed, yes. Not MS. Part of the reason we are stuck with so much legacy
> baggage is due to MS worrying so much about the legacy clients that they do
> not control. There are some great blogs out there of stuff MS has done to
> make it so incorrectly written apps work with their changes and results in
> all sorts of special cases in the OS. That is the kind of stuff I would like
> to see going away. It makes MS more limber and hopefully less chance for
> weird corner cases.
>
>
> The new model may not look anything like the current model, the fact that
> you have a functional mode to jump to this mode allows the customer to
> choose when to go to it. At some point, maybe two revs past Blackcomb, that
> new mode is the mode Windows uses and all legacy is gone.
>
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, October 10, 2005 11:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
> 2 immediate comments:
>
> - Blackcomb clients would need to be available several years before the
> blackcomb server.
> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac
> etc]
>
>
>
> neil
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 10 October 2005 15:32
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
> To move this in a slightly different direction. How would people feel about
> a BlackComb Super Forest Functional Mode where not only are DCs impacted but
> every machine touching the DCs are affected. I.E. MS allows multiple domains
> on a single DC but not for any pre-BlackComb clients. I.E. Complete break
> with legacy capability?
>
> Personally I wouldn't mind seeing something like that but how do others feel
> about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
> have no clue how to use the domains, etc.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:10 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> While I generally agree this would be great, I have to ask about eDir and
> it's authentication abilities. IIRC, multiple domains via LDAP only
> work
> just fine. It's called ADAM in its latest incarnation. But for the
> authentication[1] and other apps that support/work with AD to provide
> identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
> multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
> so sure.
>
>
> I'm curious, Charlie and Neil. What services do these SMB's offer that they
> need multiple instances of DC's? I realize that a best practice is to have
> multiple servers that can provide some failure tolerant behaviors, but I'm
> wondering what type of work a SMB does that requires multiple full blown AD
> domain instances and therefore multiple servers etc. Can you expand that?
>
>
> [1] LDAP is not an authentication protocol; Kerberos is though.
>
> -ajm
> CCBW
>
> >From: <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: <ActiveDir@mail.activedir.org>
> >Subject: RE: [ActiveDir] Active Directory wish list
> >Date: Mon, 10 Oct 2005 08:52:25 +0100
> >
> >Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
> >[MVP]
> >Sent: 06 October 2005 01:51
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >I'd be surprised if we see this in my lifetime, or at least before I
> >retire.
> >
> >Ed Crowley MCSE+Internet MVP
> >Freelance E-Mail Philosopher
> >Protecting the world from PSTs and Bricked Backups!T
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> >Sent: Wednesday, October 05, 2005 2:34 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >What I want is to be able to run multiple domains on one OS
> >installation and segment the directories from each other. That way I
> >don't need to run multiple licenses of the OS, nor do I need hardware
> >that can power 4 VMs.
> >I already run VMs using VMWare in my test lab; it works but I'd prefer
> >to be able to run AD as a service and have it be smart enough to be
> >able to segment itself without needing a separate OS...
> >
> >**********************
> >Charlie Kaiser
> >W2K3 MCSA/MCSE/Security, CCNA
> >Systems Engineer
> >Essex Credit / Brickwalk
> >510 595 5083
> >**********************
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
> > > [MVP]
> > > Sent: Wednesday, October 05, 2005 10:07 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > You can. It's called Microsoft Virtual Server.
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Freelance E-Mail Philosopher
> > > Protecting the world from PSTs and Bricked Backups!T
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
> > > Kaiser
> > > Sent: Tuesday, October 04, 2005 6:37 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > I'd also like to see the ability to run DCs for multiple domains on
> > > the same server. SMBs with limited resources balk at having to buy
> > > additional server hardware for redundancy on multiple domains,
> > > especially when the AD load on the DCs is minimal. This feature
> > > sounds
> >
> > > like an offshoot of your list below.
> > > If you can run AD as a service, it might not be that hard to allow
> > > multiple domains similar to multiple websites/DBs on one server...
> > >
> > > I remember discussing this with Stuart Kwan at DEC a couple of years
>
> > > ago. I hope it makes it into the mix...
> > >
> > > **********************
> > > Charlie Kaiser
> > > W2K3 MCSA/MCSE/Security, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **********************
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > > Sent: Tuesday, October 04, 2005 4:25 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: RE: [ActiveDir] Active Directory wish list
> > > >
> > > > Vista is the client OS. I don't believe they have named Longhorn
> > > > Server yet.I am voting for something like Windows Server 5.4.0 or
> > > > something like that. I realize that the marketing group would have
>
> > > > something to say about it but I figure the best thing from
> > > them is if
> > > > they pronounced their thoughts from the bottom of Lake Washington.
> > > > People don't install servers because they have cool names.
> > > >
> > > > The biggest non-NDA pieces that I have heard announced in
> > > conferences
> > > > or seen on the web already is the Read Only DC to limit security
> > > > exposure for WAN deployments, restartable AD that can be
> > > > stopped/started as necessary, DA/Admin separation so that
> > > you can have
> > > > an Admin on a DC that "can't" achieve Domain-wide DA level
> > > rights, and
> > > > DCs running on Server Foundation or now its called Server
> > > Core which
> > > > is a GUI-challenged Windows Server.
> > > >
> > > > I can also say that there are a myriad of GUI updates for the
> > > > Admin tools though I can't state specifics. BJ Whalen who was
> > > involved with
> > > > the GPMC project has been brought in to work on admin
> > > experience and
> > > > anyone who has worked with GPOs with and without GPMC know that he
>
> > > > really helped out.
> > > >
> > > > All in all, there is some very cool stuff and MS has really been
> > > > listening to the community on what they want and need. I know that
>
> > > > this list is watched for ideas and such and has been the source of
>
> > > > DCRs internally. So if you have ideas, spout them here,
> > > they will most
> > > > certainly be heard. They may not make Longhorn as it is
> > > getting a bit
> > > > late to add major changes but your ideas could make it into a
> > > > later rev.
> > > >
> > > >
> > > > joe
> > > >
> > > >
> > > > ________________________________
> > > >
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Steven
> > > > Wood
> > > > Sent: Monday, October 03, 2005 3:46 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Active Directory wish list
> > > >
> > > >
> > > > Hi,
> > > >
> > > > With Windows Vista on it's way what's on people's wish list
> > > as far as
> > > > Active Directory is concerned? Also are there any big enhancements
>
> > > > due?
> > > >
> > > > Thanks
> > > > Steven
> > > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> >List info : http://www.activedir.org/List.aspx
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >List info : http://www.activedir.org/List.aspx
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >
> >PLEASE READ: The information contained in this email is confidential
> >and intended for the named recipient(s) only. If you are not an
> >intended recipient of this email please notify the sender immediately
> >and delete your copy from your system. You must not copy, distribute or
>
> >take any further action in reliance on it. Email is not a secure method
>
> >of communication and Nomura International plc ('NIplc') will not, to
> >the extent permitted by law, accept responsibility or liability for (a)
>
> >the accuracy or completeness of, or (b) the presence of any virus, worm
>
> >or similar malicious or disabling code in, this message or any
> >attachment(s) to it. If verification of this email is sought then
> >please request a hard copy. Unless otherwise stated this email: (1) is
> >not, and should not be treated or relied upon as, investment research;
> >(2) contains views or opinions that are solely those of the author and
> >do not necessarily represent those of NIplc; (3) is intended for
> >informational purposes only and is not a recommendation, solicitation
> >or offer to buy or sell securities or related financial instruments.
> >NIplc does not provide investment services to private customers.
> >Authorised and regulated by the Financial Services Authority.
> >Registered in England no. 1550505 VAT No. 447 2492 35. Registered
> >Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the
> >Nomura group of companies.
> >
> >List info : http://www.activedir.org/List.aspx
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> PLEASE READ: The information contained in this email is confidential and
> intended for the named recipient(s) only. If you are not an intended
> recipient of this email please notify the sender immediately and delete your
> copy from your system. You must not copy, distribute or take any further
> action in reliance on it. Email is not a secure method of communication and
> Nomura International plc ('NIplc') will not, to the extent permitted by law,
> accept responsibility or liability for (a) the accuracy or completeness of,
> or (b) the presence of any virus, worm or similar malicious or disabling
> code in, this message or any attachment(s) to it. If verification of this
> email is sought then please request a hard copy. Unless otherwise stated
> this email: (1) is not, and should not be treated or relied upon as,
> investment research; (2) contains views or opinions that are solely those of
> the author and do not necessarily represent those of NIplc; (3) is intended
> for informational purposes only and is not a recommendation, solicitation or
> offer to buy or sell securities or related financial instruments. NIplc
> does not provide investment services to private customers. Authorised and
> regulated by the Financial Services Authority. Registered in England no.
> 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
> London, EC1A 4NP. A member of the Nomura group of companies.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
