Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell.

You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered, so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust" any more :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create "semi-isolated" units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1 - yep
2 - yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
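As an added example (not part of Matt's or Guido's posts), the following PowerShell inventories a domain's trusts and marks the intra-forest ones the thread is about as automatic and not alterable, so that only the trusts to other forests, where direction, SID filtering and selective authentication actually are configurable, remain as the ones worth reviewing. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; Get-ADTrust and the properties it reads are real, while the function names and the classification wording are mine.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustIsolationReport {
    param([string]$Server)   # optional DC or domain to query; default is the current domain

    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    foreach ($t in (Get-ADTrust @query)) {
        # Parent/child and tree-root trusts carry the within-forest attribute:
        # always two-way and transitive, created with the domain, not editable.
        $kind = if ($t.IntraForest)          { 'intra-forest (automatic, not alterable)' }
                elseif ($t.ForestTransitive) { 'forest trust' }
                else                         { 'external trust' }

        # The two settings that actually limit exposure across a trust to
        # another forest; neither applies to intra-forest trusts.
        $sidFiltering  = if ($t.IntraForest) { $null } else { $t.SIDFilteringQuarantined }
        $selectiveAuth = if ($t.IntraForest) { $null } else { $t.SelectiveAuthentication }

        [pscustomobject]@{
            Target                  = $t.Target
            Kind                    = $kind
            Direction               = $t.Direction          # Inbound, Outbound or BiDirectional
            Transitive              = [bool]($t.IntraForest -or $t.ForestTransitive)
            SIDFilteringQuarantined = $sidFiltering
            SelectiveAuthentication = $selectiveAuth
        }
    }
}

function Get-ReviewableTrusts {
    # Trusts to other forests that still let every trusted principal
    # authenticate to every resource here (selective authentication off).
    Get-TrustIsolationReport |
        Where-Object { -not $_.Kind.StartsWith('intra-forest') -and -not $_.SelectiveAuthentication }
}

Get-TrustIsolationReport | Format-Table -AutoSize
Get-ReviewableTrusts     | Format-Table -AutoSize
```

The first table answers Matt's question directly for a real domain: every row marked intra-forest is there because the domain exists in the forest, and the only way to get a row with a different direction or transitivity is a trust to another forest, which is what the second table lists for review.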
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: go 64-bits as soon as possible. There are hundreds of benefits on the server side when going 64-bits, whether it's Exchange (yay for 2007) or your DCs; the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bits nowadays if you don't have to.

On 7/22/06, joe [EMAIL PROTECTED] wrote:

That's a command line guy for you... :o) The thing is that I type in a very odd way too, my whole right hand, just one or two fingers from my left hand. People tend to get a bit confused when they see me type.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe, you must type really, really fast

----- Original Message -----
From: Albert Duro [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

no debate from me. I was just asking. Thank you for the lesson.

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale.

Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them...

What is critical to Exchange? IOPS, and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month, at which point he did something that few people see: pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient; you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok.

Let me state though that even in a small user environment, if there was an intensive directory based app or a buttload of data that pushes the DIT into GBs instead of MBs, I would still be watching my disk queueing pretty close as well as the Read and Write Ops. AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues, but then again most aren't looking very closely at the counters because they haven't had a reason to, and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies.

I will admit that prior to implementing Exchange, when I did AD Ops with a rather large company, I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and "does ADUC start fast enough", and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day, and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work; small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this, such as
o poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
o hardware/drivers on the
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

That being said, wait on 64-bits for the client side until you know, unequivocally, that all of the software that your clients need is supported and stable on a 64-bit OS. The performance boost isn't that big of a deal, just to be honest.

On 7/23/06, Matt Hargraves [EMAIL PROTECTED] wrote:

[...]
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

It's not that big of a deal for client software (last message).

On 7/23/06, Matt Hargraves [EMAIL PROTECTED] wrote:

[...]
RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

I don't have a lot of experience yet with x64 DCs, but my gut says that assuming you have enough RAM to cache the entire DIT and you aren't constantly rebooting the DC or doing things that force the cache to be trimmed, the disk subsystem is really only going to be important for writes (which we have already said aren't really all that much of what AD is doing) and the initial caching of the DIT. The key, as joe pointed out nicely in his short note below, is the size of your DIT and if it can be cached in memory by the DC. For large AD infrastructures, this is where the benefit of 64-bit DCs (either x64 or Itanium, with Itanium usually being an overkill for most AD environments) comes in.

A 32-bit OS has 4GB virtual memory available that it can directly address, usually split evenly between user/application memory and kernel memory, i.e. 2GB each. Win2000 DCs can use a max of approx. 512MB for the LSASS (AD) process, which is about how much of the DIT it can cache. LSASS has already been improved quite a bit for Win2003 DCs, which can cache up to 1.5GB of the normal virtual address space available to the DC. Using the /3GB switch you can force the kernel to use less memory (1GB), so that you have up to 3GB available for your applications - note that apps that leverage kernel memory (such as IIS) are hurt by using this switch. For Win2000 DCs (Advanced Server only) you can use the /3GB switch to increase the DIT cache to 1GB. For Win2003 DCs (Standard and Enterprise) it's up to 2.7GB.

The 32-bit x86 systems that use more than 4 GB of physical memory cannot directly address this memory - instead they leverage a technology called Physical Addressing Extensions (PAE). This is a segmented memory model that requires the use of Address Windowing Extensions (AWE), allowing the memory beyond 4 GB to be swapped in and out of an AWE window that exists in the first 4 GB of memory. These memory management technologies do cost expensive CPU cycles and are not nearly as efficient as direct 64-bit addressing.

With 64-bit addressing there is no need for a /3GB switch or other memory extension techniques, as you can (theoretically) *directly* address up to 2^64 bits of memory, which is equal to 16 exabytes (= 16 billion GB). Naturally, there isn't any HW available yet to host this much memory. But we can soon expect standard server systems that are capable of handling a few hundred GBs of memory - nothing you should need anytime soon for your AD. Microsoft's support for physical memory for its Win2003 64bit OSs is thus limited as well:
- 32GB for the x64 Standard Edition
- 1TB for the x64 and Itanium Enterprise and Datacenter editions

So, even with a Win2003 x64 Standard Edition DC you can directly address up to 32GB of memory in your servers - the available physical memory will be split up evenly into user and kernel memory, meaning that with 32GB you'd have 16GB available for applications (and with a pure DC this would give you roughly 14GB for caching your AD DIT). Not many will need it for their ADs, but with the Enterprise or Datacenter editions you can cache approx. up to 460GB of your DIT in memory...

We've done quite extensive internal tests at HP to evaluate how 64bit DCs would do performance-wise as GCs (for Exchange and authentication) and found that a single 64bit DC (with sufficient RAM to cache our whole DIT, which is almost 9GB in size) could easily replace 3-4 of our current 32bit GCs. Disc configuration hardly played a role for these performance gains. Naturally we have the greatest ratio for consolidation in our largest datacenters. I can only suggest everyone to have a closer look at using 64bit for their DCs as well - it will be very beneficial down the road.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, July 22, 2006 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

[...]
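Guido's argument and joe's earlier note come down to two checks a DC admin can actually run: does ntds.dit fit in the memory LSASS can use for its database cache, and what do the disk and cache counters say while the DC is under load. The PowerShell below, an added example that is not code from either post, does both on a domain controller. The 32-bit cache ceilings (1.5 GB, 2.7 GB with /3GB on Win2003) are the figures from Guido's note; the x64 rule of thumb (half of RAM for user mode, minus about 2 GB for the rest of the DC) is an assumption that merely reproduces his "32 GB gives roughly 14 GB" example, not a documented formula. The registry value names and counter paths are real; the function names are mine.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.

function Get-DitCacheEstimate {
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit   = Get-Item $ntds.'DSA Database file'
    $os    = Get-CimInstance Win32_OperatingSystem
    $ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $is64  = $os.OSArchitecture -like '64*'

    # /3GB lives in boot.ini on Win2003-era 32-bit systems; on 64-bit it is moot.
    $has3GB = (-not $is64) -and (Test-Path "$env:SystemDrive\boot.ini") -and
              (Select-String -Path "$env:SystemDrive\boot.ini" -Pattern '/3GB' -Quiet)

    # Ceilings quoted in the thread for 32-bit; assumed rule of thumb for x64.
    $ceilingGB = if ($is64)       { [math]::Max(0, [math]::Round($ramGB / 2 - 2, 1)) }
                 elseif ($has3GB) { 2.7 }
                 else             { 1.5 }
    $ditGB = [math]::Round($dit.Length / 1GB, 2)

    [pscustomobject]@{
        DitPath           = $dit.FullName
        DitGB             = $ditGB
        PhysicalRAMGB     = $ramGB
        Is64Bit           = $is64
        CacheCeilingGB    = $ceilingGB
        LsassWorkingSetGB = [math]::Round((Get-Process lsass).WorkingSet64 / 1GB, 2)
        LikelyFullyCached = ($ditGB -lt $ceilingGB)
    }
}

function Get-DitDiskPressure {
    param([int]$Seconds = 30)
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditDrive = Split-Path -Qualifier $ntds.'DSA Database file'        # e.g. D:
    $logDrive = Split-Path -Qualifier $ntds.'Database log files path'  # e.g. E:

    # The counters joe refers to: queueing and read/write ops on the DIT and
    # log drives, plus the ESE cache hit ratio LSASS reports for the DIT.
    $counters = @(
        "\LogicalDisk($ditDrive)\Avg. Disk Queue Length",
        "\LogicalDisk($ditDrive)\Disk Reads/sec",
        "\LogicalDisk($logDrive)\Avg. Disk Queue Length",
        "\LogicalDisk($logDrive)\Disk Writes/sec",
        "\Database(lsass)\Database Cache % Hit"
    ) | Select-Object -Unique   # DIT and logs may share a drive

    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples | Group-Object Path | ForEach-Object {
        $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Max     = [math]::Round($stats.Maximum, 2)
        }
    }
}

Get-DitCacheEstimate | Format-List
Get-DitDiskPressure -Seconds 30 | Format-Table -AutoSize
```

Read the two outputs together: if the estimate says the DIT should fit but the cache hit ratio stays well below 100% after the DC has been up for a while, the cache is being trimmed (Guido's reboot/trim caveat) or something else in LSASS is competing for the address space; a sustained queue length above roughly 2 per spindle on the DIT drive, with high reads/sec, is the symptom joe describes of a directory-heavy app outrunning a mirror.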
RE: [ActiveDir] 64bit Windows

Renaming the thread due to change of focus topic.

I've been doing quite a bit with my own 64bit notebook (using WinXP x64) in the past few weeks and I do have to say that there are plenty of little surprises. Many of which don't play a role for servers, which are used with a much lesser range of applications and drivers (usually no issues with high res video, WLAN, bluetooth etc.). I was actually more successful in getting the right drivers for WinXP x64 than for Vista x64, which is why I stuck with WinXP for now (this will change soon, as vendors pick up their support for Vista and any driver will have to be available as 32 and 64bit to be Vista ready).

But it's not only drivers, it's also some 32bit applications that - although they don't have a driver dependency (which must all be 64bit) - simply refuse to run in the WOW64 instance (a 32-bit Windows instance in a Win x64 OS). Have to say that the most important 32bit apps (such as MS Office 2003) and naturally all 64bit apps do run though without issues. And I can work around most of the other 32-bit problems by leveraging a 32-bit WinXP VM on the same box (not ideal, but better than two machines).

So a lot of testing is required either for deployment of 64-bit clients (which I'd rather do with Vista when released) or even with 64-bit Terminal Servers that are used to host office applications for users (generally a great idea, as you have plenty more virtual memory available for hosting many more users per TS).

See my other note on 64-bit for DCs in the "Raid 1 tangent -- Vendor Domain" thread with many more details on the difference of memory handling between the two worlds. 64bit is certainly the right way to go for most larger AD deployments.

I'd love to hear about others' experience with 64-bit Windows - how are you leveraging it and what were the problems you've been running into...? What were your solutions or workarounds?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

[...]
RE: [ActiveDir] Domain Trusts.

> because the objects that need to go in that domain really do need to get out of our current user environment.

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean by "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible to the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

[...]
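Guido's two in-domain alternatives (delegate administration of a subtree to a group, and ACL the subtree so normal users cannot see it) are concrete enough to show in code. The PowerShell below is an added example, not code from Guido's posts, and implements both for one OU without creating a domain or forest; it also illustrates his limit, since the explicit Domain Admins and SYSTEM entries stay and domain/enterprise admins can take ownership regardless. The OU and group names are placeholders; it assumes the ActiveDirectory module and rights to modify the domain head.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Secure Servers'            # placeholder OU name
$ouDN     = "OU=$ouName,$domainDN"
$adminGrp = 'SecureServerAdmins'        # placeholder delegated-admin group

function New-IsolatedOU {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$adminGrp'")) {
        # Keep the admin group outside the hidden OU so it stays resolvable.
        New-ADGroup -Name $adminGrp -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
    }

    $acl = Get-Acl -Path "AD:\$ouDN"

    # 1. Block inheritance from the domain head but copy the inherited ACEs as
    #    explicit ones, so nothing the admins rely on disappears.
    $acl.SetAccessRuleProtection($true, $true)

    # 2. Remove the broad read/list grants: Authenticated Users (S-1-5-11) and
    #    Everyone (S-1-1-0). Review "Pre-Windows 2000 Compatible Access" too if
    #    your domain still populates it with Authenticated Users.
    foreach ($sid in 'S-1-5-11', 'S-1-1-0') {
        [void]$acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$sid)
    }

    # 3. Delegate full control over the OU and its whole subtree to the group.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-ADGroup $adminGrp).SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)

    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

function Show-OUAccess {
    # Read back who can still do what on the OU. Expect the delegated group,
    # SYSTEM, Domain Admins and Enterprise Admins, and no Authenticated Users.
    (Get-Acl -Path "AD:\$ouDN").Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
        Sort-Object IdentityReference |
        Format-Table -AutoSize
}

New-IsolatedOU
Show-OUAccess
```

Two caveats belong with this. Hiding the OU stops browsing and searches from below the domain head, but objects created inside it still get their own class-default ACEs (users and groups, for instance, grant Authenticated Users some read access), so a user who already knows a child's DN can still read what that child's own ACL allows; tighten the children or use the directory's list-object mode if that matters. And, as Guido says, none of this keeps domain or enterprise admins out: that requires a separate forest.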
[ActiveDir] OT: Interview Techniques

All,

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here, but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] 64bit Windows
You haven't met beancounter apps have you? Many of them will not function. Yes, it's a big deal. When even Microsoft's own ISA 2004 doesn't have a released 64 bit client released for a 64 bit Windows and you have to set them up as securenat clients. adoption by vendors has not occurred. Grillenmeier, Guido wrote: /Renaming the thead due to change of focus topic/ I've been doing quite a bit with my own 64bit notebook (using WinXP x64) in the past few weeks and I do have to say that there are plenty of little surprises. Many of which don't play a role for servers, which are used with a much lesser range of applications and drivers (usually no issues with high res video; WLAN; bluetooth etc.). I was actually more successful to get the right drivers for WinXPx64 than for VISTAx64, which is why I stuck with WinXP for now (this will change soon, as Vendors pick up their support for Vista and any driver will have to be available as 32 and 64bit to be Vista ready). But it's not only drivers, it's also some 32bit applications that - although they don't have a driver dependency (which must all be 64bit) - simply refuse to run in the WOW64 instance (a 32-bit Windows instance on in a Win x64 OS). Have to say that the most important 32bit apps (such as MS Office 2003) and naturally all 64bit apps do run though without issues. And I can work around most of the other 32-bit problems by leveraging a 32-bit WinXP VM on the same box (not ideal, but better than two machines). So a lot of testing is required either for deployment of 64-bit clients (which I'd rather do with Vista when released) or even with 64-bit Terminal Servers that are used to host office applications for users (generally a great idea, as you have plenty of more virtual memory available for hosting many more users per TS). See my other note on 64-bit for DCs in the Raid 1 tangent -- Vendor Domain thread with many more details on the difference of memory handling between the two worlds. 
64-bit is certainly the right way to go for most larger AD deployments. I'd love to hear about others' experience with 64-bit Windows - how are you leveraging it and what were the problems you've been running into...? What were your solutions or workarounds?

/Guido

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Matt Hargraves
*Sent:* Sunday, July 23, 2006 5:26 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

It's not that big of a deal for client software (last message)

On 7/23/06, *Matt Hargraves* [EMAIL PROTECTED] wrote:

That being said, wait on 64-bit for the client side until you know, unequivocally, that all of the software that your clients need is supported and stable on a 64-bit OS. The performance boost isn't that big of a deal, just to be honest.

On 7/23/06, *Matt Hargraves* [EMAIL PROTECTED] wrote:

Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: go 64-bit as soon as possible. There are hundreds of benefits on the server side when going 64-bit; whether it's Exchange (yay for 2007) or your DCs, the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bit nowadays if you don't have to.

On 7/22/06, *joe* [EMAIL PROTECTED] wrote:

That's a command line guy for you... :o) The thing is that I type in a very odd way too, my whole right hand and just one or two fingers from my left hand. People tend to get a bit confused when they see me type.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe, you must type really, really fast

- Original Message -
From: Albert Duro [EMAIL PROTECTED]
Re: [ActiveDir] Domain Trusts.
Go to Google, type in "Token limitation" and click on the first item...

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

"because the objects that need to go in that domain really do need to get out of our current user environment."

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell.

You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered, so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more?" :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create semi-isolated units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
Re: [ActiveDir] OT: Interview Techniques
Is he a manager or a technical lead? There's a world of difference between the two.

Technical leads have many of the responsibilities of a manager (handing out tasks, interfacing with upper management, discipline, etc...) but also have to be able to 'get their hands dirty'; in other words, they basically have to be very strong technically.

If you're interviewing for a manager who isn't going to be doing anything technical, then just make sure that A) you don't grant him schema/enterprise admin rights, so that he can't screw everything up on you, and B) he knows enough to where you're not holding his hand in *every* discussion that goes down the technical path.

If he's a technical lead... he should know how to deal with people and know nearly as much as you do, if not more. If he's going to be digging into AD and having to work on fixing problems when they appear, then you need to make sure that he's not going to screw things up because he's trying to remember what they taught him in that 2-week class 8 months ago.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] OT: Interview Techniques
LOL. If it's for a technical position, then I have no qualms about trying to make the interviewed candidate cry. May as well see what they do with pressure.

I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
RE: [ActiveDir] OT: Interview Techniques
A lead tech better be pretty darn technical with strong troubleshooting skills. It is tough to interview someone for the latter, as asking questions like "this and this are occurring, what do you do?" or "what is wrong?" is usually not productive. One thing to keep in mind is that just about anyone who has some experience with AD could likely ask a question someone else couldn't answer; there is no one that knows every single aspect of Active Directory and could answer any possible question cold. However, a general chat about what they have been doing with their knowledge and maybe where they picked it up can cause things to float up that give you a good understanding of what they know and what they can figure out.

In general I would say it is tough to hire a lead tech for an already existing team unless the team is aware of the person already and has some measure of respect for the person. Usually, in my experience, the lead tends to float to the top when the team is working together and it just naturally becomes obvious who the lead should be. To artificially force a lead can hurt the team and I have been in several circumstances where that has occurred. The lead may feel they need to show how smart they are or the team may feel they need to see if they can outwit the lead; with either thing occurring, the team isn't a team but a competition. The best tech leads I have run into have all been people who DON'T want to run a team, they just want to solve technical problems and lead by solving problems well.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 23, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Interview Techniques

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] OT: Interview Techniques
He is a technical lead but with some responsibilities of a manager. He would be mostly doing managerial duties as you have identified. But he will need to get his hands dirty when the going gets tough. Most importantly, he will need to identify customer requirements and ensure the design we produce with him is steered in the correct direction. He will also need to sell solutions to the customer that will benefit both parties ;-)

I seem to recall reading somewhere some comments from either joe or Jorge. But I can't find it anymore. Hence the post.

Cheers

--- Matt Hargraves [EMAIL PROTECTED] wrote:

Is he a manager or a technical lead? There's a world of difference between the two.

Technical leads have many of the responsibilities of a manager (handing out tasks, interfacing with upper management, discipline, etc...) but also have to be able to 'get their hands dirty'; in other words, they basically have to be very strong technically.

If you're interviewing for a manager who isn't going to be doing anything technical, then just make sure that A) you don't grant him schema/enterprise admin rights, so that he can't screw everything up on you, and B) he knows enough to where you're not holding his hand in *every* discussion that goes down the technical path.

If he's a technical lead... he should know how to deal with people and know nearly as much as you do, if not more. If he's going to be digging into AD and having to work on fixing problems when they appear, then you need to make sure that he's not going to screw things up because he's trying to remember what they taught him in that 2-week class 8 months ago.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
RE: [ActiveDir] OT: Interview Techniques
Interesting, I have a pretty different view on tech lead. The things you mention (handing out tasks, interfacing with upper management, discipline, etc...) are out-and-out managerial tasks from my viewpoint and if I had a manager and a tech lead, I wouldn't take any of that from the tech lead. I consider tech lead as senior techy, the guy whom you go to when you are out of ideas on what to do next to solve a technical problem. The manager is who you go to for interfacing with anyone outside of the group, personnel issues and getting your tasks.

I think the manager and the tech lead need to work very closely, but that is mostly to keep the manager in a good place, informed, and pointed in the right direction such that managerial decisions don't adversely impact the technical aspects of the work too much, as well as letting the manager know what the technical priorities are from the tech lead's viewpoint and so the manager can tell the tech lead what the real priorities are as they are decided by the manager. For instance if going into a meeting with a "customer"[1] the tech lead feeds the manager with as much knowledge as necessary so the manager isn't completely at a loss in the meeting and as things dive into tech, if they do, the tech lead is either there (if it is known ahead of time it will get deep) or available via phone to help.

Tech and managerial pieces do not normally fit together well; very different skill sets and strengths are needed to do one or the other well. Very few people, IMO, can be good at tech and good at managerial. Unfortunately many companies do not see this and in order for someone to move up through the ranks they must assume managerial duties, when in fact the company should have a managerial track and a technical track for the folks to follow so they can stick with the areas in which they have the greatest strength. Hopefully it is getting more and more obvious to companies that trying to make people spend all of their time trying to improve on their weaknesses versus utilizing their strengths is a losing proposition. To put it another way, if someone is an amazing techy and a horrible manager, you don't force them to spend their time trying to be a mediocre manager. That is the person that everyone will point at and say they are a sucky manager.

joe

[1] Define as you wish, different groups have different customers. IT has the business, the business could have another aspect of the business or external, etc.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Is he a manager or a technical lead? There's a world of difference between the two.

Technical leads have many of the responsibilities of a manager (handing out tasks, interfacing with upper management, discipline, etc...) but also have to be able to 'get their hands dirty'; in other words, they basically have to be very strong technically.

If you're interviewing for a manager who isn't going to be doing anything technical, then just make sure that A) you don't grant him schema/enterprise admin rights, so that he can't screw everything up on you, and B) he knows enough to where you're not holding his hand in *every* discussion that goes down the technical path.

If he's a technical lead... he should know how to deal with people and know nearly as much as you do, if not more. If he's going to be digging into AD and having to work on fixing problems when they appear, then you need to make sure that he's not going to screw things up because he's trying to remember what they taught him in that 2-week class 8 months ago.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview
RE: [ActiveDir] OT: Interview Techniques
Yeah, Al interviewed me once and I didn't get the job because I started crying. I found his car in the parking lot and punched holes in the tires. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

LOL. If it's for a technical position, then I have no qualms about trying to make the interviewed candidate cry. May as well see what they do with pressure.

I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
RE: [ActiveDir] OT: Interview Techniques
I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technical lead is someone who can get their hands dirty without getting scared or screwing up. They should also have no second thoughts about delegating work and asking their subordinates for help. That person needs to be able to deal with upper management, and they also need to make sure their self esteem is in check - none of that "I did X" when all they did is watch. Hiring your new manager can be a little difficult on both sides from the point of view of "why wasn't someone on your team promoted to that position?"

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 23, 2006 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Interview Techniques

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was "aggressive".

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] OT: Interview Techniques
Thanks Al. That's very useful. I value those comments more than $0.04 ;0). Especially the comments in the last paragraph. The last thing I want is someone who is going to prevent any of my suggestions getting through because he doesn't understand and has influence over the final design.

I had one guy who claimed to be from a reputable IT services company and he explained a redesign he'd done. Basically he wrecked a perfectly working and functioning detailed role-based delegation model because it was "too complex". Instead of the structured organisation the original plan had based on location and business unit, he basically classed all users as "normal" and "admin". Domain admins all over the place. 2nd level support guys with schema admin rights because they were trained to make the necessary application-specific schema changes. WTF?

And what's up with these damn contractors that want to re-build a lab from scratch just because they can't fix it? And all that was wrong was there was no _msdcs.forestfqdn to resolve GC records. Beats me how they get jobs. Ugh! I can't believe that people have the guts to lie like that on their CVs.

Cheers

--- Al Mulnick [EMAIL PROTECTED] wrote:

LOL. If it's for a technical position, then I have no qualms about trying to make the interviewed candidate cry. May as well see what they do with pressure. I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK.

I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }
RE: [ActiveDir] OT: Interview Techniques
--- joe [EMAIL PROTECTED] wrote:

A lead tech better be pretty darn technical with strong troubleshooting skills. It is tough to interview someone for the latter as asking questions like "this and this are occurring, what do you do" or "what is wrong" are usually not productive.

# I was thinking of giving a VM based env on a laptop for them to fix just to see what their TS skills are like. Fixing it would be nice but it was more to see his thinking style.

One thing to keep in mind is that just about anyone who has some experience with AD could likely ask a question someone else couldn't answer, there is no one that knows every single aspect of Active Directory and could answer any possible question cold.

# I thought Sanjay could? (http://www.activedirectoryconsulting.com/background.html) :-( Sorry.

However, a general chat about what they have been doing with their knowledge and maybe where they picked it up can cause things to float up that give you a good understanding of what they know and what they can figure out.

# I agree and I am doing that. Thanks

In general I would say it is tough to hire a lead tech for an already existing team unless the team is aware of the person already and has some measure of respect for the person. Usually, in my experience, the lead tends to float to the top when the team is working together and it just naturally becomes obvious who the lead should be. To artificially force a lead can hurt the team and I have been in several circumstances where that has occurred. The lead may feel they need to show how smart they are or the team may feel they need to see if they can outwit the lead; either thing occurring and the team isn't a team but a competition.

# Hmm. That's very true. To be honest, I am yet to work with a real good team. You never know, I might get lucky soon.

The best tech leads I have run into have all been people who DON'T want to run a team, they just want to solve technical problems and lead by solving problems well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Cheers
Re: [ActiveDir] OT: Interview Techniques
LOL. Yeah. Never a good idea to have customised "BIG AL" number plates. ;-)

On 7/23/06, joe [EMAIL PROTECTED] wrote:

Yeah Al interviewed me once and I didn't get the job because I started crying. I found his car in the parking lot and punched holes in the tires. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

LOL. If it's for a technical position, then I have no qualms about trying to make the interviewed candidate cry. May as well see what they do with pressure. I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK.

I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }
[ActiveDir] back up strategies
Hi all,

I am interested in your stories about back up strategies / procedures with all advantages and disadvantages involved. For example:

Set up
- Weekends: full backups ... 2 tapes
- Working days: incremental ... 5 tapes
- Monthly full backups ... 12 tapes ... 1 each month.

Which strategy is most efficient and reliable? When do you use full, copy, differential, incremental or daily? (Considering the Windows backup utility.) Which software do you use? How often do you test a restore? (a few files) How often do you perform a full restore? If Exchange or SQL Server is involved, for example with Veritas remote agents, how often do you perform a restore on Exchange databases / SQL Server databases? Do you keep an exact copy of the backup hardware involved at an external location in case of fire / theft?

All info is very appreciated. Thanks!

Jorre
RE: [ActiveDir] 64bit Windows
thanks Susan - yep, I've felt the pain with VPN support myself - mine is not related to ISA 2004 though. As mentioned in my other reply, can you be a bit more specific on the beancounter (financial?) apps.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, July 23, 2006 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 64bit Windows

You haven't met beancounter apps have you? Many of them will not function. Yes, it's a big deal. When even Microsoft's own ISA 2004 doesn't have a released 64 bit client for a 64 bit Windows and you have to set them up as SecureNAT clients, adoption by vendors has not occurred.

Grillenmeier, Guido wrote:

/Renaming the thread due to change of focus topic/

I've been doing quite a bit with my own 64bit notebook (using WinXP x64) in the past few weeks and I do have to say that there are plenty of little surprises. Many of which don't play a role for servers, which are used with a much lesser range of applications and drivers (usually no issues with high res video, WLAN, bluetooth etc.). I was actually more successful in getting the right drivers for WinXP x64 than for Vista x64, which is why I stuck with WinXP for now (this will change soon, as vendors pick up their support for Vista and any driver will have to be available as 32 and 64bit to be Vista ready). But it's not only drivers, it's also some 32bit applications that - although they don't have a driver dependency (which must all be 64bit) - simply refuse to run in the WOW64 instance (a 32-bit Windows instance in a Win x64 OS). Have to say that the most important 32bit apps (such as MS Office 2003) and naturally all 64bit apps do run without issues, though. And I can work around most of the other 32-bit problems by leveraging a 32-bit WinXP VM on the same box (not ideal, but better than two machines).

So a lot of testing is required either for deployment of 64-bit clients (which I'd rather do with Vista when released) or even with 64-bit Terminal Servers that are used to host office applications for users (generally a great idea, as you have plenty more virtual memory available for hosting many more users per TS). See my other note on 64-bit for DCs in the "Raid 1 tangent -- Vendor Domain" thread with many more details on the difference of memory handling between the two worlds. 64bit is certainly the right way to go for most larger AD deployments.

I'd love to hear about others' experience with 64-bit Windows - how are you leveraging it and what were the problems you've been running into...? What were your solutions or workarounds?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

It's not that big of a deal for client software (last message)

On 7/23/06, Matt Hargraves [EMAIL PROTECTED] wrote:

That being said, wait on 64-bits for the client side until you know, unequivocally, that all of the software that your clients need is supported and stable on a 64-bit OS. The performance boost isn't that big of a deal, just to be honest.

On 7/23/06, Matt Hargraves [EMAIL PROTECTED] wrote:

Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: Go 64-bits as soon as possible. There are hundreds of benefits on the server side when going 64-bits, whether it's Exchange (yay for 2007) or your DCs, the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bits nowadays if you don't have to.

On 7/22/06, joe [EMAIL PROTECTED] wrote:

That's a command line guy for you... :o) The thing is that I type in a very odd way too, my whole right hand, just one or two fingers from my left hand. People tend to get a bit confused when they see me type.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] mailto:[EMAIL
RE: [ActiveDir] Domain Trusts.
Matt, I'm quite aware of the token limitations in AD (and the lovely attack vectors around this "feature") - however, creating a separate domain for this reason would fall under administrative isolation, which is not how you've phrased your previous reply. So I'm a little bit puzzled as to what your real goal is.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Go to google, type in "Token limitation" and click on the first item...

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

"because the objects that need to go in that domain really do need to get out of our current user environment."

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell. You've all been very helpful, thank you.

Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust" any more :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create "semi-isolated" units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
[ActiveDir] Have you built an R2 Forest?
If so... you may want to peek at http://blog.joeware.net/2006/07/23/484/ entitled "R2 tombstoneLifetime boo boo" -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] DNS Issue
David,

A few more questions. When you state you cleared the cache I want to ensure this meant clearing the cache on the DNS server, not the client resolver cache. Also, if you open the DNS snap-in in advanced mode and look in the cache, do you see a record for nyc.test.com and if so can you provide a screenshot of the entry from the DNS MMC? Finally, can you go to the DNS server, open a cmd prompt and launch nslookup. Type "set d2" (without the quotes) so that you get additional debug output and then type in nyc.test.com and post the output.

Why am I asking all of these questions? Well, we had a few issues where the DNS server's cache may not correctly cache entries, causing the behavior that you are seeing. Sometimes, even though you clear the cache, if the record is looked up frequently then even clearing the cache will not resolve the issue long enough to see it corrected. I thought that all of these had been addressed by the build that you are running; however, the output from the above tests should let us see what is going on.

Thanks,

-Steve

From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Sat 7/22/2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue

Hi Steve

Binary version is 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

Clearing the cache does not fix the issue.

Thanks
David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 22 Jul 2006 0:56
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue

What version of the DNS binary are you running and if you clear the cache instead of restart DNS does it resolve the issue?

Thanks,

-Steve

From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Issue

We have a single Windows 2003 SP1 forest/domain. DCs run AD integrated zones. We have Forwarders configured for a domain e.g. test.com with 2 IP addresses entered for the DNS servers in test.com. We have seen a strange issue where queries for a host in the sub-domain nyc.test.com fail (even when doing an nslookup directly from the DC). When we restart the DNS service on the DC, resolution succeeds for a host in nyc.test.com. After time it appears resolution fails again. Another observation is when (after time) name resolution fails for a host in nyc.test.com and we explicitly add nyc.test.com as another Forwarder and without restarting the DNS service, names in nyc.test.com resolve. Remove the forwarding to nyc.test.com and resolution fails! Any ideas?

Regards
David
Re: [ActiveDir] Domain Trusts.
I was just curious if I could avoid the 2-way transitive trust. Current resources in domains for those resources are being moved into AD. Many have 1-way trusts and we'd like to keep that status if possible. I was hoping I could do it in the same forest, but since that's not possible we just have to make sure that the situation is evaluated by more parties and there is consensus on what we're going forward with.

I guess I shouldn't have said 'moved out of...' as 'avoided being brought into...' though some of the resources are already in the user environment and mattering on the way that we go, will possibly need to be moved out eventually, for consistency's sake.

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Matt, I'm quite aware of the token limitations in AD (and the lovely attack vectors around this "feature") - however, creating a separate domain for this reason would fall under administrative isolation, which is not how you've phrased your previous reply. So I'm a little bit puzzled as to what your real goal is.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Go to google, type in "Token limitation" and click on the first item...

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

"because the objects that need to go in that domain really do need to get out of our current user environment."

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell. You've all been very helpful, thank you.

Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust" any more :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create "semi-isolated" units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
[ActiveDir] Incomplete Initial Replication?
Hello:

Last week, I promoted a virtual server (Host: W2k3 SP1 Std running W2k5 VS R2; Guest: W2k3 R2 ENT) to a DC. It was the second DC at that site. Prior to the promotion, I pointed its DNS to the site's first DC, joined the domain, and then promo'd. I confirmed that the new DC was placed in the correct Site. Things appeared to go fine, and I left it to allow AD to do its thing with site links. I then changed the GC and IP bridgehead for that site from the old DC to the new DC.

Things are now a mess. The original DC is kicking out lots of KCC errors (1865, 1866, and 1311). When I try to force replication with replmon or dssite, it chokes. (Replmon actually does not see any other servers or partitions.) If I try to "Replicate Now" on the old DC with the new DC, I get the following error: "The naming context is in the process of being removed or is not replicated from the specified server."

On the new DC, most things seem right except that I am getting periodic errors: Event 53258: "MS DTC could not correctly process a DC Promotion/Demotion event."

It appears that the old DC did not receive all the info about the new DC's promotion. Old DC will get demoted. Should I attempt to correct the replication issues or just forcibly demote the old DC? If the former, any thoughts on how to clean it up?

Many thanks.

-- nme
RE: [ActiveDir] Domain Trusts.
I believe that the documentation that you are looking for that describes these transitive trusts and the inability to alter them is contained here: From: http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx Automatic Trusts By default, two-way transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain by using the Active Directory Installation Wizard. The two default trust types are parent-child trusts and tree-root trusts. Parent-child trust A parent-child trust relationship is established whenever a new domain is created in a tree. The Active Directory installation process automatically creates a trust relationship between the new domain and the domain that immediately precedes it in the namespace hierarchy (for example, corp.tailspintoys.com is created as the child of tailspintoys.com). The parent-child trust relationship has the following characteristics: *It can exist only between two domains in the same tree and namespace. *The parent domain is always trusted by the child domain. *It must be transitive and two-way. The bidirectional nature of transitive trust relationships allows the global directory information in Active Directory to replicate throughout the hierarchy. Tree-root trust A tree-root trust is established when you add a new domain tree to a forest. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new tree root) and the forest root domain. A tree-root trust relationship has the following restrictions: *It can be established only between the roots of two trees in the same forest. *It must be transitive and two-way. Thanks, -Steve From: [EMAIL PROTECTED] on behalf of Matt Hargraves Sent: Sun 7/23/2006 10:09 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Domain Trusts. 
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
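As an added illustration (not part of the thread or of Microsoft's documentation), here is a small Python model of the rules quoted above: parent-child and tree-root trusts are created two-way and transitive, so any two domains in a forest end up trusting each other, while a manually created one-way external trust to a separate forest is non-transitive and stops at the named domain. All domain names are constructed.

```python
"""Added example, not from the thread or Microsoft's documentation: a model
of the automatic intra-forest trusts quoted above next to a one-way external
trust to a separate forest.  All domain names are constructed."""
from collections import deque


class TrustModel:
    def __init__(self, forest_root):
        self.forest_root = forest_root
        # edges[trusting][trusted] -> True if the trust is transitive
        self.edges = {forest_root: {}}

    def _edge(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def _two_way_transitive(self, a, b):
        self._edge(a, b, True)
        self._edge(b, a, True)

    def add_child_domain(self, child, parent):
        """Parent-child trust: created by the installation wizard, always
        two-way and transitive, only within the parent's namespace."""
        if parent not in self.edges:
            raise ValueError(f"{parent} is not a domain in this forest")
        if not child.endswith("." + parent):
            raise ValueError("a child domain must live under its parent's namespace")
        self._two_way_transitive(child, parent)

    def add_tree(self, tree_root):
        """Tree-root trust: new tree root <-> forest root, two-way and transitive."""
        self._two_way_transitive(tree_root, self.forest_root)

    def add_external_trust(self, trusting, trusted):
        """Manually created one-way external trust to a domain in another
        forest: non-transitive, so it never reaches past the two named domains."""
        self._edge(trusting, trusted, False)

    def trust_path(self, src, dst):
        """Chain of domains through which src trusts dst, or None if it does
        not.  A non-transitive trust can only be used as a direct single hop."""
        if dst in self.edges.get(src, {}):
            return [src, dst]
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self.edges.get(cur, {}).items():
                if not transitive or nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == dst:
                    path = [dst]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def all_mutually_trusting(self, domains):
        """True when every listed domain trusts every other one."""
        return all(self.trust_path(a, b) is not None
                   for a in domains for b in domains if a != b)


def build_example():
    """Forest with two trees, plus a one-way external trust from a separate
    (constructed) vendor forest that trusts only the forest root domain."""
    m = TrustModel("tailspintoys.com")
    m.add_child_domain("corp.tailspintoys.com", "tailspintoys.com")
    m.add_tree("wingtiptoys.com")
    m.add_child_domain("eng.wingtiptoys.com", "wingtiptoys.com")
    m.add_external_trust("vendor.example", "tailspintoys.com")
    return m
```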
Re: [ActiveDir] back up strategies
What is your plan? Do you want speed in restoration or backup? Do you have a 24-hour facility or is it an 8-hour facility? Do you have a tape changer or a single tape unit (changing tapes daily)?

If you have an 8-hour facility and the server is close to you, then weekend fulls and differentials is fine. If you have a 24-hour facility, then weekend full and incrementals might be the way to go. If you want to be able to have quick full system restores, then daily full backups is the best, but if you have a 24-hour facility then it's not practical and you're better off going with differentials throughout the week (2-tape restore).

I generally recommend more tapes, though. Something more like 20 daily tapes and 5 weekly tapes so that you can always go back at least a month. You don't always realize that something needs to be restored immediately and being able to go back 3-4 weeks without going to the previous month's 'master' backup tape is always nice. Tapes don't cost *that* much and if going back 3 weeks can save an engineer 30 hours of work on a CAD drawing, then it's a good plan. But if you can only go back 1 and a half or 4 weeks back... you just lost 30 hours worth of work at around $75-100 per hour, that's between $2250 and 3k saved by one restoration.

On 7/23/06, Quatro Info [EMAIL PROTECTED] wrote:

Hi all,

I am interested in your stories about back up strategies / procedures with all advantages and disadvantages involved.

For example:

Set up
- Weekends full backups: 2 tapes
- Working days incremental: 5 tapes
- Monthly full backups: 12 tapes, 1 each month.

Which strategy is most efficient and reliable?
When do you use full, copy, differential, incremental or daily? (Considering windows backup utility)
Which software do you use?
How often do you test a restore? (a few files)
How often do you perform a full restore?
If exchange or sql server is involved, for example with veritas remote agents: how often do you perform a restore on exchange databases / sql server databases?
Do you keep an exact copy of the backup hardware involved on an external location in case of fire / theft?

All info is very appreciated.

Thanks!
Jorre
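As an added example (not from the thread), the following Python works out which tapes a restore needs under the rotations Matt compares: weekend full plus daily differentials (always two tapes), weekend full plus daily incrementals (the full plus every incremental since), and daily fulls (one tape). The schedules are constructed, with day 0 as the weekend full.

```python
"""Added example (not from the thread): which tapes a restore needs for the
rotations Matt compares.  Schedules are constructed; day 0 is the weekend full."""

KINDS = {"full", "differential", "incremental"}


def restore_set(schedule, target_day):
    """schedule: chronological list of (day, kind).  Returns, oldest first,
    the tapes needed to rebuild the data as it stood after target_day's job.
    A differential holds every change since the last full, so it replaces
    all older differentials/incrementals back to that full; an incremental
    holds only the changes since the previous job, so every one is needed."""
    needed = []
    covered_back_to_full = False
    for day, kind in reversed(schedule):
        if kind not in KINDS:
            raise ValueError(f"unknown backup kind {kind!r}")
        if day > target_day:
            continue                     # job ran after the point we restore to
        if kind == "full":
            needed.append((day, kind))   # base of the chain; stop here
            break
        if covered_back_to_full:
            continue                     # a newer differential already holds this day's changes
        needed.append((day, kind))
        if kind == "differential":
            covered_back_to_full = True
    if not needed or needed[-1][1] != "full":
        raise ValueError("no full backup on or before the target day")
    return needed[::-1]


def weekly_schedule(weekday_kind, days=7):
    """Weekend full on day 0, then one job of weekday_kind on each later day
    ('full' gives the daily-full option)."""
    return [(0, "full")] + [(d, weekday_kind) for d in range(1, days)]


def tapes_to_restore(weekday_kind, target_day):
    """Number of tapes a restore to target_day needs under the given rotation."""
    return len(restore_set(weekly_schedule(weekday_kind), target_day))
```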
Re: [ActiveDir] back up strategies
Why tapes? (Just wondering, as we've found tapes haven't kept up with drive sizes and the need for speed during a backup window.) NAS, SAN, rotation of hard drives... etc., etc.

Matt Hargraves wrote:
Re: [ActiveDir] OT: Interview Techniques
So basically it sounds like you need a technically savvy person who has a very good understanding of AD, but is going to come back to you with any concerns about a design direction that you've come up with instead of going through and revamping it completely...

'basic user' or 'admins'... ROFLMAO

Schema updates are uncommon enough to where nobody really needs that level of access on a day-to-day basis.

My description of a technical lead was because I've run into companies where they expect their manager for the IT department to basically be the 3rd/4th level of support for problems. They expect the manager to do the 'heavy lifting' on the technical side of things and basically be a technical lead *and* a manager. I tend to agree that running into someone who can do both is like finding a roc's tooth. They're out there, just few and far between.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

LOL. Yeah. Never a good idea to have customised BIG AL number plates. ;-)

On 7/23/06, joe [EMAIL PROTECTED] wrote:

Yeah Al interviewed me once and I didn't get the job because I started crying. I found his car in the parking lot and punched holes in the tires. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

LOL. If it's for a technical position, then I have no qualms of trying to make the interviewed candidate cry. May as well see what they do with pressure. I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who if successful will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSE's. The feedback we received from the candidates afterwards said the interview style was ... aggressive.

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] Domain Trusts.
Thanks, that's exactly what I was looking for. Oddly enough, it's somewhere on MS's site, though my 5-8 queries never came up with it (the wonderful joys of searching on microsoft.com).

Now I can give them 2 options: a separate forest with a 1-way trust or a subdomain (since there really isn't a difference between a separate tree and a subdomain).

On 7/24/06, Steve Linehan [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Raid 1 tangent -- Vendor Domain
The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

Actually, log IOs were quite low, considering. I bet a single spindle pair would have been enough for most of my work. The real killer was random I/O throughout the DB. Here I was pushing 1800 read / 1800 write for most of the run. I really needed more SAN paths because I'm pretty sure that was the bottleneck (it just wasn't set up to have as many redundant paths as I didn't anticipate the bottlenecks hit). I keep meaning to write a follow-up post with a lot of data. I'll do so this week and post it so this sort of stuff is a bit more clear.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, July 22, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.
In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient. You will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GB's instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.
Now let me point out, I don't deal with tiny companies for work, small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

* poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
* hardware/drivers on the Exchange server just aren't working properly and the drivers are experiencing timeout issues (for some reason I want to say HBA here)
* poor network configurations and odd load balancing solutions, etc that generate a whole bunch of say keep alive traffic on the segment that no one had any idea about because no one understood the solution nor took time to look at the network traces. Or maybe the infamous Full/100 on one end and half/100 on the other. Whatever.
* Applications that beat the crap out of Exchange that weren't accounted for in the design well or at all... such as Blackberry or Desktop Search or various Archive solutions
* Poorly written event sinks, disclaimer type