[ActiveDir] ADAM silent install

2006-11-23 Thread KKH

Hi 


I am trying to install ADAM unattended to be used for publishing Oracle DB's.


I would like to grant administrators from the local computer as ADAM administrator and I would like to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.

Administrator=MYCOMPUTER\Administrators


; The following line specifies the .ldf files to import into the ADAM schema.

ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf


However the install fails when I specify both options. The error message is that the user has to be administrator to import .ldf files. But the user installing the ADAM instance is already a member of administrators. 

My current workaround is to comment out the ImportLDIFFiles statement and import them after the instance has been created.

Just wondered if this was a known problem.


/kkh








List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Tom Kern

I ask because the reason mailNickName is in firstname.lastname
format, is due to a dirsync process that runs once a day and reads
that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an
[EMAIL PROTECTED].
Later, the dirsync process adds [EMAIL PROTECTED], so
when mail goes out, sendmail rewrites the RHS portion of the smtp
addy.
if mailNickName is sAMAccountName, it doesn't work.


Sometimes during the provisioning process, the lan access guys  forget
to set this attribute to that value, so the exchange team was looking
for a way to automatically generate the value in the correct format,
kinda like displayName.

I just started here about 2 months ago, so i'm not completely sure how
the process works and i'm trying not to annoy everyone with too many
questions.

This is the first truly large corp i've ever worked for. Before i was
the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
member Exchange team for a 110,000 user bank that you've all heard of
and i guess i'm trying to wrap my head around how a org this size
works...
i'm actually kinda surprised no one on the exchange team knows how to
script or is very knowledgeable about AD.
Then again the AD team doesn't seem that knowledgeable about AD.

They just migrated from EX 5.5 to EX2K3 when i started, so i guess
they are trying to get up to speed with exchange.

i only made the MS comment because a corp this large seems to have a
lot of resources at MS and I saw that someone from MS did their EX2K3
design doc.
I'm not under the illusion that just because someone is from MS that
they know what they are doing but i guess i have illusions about
companies this size and that they would somehow get the better support
from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

I think I see the reason that it hasn't been as big a problem as it could
be. The id is not yet everywhere.  You will run into those collisions.
Statistically (note, I'm not a statistician, but I sometimes play one on the
internet) your numbers are just too large not to.  When you hook in MIIS,
you'll start to see a lot of john smith's and you'll have to map them and
come up with rules to automatically resolve those if possible.  I dunno
though, you may be an organization that enjoys manual processes.

Even for first.lastname for smtp addresses I'm reasonably sure there's
either a really strong nepotism policy in your organization or you've got
some *process* that allows for making those unique.  I've worked in much
smaller shops that had such policies (sadly, no strong nepotism rule, but
that's another story altogether.)

I second what joe says about not taking their word for anything.  I'll go so
far as to qualify that and say that the best answer you should get from a
consultant or on-site resource is it depends. What that really means is
that depending on the information available, your current best practice as
it was intended is to do x.  I can't begin to tell you how many things that
started from the product teams as the product only does this later ends up
to be,  for the love of insert your favorite deity here don't do this!!!
 Think clustering and you'll know what I'm talking about.

Every bit of it depends.  But Microsoft developers need more parameters than
it depends so they come up with scenarios.  And they narrow those down out
of necessity.  If you fit in that scenario, your stuff is a tested scenario.
 If not, it's something they may have thought of but didn't think enough
customers would use and so didn't spend time testing thoroughly - aka if it
works, it was meant to do that. If it does not, what the ^%$# were you
thinking? Don't you read that (often non-existent) documentation that
explicitly says not to do that? Or didn't you know that it wouldn't work
like that? I mean, it's common sense right?

Anyhow, I always remember two things about consultants - without common
understanding, there can be no common sense (I ripped that off in case you
wonder) and everything should be explicitly written down.  When in doubt ask
for the project notes and verify that the information you're working off of
is explicitly stated and see if you can find out why. I can tell you if it's
a Microsoft employee, you should have no issue asking that person directly
to see if they can remember what the thinking was behind that and if that's
still considered a best practice in light of what you want to do.  It's
entirely possible that the way the question was asked, the answer makes
perfect sense (within that context anyway).  It's more probable the question
wasn't asked because nobody thought it was important to ask at the time.
Exchange folks rarely care about such things unless they also happen to be
deep in Directory Services - rare animal that can do that and carry on a
conversation with a non-geek ;)

Out of curiosity, what made you ask in the first place?



On 11/22/06, 

RE: [ActiveDir] ADAM silent install

2006-11-23 Thread Dmitri Gavrilov
Since the current user is not an ADAM admin, he is not able to import
LDIF files (since ldifde is launched in the current user's context). To get
around the problem, you must specify SourceUsername and SourcePassword
parameters in the unattend file.

 

Another option is to import the LDIFs manually or from script, after
ADAM install completes.

 

Dmitri

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 23, 2006 1:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM silent install

 

Hi 

I am trying to install ADAM unattended to be used for publishing Oracle
DB's. 

I would like to grant administrators from the local computer as ADAM
administrator and I would like to import some of the accompanying LDF
files.

; Specifies the Administrators within the AD\AM instance. 
Administrator=MYCOMPUTER\Administrators 

; The following line specifies the .ldf files to import into the ADAM
schema. 
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf 

However the install fails when I specify both options. The error
message is that the user has to be administrator to import .ldf files.
But the user installing the ADAM instance is already a member of
administrators. 

My current workaround is to comment out the ImportLDIFFiles statement
and import them after the instance has been created.

Just wondered if this was a known problem. 

/kkh 









Re: [ActiveDir] ADAM silent install

2006-11-23 Thread Lee Flight


Hi

I think the problem is with

 But the user installing the ADAM instance is already member
  of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and as
this is a unique instance installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is more 
secure.


Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:



Hi

I am trying to install ADAM unattended to be used for publishing Oracle DB's.

I would like to grant administrators from the local computer as ADAM 
administrator and I would like
to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error message is 
that the user has to
be administrator to import .ldf files. But the user installing the ADAM 
instance is already a member
of administrators.

My current workaround is to comment out the ImportLDIFFiles statement and 
import them after the
instance has been created.

Just wondered if this was a known problem.

/kkh








List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
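
The trade-off in the two replies above (SourceUsername/SourcePassword in the answer file versus importing the LDIFs after install), as an added example that is not code from the thread or from Microsoft: a pre-flight check that flags the failing Administrator plus ImportLDIFFiles combination and any plaintext password keys, and rewrites the file for the deferred-import workaround. The `[ADAMInstall]` section header, the `ServicePassword` key and the sample file are assumptions or constructed; the other key names are the ones quoted in the thread.

```python
"""Pre-flight check for an ADAM unattended answer file (added example)."""
import configparser

SECTION = "adaminstall"  # assumption: answer-file section name, matched case-insensitively
# SourcePassword is named in the thread; ServicePassword is an assumed second key.
PASSWORD_KEYS = ("sourcepassword", "servicepassword")

# Constructed sample: the two settings quoted in the thread under the assumed section header.
SAMPLE = r"""[ADAMInstall]
; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators
; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf
"""


def load_answers(text):
    """Parse the answer file; keys come back lower-cased, ';' lines are comments."""
    # interpolation=None so a '%' inside a password is kept literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    for name in parser.sections():
        if name.lower() == SECTION:
            return dict(parser[name])
    raise ValueError("no [ADAMInstall] section found")


def check_answers(text):
    """Return a list of (code, message) findings for the answer file."""
    answers = load_answers(text)
    findings = []

    ldifs = answers.get("importldiffiles", "").split()
    has_admin = bool(answers.get("administrator", "").strip())
    has_source = bool(answers.get("sourceusername", "").strip())
    # Behaviour described in the thread: with Administrator set, the LDIF
    # import runs as the installing user, who is not treated as an ADAM admin.
    if ldifs and has_admin and not has_source:
        findings.append((
            "IMPORT_WILL_FAIL",
            "Administrator and ImportLDIFFiles are both set without "
            "SourceUsername: " + ", ".join(ldifs),
        ))

    # Credentials in an answer file sit on disk in clear text.
    for key in PASSWORD_KEYS:
        if answers.get(key, "").strip():
            findings.append((
                "PLAINTEXT_PASSWORD",
                key + " holds a clear-text credential in the answer file",
            ))
    return findings


def defer_ldif_import(text):
    """Comment out ImportLDIFFiles and return (new_text, files_to_import_later)."""
    kept, deferred = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "importldiffiles":
            deferred.extend(value.split())
            kept.append("; deferred until after install: " + line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", deferred


if __name__ == "__main__":
    for code, message in check_answers(SAMPLE):
        print(code, "-", message)
    new_text, files = defer_ldif_import(SAMPLE)
    print("import after install:", files)
    print(new_text)
```
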


[ActiveDir] Scaling up with AD or ADAM?

2006-11-23 Thread [EMAIL PROTECTED]

Hi guys,

We're helping a customer design a large new directory, to use with an 
Extranet environment.  We see this thing scaling up to about 2 million 
active users, and up to about 10 million archival users (who no longer log 
in, but for various business reasons need to be kept around).


The active users are likely to log in every few days, and will be 
distributed around the globe.


Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale?

We're thinking separate directories BTW - a live one for the 2M users,
and an archive one for the 10M historical records.

Would you recommend ADAM?  With how many DCs if so?  (the web apps would
likely be hosted at a single site).

Perhaps full-fledged AD?  How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com




On Thu, 23 Nov 2006, Lee Flight wrote:



Hi

I think the problem is with

But the user installing the ADAM instance is already member
 of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and as
this is a unique instance installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is more 
secure.


Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:



Hi

I am trying to install ADAM unattended to be used for publishing Oracle 
DB's.


I would like to grant administrators from the local computer as ADAM 
administrator and I would like

to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM 
schema.

ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error message 
is that the user has to
be administrator to import .ldf files. But the user installing the ADAM 
instance is already a member

of administrators.

My current workaround is to comment out the ImportLDIFFiles statement and 
import them after the

instance has been created.

Just wondered if this was a known problem.

/kkh







RE: [ActiveDir] OT-Help with PFINFO fro Exchange 5.5

2006-11-23 Thread John Strongosky
Found it, had to use my home pc to get to the ftp link from Microsoft...

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, November 22, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Help with PFINFO fro Exchange 5.5

 

 Hi,

 

 Could someone please, please, please help me find the PFINFO.exe tool
for Exchange 5.5. 

I've found the ftp link for it on the Google group's message board but when
I try it, it says I don't have permissions. I also don't have access to the
Resource Kit for Win2k.

 

Reasons that someone out there should help me...

 

1.  I've asked nice... see my mom did raise me to be polite...
2.  You'll save the remaining hair I have on my head.
3.  Keep me from cursing
4.  I won't have to drink some Pepto-Bismol for my ulcer
5.  My wife will appreciate it, as it gives me gas when I drink
Pepto-Bismol.
6.  I'll be a hero to my co-workers, since we won't have to go thru all
our PF to look for Zombie users by hand
7.  It's the season

 

 

john

 



RE: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Brian Desmond
Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as
the numbers get larger. :)

With regard to your email address question, you can update the recipient
policy the RUS uses to automatically stamp everything with
[EMAIL PROTECTED] You would set your recipient policy to include
[EMAIL PROTECTED] to generate this for each object. Reference Q285136
for more info.

8 People for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname
format, is due to a dirsync process that runs once a day and reads
that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an
[EMAIL PROTECTED].
Later, the dirsync process adds [EMAIL PROTECTED], so
when mail goes out, sendmail rewrites the RHS portion of the smtp
addy.
if mailNickName is sAMAccountName, it doesn't work.


Sometimes during the provisioning process, the lan access guys  forget
to set this attribute to that value, so the exchange team was looking
for a way to automatically generate the value in the correct format,
kinda like displayName.

I just started here about 2 months ago, so i'm not completely sure how
the process works and i'm trying not to annoy everyone with too many
questions.

This is the first truly large corp i've ever worked for. Before i was
the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
member Exchange team for a 110,000 user bank that you've all heard of
and i guess i'm trying to wrap my head around how a org this size
works...
i'm actually kinda surprised no one on the exchange team knows how to
script or is very knowledgeable about AD.
Then again the AD team doesn't seem that knowledgeable about AD.

They just migrated from EX 5.5 to EX2K3 when i started, so i guess
they are trying to get up to speed with exchange.

i only made the MS comment because a corp this large seems to have a
lot of resources at MS and I saw that someone from MS did their EX2K3
design doc.
I'm not under the illusion that just because someone is from MS that
they know what they are doing but i guess i have illusions about
companies this size and that they would somehow get the better support
from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think I see the reason that it hasn't been as big a problem as it
could
 be. The id is not yet everywhere.  You will run into those collisions.
 Statistically (note, I'm not a statistician, but I sometimes play one
on the
 internet) your numbers are just too large not to.  When you hook in
MIIS,
 you'll start to see a lot of john smith's and you'll have to map them
and
 come up with rules to automatically resolve those if possible.  I
dunno
 though, you may be an organization that enjoys manual processes.

 Even for first.lastname for smtp addresses I'm reasonably sure there's
 either a really strong nepotism policy in your organization or you've
got
 some *process* that allows for making those unique.  I've worked in
much
 smaller shops that had such policies (sadly, no strong nepotism rule,
but
 that's another story altogether.)

 I second what joe says about not taking their word for anything.  I'll
go so
 far as to qualify that and say that the best answer you should get
from a
 consultant or on-site resource is it depends. What that really means
is
 that depending on the information available, your current best
practice as
 it was intended is to do x.  I can't begin to tell you how many things
that
 started from the product teams as the product only does this later
ends up
 to be,  for the love of insert your favorite deity here don't do
this!!!
  Think clustering and you'll know what I'm talking about.

 Every bit of it depends.  But Microsoft developers need more
parameters than
 it depends so they come up with scenarios.  And they narrow those
down out
 of necessity.  If you fit in that scenario, your stuff is a tested
scenario.
  If not, it's something they may have thought of but didn't think
enough
 customers would use and so didn't spend time testing thoroughly - aka
if it
 works, it was meant to do that. If it does not, what the ^%$# were you
 thinking? Don't you read that (often non-existent) documentation that
 explicitly says not to do that? Or didn't you know that it wouldn't
work
 like that? I mean, it's common sense right?

 Anyhow, I always remember two things about consultants - without
common
 understanding, there can be no common sense (I ripped that off in case
you
 wonder) and everything should be explicitly written down.  When in
doubt ask
 for the project notes and verify that the information you're working
off of
 is 

RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-23 Thread Victor W.
I am not sure if I interpreted you correctly. After reading your reply again
I now think you would go with the single quad because even with one quad,
cpu resources would not be an issue. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday 23 November 2006 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

You mean that it is in fact overkill. I have thought about this and I know
that it probably is. 2 Dual Cores will be probably overkill as well. Both
options probably being overkill, with one quad, we at least have the option
to add another one later in case this may be necessary and one quad will be
cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday 22 November 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core 
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be 
using this machine in a test lab only and will be testing mainly 
Exchange 2007 and simulating AD issues. We would like to deploy ESX 
3.0.1 (or the newest version) with several Exchange 2007 VM's and several 
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need 
to make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad 
Core, see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345 
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be 
available in January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the 
fact that if one Quad would not be enough, we could always plug in 
another one :-) at a later time. 

Any suggestions are greatly appreciated.


RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-23 Thread Brian Desmond
Yeah. I suspect you'll bottleneck on disk and memory before you do on
CPU, so 1 quad will get you more than enough, as would I suspect 1 dual.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, November 23, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal lab system

I am not sure if I interpreted you correctly. After reading your reply
again
I now think you would go with the single quad because even with one
quad,
cpu resources would not be an issue. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday 23 November 2006 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

You mean that it is in fact overkill. I have thought about this and I
know
that it probably is. 2 Dual Cores will be probably overkill as well.
Both
options probably being overkill, with one quad, we at least have the
option
to add another one later in case this may be necessary and one quad will
be
cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday 22 November 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core 
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be 
using this machine in a test lab only and will be testing mainly 
Exchange 2007 and simulating AD issues. We would like to deploy ESX 
3.0.1 (or the newest version) with several Exchange 2007 VM's and several 
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need 
to make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad 
Core, see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345 
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be 
available in January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the 
fact that if one Quad would not be enough, we could always plug in 
another one :-) at a later time. 

Any suggestions are greatly appreciated.


Re: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Tom Kern

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they don't.

It could have something to do with sharing the external domain with
exchange,lotus, and funmail, but i'm not totally sure.



Thanks!!
Happy Thanksgiving,btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:

Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as
the numbers get larger. :)

With regard to your email address question, you can update the recipient
policy the RUS uses to automatically stamp everything with
[EMAIL PROTECTED] You would set your recipient policy to include
[EMAIL PROTECTED] to generate this for each object. Reference Q285136
for more info.

8 People for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname
format, is due to a dirsync process that runs once a day and reads
that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an
[EMAIL PROTECTED].
Later, the dirsync process adds [EMAIL PROTECTED], so
when mail goes out, sendmail rewrites the RHS portion of the smtp
addy.
if mailNickName is sAMAccountName, it doesn't work.


Sometimes during the provisioning process, the lan access guys  forget
to set this attribute to that value, so the exchange team was looking
for a way to automatically generate the value in the correct format,
kinda like displayName.

I just started here about 2 months ago, so i'm not completely sure how
the process works and i'm trying not to annoy everyone with too many
questions.

This is the first truly large corp i've ever worked for. Before i was
the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
member Exchange team for a 110,000 user bank that you've all heard of
and i guess i'm trying to wrap my head around how a org this size
works...
i'm actually kinda surprised no one on the exchange team knows how to
script or is very knowledgeable about AD.
Then again the AD team doesn't seem that knowledgeable about AD.

They just migrated from EX 5.5 to EX2K3 when i started, so i guess
they are trying to get up to speed with exchange.

i only made the MS comment because a corp this large seems to have a
lot of resources at MS and I saw that someone from MS did their EX2K3
design doc.
I'm not under the illusion that just because someone is from MS that
they know what they are doing but i guess i have illusions about
companies this size and that they would somehow get the better support
from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think I see the reason that it hasn't been as big a problem as it could
 be. The id is not yet everywhere.  You will run into those collisions.
 Statistically (note, I'm not a statistician, but I sometimes play one on
 the internet) your numbers are just too large not to.  When you hook in
 MIIS, you'll start to see a lot of john smith's and you'll have to map
 them and come up with rules to automatically resolve those if possible.
 I dunno though, you may be an organization that enjoys manual processes.

 Even for first.lastname for smtp addresses I'm reasonably sure there's
 either a really strong nepotism policy in your organization or you've got
 some *process* that allows for making those unique.  I've worked in much
 smaller shops that had such policies (sadly, no strong nepotism rule, but
 that's another story altogether.)

 I second what joe says about not taking their word for anything.  I'll go
 so far as to qualify that and say that the best answer you should get from
 a consultant or on-site resource is it depends. What that really means is
 that depending on the information available, your current best practice as
 it was intended is to do x.  I can't begin to tell you how many things that
 started from the product teams as the product only does this later ends up
 to be,  for the love of insert your favorite deity here don't do this!!!
 Think clustering and you'll know what I'm talking about.

 Every bit of it depends.  But Microsoft developers need more parameters
 than it depends so they come up with scenarios.  And they narrow those down
 out of necessity.  If you fit in that scenario, your stuff is a tested
 scenario.  If not, it's something they may have thought of but didn't think
 enough customers would use and so didn't spend time testing thoroughly - aka
 if it works, it was meant to do that. If it does not, what the ^%$# were you
 thinking? Don't you read that (often non-existent) documentation that
 explicitly says not to do that? Or didn't you know that it wouldn't work
 like that? I 

RE: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Wells, James Arthur
Tom,

How is the external domain listed on the Enterprise Recipient Policy?  (especially 
the 'authoritative' checkbox).

SMTP domains being shared between multiple messaging environments gets pretty 
complicated, and Lotus and Exchange won't share a common LDAP instance for 
Sendmail to use.

I wonder why your config doesn't just have each messaging system set outgoing 
addresses and let Sendmail forward the traffic out as-is...

--James  


  

-Original Message-
From: Tom Kern [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 11/23/06 5:19 PM
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they don't.

It could have something to do with sharing the external domain with
exchange,lotus, and funmail, but i'm not totally sure.



Thanks!!
Happy Thanksgiving,btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:
 Hi Tom,

 Glad to hear you've moved on to bigger things. It only gets more fun as
 the numbers get larger. :)

 With regard to your email address question, you can update the recipient
 policy the RUS uses to automatically stamp everything with
 [EMAIL PROTECTED] You would set your recipient policy to include
 [EMAIL PROTECTED] to generate this for each object. Reference Q285136
 for more info.

 8 People for 110K mailboxes seems like a lot to me, but that's just me.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, November 23, 2006 9:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] mailNickName(OT)

 I ask because the reason mailNickName is in firstname.lastname
 format, is due to a dirsync process that runs once a day and reads
 that attribute to do an address rewrite.
 When a mailbox enabled user is created, the RUS stamps it with an
 [EMAIL PROTECTED].
 Later, the dirsync process adds [EMAIL PROTECTED], so
 when mail goes out, sendmail rewrites the RHS portion of the smtp
 addy.
 if mailNickName is sAMAccountName, it doesn't work.


 Sometimes during the provisioning process, the lan access guys  forget
 to set this attribute to that value, so the exchange team was looking
 for a way to automatically generate the value in the correct format,
 kinda like displayName.

 I just started here about 2 months ago, so i'm not completely sure how
 the process works and i'm trying not to annoy everyone with too many
 questions.

 This is the first truly large corp i've ever worked for. Before i was
 the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
 member Exchange team for a 110,000 user bank that you've all heard of
 and i guess i'm trying to wrap my head around how an org this size
 works...
 i'm actually kinda surprised no one on the exchange team knows how to
 script or is very knowledgeable about AD.
 Then again the AD team doesn't seem that knowledgeable about AD.

 They just migrated from EX 5.5 to EX2K3 when i started, so i guess
 they are trying to get up to speed with exchange.

 i only made the MS comment because a corp this large seems to have a
 lot of resources at MS and I saw that someone from MS did their EX2K3
 design doc.
 I'm not under the illusion that just because someone is from MS that
 they know what they are doing but i guess i have illusions about
 companies this size and that they would somehow get the better support
 from MS and other vendors.

 Thanks for your responses and help.

 On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think I see the reason that it hasn't been as big a problem as it
 could
  be. The id is not yet everywhere.  You will run into those collisions.
  Statistically (note, I'm not a statistician, but I sometimes play one
 on the
  internet) your numbers are just too large not to.  When you hook in
 MIIS,
  you'll start to see a lot of john smith's and you'll have to map them
 and
  come up with rules to automatically resolve those if possible.  I
 dunno
  though, you may be an organization that enjoys manual processes.
 
  Even for first.lastname for smtp addresses I'm reasonably sure there's
  either a really strong nepotism policy in your organization or you've
 got
  some *process* that allows for making those unique.  I've worked in
 much
  smaller shops that had such policies (sadly, no strong nepotism rule,
 but
  that's another story altogether.)
 
  I second what joe says about not taking their word for anything.  I'll
 go so
  far as to qualify that and say that the best answer you should get
 from a
  consultant or on-site resource is it depends. What that really means
 is
  that depending on the information available, your current best
 practice as
  it was intended is to do x.  I can't begin to tell you how many things
 that
  started from the product teams as the product only does this later
 ends up
  to be,  for the love of 

Re: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Tom Kern

Sharing can get complicated which is why they went this route.

Lotus and Exchange don't use a common ldap instance, so sendmail uses
dirX for ldap lookups for address rewriting.
the external addy is a proxy address in the policy NOT a primary
address(mail attribute).

I guess everyone in the corp wants to have the corp name.com as an
external addy, as far as i can see...:)

thanks

On 11/23/06, Wells, James Arthur [EMAIL PROTECTED] wrote:

Tom,

How is the external domain listed on the Enterprise Recipient Policy?  (especially 
the 'authoritative' checkbox).

SMTP domains being shared between multiple messaging environments gets pretty 
complicated, and Lotus and Exchange won't share a common LDAP instance for 
Sendmail to use.

I wonder why your config doesn't just have each messaging system set outgoing 
addresses and let Sendmail forward the traffic out as-is...

--James




-Original Message-
From: Tom Kern [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 11/23/06 5:19 PM
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they don't.

It could have something to do with sharing the external domain with
exchange,lotus, and funmail, but i'm not totally sure.



Thanks!!
Happy Thanksgiving,btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:
 Hi Tom,

 Glad to hear you've moved on to bigger things. It only gets more fun as
 the numbers get larger. :)

 With regard to your email address question, you can update the recipient
 policy the RUS uses to automatically stamp everything with
 [EMAIL PROTECTED] You would set your recipient policy to include
 [EMAIL PROTECTED] to generate this for each object. Reference Q285136
 for more info.

 8 People for 110K mailboxes seems like a lot to me, but that's just me.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, November 23, 2006 9:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] mailNickName(OT)

 I ask because the reason mailNickName is in firstname.lastname
 format, is due to a dirsync process that runs once a day and reads
 that attribute to do an address rewrite.
 When a mailbox enabled user is created, the RUS stamps it with an
 [EMAIL PROTECTED].
 Later, the dirsync process adds [EMAIL PROTECTED], so
 when mail goes out, sendmail rewrites the RHS portion of the smtp
 addy.
 if mailNickName is sAMAccountName, it doesn't work.


 Sometimes during the provisioning process, the lan access guys  forget
 to set this attribute to that value, so the exchange team was looking
 for a way to automatically generate the value in the correct format,
 kinda like displayName.

 I just started here about 2 months ago, so i'm not completely sure how
 the process works and i'm trying not to annoy everyone with too many
 questions.

 This is the first truly large corp i've ever worked for. Before i was
 the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
 member Exchange team for a 110,000 user bank that you've all heard of
 and i guess i'm trying to wrap my head around how an org this size
 works...
 i'm actually kinda surprised no one on the exchange team knows how to
 script or is very knowledgeable about AD.
 Then again the AD team doesn't seem that knowledgeable about AD.

 They just migrated from EX 5.5 to EX2K3 when i started, so i guess
 they are trying to get up to speed with exchange.

 i only made the MS comment because a corp this large seems to have a
 lot of resources at MS and I saw that someone from MS did their EX2K3
 design doc.
 I'm not under the illusion that just because someone is from MS that
 they know what they are doing but i guess i have illusions about
 companies this size and that they would somehow get the better support
 from MS and other vendors.

 Thanks for your responses and help.

 On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think I see the reason that it hasn't been as big a problem as it
 could
  be. The id is not yet everywhere.  You will run into those collisions.
  Statistically (note, I'm not a statistician, but I sometimes play one
 on the
  internet) your numbers are just too large not to.  When you hook in
 MIIS,
  you'll start to see a lot of john smith's and you'll have to map them
 and
  come up with rules to automatically resolve those if possible.  I
 dunno
  though, you may be an organization that enjoys manual processes.
 
  Even for first.lastname for smtp addresses I'm reasonably sure there's
  either a really strong nepotism policy in your organization or you've
 got
  some *process* that allows for making those unique.  I've worked in
 much
  smaller shops that had such policies (sadly, no strong nepotism rule,
 but
  that's another story altogether.)
 
  I second what joe says about not taking their word 

RE: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights

2006-11-23 Thread Michael B. Smith
Yeah, but don't try running it on vista.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP] 
Sent: Thursday, November 23, 2006 1:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Quickbooks really and truly will run without
Admin rights


http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCO
NTENTq=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted
+-+Standard+Userp=SG_QuickBooksPremier2007


KnowledgeBase Support

Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User

KB ID#: 1000152

Overview:

The information below is in regards to QuickBooks 2007 not running with 
Windows users who have been granted with restricted - standard user 
permissions:

When starting QuickBooks, it flashes and goes away. It sometimes shows 
the following error message and then goes away.

   LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator.

The folder permissions may have been changed by the domain policy so 
that QuickBooks cannot access some of the required folders under 
C:\Documents and Settings\All Users.

Make sure that the following folders have Full Control for Everyone:

   * C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
   * C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
   * C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
   * C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0

Please follow the steps below to change folder permissions:

  1. Right-click on the Start button and select Explore.
  2. Navigate to each first folder on the list above.
  3. Right click on the folder and select Properties.
  4. Click on the Security tab.
  5. Select Everyone in Group or user names.

Note: If Everyone is not listed in that window, click on Add, then type 
in Everyone in the Enter the object names to select and click OK. If 
the Multiple Names Found box pops up, select Everyone and click OK.

  6. Add a checkmark to the Full Control checkbox and click OK.
  7. Repeat steps 1-6 for each folder on the list above.






RE: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Brian Desmond
I don't understand your issue, then. Can you rehash it for me and I'll
make a second attempt?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they
don't.

It could have something to do with sharing the external domain with
exchange,lotus, and funmail, but i'm not totally sure.



Thanks!!
Happy Thanksgiving,btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:
 Hi Tom,

 Glad to hear you've moved on to bigger things. It only gets more fun
as
 the numbers get larger. :)

 With regard to your email address question, you can update the
recipient
 policy the RUS uses to automatically stamp everything with
 [EMAIL PROTECTED] You would set your recipient policy to
include
 [EMAIL PROTECTED] to generate this for each object. Reference Q285136
 for more info.

 8 People for 110K mailboxes seems like a lot to me, but that's just
me.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, November 23, 2006 9:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] mailNickName(OT)

 I ask because the reason mailNickName is in firstname.lastname
 format, is due to a dirsync process that runs once a day and reads
 that attribute to do an address rewrite.
 When a mailbox enabled user is created, the RUS stamps it with an
 [EMAIL PROTECTED].
 Later, the dirsync process adds [EMAIL PROTECTED], so
 when mail goes out, sendmail rewrites the RHS portion of the smtp
 addy.
 if mailNickName is sAMAccountName, it doesn't work.


 Sometimes during the provisioning process, the lan access guys  forget
 to set this attribute to that value, so the exchange team was looking
 for a way to automatically generate the value in the correct format,
 kinda like displayName.

 I just started here about 2 months ago, so i'm not completely sure how
 the process works and i'm trying not to annoy everyone with too many
 questions.

 This is the first truly large corp i've ever worked for. Before i was
 the AD/Exchange guy for a 3500 user financial firm. Now i'm on an 8
 member Exchange team for a 110,000 user bank that you've all heard of
 and i guess i'm trying to wrap my head around how an org this size
 works...
 i'm actually kinda surprised no one on the exchange team knows how to
 script or is very knowledgeable about AD.
 Then again the AD team doesn't seem that knowledgeable about AD.

 They just migrated from EX 5.5 to EX2K3 when i started, so i guess
 they are trying to get up to speed with exchange.

 i only made the MS comment because a corp this large seems to have a
 lot of resources at MS and I saw that someone from MS did their EX2K3
 design doc.
 I'm not under the illusion that just because someone is from MS that
 they know what they are doing but i guess i have illusions about
 companies this size and that they would somehow get the better support
 from MS and other vendors.

 Thanks for your responses and help.

 On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think I see the reason that it hasn't been as big a problem as it
 could
  be. The id is not yet everywhere.  You will run into those
collisions.
  Statistically (note, I'm not a statistician, but I sometimes play
one
 on the
  internet) your numbers are just too large not to.  When you hook in
 MIIS,
  you'll start to see a lot of john smith's and you'll have to map
them
 and
  come up with rules to automatically resolve those if possible.  I
 dunno
  though, you may be an organization that enjoys manual processes.
 
  Even for first.lastname for smtp addresses I'm reasonably sure
there's
  either a really strong nepotism policy in your organization or
you've
 got
  some *process* that allows for making those unique.  I've worked in
 much
  smaller shops that had such policies (sadly, no strong nepotism
rule,
 but
  that's another story altogether.)
 
  I second what joe says about not taking their word for anything.
I'll
 go so
  far as to qualify that and say that the best answer you should get
 from a
  consultant or on-site resource is it depends. What that really
means
 is
  that depending on the information available, your current best
 practice as
  it was intended is to do x.  I can't begin to tell you how many
things
 that
  started from the product teams as the product only does this later
 ends up
  to be,  for the love of insert your favorite deity here don't do
 this!!!
   Think clustering and you'll know what I'm talking about.
 
  Every bit of it depends.  But Microsoft developers need more
 parameters than
  it depends so they come up with scenarios.  And they narrow those
 down out

Re: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights

2006-11-23 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Patience. 


That's the next goal and will be rectified as well.

(Intuit beta tester and yes, they are doing a special beta for that)

Michael B. Smith wrote:

Yeah, but don't try running it on vista.
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP] 
Sent: Thursday, November 23, 2006 1:34 AM

To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Quickbooks really and truly will run without
Admin rights


http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCO
NTENTq=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted
+-+Standard+Userp=SG_QuickBooksPremier2007


KnowledgeBase Support

Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User

KB ID#: 1000152

Overview:

The information below is in regards to QuickBooks 2007 not running with 
Windows users who have been granted with restricted - standard user 
permissions:

When starting QuickBooks, it flashes and goes away. It sometimes shows 
the following error message and then goes away.

   LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator.

The folder permissions may have been changed by the domain policy so 
that QuickBooks cannot access some of the required folders under 
C:\Documents and Settings\All Users.


Make sure that the following folders have Full Control for Everyone:

   * C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
   * C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
   * C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
   * C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
   * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0


Please follow the steps below to change folder permissions:

  1. Right-click on the Start button and select Explore.
  2. Navigate to each first folder on the list above.
  3. Right click on the folder and select Properties.
  4. Click on the Security tab.
  5. Select Everyone in Group or user names.

Note: If Everyone is not listed in that window, click on Add, then type 
in Everyone in the Enter the object names to select and click OK. If 
the Multiple Names Found box pops up, select Everyone and click OK.


  6. Add a checkmark to the Full Control checkbox and click OK.
  7. Repeat steps 1-6 for each folder on the list above.
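
To see which of the folders listed in the KB article already carry an Everyone / Full Control entry before anything is changed, a read-only check can be run. This is an added example, not part of the KB article or of the posts above; the function name is hypothetical and the paths are the ones from the KB list.

```powershell
# Added example: report, per folder from the KB list, whether Everyone has an
# Allow ACE with Full Control that applies to the folder itself. Read-only.

$folders = @(
    'C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3',
    'C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client',
    'C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0',
    'C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007',
    'C:\Documents and Settings\All Users\Application Data\Common Files\Intuit',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0'
)

# Compare by SID so the check does not depend on the localized group name.
$everyone    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: returns 'Missing', 'NotGranted',
# 'FullControl (explicit)' or 'FullControl (inherited)'.
function Get-EveryoneFullControlState {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return 'Missing'
    }

    # Explicit and inherited ACEs, with identities translated to SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isEveryone      = $rule.IdentityReference -eq $everyone
        $isAllow         = $rule.AccessControlType -eq 'Allow'
        # Inherit-only ACEs affect children, not the folder being inspected.
        $appliesToFolder = ($rule.PropagationFlags -band $inheritOnly) -eq 0
        $isFull          = ($rule.FileSystemRights -band $fullControl) -eq $fullControl

        if ($isEveryone -and $isAllow -and $appliesToFolder -and $isFull) {
            if ($rule.IsInherited) { return 'FullControl (inherited)' }
            return 'FullControl (explicit)'
        }
    }
    # Note: Deny ACEs are not evaluated; this reports the Allow entry only.
    return 'NotGranted'
}

$folders |
    Select-Object @{ Name = 'Everyone'; Expression = { Get-EveryoneFullControlState -Path $_ } },
                  @{ Name = 'Folder';   Expression = { $_ } } |
    Format-Table -AutoSize -Wrap
```

'Missing' is expected for whichever of the two product folders (Enterprise Solutions 7.0 or Quickbooks 2007) is not installed.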






Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-23 Thread Joe Kaplan
That's a classic scenario for ADAM.  I wouldn't use AD for that as you just 
need bind auth for users of a web app.  AD actually gives you a ton of stuff 
you don't need and some additional complexity.  ADAM scales the same as AD, 
so there is no advantage from a scale point of view to use AD.


I'm not sure how you would achieve the goal of the archival users in a 
separate directory as I don't know how you'll be able to migrate the 
password data in ADAM to another ADAM store.  There might be a way, but I'm 
just not sure.


I'd suggest reading up on Eric Fleischman's blog to find out some 
interesting stuff on ADAM perf and scale.  The bottom line is that as long 
as you have the disk and the CPU to handle the data store, you shouldn't 
have any problem with an ADAM instance that size.  You are many orders of 
magnitude away from the actual limits in the system.


As I am now a huge fan of federation technologies, I feel I would be remiss 
if I didn't suggest the possibility of adding that into the mix with ADFS. 
It can make a nice wrapper around your ADAM instance to serve as an account 
store and having federation capability gives you an easy way to link in 
identities from within the enterprise and also to directly use the 
identities of your business partners without having to maintain them in your 
own store.  The identity lifecycle management costs of 2M+ users is not 
insignificant and users would generally rather not have to get a new account 
in your system to use it if they can avoid it.  Just a thought... :)


Joe K.

- Original Message - 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?



Hi guys,

We're helping a customer design a large new directory, to use with an 
Extranet environment.  We see this thing scaling up to about 2 million 
active users, and up to about 10 million archival users (who no longer log 
in, but for various business reasons need to be kept around).


The active users are likely to log in every few days, and will be 
distributed around the globe.


Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale?

We're thinking separate directories BTW - a live one for the 2M users,
and an archive one for the 10M historical records.

Would you recommend ADAM?  With how many DCs if so?  (the web apps would
likely be hosted at a single site).

Perhaps full-fledged AD?  How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com




On Thu, 23 Nov 2006, Lee Flight wrote:



Hi

I think the problem is with

But the user installing the ADAM instance is already member
 of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and as
this is a unique instance installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is 
more secure.


Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:



Hi

I am trying to install ADAM unattended to be used for publishing Oracle DB's.

I would like to grant administrators from the local computer as ADAM 
administrator and I would like to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error 
message is that the user has to be administrator to import .ldf files. 
But the user installing the ADAM instance is already 
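
The workaround from this thread (leave ImportLDIFFiles out of the answer file, then import the schema files once the instance exists), written out in PowerShell as an added example that is not part of the original posts. The answer-file path, instance name, ports and partition DN are assumptions; the Administrator setting and the two .ldf names come from the thread.

```powershell
# Added example: two-step unattended ADAM install.
# Step 1 installs the instance WITHOUT ImportLDIFFiles.
# Step 2 imports the schema files afterwards, run by an account that the
# Administrator= line has made an ADAM administrator.

$adamDir    = Join-Path $env:windir 'ADAM'            # ADAM binaries and .ldf files
$answerFile = 'C:\adam-answer.txt'                    # assumed path (no spaces)
$instance   = 'OracleNames'                           # assumed instance name
$ldapPort   = 50000                                   # assumed LDAP port
$sslPort    = 50001                                   # assumed SSL port
$partition  = 'O=Example,C=US'                        # assumed application partition
$ldifFiles  = 'MS-InetOrgPerson.ldf', 'MS-User.ldf'   # files named in the thread

# No SourceUsername/SourcePassword here, so the answer file holds no credentials.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instance
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionToCreate="$partition"
; Specifies the Administrators within the AD\AM instance.
Administrator=$($env:COMPUTERNAME)\Administrators
; ImportLDIFFiles is left out on purpose; the files are imported in step 2.
"@
Set-Content -LiteralPath $answerFile -Value $answer -Encoding ASCII

# Step 1: unattended install. Start-Process -Wait blocks until setup finishes.
$setup = Start-Process -FilePath (Join-Path $adamDir 'adaminstall.exe') `
                       -ArgumentList "/answer:$answerFile" -Wait -PassThru
# Assumption: a non-zero exit code means setup did not complete.
if ($setup.ExitCode -ne 0) {
    throw "adaminstall.exe exited with code $($setup.ExitCode)"
}

# Step 2: import each schema file into the new instance's schema partition.
# -k continues past "already exists" errors; -j sets the log directory;
# -c rewrites the placeholder DN in the .ldf to the instance's schema NC.
$ldifde = Join-Path $adamDir 'ldifde.exe'
foreach ($file in $ldifFiles) {
    & $ldifde -i -f (Join-Path $adamDir $file) -s "localhost:$ldapPort" -k -j $env:TEMP `
        -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
    if ($LASTEXITCODE -ne 0) {
        throw "Import of $file failed (ldifde exit code $LASTEXITCODE)"
    }
}
```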

Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-23 Thread [EMAIL PROTECTED]

Thanks, Joe.

I'll look up Eric's blog for metrics and such ASAP.  :-)

I was thinking ADAM was the likely choice - just wasn't sure how much
production experience folks had with it (it's still new-ish), or quite
how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely
came to mind.  This customer has some IBM TAM kicking around, so that's
another choice.  Later, in either case.

Migrating users from the live directory to the archival is no big deal
-- the reason we're engaged is to put our provisioning and password
management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO)
with ADAM?  Any pointers or horror stories we should know about?

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com




On Thu, 23 Nov 2006, Joe Kaplan wrote:

That's a classic scenario for ADAM.  I wouldn't use AD for that as you just 
need bind auth for users of a web app.  AD actually gives you a ton of stuff 
you don't need and some additional complexity.  ADAM scales the same as AD, 
so there is no advantage from a scale point of view to use AD.


I'm not sure how you would achieve the goal of the archival users in a 
separate directory as I don't know how you'll be able to migrate the password 
data in ADAM to another ADAM store.  There might be a way, but I'm just not 
sure.


I'd suggest reading up on Eric Fleischman's blog to find out some interesting 
stuff on ADAM perf and scale.  The bottom line is that as long as you have 
the disk and the CPU to handle the data store, you shouldn't have any problem 
with an ADAM instance that size.  You are many orders of magnitude away from 
the actual limits in the system.


As I am now a huge fan of federation technologies, I feel I would be remiss 
if I didn't suggest the possibility of adding that into the mix with ADFS. It 
can make a nice wrapper around your ADAM instance to serve as an account 
store and having federation capability gives you an easy way to link in 
identities from within the enterprise and also to directly use the identities 
of your business partners without having to maintain them in your own store. 
The identity lifecycle management costs of 2M+ users is not insignificant and 
users would generally rather not have to get a new account in your system to 
use it if they can avoid it.  Just a thought... :)


Joe K.

- Original Message - From: [EMAIL PROTECTED] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?



Hi guys,

We're helping a customer design a large new directory, to use with an 
Extranet environment.  We see this thing scaling up to about 2 million 
active users, and up to about 10 million archival users (who no longer log 
in, but for various business reasons need to be kept around).


The active users are likely to log in every few days, and will be 
distributed around the globe.


Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale?

We're thinking separate directories BTW - a live one for the 2M users,
and an archive one for the 10M historical records.

Would you recommend ADAM?  With how many DCs if so?  (the web apps would
likely be hosted at a single site).

Perhaps full-fledged AD?  How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


Visit M-Tech at the Gartner Identity and Access Management Summit:
  http://www.gartner.com/2_events/conferences/iam1_section.jsp
  November 29 -- December 1; Las Vegas; Booth D.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Visit M-Tech at the FinSec trade show:
  http://www.misti.com/default.asp?Page=65Return=70ProductID=5305
  December 4 -- 5; New York



RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-23 Thread Chadwick, David
Hi Victor,

ESX is licensed per CPU socket, so from that point of view a single
quad-core CPU is half the ESX licensing price of two dual-core CPUs.
Just something else to consider...

Cheers,
David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Friday, 24 November 2006 09:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal lab system

I am not sure if I interpreted you correctly. After reading your reply again
I now think you would go with the single quad because even with one quad,
cpu resources would not be an issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: donderdag 23 november 2006 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

You mean that it is in fact overkill. I have thought about this and I know
that it probably is. 2 Dual Cores will be probably overkill as well. Both
options probably being overkill, with one quad, we at least have the option
to add another one later in case this may be necessary and one quad will be
cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: woensdag 22 november 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core 
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be 
using this machine in a test lab only and will be testing mainly 
Exchange 2007 and simulating AD issues. We would like to deploy ESX 
3.0.1 (or the newest version) with several Exchange 2007 VM's and several 
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need 
to make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad 
Core, see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345 
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be 
available in January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the 
fact that if one Quad would not be enough, we could always plug in 
another one :-) at a later time. 

Any suggestions are greatly appreciated.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/