RE: [ActiveDir] BlackComb Super Forest Functional Mode
It is an interesting point to ponder, joe. Fast and flexible vs. slow and archaic. Hmm... Ok, I can buy some of that. But to bring a finer point to the conversation, you're saying that to provide a competitive advantage, major changes need to be in place? Push the envelope from a technology perspective? Drop the legacy so we can be more nimble?

I think we're dancing around the same tree to some degree, Joe. I think we need to provide some options to dispose of legacy options. We may disagree about the timelines and how we implement that change, but we can agree to kick the legacy out in favor of nimble and fast companies that don't cling to the past but embrace the future with eyes wide open.

Oh. Exchange wasn't the app I was thinking of, and it's not NetBios names, it's short name res that are the requirement (mostly for setup and some "legacy" components) ;) (No NetBios calls that I'm aware of). SMS on the other hand... That leads to the idea that Microsoft should clean its own house first. I'm all for that.

I'll go back to an earlier statement: Microsoft's value is that their products are good enough and they work well together (products from the same company) so as to reduce my ownership costs in terms of acquisition, integration/deployment, and learning curve/support. Does that make it right? Hmm. Not sure, but as with many things made, there is certainly room for improvement.

Like I said, I think some virtualization and some reliability are important. I think that I'd love to have that flexibility. I also think we need to understand what the security architecture needs to be before we go off and build to it. We'll need to have APIs, third-party apps, and a basket of figs. But we'll need to define the problem more clearly before we can answer the question. Is the problem the technology? Or the way it's used? If the latter, is that because of the technology? Can we make it better by severing ties to the legacy systems? Or is there value there?

Better yet, when is the value of today's technology no longer useful to those that own it? Is it when it costs more to maintain the legacy than it does to acquire, develop, and deploy the future? Or is it too late at that point? How do AD (same name?) identity, authentication, and authorization (IAA) systems fit into that?

-ajm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 11, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

> It's not MS software that relies on old API's? How do you explain WINS requirements?? ;)

Exchange does as Exchange does... They have no excuse for having a dependency on WINS, or more accurately NetBIOS name resolution, other than it still works so they didn't fix it. To be quite honest, I am not that worried about WINS. WINS is a simple name resolution system. I am more concerned about authentication/authorization and management of the environment APIs. WINS can be turned off right now if you are careful on how you do things; it can be a bit painful in some circumstances, but it is possible. The other things such as NET calls and old SAM requirements are absolutely impossible to turn off. You have no options.

At best Blackcomb is maybe 5 years out. 5 years is a loong time. Look at the difference between now and 2000 or 2000 and 1995. That is the time frame in which I am asking for the ability to optionally turn off legacy support, not entirely remove it. If Exchange and other apps can not correct their dependencies in that sort of time frame, I don't know what the answer is for them because it means MS can't really move forward too awfully well.

I understand big business pretty well and how it works, you know my history. I have had more than my share of conversations with Manufacturing Plant Managers[1] and various execs proclaiming "we make widgets not computers" and then using that as an excuse for nearly anything related to computers that they perceive may cause them to make one less widget a day. Companies that don't start to understand that the computers are what makes it so they can stay in business now and in the future are in for a bad time. If you want to look at something fun, look at major global manufacturing companies. The ones that are doing well and growing share like crazy are generally the ones that are fully jumping on board with updating and integrating their facilities with computers. The ones that are losing 20% a quarter are floundering around blaming their losses on everything that they don't feel is directly involved in making the widgets. Being slow and inflexible in the IT space is going to kill its share of big businesses in my opinion. They just can't compete with the others which are fast and flexible.
RE: [ActiveDir] BlackComb Super Forest Functional Mode
> It's not MS software that relies on old API's? How do you explain WINS requirements?? ;)

Exchange does as Exchange does... They have no excuse for having a dependency on WINS, or more accurately NetBIOS name resolution, other than it still works so they didn't fix it. To be quite honest, I am not that worried about WINS. WINS is a simple name resolution system. I am more concerned about authentication/authorization and management of the environment APIs. WINS can be turned off right now if you are careful on how you do things; it can be a bit painful in some circumstances, but it is possible. The other things such as NET calls and old SAM requirements are absolutely impossible to turn off. You have no options.

At best Blackcomb is maybe 5 years out. 5 years is a loong time. Look at the difference between now and 2000 or 2000 and 1995. That is the time frame in which I am asking for the ability to optionally turn off legacy support, not entirely remove it. If Exchange and other apps can not correct their dependencies in that sort of time frame, I don't know what the answer is for them because it means MS can't really move forward too awfully well.

I understand big business pretty well and how it works, you know my history. I have had more than my share of conversations with Manufacturing Plant Managers[1] and various execs proclaiming "we make widgets not computers" and then using that as an excuse for nearly anything related to computers that they perceive may cause them to make one less widget a day. Companies that don't start to understand that the computers are what makes it so they can stay in business now and in the future are in for a bad time. If you want to look at something fun, look at major global manufacturing companies. The ones that are doing well and growing share like crazy are generally the ones that are fully jumping on board with updating and integrating their facilities with computers. The ones that are losing 20% a quarter are floundering around blaming their losses on everything that they don't feel is directly involved in making the widgets. Being slow and inflexible in the IT space is going to kill its share of big businesses in my opinion. They just can't compete with the others which are fast and flexible.

joe

[1] Each of which was a supreme ruler in their own scope.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Each VM has its own support and patching problem, true. But I see that as the price for the flexibility.

It's not MS software that relies on old API's? How do you explain WINS requirements?? ;)

Like I said Joe, I see some benefit. I also see a lot of things that have been moved from the old API's. I see the older API's being phased out, although I think there was a lag in the product cycle before that was truly decided as a direction that made sense for the business. That's why today you "can" get access to domain information via WINNT (ADSI) providers or LDAP providers. Some applications that rely on NTLM can be easily made to work in an environment. It's a phased approach, vs a cutover. I think that's the smart approach and the one to follow.

I now think you're saying the same thing a different way. The only questions remaining are what that timeline looks like and what the benefits are. I don't see kerb going away either. I see the "fisher price" name that Microsoft put on it, as being a domain vs a realm. I agree that other apps that don't move to this model will eventually get left behind. Having just worked at a company struggling with OS2 migration and integration issues, I can tell you that it takes a while. If you force it, many companies will choose to ignore you and later blame you. Is that right? Is that good business? No to both, but a business is in place to make money and to do that, there is a give and take. You have to give and take, not just one or the other. There are a lot of implications to stretching faster than the market will bear. I think we've seen that with Novell, IBM, CA, and a host of other companies that tried to support products several revisions old while also supporting their new shiny products. It stretches the focus too wide and they get into a bean-counter rut where they decide to cut costs in the support area because it eats too much into profits and they have to make shareholders happy next week, etc.

The old ways of deploying the technology must die. Agreed. The timelines have to be decided and the implications considered. For some that means hurry up, because we have business issues to solve. For others, it means "what? I just upgraded to Windows 2000 SP2!!?"
RE: [ActiveDir] BlackComb Super Forest Functional Mode
If I recall correctly, we were talking about the scenarios that this would play in. We can deduce that we have the hardware to run at least 4 virtual instances of an OS on the same hardware in current software (R2). We can also deduce that one or several scenarios indicate that this would be useful because we often have a need for multiple domains (forests, trees, whatever) on the same hardware, in the same local network, but usually a separate server would be overkill. Why? I took that to be because the hardware has by far met the requirements asked. It's not often that we see DCs overly stressed on new hardware from what I've seen, unless of course you run Exchange, right? Not that it couldn't happen, just that it's not common in the scenarios where I'd want to put multiple domains/trees/etc. on the same hardware.

It was mentioned that a scenario might be similar to that of LPARs where I put test, pre-prod, and production on the same hardware with multiple network taps. Great. Are there that many companies that have a network that can support such a centralized model effectively? Or is it that most would be better served if we decentralize AD deployment to allow for local resources to save on network costs or running fiber across an entire nation?

Wouldn't it make sense to have an authentication and authorization server that can handle multiple NC/realms? If so, the question is if they should be totally separate, i.e. their own instance of an OS, or should they be in the same OS instance but be separated? You're saying there would be a performance hit. I'm thinking that hit would be tolerated and absorbed (up to a point) by the bigger/faster/cheaper hardware available. With x64 architecture, it's perfectly plausible to put that type of load and stress on a single piece of hardware. At some point, I'm thinking I'm going to run out of network resources before I run out of machine resources in these scenarios (pure speculation on my part, but it seems reasonable that I would run out of network bandwidth prior to having hardware bottlenecks on that platform for authentication and authorization services; I haven't seen enough companies with tens of thousands of workstations in one location or that can tolerate it across a WAN in every situation).

"I don't know what brought out that spout of abstract crap ..." Often it would be cheap bottled water with sparkly bubbles in it. So I've heard.

I think your CS teacher should rethink the concept and perhaps add some boundaries to it. Sure there's a cost, but does it make sense to think it should be slow forever?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, October 11, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

re: "some virtualization and isolation of processes and threads ..."

A CS teacher once told me that in general in computers whenever you hear the word "virtual", you can replace it with "slow" ...
- virtual memory (yeah, yeah I'm really thinking of paging, not VM, but I used a Mac first, so it stuck with me.)
- virtual machine
- virtual reality (though getting fastish these days)

But for the most part it is true. To actually virtualize threads, processes (and in this case we're probably thinking the subcomponents in lsass: Kerb, NTLM, SAM, LSA, AD) you may not be willing to pay the perf cost. And subsequently the hardware cost to handle the same load. Usually you don't need hard virtualization, just good architecture, to achieve most of the benefits of good isolation. Also there is a cost to isolation (whether through virtualization or architecture): it almost always implies "a hop", some sort of link that has a certain likelihood to break. In many circumstances isolation actually decreases overall system stability (and diagnosability often decreases too) for the purpose of taking in some sort of more dynamic flexibility.

I don't know what brought out that spout of abstract crap ...

Cheers,
-BrettSh [msft]

On Tue, 11 Oct 2005, Al Mulnick wrote:

> You know what would really be great? If Microsoft were to make it so that the architecture didn't allow those quirky little things that occur in the products when they are deployed together on the same machines. Like Exchange not using any other DC if it's deployed on a DC type of quirk.
>
> Some real virtualization and isolation of processes and threads so that if something were to crash (heavens forbid) it couldn't make a big mess of the rest of the platform. Across all product lines.
>
> Why?
>
> Because the real value Microsoft has over other products out there is that their produ
RE: [ActiveDir] BlackComb Super Forest Functional Mode
re: "some virtualization and isolation of processes and threads ..."

A CS teacher once told me that in general in computers whenever you hear the word "virtual", you can replace it with "slow" ...
- virtual memory (yeah, yeah I'm really thinking of paging, not VM, but I used a Mac first, so it stuck with me.)
- virtual machine
- virtual reality (though getting fastish these days)

But for the most part it is true. To actually virtualize threads, processes (and in this case we're probably thinking the subcomponents in lsass: Kerb, NTLM, SAM, LSA, AD) you may not be willing to pay the perf cost. And subsequently the hardware cost to handle the same load. Usually you don't need hard virtualization, just good architecture, to achieve most of the benefits of good isolation. Also there is a cost to isolation (whether through virtualization or architecture): it almost always implies "a hop", some sort of link that has a certain likelihood to break. In many circumstances isolation actually decreases overall system stability (and diagnosability often decreases too) for the purpose of taking in some sort of more dynamic flexibility.

I don't know what brought out that spout of abstract crap ...

Cheers,
-BrettSh [msft]

On Tue, 11 Oct 2005, Al Mulnick wrote:

> You know what would really be great? If Microsoft were to make it so that the architecture didn't allow those quirky little things that occur in the products when they are deployed together on the same machines. Like Exchange not using any other DC if it's deployed on a DC type of quirk.
>
> Some real virtualization and isolation of processes and threads so that if something were to crash (heavens forbid) it couldn't make a big mess of the rest of the platform. Across all product lines.
>
> Why?
>
> Because the real value Microsoft has over other products out there is that their products have the same look and feel and work together easily which translates to lower integration/acquisition/deployment costs if I use their products. If I try to "save" money by going with something else that I have to customize in-house, I may not be able to do so as well, as easily or as cost-effectively.
>
> Because eventually I have to pay the programmers, architects, and support costs and since I'm not a tech company, I am not geared to do that. I can either lower my quality, my expectations, or my costs, but likely not all three if I roll my own large products.
>
> Seriously, getting rid of legacy baggage is fine and dandy as long as there is a reason other than complaining. I notice that the *nix crowd has their own problems. If I were to write something for a *nix platform, my first choice is to figure out which manufacturer? Then which version. Then what hardware platform in some cases. I don't have that with Microsoft products to the same extent. To me, they sit somewhere between Macintosh/Mainframe and *nix platforms. Mac/MF is very controlled in terms of revision and hardware (from the manufacturer of course). *nix is more open if you include the linux crowd which makes stability much more difficult. Microsoft is x86/x64 based. Some choices, but also a lot of same old at the OS level.
>
> If I were to write an app, it would likely be targeted at WindowsXP first. Then I'd figure out a path to go to some of the intel based *nix distros. Several companies are going the other direction as well, from *nix platforms to Windows to follow the customers. But the reason I would take that approach is to get the app to the widest possible audience first and then chase the other customers.
>
> Kill the legacy. Ok. Timelines and how you get the app developer ecosystem to come along or be there first are the questions to answer.
>
> Does that mean scrapping the domain model? Hmm... Not sure. Does it mean scrapping the security model? Maybe. What about blurring lines between my network and your network? Better do that else risk being left in the closet.
>
> What about the desktops? Anything radical? Depends on above I think, as long as the NOS concept stays intact. Should it?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, October 10, 2005 8:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
> Again, I am speaking legacy baggage. If you were a UNIX developer, would you rather stick to writing to old proprietary interfaces or using standards based interfaces like LDAP and Kerberos, etc. Again, all of the in
Re: [ActiveDir] BlackComb Super Forest Functional Mode
IMHO, that's a legacy app viewpoint where folks are still deploying Windows 2000 because of legacy apps. I'm full borg here. Why couldn't you 'opt in' if you wanted to when you had full borg. There are settings now... auth methods, smb signing, etc. like that now that kill off backwards compatibility... why the difference if the client had a flip switch?

I honestly don't think any established OS in this day and age with an established market share is going to put up an OS that cannot be gracefully migrated to or joined to talk to another OS. No one can afford to rip and replace and the reality is your beancounters will never let you rip out and replace. Look at the financial and banking institutions with NTs around --and btw can I have a listing of all of these firms that are still hesitating on ripping out NT legacy domains --so in particular if I do any sort of business with you guys on a personal basis so I can decide if I like the domain designs you guys are doing and move my money accordingly? ;-)

BTW just heard that they are now charging for the DSclient hotfix for Win98. It's no longer free [hooray...kill off those 98s!]

[EMAIL PROTECTED] wrote:

Why would you want to have them several years earlier available? - a period of time would be required for testing and deployment.

I don't see this feature (although major) anything different than the 'native mode' switch you have in AD and Exchange. - I disagree. Joe suggested that a newer client would be needed to support the new mode. This is fundamentally different to previous modes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
Sent: 10 October 2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Why would you want to have them several years earlier available? I don't see this feature (although major) anything different than the 'native mode' switch you have in AD and Exchange. Once you have upgraded everything to BlackComb you could make the switch. Might even help moving people to the new OS quicker. :)

Martin Tuip
MVP Exchange

-- Original Message --
From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 10 Oct 2005 16:45:03 +0100

2 immediate comments:
- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To:
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 Octo
RE: [ActiveDir] BlackComb Super Forest Functional Mode
You know what would really be great? If Microsoft were to make it so that the architecture didn't allow those quirky little things that occur in the products when they are deployed together on the same machines. Like Exchange not using any other DC if it's deployed on a DC type of quirk.

Some real virtualization and isolation of processes and threads so that if something were to crash (heavens forbid) it couldn't make a big mess of the rest of the platform. Across all product lines.

Why?

Because the real value Microsoft has over other products out there is that their products have the same look and feel and work together easily which translates to lower integration/acquisition/deployment costs if I use their products. If I try to "save" money by going with something else that I have to customize in-house, I may not be able to do so as well, as easily or as cost-effectively.

Because eventually I have to pay the programmers, architects, and support costs and since I'm not a tech company, I am not geared to do that. I can either lower my quality, my expectations, or my costs, but likely not all three if I roll my own large products.

Seriously, getting rid of legacy baggage is fine and dandy as long as there is a reason other than complaining. I notice that the *nix crowd has their own problems. If I were to write something for a *nix platform, my first choice is to figure out which manufacturer? Then which version. Then what hardware platform in some cases. I don't have that with Microsoft products to the same extent. To me, they sit somewhere between Macintosh/Mainframe and *nix platforms. Mac/MF is very controlled in terms of revision and hardware (from the manufacturer of course). *nix is more open if you include the linux crowd which makes stability much more difficult. Microsoft is x86/x64 based. Some choices, but also a lot of same old at the OS level.

If I were to write an app, it would likely be targeted at WindowsXP first. Then I'd figure out a path to go to some of the intel based *nix distros. Several companies are going the other direction as well, from *nix platforms to Windows to follow the customers. But the reason I would take that approach is to get the app to the widest possible audience first and then chase the other customers.

Kill the legacy. Ok. Timelines and how you get the app developer ecosystem to come along or be there first are the questions to answer.

Does that mean scrapping the domain model? Hmm... Not sure. Does it mean scrapping the security model? Maybe. What about blurring lines between my network and your network? Better do that else risk being left in the closet.

What about the desktops? Anything radical? Depends on above I think, as long as the NOS concept stays intact. Should it?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Again, I am speaking legacy baggage. If you were a UNIX developer, would you rather stick to writing to old proprietary interfaces or using standards based interfaces like LDAP and Kerberos, etc. Again, all of the integration going on now is working in those areas. Those areas will move fine into the new realms. It is the old NET based stuff that needs to be burned out of the product. Exactly the stuff that all of the non-MS folks have bitched about year after year. Dumping the legacy gives us a chance to move forward and not be stuck with the idea that a DC is x and can't be anything but x.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Hmm... No, I disagree joe. Microsoft does need to worry about adoption of their products and any barriers, real or imagined, to that adoption. *nix integration is a reality. Get used to it. Be sure to take it into account for future releases. Be sure to protect the investment of your developer followers [1]. Create a framework that developers can develop to and be somewhat future proof else your customers won't adopt your products.

Remember, customers don't buy operating systems for the sake of the operating system, they buy them for what they do and what they contribute to their business. It's the applications that the company wants to run that cause people to buy a new OS and new hw. 64bit computing would be a great example of that. And MS gets it as evidenced by their strategy to embrace the developers prior to the release. It's about the applications not the OS. It's just that the applications don't exist without a solid foundation such as a really strong, reliable, and easy to maintain OS running the hardware. It t
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Each VM has its own support and patching problem, true. But I see that as the price for the flexibility.

It's not MS software that relies on old API's? How do you explain WINS requirements?? ;)

Like I said Joe, I see some benefit. I also see a lot of things that have been moved from the old API's. I see the older API's being phased out, although I think there was a lag in the product cycle before that was truly decided as a direction that made sense for the business. That's why today you "can" get access to domain information via WINNT (ADSI) providers or LDAP providers. Some applications that rely on NTLM can be easily made to work in an environment. It's a phased approach, vs a cutover. I think that's the smart approach and the one to follow.

I now think you're saying the same thing a different way. The only questions remaining are what that timeline looks like and what the benefits are. I don't see kerb going away either. I see the "fisher price" name that Microsoft put on it, as being a domain vs a realm. I agree that other apps that don't move to this model will eventually get left behind. Having just worked at a company struggling with OS2 migration and integration issues, I can tell you that it takes a while. If you force it, many companies will choose to ignore you and later blame you. Is that right? Is that good business? No to both, but a business is in place to make money and to do that, there is a give and take. You have to give and take, not just one or the other. There are a lot of implications to stretching faster than the market will bear. I think we've seen that with Novell, IBM, CA, and a host of other companies that tried to support products several revisions old while also supporting their new shiny products. It stretches the focus too wide and they get into a bean-counter rut where they decide to cut costs in the support area because it eats too much into profits and they have to make shareholders happy next week, etc.

The old ways of deploying the technology must die. Agreed. The timelines have to be decided and the implications considered. For some that means hurry up, because we have business issues to solve. For others, it means "what? I just upgraded to Windows 2000 SP2!!?"

I'm interested to see if it's just new names and paint, or if it's truly revolutionary tools and products that come out of the next wave of products from Microsoft and their app developers. I think there's still plenty of room for improvement for the way products are packaged, documented, and supported. Plenty. I think the supporting tools and the strategy for what will be included and what will be left to third-party companies need to be tuned on an ongoing basis.

-ajm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Jumping to redhat doesn't give you a migration strategy, it is simply jump! What I am describing is a mode that lets you say when to jump. In the meanwhile, you can work towards it with the current environment. At some point you say, well everything should be using the new stuff, bam. Note I am not saying screw everything non-MS, I am saying screw everything that hasn't started moving from the old crap. The MACs and Samba packages that are using LDAP and Kerberos for instance would almost certainly be perfectly fine as I don't see MS moving from those, plus they support multiple backend hierarchies; a domain model isn't required, a single domain on a DC isn't required. However if they are still using Auth/Authz routines that were old a long time ago, those need to die. Those old code paths need to die. This isn't just about being able to run multiple domains on a single DC, it is about revamping the whole domain concept and losing all of the legacy holdbacks we currently have.

Often I hear things that people say MS should do and the reason MS can't do it is because it is tied to APIs that are well over a decade old. When you really get down to it, the stuff that is non-MS that depends on MS now wasn't written by MS, the chances are good that people are going to fix it because nothing has changed in the reasons why it was done in the first place.

As for adding more and more servers and virtualized instances. I don't like the idea even if they are virtualized. Each one is its own support and patching problem.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Well, that's really my point. You can't really take away som
RE: [ActiveDir] BlackComb Super Forest Functional Mode
> Why would you want to have them several years earlier available?

- A period of time would be required for testing and deployment.

> I don't see this feature (although major) anything different than the 'native mode' switch you have in AD and Exchange.

- I disagree. Joe suggested that a newer client would be needed to support the new mode. This is fundamentally different to previous modes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
Sent: 10 October 2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Why would you want to have them several years earlier available? I don't see this feature (although major) anything different than the 'native mode' switch you have in AD and Exchange. Once you have upgraded everything to BlackComb you could make the switch. Might even help moving people to the new OS quicker. :)

Martin Tuip
MVP Exchange

-- Original Message --
From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 10 Oct 2005 16:45:03 +0100

>2 immediate comments:
>
> - Blackcomb clients would need to be available several years before the blackcomb server.
> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]
>
>neil
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: 10 October 2005 15:32
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
>To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs are affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability?
>
>Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, October 10, 2005 10:10 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.
>
>I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work a SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?
>
>[1] LDAP is not an authentication protocol; Kerberos is though.
>
>-ajm
>CCBW
>
>>From: <[EMAIL PROTECTED]>
>>Reply-To: ActiveDir@mail.activedir.org
>>To:
>>Subject: RE: [ActiveDir] Active Directory wish list
>>Date: Mon, 10 Oct 2005 08:52:25 +0100
>>
>>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
>>Sent: 06 October 2005 01:51
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>I'd be surprised if we see this in my lifetime, or at least before I retire.
>>
>>Ed Crowley MCSE+Internet MVP
>>Freelance E-Mail Philosopher
>>Protecting the world from PSTs and Bricked Backups!™
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>>Sent: Wednesday, October 05, 2005 2:34 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
>>I already run
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Again, I am speaking legacy baggage. If you were a UNIX developer, would you rather stick to writing to old proprietary interfaces or using standards based interfaces like LDAP and Kerberos, etc.? Again, all of the integration going on now is working in those areas. Those areas will move fine into the new realms. It is the old NET based stuff that needs to be burned out of the product. Exactly the stuff that all of the non-MS folks have bitched about year after year. Dumping the legacy gives us a chance to move forward and not be stuck with the idea that a DC is x and can't be anything but x.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Hmm... No, I disagree joe. Microsoft does need to worry about adoption of their products and any barriers, real or imagined, to that adoption. *nix integration is a reality. Get used to it. Be sure to take it into account for future releases. Be sure to protect the investment of your developer followers [1]. Create a framework that developers can develop to and be somewhat future proof, else your customers won't adopt your products.

Remember, customers don't buy operating systems for the sake of the operating system, they buy them for what they do and what they contribute to their business. It's the applications that the company wants to run that cause people to buy new OS and new hw. 64bit computing would be a great example of that. And MS gets it as evidenced by their strategy to embrace the developers prior to the release. It's about the applications not the OS. It's just that the applications don't exist without a solid foundation such as a really strong, reliable, and easy to maintain OS running the hardware. It takes time to build the ecosystem, but adoption only happens when there is a compelling reason. Apps are that reason.

[1] Developers! Developers! Developers! ~ SteveB [2]
[2] remember why he said that? Because they totally dissed the dev community prior to that. Badly. And paid the price for it.[3]
[3] why do people pick Microsoft in the first place? Because they have the absolute latest and greatest technology? Nope. Because they have the best technology? Nope (seen RMS lately? I rest that case) Because they have the most applications written for their platform? Yep. Can't swing a dead cat without hitting a MS application. Even open source writes apps that run on Windows because they want their apps adopted.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

> - Blackcomb clients would need to be available several years before the blackcomb server.

Well no, that is why you have the functional mode associated with it. It doesn't just happen, the customer chooses to do it. Someone setting up a brand new environment would be good to go immediately. Someone with legacy that they are trying to clean up could take as long as they like. The benefit is that it is a step forward.

> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

By the vendors who supply those clients and the people who have them deployed, yes. Not MS. Part of the reason we are stuck with so much legacy baggage is due to MS worrying so much about the legacy clients that they do not control. There are some great blogs out there of stuff MS has done to make it so incorrectly written apps work with their changes and results in all sorts of special cases in the OS. That is the kind of stuff I would like to see going away. It makes MS more limber and hopefully less chance for weird corner cases.

The new model may not look anything like the current model; the fact that you have a functional mode to jump to this mode allows the customer to choose when to go to it. At some point, maybe two revs past Blackcomb, that new mode is the mode Windows uses and all legacy is gone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel abou
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Jumping to redhat doesn't give you a migration strategy, it is simply jump! What I am describing is a mode that lets you say when to jump. In the meanwhile, you can work towards it with the current environment. At some point you say, well everything should be using the new stuff, bam. Note I am not saying screw everything non-MS, I am saying screw everything that hasn't started moving from the old crap. The MACs and Samba packages that are using LDAP and Kerberos for instance would almost certainly be perfectly fine as I don't see MS moving from those, plus they support multiple backend hierarchies; a domain model isn't required, a single domain on a DC isn't required. However if they are still using Auth/Authz routines that were old a long time ago, those need to die. Those old code paths need to die. This isn't just about being able to run multiple domains on a single DC, it is about revamping the whole domain concept and losing all of the legacy holdbacks we currently have.

Often I hear things that people say MS should do and the reason MS can't do it is because it is tied to APIs that are well over a decade old. When you really get down to it, the stuff that is non-MS that depends on MS now wasn't written by MS; the chances are good that people are going to fix it because nothing has changed in the reasons why it was done in the first place.

As for adding more and more servers and virtualized instances, I don't like the idea even if they are virtualized. Each one is its own support and patching problem.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Well, that's really my point. You can't really take away some of those "apps" that exist today. They're too ingrained in the way people use the technology. They really are the value add at the core of the product.

Otherwise, this would be fine by me: http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built in headache to manage. But it also has a LOT less functionality that I need which is provided by those apps that will one day be legacy.

I can be open-minded and forward thinking. Let's just leave it at "provide same or better functionality" as I get now to provide the push I need to move to a new paradigm [1]. But if you plan to take that away, then I don't see the value you provide (at this point). If you do provide a complete instance for each of those, how does that differ from the VM path? Am I just missing the concept here? I hate to be so close-minded that I miss the point, but I also don't want to be so open-minded my brains fall out. I need a boundary in an open forum. Just a beer in a closed forum.

Seriously Joe, I get the concept of wanting this type of functionality. What I don't get is the value it adds. It comes across as a lot of trouble for a gee-whiz feature with no substance that helps me attain my business goals. I'm more of the DC in a VM camp because I prefer the isolation. Is that old-school? I don't know. Does that help others out? Not sure. Would putting multiple domains on the same piece of hardware be helpful? Without a doubt. Does it need to be in the same instance of the hard. Yep. Does that mean that there could be multiple instances that all are self-contained ADs complete with kerberos, dns, dhcp, wins (collectively name res because one of those should not be in BC release; I'll let you decide which one), GPO, etc? I don't buy into that as having a tremendous amount of value. It would be nice to be able to do it for a lot of the multi-forest models (test forest, production forest, exchange forest, Bob's spam forest, etc) but I don't know that effort should be spent to do it that way vs. using virtualization of the entire OS. I see some stability issues that could come about that I'm not comfortable with. I see some authentication and administration issues I'm not comfortable with. I don't see a value in terms of hardware savings. That's not the issue IMHO. I can achieve that today and be very happy with it.

Don't get me wrong, I DO think that a service based AD is certainly needed. Especially for maintenance and troubleshooting, but that's a different issue that's much more easily solved. But putting three, four, five, etc authentication realms on the same hardware in the same OS instance doesn't buy me much that I can see. I don't see a cost savings. I don't see a reliability gain. I don't see it being worth the upgrade PITA. I do see it would be cool. I don't see it as being faster to restore thereby achieving a higher service reliability.

Not to be long-winded, but I think I m
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Hmm... No, I disagree joe. Microsoft does need to worry about adoption of their products and any barriers, real or imagined, to that adoption. *nix integration is a reality. Get used to it. Be sure to take it into account for future releases. Be sure to protect the investment of your developer followers [1]. Create a framework that developers can develop to and be somewhat future proof, else your customers won't adopt your products.

Remember, customers don't buy operating systems for the sake of the operating system, they buy them for what they do and what they contribute to their business. It's the applications that the company wants to run that cause people to buy new OS and new hw. 64bit computing would be a great example of that. And MS gets it as evidenced by their strategy to embrace the developers prior to the release. It's about the applications not the OS. It's just that the applications don't exist without a solid foundation such as a really strong, reliable, and easy to maintain OS running the hardware. It takes time to build the ecosystem, but adoption only happens when there is a compelling reason. Apps are that reason.

[1] Developers! Developers! Developers! ~ SteveB [2]
[2] remember why he said that? Because they totally dissed the dev community prior to that. Badly. And paid the price for it.[3]
[3] why do people pick Microsoft in the first place? Because they have the absolute latest and greatest technology? Nope. Because they have the best technology? Nope (seen RMS lately? I rest that case) Because they have the most applications written for their platform? Yep. Can't swing a dead cat without hitting a MS application. Even open source writes apps that run on Windows because they want their apps adopted.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

> - Blackcomb clients would need to be available several years before the blackcomb server.

Well no, that is why you have the functional mode associated with it. It doesn't just happen, the customer chooses to do it. Someone setting up a brand new environment would be good to go immediately. Someone with legacy that they are trying to clean up could take as long as they like. The benefit is that it is a step forward.

> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

By the vendors who supply those clients and the people who have them deployed, yes. Not MS. Part of the reason we are stuck with so much legacy baggage is due to MS worrying so much about the legacy clients that they do not control. There are some great blogs out there of stuff MS has done to make it so incorrectly written apps work with their changes and results in all sorts of special cases in the OS. That is the kind of stuff I would like to see going away. It makes MS more limber and hopefully less chance for weird corner cases.

The new model may not look anything like the current model; the fact that you have a functional mode to jump to this mode allows the customer to choose when to go to it. At some point, maybe two revs past Blackcomb, that new mode is the mode Windows uses and all legacy is gone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs are affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just f
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Well, that's really my point. You can't really take away some of those "apps" that exist today. They're too ingrained in the way people use the technology. They really are the value add at the core of the product.

Otherwise, this would be fine by me: http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built in headache to manage. But it also has a LOT less functionality that I need which is provided by those apps that will one day be legacy.

I can be open-minded and forward thinking. Let's just leave it at "provide same or better functionality" as I get now to provide the push I need to move to a new paradigm [1]. But if you plan to take that away, then I don't see the value you provide (at this point). If you do provide a complete instance for each of those, how does that differ from the VM path? Am I just missing the concept here? I hate to be so close-minded that I miss the point, but I also don't want to be so open-minded my brains fall out. I need a boundary in an open forum. Just a beer in a closed forum.

Seriously Joe, I get the concept of wanting this type of functionality. What I don't get is the value it adds. It comes across as a lot of trouble for a gee-whiz feature with no substance that helps me attain my business goals. I'm more of the DC in a VM camp because I prefer the isolation. Is that old-school? I don't know. Does that help others out? Not sure. Would putting multiple domains on the same piece of hardware be helpful? Without a doubt. Does it need to be in the same instance of the hard. Yep. Does that mean that there could be multiple instances that all are self-contained ADs complete with kerberos, dns, dhcp, wins (collectively name res because one of those should not be in BC release; I'll let you decide which one), GPO, etc? I don't buy into that as having a tremendous amount of value. It would be nice to be able to do it for a lot of the multi-forest models (test forest, production forest, exchange forest, Bob's spam forest, etc) but I don't know that effort should be spent to do it that way vs. using virtualization of the entire OS. I see some stability issues that could come about that I'm not comfortable with. I see some authentication and administration issues I'm not comfortable with. I don't see a value in terms of hardware savings. That's not the issue IMHO. I can achieve that today and be very happy with it.

Don't get me wrong, I DO think that a service based AD is certainly needed. Especially for maintenance and troubleshooting, but that's a different issue that's much more easily solved. But putting three, four, five, etc authentication realms on the same hardware in the same OS instance doesn't buy me much that I can see. I don't see a cost savings. I don't see a reliability gain. I don't see it being worth the upgrade PITA. I do see it would be cool. I don't see it as being faster to restore thereby achieving a higher service reliability.

Not to be long-winded, but I think I may just not be seeing it the right way. I may be thinking in terms of today's architecture and that it is so tied to the registry (For the love of is that???) that it would not be truly separated in tomorrow's implementation. That's likely a wrong assumption and I can easily get over that. But I don't see the effort paying off if I have to discard 10 years of legacy software applications and process trash to get to a point where I save a few dollars on hardware vs. using VM technology (software or hardware based doesn't matter to me in this conversation although I would prefer hardware to alleviate any cross-over ties to the OS in case of failure; totally autonomous and hardware separated [2]).

[1] Buzz-word-bingo champ, cubicle farm #3, cubicle cluster #2 - 1998
[2] Right. So any gains in hardware ability have historically resulted in higher prices. That would likely negate the savings I might have had if I had gone with multiple smaller hardware devices or if I had used software VM [3]
[3] It's almost circular logic at some point

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Don't get lost in the details yet. I tried to give a specific example to help clarify the general concept of "I have a switch labeled Hurray that shuts off legacy support"; it launches Windows into a whole new non-NT compatible auth/authz system. It seems to me if we keep the legacy stuff in there, it is never going to go away because there is no impetus for it to go away.

Then again, maybe ADAM is the new model... Companies switch to using ADAM for auth/authz entirely and away from
RE: [ActiveDir] BlackComb Super Forest Functional Mode
> - Blackcomb clients would need to be available several years before the blackcomb server.

Well no, that is why you have the functional mode associated with it. It doesn't just happen, the customer chooses to do it. Someone setting up a brand new environment would be good to go immediately. Someone with legacy that they are trying to clean up could take as long as they like. The benefit is that it is a step forward.

> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

By the vendors who supply those clients and the people who have them deployed, yes. Not MS. Part of the reason we are stuck with so much legacy baggage is due to MS worrying so much about the legacy clients that they do not control. There are some great blogs out there of stuff MS has done to make it so incorrectly written apps work with their changes and results in all sorts of special cases in the OS. That is the kind of stuff I would like to see going away. It makes MS more limber and hopefully less chance for weird corner cases.

The new model may not look anything like the current model; the fact that you have a functional mode to jump to this mode allows the customer to choose when to go to it. At some point, maybe two revs past Blackcomb, that new mode is the mode Windows uses and all legacy is gone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs are affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work a SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To:
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!™
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
>I already ru
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Don't get lost in the details yet. I tried to give a specific example to help clarify the general concept of "I have a switch labeled Hurray that shuts off legacy support"; it launches Windows into a whole new non-NT compatible auth/authz system. It seems to me if we keep the legacy stuff in there, it is never going to go away because there is no impetus for it to go away.

Then again, maybe ADAM is the new model... Companies switch to using ADAM for auth/authz entirely and away from AD. However, that means having to build up the GPO model, etc in ADAM as well as Kerberos and other supporting pieces.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Depends on how it's implemented. If it is really multiple AD domains/forests (full functionality for all three) then I would be all for it as it would greatly simplify multi-forest deployments and really be a cause for celebration for new deployments. However, it would be interesting to see how a multi-forest server would register itself and be advertised. Same for application of services and applications when they have one IP address to resolve to.

I see this as a fundamental change that only has the advantage of reducing OS licensing costs. I haven't seen specs on BC, but would imagine that virtualization will eventually be included at some level either in the OS or in the hardware itself. At that point, is there a benefit to a multiple forest or domain on a single DC vs. virtualization? I suspect the differences in cost would not be large. I'm not sure I'd like the stability issues per se. Hardware is cheap. Dirt cheap, and if I can withstand the risk of multiple forests on a single OS/piece of hardware, I can probably withstand three low-class servers. Or one larger with virtualization, because the scenario that I would likely deploy into would not be a high-availability and high-traffic scenario. It would likely be a remote site with 200 or less users that needs access to resources in multiple forests.

As for partition information or ldap identity stores, I already have ADAM available to me in the OS (R2) and can deploy many instances of that. It's not the LDAP abilities I'm after. It's the other NOS related information that appeals. Specifically for me, it would be multi-forest implementations that would be of interest. The drawback to me would be flushing my investment in other applications. I'm not interested enough in the end result to flush my legacy apps and the investment I have in them.

My 0.04 anyway.

>From: "joe" <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To:
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>Date: Mon, 10 Oct 2005 10:32:26 -0400
>
>To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs are affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability?
>
>Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, October 10, 2005 10:10 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.
>
>I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work a SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?
>
>[1] LDAP is not an authentication protocol; Kerberos is though.
>
>-ajm
>CCBW
>
> >From: <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To:
> >Subject: RE: [Activ
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Yeah, I didn't want to state going away completely from the domain model. My basic idea is to do something different than is allowed by current legacy systems and their support. Allowing multiple domains on a single DC sounds like an easy way for people to visualize it. It could, in fact, be something more along the lines of the partitioning done by Novell, or something else entirely different. Either way, the switch turns off all legacy to never allow it to work in that environment again.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Good suggestion Joe and, in principle, I agree ... but were that to make it to reality, I'd question why the legacy domain model persists. Domains are, IMO, an outdated and overly rigid technology ... obviously, there are many features that would require significant modification (some of which will hopefully be covered by Longhorn). Perhaps flexible partitioning within a single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To:
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!™
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works, but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS...
>
>**
>Charlie Kaiser
>W2K3 MCSA/MCSE/Security, CCNA
>Systems Engineer
>Essex Credit / Brickwalk
>510 595 5083
>**
RE: [ActiveDir] BlackComb Super Forest Functional Mode
> or an entirely new model not yet conceived ...

Perhaps something that doesn't require NT4 to W2K style migration headaches to keep people from moving to it the way that migration did... I'd hate to see a show of hands for who here is still trying to determine if they should "make that leap" off NT4...

IMHO, at the rate the server infrastructure field is evolving, if Blackcomb looks like W2K under the covers with a lot of enhancements, MS is going to have a hard time getting people to move to it. Look at the heavy trends towards virtualization in only the past couple of years, and at the new face the Internet has with spam, viruses, and exploits in the past few years. Blackcomb is due in, what, 7 years? A lot can happen in 7 years.

Maybe I'm alone in this opinion, but with as far as things have come, things like AD replication are too hard (for what they should be). And it's too easy to back yourself into a corner when designing your infrastructure, because to some extent you still have to design to the limitations and nuances of the OS (at least with Windows).

I think Dean may have something here... perhaps us saying how AD domains should work is too short-sighted? How should it work? Either the guys at Microsoft are going to come up with something, or just modify the same old stuff, or maybe this list and forums like it, with the brain trust that exists here, can help suggest the directions. ?? Just a few p for thought...

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it."
- Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 10:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Why would you want to have them available several years earlier? I don't see this feature (although major) as anything different than the 'native mode' switch you have in AD and Exchange. Once you have upgraded everything to BlackComb you could make the switch. Might even help moving people to the new OS quicker. :)

Martin Tuip
MVP Exchange

-- Original Message --
From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 10 Oct 2005 16:45:03 +0100

>2 immediate comments:
>
> - Blackcomb clients would need to be available several years before the blackcomb server.
> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]
>
>neil
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: 10 October 2005 15:32
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
Re: [ActiveDir] BlackComb Super Forest Functional Mode
I think that's something that needs to happen eventually; if exciting innovations are going to continue to occur, then they really can't be hamstrung by legacy support requirements. joe's suggestion of a "functional level"-type mechanism for this is quite a useful one: for those orgs that still need to support legacy functionality on their servers and clients, here you go, you've got that support. For those who are willing to make the break and cut all ties to legacy in order to get otherwise unavailable whizz-bang features, then good on you: make the choice and flip the switch.

- Laura

On 10/10/05, joe <[EMAIL PROTECTED]> wrote:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
> Sent: Wednesday, October 05, 2005 10:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> You can. It's called Microsoft Virtual Server.
>
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like a
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Depends on how it's implemented. If it is really multiple AD domains/forests (full functionality for all three) then I would be all for it, as it would greatly simplify multi-forest deployments and really be a cause for celebration for new deployments. However, it would be interesting to see how a multi-forest server would register itself and be advertised. Same for application of services and applications when they have one IP address to resolve to.

I see this as a fundamental change that only has the advantage of reducing OS licensing costs. I haven't seen specs on BC, but would imagine that virtualization will eventually be included at some level, either in the OS or in the hardware itself. At that point, is there a benefit to multiple forests or domains on a single DC vs. virtualization? I suspect the differences in cost would not be large.

I'm not sure I'd like the stability issues per se. Hardware is cheap. Dirt cheap, and if I can withstand the risk of multiple forests on a single OS/piece of hardware, I can probably withstand three low-class servers. Or one larger one with virtualization, because the scenario that I would likely deploy into would not be a high-availability and high-traffic scenario. It would likely be a remote site with 200 or fewer users that needs access to resources in multiple forests.

As for partition information or LDAP identity stores, I already have ADAM available to me in the OS (R2) and can deploy many instances of that. It's not the LDAP abilities I'm after. It's the other NOS-related information that appeals. Specifically for me, it would be multi-forest implementations that would be of interest. The drawback to me would be flushing my investment in other applications. I'm not interested enough in the end result to flush my legacy apps and the investment I have in them.

My 0.04 anyway.

From: "joe" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To:
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
Date: Mon, 10 Oct 2005 10:32:26 -0400
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Good suggestion Joe and, in principle, I agree ... but were that to make it to reality, I'd question why the legacy domain model persists. Domains are, IMO, an outdated and overly rigid technology ... obviously, there are many features that would require significant modification (some of which will hopefully be covered by Longhorn). Perhaps flexible partitioning within a single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
RE: [ActiveDir] BlackComb Super Forest Functional Mode
2 immediate comments:

- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
RE: [ActiveDir] BlackComb Super Forest Functional Mode
It would certainly be a good way to promote the sales for client inventory tools ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 10 October 2005 16:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction: how would people feel about a BlackComb Super Forest Functional Mode where not only DCs are impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC, but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.), it might not be a good fit for a multi-instance/single-server deployment. LDAP, sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure-tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full-blown AD domain instances and therefore multiple servers etc. Can you expand on that?

[1] LDAP is not an authentication protocol; Kerberos is though.
RE: [ActiveDir] BlackComb Super Forest Functional Mode
To move this in a slightly different direction: how would people feel about a BlackComb Super Forest Functional Mode where not only DCs are impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC, but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.), it might not be a good fit for a multi-instance/single-server deployment. LDAP, sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure-tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full-blown AD domain instances and therefore multiple servers etc. Can you expand on that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To:
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!T
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works, but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS...
>
>**
>Charlie Kaiser
>W2K3 MCSA/MCSE/Security, CCNA
>Systems Engineer
>Essex Credit / Brickwalk
>510 595 5083
>**
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
> > Sent: Wednesday, October 05, 2005 10:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > You can. It's called Microsoft Virtual Server.
> >
> > Ed Crowley MCSE+Internet MVP
> > Freelance E-Mail Philosopher
> > Protecting the world from PSTs and Bricked Backups!T
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > Sent: Tuesday, October 04, 2005 6:37 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server...
> >
> > I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...
> >
> > **
> > Charlie Kaiser
> > W2K3 MCSA/MCSE/Security, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > Sent: Tuesday, October 04, 2005 4:25 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > Vista is the client OS. I don't believe they have named Longhorn Serve