RE: [ActiveDir] Domain DFS Roots hosted on DC
Very true! However, this will change in R2.. Better delegation etc. #JORGE# From: [EMAIL PROTECTED] on behalf of Dan Holme Sent: Wed 8/3/2005 9:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC There's one much bigger issue that may or may not impact you, but is usually 'missed' by folks. That is the delegation of MAINTENANCE OF THE DFS ROOT. DFS Roots are really, technically and practically, a scope for delegation of administration, as well as a root of a namespace. One should have separate DFS roots whenever separate teams/people will be supporting those roots (i.e. adding/removing/maintaining links). To maintain a DFS root, you must be delegated permissions to the appropriate object in AD (under the SYSTEM node in ADUC) *and* you **MUST BE AN ADMINISTRATOR OF THE MACHINE ON WHICH THE DFS ROOT TARGET IS HOSTED** This is a SUPER BIGGIE GOTCHA in your situation, perhaps... because as soon as you host a DFS root target on a DC, you must have Administrators credentials on the DC, which means you 1) have to log on with domain administrator equivalence just to maintain your root (nasty!) and 2) you can only delegate maintenance of the root to folks who are trusted as domain administrators. Therefore, I always recommend that DFS root targets be hosted on member servers!! Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Wednesday, August 03, 2005 4:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC Correct Neil, I don't want to host data on the DC's, just use them to refer to the actual data hosted on fileservers. Thanks, Todd From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 03, 2005 7:31 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 03 August 2005 12:23 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain DFS Roots hosted on DC Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my though is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain things since it is basically just referral traffic, it can't be any more overhead than running DDNS. Thanks, Todd == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml == This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain DFS Roots hosted on DC
Title: Message There’s one much bigger issue that may or may not impact you, but is usually ‘missed’ by folks. That is the delegation of MAINTENANCE OF THE DFS ROOT. DFS Roots are really, technically and practically, a scope for delegation of administration, as well as a root of a namespace. One should have separate DFS roots whenever separate teams/people will be supporting those roots (i.e. adding/removing/maintaining links). To maintain a DFS root, you must be delegated permissions to the appropriate object in AD (under the SYSTEM node in ADUC) *and* you **MUST BE AN ADMINISTRATOR OF THE MACHINE ON WHICH THE DFS ROOT TARGET IS HOSTED** This is a SUPER BIGGIE GOTCHA in your situation, perhaps… because as soon as you host a DFS root target on a DC, you must have Administrators credentials on the DC, which means you 1) have to log on with domain administrator equivalence just to maintain your root (nasty!) and 2) you can only delegate maintenance of the root to folks who are trusted as domain administrators. Therefore, I always recommend that DFS root targets be hosted on member servers!! Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Wednesday, August 03, 2005 4:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC Correct Neil, I don’t want to host data on the DC’s, just use them to refer to the actual data hosted on fileservers. Thanks, Todd From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 03, 2005 7:31 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 03 August 2005 12:23 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain DFS Roots hosted on DC Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my though is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain things since it is basically just referral traffic, it can't be any more overhead than running DDNS. Thanks, Todd == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] Domain DFS Roots hosted on DC
Title: Message Correct Neil, I don’t want to host data on the DC’s, just use them to refer to the actual data hosted on fileservers. Thanks, Todd From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 03, 2005 7:31 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 03 August 2005 12:23 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain DFS Roots hosted on DC Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my though is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain things since it is basically just referral traffic, it can't be any more overhead than running DDNS. Thanks, Todd == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] Domain DFS Roots hosted on DC
Title: Message I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say. neil -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)Sent: 03 August 2005 12:23To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain DFS Roots hosted on DC Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my though is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain things since it is basically just referral traffic, it can't be any more overhead than running DDNS. Thanks, Todd == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
