PS C:\Documents and Settings\$joe.TEST> cd\
The term ‘cd\’ is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:3
+ cd\ <<<<
Information about joeware mixed with wild and crazy opinions...
That will be the last time I say that… I promise. Yes, I hate the name TEC… There, I said it… I HATE THE NAME. I put this name change right there with ADLDS instead of ADAM… But I will stop.
So this was the first Experts Conference put on by Quest since they bought NetPro. Who here has dealt with Quest in the past, specifically the Quest Sales Team members? Raise your hand. One fear that I had was along the lines of Quest turning what has always been an awesome technical conference and all-around great get-together of techies, nerds, and geeks who were friends into a big giant marketing junket.
I expect this was a common fear because the whole shebang started off with an opening video on the big screens that was generally about Quest and world domination, etc., and had Gil stepping in and saying whoa whoa wait a minute… That isn’t what this is about. I loved that they made fun of that fear, showing they recognized it and acknowledged it and wanted to put it to bed as fast as possible.
But the question remained, was it “for real”? Well I can say… It was. And that seriously surprised me. As I walked around D… TEC, not once was I accosted by a salesperson from Quest. No one jumped out from around a corner, no one tried to trap me, no one said, hey how about I give you a free pass to a Vegas show and you sit in a room as we try to sell you something for a couple of hours (at least no one at the conference did that – the Strip was another story…)
Now let me tell you, I have been talking to Quest sales folks for many years, probably seven or so? This was in the context of being the lead tech resource for several very large companies while Quest was trying to sell them something. While the technical resources I have met with on the sales calls[1] have all been a pleasure to talk to[2], the sales guys were all a bit over the top, if you know what I mean. I know that there had to be some serious wrangling somewhere inside of Quest before TEC came along to get the sales sharks to not be their normal piranha-like selves. I don’t know, maybe they didn’t invite the sales people, I am not sure, but whatever they did was perfect. If I wanted to talk about products Quest had for sale there was a special room I could walk into with all of the other vendors and I could talk about whatever I wanted. But if I wanted to avoid them, I could do that as well.
I realize I just burned up a large chunk of the post so far, but that was a big concern of mine when I decided to attend. Again, I have dealt with several members of the Quest Sales team in the past; they aren’t a calm, accepting bunch. Anyway, on to other topics…
Vegas!!! Or at least Henderson anyway… What can you say about that? I can say low 70’s and a boatload of sun beats out snow and freezing temperatures in Chicago. I think they learned their lesson and we won’t see Chicago or likely anywhere else cold again for TEC. I know many companies don’t want to send their employees on Vegas boondoggles (why spend on that when they can send the Execs on Hawaiian boondoggles instead…), however the funny thing about Vegas and nerds is that they still show up at the sessions, they still sit and chat with the other nerds.
This isn’t a bunch of realtors or insurance salespeople who go to Vegas for a conference and then never even know where the conference is because they are drunk and falling over in the strip clubs the whole time. These are hard-core nerds who would rather sit in a chat about replication issues than at a card table. They would rather try to understand Brett talking about the intricacies of JET/ESE than sit at a slot machine. They would rather listen to Dmitri talking about the various fields of the Access Control Entry structure than see the Blue Man Group banging on drums. Why? Because the info you can get at TEC isn’t info you are going to get anywhere or anywhen else[3], and you can play cards, play slots, or see the Blue Man Group anytime. I don’t care how many other conferences you go to, I don’t care which ones they are, you will not get the quality of info concerning AD and Windows Identity that you do at TEC. You won’t get the friendly feeling, you won’t get the speakers and MVPs and Microsoft employees sitting around in bean bags chatting comfortably as peers with the attendees. Pamela Dingle wrote up a great experience post here – http://eternallyoptimistic.com/2009/03/26/tec-and-the-targeted-conference-value-proposition/ – which I completely agree with, as evidenced by my comment to her post.
Obviously, due to the financial conditions around the business world, the attendance was down, but it was still great attendance. Microsoft wasn’t able to send as many people, but the Softies that did attend were some of the crème de la crème and the folks the DS MVPs really enjoy seeing at the MVP summits. You had Dean, formerly of the Dean and joe Show; you had James McColl who “owns” the DS Power Shell extensions; you had Nathan “Mr. RODC” Muggli; you had Dmitri Gavrilov who has touched so many parts of the AD and ADAM source that it is impossible for anyone to manage the directories without using something Dmitri worked on; you had Brett Shirley who is literally one of a few people who can read, let alone write, the ESE code which is the underpinning database for AD and Exchange as well as DHCP and WINS and so many things on the Vista or Windows 7 machine[4] you are reading this posting on that you would be shocked. Of course we had Stuart Kwan with his keynote and the challenges he issues every TEC. You may recall last year’s challenge was to produce a movie poster that incorporated various MVPs and Microsoft folks about AD Forest Recovery… the response was
This year the challenge was to produce a song based on an Elvis song that had lyrics exploring our top requests for the next releases of product from Microsoft. These are the lyrics…
(sung to the tune of Elvis Presley’s “Blue Suede Shoes”)
v.1 was the money
v.2 for the show
v.3 got you ready, now go go go
So don’t you
Recycle my new OU
You can do anything
But can you RTM ILM 2?
Can you give us some prune and
Can you give us some graft?
You better make us happy
So don’t give us the shaft.
Took a purdy name and you made it a mess
Leave it as ADAM, not LDS
So don’t you
Recycle my new OU
You can do anything
But can you RTM ILM 2?
Now that you’ve got – an Identity Suite
Gimme some lovin on schema delete,
I need multi-domain on a single DC
I’m talkin’ ’bout writable not a GC
So don’t you
Recycle my new OU
You can do anything
But can you RTM ILM 2?
Who killed LDAP, and didn’t tell me.
What the hell’s a web-service doin’ on a DC.
Give me a GUI, not command-line hell
I need a management solution, not Power’-WHAT?!?….
So don’t you
Recycle my new OU
You can do anything
But can you RTM ILM 2?
Several folks got together at midnight on Tuesday night to sing this in front of a camera. I can’t be sure, but I think alcohol played a role, and I distinctly recall seeing Dean with a pink scarf wrapped around his head in it when I watched it. I think someone (Sean??) will post it some time in the near future so you can see this work of art as sung by the creators.
Because I love my buddy Dean I want to call out his session in particular. :) The Dean and James presentation was good; I won’t say it was as good as the Dean and joe Show, but admittedly Dean was working with far more constrained material than we had to work with. Certainly I think James is a far more polished presenter than I am, so that was good. Their presentation seemed to go over well, but I am not sure everyone understood everything about the implementation and how far down the road the stuff they were talking about was. Hopefully everyone saw in some way, shape, or form the Joe Kaplan and Brandon Shell presentation on what you can do with Power Shell against Active Directory right now, today. Also, unfortunately, no one asked the question I really wanted to hear asked and answered that I mentioned previously… The question about bytes on the wire when retrieving the description, or even better the userAccountControl or security descriptor, of 50,000 or so users… Anyway, the stuff that JoeK and Bwandon were showing off was good stuff and available right this second, and it uses LDAP, which I consider a huge win over the stuff coming in Windows Server 2008 R2 (sorry Dennis, I still don’t feel there is anything compelling in my environments). As JoeK said, the AD PS stuff is vaporware, and as Bwandon said, they aren’t even delivering what Quest delivered two years ago. It’s a strategic decision…
I also wanted to call out Brett’s sessions. I only got to see one of his sessions in its entirety, but it was very good. Brett is fighting a couple of major issues with his presentations. The first is that he is really very smart and has forgotten more about ESE/JET than any of the rest of us will likely ever know. It is difficult to slow down and speak to people who don’t have seriously deep experience with a product if you live deeply in that product, at least IMO. Coupled with that is the second point, which is that ESE/JET has pretty purposely been kept as a black box all of these years. It is literally shown as a little box at the bottom of AD architecture docs and you simply see “ESE” and nothing else. So when Brett started talking about ESE and really started getting into it, it was a topic that most people didn’t even have a casual background in other than some occasional key words here and there like ISAM or B-Tree or Version Store. I admit that I was listening and often thinking “wow, I don’t have the slightest clue what he is talking about”. I hope we see Brett again next year presenting, and hopefully more people will be better informed about what ESE is and the terms he is using. Also, maybe he can come down just a little out of the deeper parts of the box and talk more specifically about the pieces of ESE/JET where we feel pain and that can be directly translated to ESE/JET components, such as maybe the Version Store issues we had with Active Directory prior to LVR replication. I think a lot of people could stand to hear more about the actual physical layout of AD in the database as well, such as the relationships between DNTs, PDNTs, NCDNTs, etc. Brett’s presentation was my favorite and I wish it could have been about 4-5 hours, because learning more about ESE/JET is something I would like to do.
Unfortunately I do have a complaint about TEC this year that I think I heard enough times from people other than myself that it should be mentioned here. The problem was around session scheduling. There were a lot of collisions in the schedule that I didn’t think were very good. Obviously scheduling something like this has to be an incredible pain and very difficult at a core level, but it needs more work. I think possibly something that would be good to do is to have everyone select the sessions they are interested in seeing and then put popular sessions up against less popular sessions. What we had this year was multiple well-known personalities going up against each other in the same time slots and people complaining that they wanted to see both (or more) but obviously could only attend one. One that really irked me was Brett and Dmitri both presenting at the same time. I absolutely wanted to be in both sessions but obviously couldn’t, so I tried to split my time between them, which was wholly unsatisfactory. So I would have an hour-and-a-half period where I couldn’t figure out which session I wanted to see because I wanted to see several, and then I would have an hour and a half where I didn’t want to see any of the sessions. Again, I understand how difficult this problem could be to try and solve and make everyone happy, but I think putting all of the well-known folks in the same track at least may be a good start so you don’t have to choose Guido or Dean, Brian Puhl or Brian Desmond, Dmitri or Brett, Joe Kaplan or Darren, etc.
I was talking with some folks at TEC on a couple of occasions and I started speaking out about a thought that had popped up in my head at some point that TEC is almost the Microsoft MVP Summit Part Deux. I get a very similar feeling from it. Most of the folks reading this won’t really understand what that means because they aren’t MVPs, but trust me that this is a very good thing. The summit is open, honest, direct content sharing between Microsoft and the MVPs and feedback about what was shared – both ways. When the summit is before TEC, then the MVPs who present are bringing that information straight to TEC and presenting it to the non-MVPs, which is great for both Microsoft and for the attendees. That allows the Microsoft folks to watch the MVPs and see how well their messages got through from the summit, which I expect gives them the opportunity to tweak the messages they are trying to put out there as well as correct things that were misunderstood. But also, since you have so many MVPs and the same Microsoft people there, the same feeling of the MVP summit and the easy open communication between Microsoft and the summit attendees rolls over into TEC, which I think has a tangible positive impact on the conference as a whole. People are in a better mood and more willing to talk and share and actually “communicate” when they are comfortable, and the Softies and the MVPs are very comfortable with each other, and that translates to a better experience for everyone at TEC.
Thanks have to go out to Christine and Gil and Stella and everyone else that was involved with putting on such an important function. They need to pat themselves on the back and kick their feet up and let out a sigh of happiness. Bravo.
Well, to wrap this post up, as always, I very much enjoyed TEC, and while I may get “ho hum” or “can’t possibly do it” about going every year because of my obligations and other issues, I always end up being very glad that I came. I wish I could bring the entire Active Directory staff I work with in my day job because I think there is something for all of them and it will just make them better at their jobs. It comes down to the fact that I love the people, plain and simple. Everyone is always extremely polite and respectful and for the most part interesting. There is such a wide variety of people using AD in such a wide variety of ways that it is interesting to hear the various viewpoints. Don’t let anyone tell you anything different… TEC is about the people. It is about the interconnections and the hallway discussions. As I tell people, as a general rule the learning just starts in the conference rooms; it really gets going in the hallways and after the official sessions when people really start talking about how what they saw in the sessions personally impacted them and how they worked around it. I had people asking me questions on stuff from the Dean and joe Show from 2006, and I believe they felt fully comfortable doing it, and who knows how long they were thinking about doing that… What other conference out there now has such history and continuity that that could happen?
joe
[1] In fact the first time I met Darren Mar-Elia he was the CTO of Quest and had flown out to see me and some others at the Widget factory I used to work at, and to this day I still consider Darren a good friend even though he has an unnatural tendency towards all things GPO…
[2] And Darren isn’t the only great technical type person I have spoken with from Quest; there are lots. That company has some serious brain power in it and some very good people that I am always happy to see.
[3] Unless you are a Microsoft MVP and you get to go to the Summit at Microsoft which is an invitation only NDA event.
[4] Search your machine for edb.chk files, every one of those is part of an ESE Database.
As some of you were witness to at TEC 2009[1], I have put down my work on LDAP (since it’s a dead protocol and all…) and decided to enter the exciting field of Cybernetics, Robotics, and Artificial Intelligence Constructs. I was secretly testing my latest secret beta of the Tracy-bot artificial intelligence construct while attending TEC 2009.
While the sheer presence of the Tracy-bot in the technical sessions with a bunch of Nerds, Geeks, and other technical folks was enough to cause some folks to guess that it was an artificial construct, others needed to see the Tracy-bot getting drinks and snacks for myself and my friends as well as refusing to take money to go gamble to fully understand it was an artificial device. Still others were just standing around completely unaware and/or confused by the fact that the Tracy-bot was not human.
For those of you who didn’t realize that an artificial product was running around the conference, here is a picture of the secret beta product, and possibly you will recall the artificial life form’s presence in several technical sessions at TEC 2009, including the Active Directory ESE (Extensible Storage Engine) session put on by none other than #2 of 6… Brett Shirley, up to and including shouting out comments to have the presentation continue so Brett could show off his cool ESE Data Commit in Action slide.
[Tracy-bot with Bwandon]
The Tracy-bot kernel is code complete. The product will not be released until there is a full Software Development Kit for complete customization via Perl scripting as well as many pluggable modules such as the Chess Expert Module, Dungeons and Dragons Module, Face Book Module, French Maid Module, Catholic School Girl Module, Lawn Mowing Module, Pole Dancing Module, Back Scratching Module, as well as the very difficult to produce “Enjoying Watching Science Fiction Shows” Module. I have completed several modules but have been having issues with the Sci-Fi Shows Module, as it is still producing crashes and system hangs in the kernel software that result in a snore-like sound output as well as unintended hand gestures that result in channel changing.
Please note that neither a .NET Framework interface nor a Power Shell provider will ever be built or supported for the Tracy-bot. The goal is to make sure the Tracy-bot doesn’t become bloated and non-performant, and that requires careful programming with native code. The engine is based on the Windows Server 2008 R2 Server Core OS, though a fully functional Microsoft Surface GUI not based on any .NET Framework components nor Explorer has been produced and is going through intense acceptance testing. Virtual versions of the Tracy-bot are being considered for the Nintendo Wii and iPod Touch.
No requests for beta products will be accepted. This is a closed beta testing program. :)
joe
[1] Note that this is NOT my wrap-up on DEC/TEC/Whatever, simply a quick comment on what was going on as I have received some email on the subject and people are concerned that good non-NET based tools will no longer be produced.
So who is going to TEC? Excited yet? You should be, it will be fun. Personally, I can’t wait to hear Dmitri, Brett, and yes, even Dean, speak. Those guys are incredibly bright and just plain know a lot of stuff. The weather in Vegas is slated to be in the low 70’s and sunny. We missed the 80’s by a week unfortunately.
If you are sitting in the sessions and wondering what kind of questions you should be asking…
In the sessions on PowerShell and ADAC (or ADMUX if you prefer) ask why the PowerShell cmdlets aren’t using LDAP[1] which is already present on every single domain controller… But instead a brand new “Web” Service that runs on a Windows Server 2008 R2 Domain Controller. See
http://technet.microsoft.com/en-us/library/dd378937.aspx
http://technet.microsoft.com/en-us/library/dd391908.aspx
http://msdn.microsoft.com/en-us/library/dd303965(PROT.10).aspx
http://msdn.microsoft.com/en-us/library/dd304395(PROT.10).aspx
No, this doesn’t mean you need to load IIS on the DCs. It is another binary. And in fact it really doesn’t have any HTTP involvement and doesn’t run over port 80; it is just XML. Just to get that easy question out of the way… But maybe questions about the amount of network traffic may be good ones to ask, since XML is such a ‘sparse’ protocol compared to LDAP. Maybe if we are lucky we could get a demo (including a network traffic comparison) of, say, dumping the email addresses for all users in a 50k user forest to a text file as done via LDAP and as done through PowerShell using the AD cmdlets. That is actually a test I have been wanting to do but haven’t had the opportunity to set up a 2008 R2 DC to do the tests. If I could only just install the PowerShell AD cmdlets to test… :) Another interesting test, of something that I just had to do at work yesterday in fact, would be to dump the replication metadata value for the legacyExchangeDN attribute for all person objects in a 75k user forest[3]. I needed to see if the LEDN had gone through some mass change at some point, so I was interested in version numbers and originating write dates. I can’t say for sure what the network impact delta would be between these two types of requests, but I could hazard a guess.
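The legacyExchangeDN check above (version numbers and originating write dates for every person object) is a parsing job once the metadata is on disk. This is an added example, not code from the post or from adfind: it parses the DS_REPL_ATTR_META_DATA XML that AD returns in msDS-ReplAttributeMetaData and buckets originating-change times so a mass rewrite stands out as one bucket holding most of the users. The per-user blobs, DNs and the DSA DN are constructed; in practice the values would come from the adfind query in footnote [3].

```python
"""Summarise legacyExchangeDN replication metadata across many objects."""
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # ftimeLastOriginatingChange is UTC


def parse_attr_metadata(blob, attr="legacyExchangeDN"):
    """Return {"version", "changed", "dsa"} for one attribute's entry inside a
    msDS-ReplAttributeMetaData value, or None if that attribute has no entry.

    A value may hold several concatenated DS_REPL_ATTR_META_DATA elements
    (one per attribute) with no single root, so wrap them before parsing.
    """
    root = ET.fromstring("<r>" + blob.strip() + "</r>")
    for entry in root.findall("DS_REPL_ATTR_META_DATA"):
        name = (entry.findtext("pszAttributeName") or "").strip()
        if name.lower() != attr.lower():
            continue
        return {
            "version": int(entry.findtext("dwVersion")),
            "changed": datetime.strptime(
                entry.findtext("ftimeLastOriginatingChange").strip(), TIME_FMT),
            "dsa": (entry.findtext("pszLastOriginatingDsaDN") or "").strip(),
        }
    return None


def summarize(metadata_by_dn, attr="legacyExchangeDN", bucket="%Y-%m-%d %H:%M"):
    """Aggregate one attribute's metadata over many objects.

    Returns version counts, a Counter of originating-change buckets (default
    granularity: one minute) and the busiest bucket as (label, count, fraction
    of objects that carry the attribute).  A bucket holding most objects is
    the signature of a scripted mass change.
    """
    versions, buckets, parsed = Counter(), Counter(), 0
    for blob in metadata_by_dn.values():
        meta = parse_attr_metadata(blob, attr)
        if meta is None:
            continue  # object has never had this attribute written
        parsed += 1
        versions[meta["version"]] += 1
        buckets[meta["changed"].strftime(bucket)] += 1
    if not parsed:
        return {"versions": versions, "buckets": buckets, "busiest": None}
    label, count = buckets.most_common(1)[0]
    return {"versions": versions, "buckets": buckets,
            "busiest": (label, count, count / parsed)}


def _entry(attr, version, when, dsa):
    """Constructed DS_REPL_ATTR_META_DATA blob in the layout AD returns."""
    return (
        "<DS_REPL_ATTR_META_DATA>\n"
        f"\t<pszAttributeName>{attr}</pszAttributeName>\n"
        f"\t<dwVersion>{version}</dwVersion>\n"
        f"\t<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>\n"
        "\t<uuidLastOriginatingDsaInvocationID>"
        "00000000-0000-0000-0000-000000000001"
        "</uuidLastOriginatingDsaInvocationID>\n"
        "\t<usnOriginatingChange>1000</usnOriginatingChange>\n"
        "\t<usnLocalChange>1000</usnLocalChange>\n"
        f"\t<pszLastOriginatingDsaDN>{dsa}</pszLastOriginatingDsaDN>\n"
        "</DS_REPL_ATTR_META_DATA>\n"
    )


# Constructed sample (hypothetical DSA DN and DNs): four users had their LEDN
# rewritten within the same minute, one is untouched since creation, and one
# object only carries metadata for a different attribute.
DSA_DN = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,CN=Sites,"
          "CN=Configuration,DC=example,DC=com")
SAMPLE = {
    "CN=user1,OU=People,DC=example,DC=com":
        _entry("legacyExchangeDN", 2, "2008-11-04T09:15:22Z", DSA_DN),
    "CN=user2,OU=People,DC=example,DC=com":
        _entry("legacyExchangeDN", 2, "2008-11-04T09:15:23Z", DSA_DN),
    "CN=user3,OU=People,DC=example,DC=com":
        _entry("legacyExchangeDN", 3, "2008-11-04T09:15:23Z", DSA_DN),
    "CN=user4,OU=People,DC=example,DC=com":
        _entry("legacyExchangeDN", 2, "2008-11-04T09:15:41Z", DSA_DN),
    "CN=user5,OU=People,DC=example,DC=com":
        _entry("legacyExchangeDN", 1, "2007-02-10T16:02:05Z", DSA_DN),
    "CN=svc1,OU=People,DC=example,DC=com":
        _entry("mail", 1, "2007-02-10T16:02:05Z", DSA_DN),
}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("versions:", dict(report["versions"]))
    print("busiest originating-change minute:", report["busiest"])
```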
Don’t worry, one of the presenters of this info is my good friend Dean Wells formerly the Dean of the Dean and joe Show before he joined the dark side (<insert heavy breathing>I’m your father Lucas</heavy breathing>) and he actually enjoys audience participation versus just everyone sitting there dead silent. If you weren’t planning on attending that session… “What are you INSANE!”. You know Dean, he is easily, hands down, the best presenter I have ever seen. It may not be the most informative presentation of the whole conference (though it very well likely could be – I would say it would be but it isn’t the Dean and joe Show where we could pick any topics we wanted, the topic is constrained) but it will certainly be the most entertaining and energetic and fun presentation at the whole conference as Dean could present the phone book and have everyone trying to get him to do a second session[4]. If you can make him stutter or be unable to respond to a question, kudos to you because I just haven’t seen it happen. No fair asking him questions like “Do you still beat your maid that you snuck into the country illegally from Romania?” as that just isn’t nice and really, how do you answer that question without stuttering? No, err yes err… Err Romania?? Where’s that? Oh Maid?? I don’t have a maid! ;o)
Note that I am aware that Active Directory 4th Edition is now out on the book shelves and at Amazon. While I won’t be bringing any copies I think Brian may be bringing copies for purchase. I don’t believe he will have any to give out for free because unlike when AD3E came out, O’Reilly didn’t seem interested in giving copies out at DEC err darnit TEC[5]. I don’t mind signing the books however you probably really want Brian’s signature as he is the author for this version. He took what I did and extended it and chopped out a bunch of stuff that I wanted to chop out but wasn’t allowed to chop out.
So if you are going to TEC/DEC/Whatever… Have a safe flight/drive/train trip/whatever. If you aren’t going… I’m sorry that sucks. I know the company I work for wasn’t interested in paying my way and I didn’t want to speak to have NetPro/Quest pay to get me out there so I took it as a vacation time and am paying for it. On reflection, it probably is silly of me not to speak but in all honesty, I don’t much like to do it unless I have something specific I need to say and I never have anything I need to say at DEC. I just go to meet the people and talk to folks about the issues they encounter to give me ideas on ways I can try to help. If you folks who attend DEC/TEC/Whatever think that had value, tell every NetPro/Quest person you run into that and maybe they will bring me out there just to chat with people like I usually do. Especially do that if you have in the past told the NetPro/Quest people that you wanted to meet me or came because of me or my blog.
I think, though, if next year I am taking my vacation at this time and I am paying for it, I should take it on an island paradise, and if someone happens to be there that is into Active Directory stuff then I can chat with them there. :)
joe
[1] Don’t worry, the Quest cmdlets for AD still use it though. So they will work against the various versions of AD without the need of a K8R2 DC with the Web Service loaded.
[2] That may or may not be a sarcastic comment. :)
[3] adfind -gcb -f "&(objectcategory=person)(legacyexchangedn=*)" msDS-ReplAttributeMetaData;binary -mvfilter msDS-ReplAttributeMetaData=legacyexchangedn -csv
[4] Seriously, my opinion of Dean’s speaking ability is that high. Trust me on this, I had to try and speak after him in the same presentation, and generally I consider myself to be a humorous, interesting person to chat with, just not after Dean has been up there prancing around in his glory. ;o)
[5] Had NetPro/Quest/Whatever not changed the name of the conference, who knows, O’Reilly might have given out some free copies… Now instead they hear, free books for TEC? Why? Now DEC, that we would give out free books at… (Man, I am on a roll today!)
It’s St. Patrick’s Day and you know what that means… Buy and Deploy a Carbon Monoxide Sensor Day, or change the batteries in your existing CO detector.
Many, if not all, of you will recall that last year I was poisoned by carbon monoxide. I am doing well now. I am strongly of the opinion that this did impact my overall health, as this last year I have been sick more times than I have been since I was a little kid. Obviously it could be that I am getting older, but I don’t think it is because I am in worse shape, because I am in better shape than I have been in for years. Physically active, not drinking hardly any soda, eating overall better, attending running events (albeit as a spectator, LOL), etc. etc. ad nauseam.
I have to say I am extremely pleased with the number of people I have heard from who have deployed Carbon Monoxide detectors since I started talking about the issues I encountered. I heard lots of stories of people who were in a similar position that I was with CO detectors that were 5, 7, 10, 12 years old and never knew they went bad as they would do the alarm tests just fine. The fact that you usually don’t or won’t know when a CO detector has gone bad is why I will buy a new one every year and put it in my house. The idea being that there will always be at least one detector in the house that absolutely should be working since it will be less than a year old.
Recently I heard of two issues with CO, one was a family that had installed a fireplace or something incorrectly back near the town I grew up in. The other was my own brother in law who was being poisoned by it at work. It put a few of his coworkers in the hospital I guess.
Carbon monoxide is serious stuff. Take it very seriously. It’s one of those things that once it starts getting you, you are less and less likely to do anything about it until you are dead. And then you totally won’t do anything about it…
One of the things I love about the MVP summit is getting together with really smart people and discussing various deployment architectures.
One of the topics of conversation during a get together at the Experience Music Project social event was a discussion about how to make a high visibility public web site based on Windows Servers in an Active Directory domain highly available.
First you need to discuss what highly available AD means…
The ability to log on despite a single DC or infrastructure failure is only one aspect of a highly available environment. What about being available through
While AD naturally has a fault-tolerant distributed deployment model, that does nothing to help with those types of issues. In fact, depending on how it is all managed, a distributed deployment model could contribute to the possibility of these issues as well as to their overall impact.
Security compromise… For the most part, *most* companies *probably* don’t have to worry about someone outright attacking their AD environment. However, that doesn’t mean no one has to worry about it. In those companies where these concerns are real, security needs to be in the front seat for the high availability discussions… Think of the military, think of the government, think of the NSA, think of NASA, think of Microsoft, think of Apple, think of very large companies that are likely targets for corporate theft/espionage, think of companies using AD in a DMZ or similar for internet-facing applications. The directory is in an exposed position and it is pretty much a certainty that there is someone who knows more about how to compromise things than the person running the AD knows at some point. Don’t take that as an insult… In the battle of good versus evil in the security world, you as the good guy have to be on the ball and right 100% of the time; the bad guy only has to be right once. Due to the nature of AD, if you have compromised one DC, it is a short step to compromising all DCs in a forest.
"OS!"… Everyone needs to be concerned about "OS!" events. PERIOD. We are, I believe, all humans; humans make mistakes; failure to take that into account in the first place is just one more failure to add onto the list of items you are reviewing when performing the failure analysis. These types of mistakes made to the directory will quickly (you wanted low convergence times, right?) replicate around your entire domain/forest. You accidentally delete all users in an OU and soon they will be gone from all DCs.
Good updates going bad… I think many of us, especially those of us who have been in this business a long while, have seen this happen. Something worked great in the lab and out in production something goes left instead of right and you are standing there going WTF[1]? And those without a production environment at all… Well, they really are likely to have an issue. What do I mean when I say you don’t have a production environment??? Let me quote something Don Hatcherl[2] said on ActiveDir.Org when someone said they just had a production environment and no lab environment…
I have to make a comment here, as I’ve heard this too many times. You do, in fact, have a lab environment. What you do not have is a production environment.
DonH
I have a great story about updates going bad when I was working for a Fortune 5 and Microsoft Consulting guys were testing Schema updates in the lab (yes we had an official lab) and everything looked great to them and the testing went months so you would think any issues in there, they would have found. Well it comes to production and ugh⌠we have mangled attribute names on several attributes. This is just one example of something that can go wrong. Fortunately that was pretty easy to fix but some other updates that go bad aren’t quite as easy to identify and fix. Anyone who ran into tcp chimney issues[3][4][5][6] with Windows Server 2003 SP2 can probably attest to that as it usually took some time to work out what was going on. That issue hit all DCs as well, but thankfully it wasnât damaging, not like say⌠applying a kiosk GPO at the domain level and locking all machines down to kiosk mode or mucking with the machine certs of every machine in the domain or changing other security settings. All of which will replicate with lightning speed to the whole environment.
If you aren’t protected from these types of issues, can you protect yourself enough to build something where high availability AD means taking care of these items as well? It depends. It depends on how available is highly available to you and your company. This answer will vary and the resulting work and architecture that you need to put into place to cover for this will also vary. Like security this is a sliding scale that you need to slide to your sweet spot â or at least the spot you can deal with. For most companies, there is going to be a "good enough" point where they stop worrying about it because the concerns over money and resources to account for the problem exceed their concerns about the problem.
Back to the public web site…
In this environment, all three of these issues are very realistic and likely… in fact, even expected. These absolutely would be on the table as issues every single day of the life of the admin who had to run it. This environment must be absolutely available all of the time. Downtime runs in the thousands of dollars per minute or perhaps even thousands of dollars per second. The environment absolutely would be a target for hackers and couldn't afford downtime due to administrative OS! or update failures.
The first thing a configuration like this needs, which really isn't about AD, is physical location redundancy. You do this by putting the web servers and domain controllers in multiple data centers. Say 4 data centers in North America, 4 data centers in Europe, 4 data centers in Asia. Regional failure/capacity planning says that you can lose a single data center and maintain standard performance; if you lose two in the same region, the site will still work but with reduced performance, costing you maybe only a couple tens of thousands of dollars per hour, which may be acceptable for short periods versus the cost of beefing up even more.
The next thing you need, which again isn't about AD, is web/app server redundancy. You can throw as many web/app servers into every data center as you feel is needed to maintain availability. Also, with the cool virtualization failover and resource management scenarios with VMware like VMotion / VMware HA / VMware DRS, you don't need quite as many web/app servers at any given moment to still have good redundancy.
Now we come to Active Directory. What is the best way to set AD up for this environment? The default thinking would be to set up a single domain forest with lots of DCs in each site. This might work out, but I think it is wrong and you can't properly address the three issues previously mentioned. AD is not isolated and a single forest cannot be isolated no matter how you try to break things up (staggering replication, OU security separation, whatever); it is still all connected. Any security issue, change, or mistake that impacts the whole forest impacts every single data center. Obviously that would be silly to do after taking the time and money to break up the web site into different physical data centers in the first place. So what do we do? IMO… You have a single domain forest dedicated to *each* *individual* data center. No trusts, no interconnections, firewalled off from each other, completely free standing in each case. Updates only occur in one data center at a time and don't move on to another data center until everything is validated as working 100%. But the costs of separate forests… Oh my! Oh wait, you are paying for separate data centers, what is the small cost of the extra forests compared to that? Seriously.
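As an added illustration (not code from the post), here is the rollout gate the post describes, modeled in Python: one forest spanning all data centers versus one isolated forest per data center, using the post's four-per-region topology and its lose-one-per-region capacity rule. The data center names, the version marker and the "bad in production" flag are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class DataCenter:
    name: str
    region: str
    version: int = 1      # constructed "current build" marker, not a real AD value
    healthy: bool = True

def build_site():
    """Constructed topology from the post: four data centers in each of three regions."""
    return [DataCenter(f"{r}{i}", r) for r in ("na", "eu", "asia") for i in range(1, 5)]

def apply_update(dc, new_version, bad_in_prod):
    """Stand-in for a schema/GPO/security change. bad_in_prod models the
    lab-vs-production gap: the change looked fine in the lab but breaks here."""
    dc.version = new_version
    if bad_in_prod:
        dc.healthy = False

def rollout_single_forest(dcs, new_version, bad_in_prod=False):
    """One forest across all data centers: replication carries the change
    everywhere before anyone can validate it, so a bad change hits every DC."""
    for dc in dcs:
        apply_update(dc, new_version, bad_in_prod)
    return sorted(dc.name for dc in dcs if not dc.healthy)

def rollout_isolated_forests(dcs, new_version, bad_in_prod=False):
    """One isolated forest per data center: apply to one, validate, then move
    on; stop at the first failure so the rest keep running the old version."""
    updated = []
    for dc in dcs:
        apply_update(dc, new_version, bad_in_prod)
        updated.append(dc.name)
        if not dc.healthy:  # validation gate: do not touch the next data center
            break
    untouched = [dc.name for dc in dcs if dc.version != new_version]
    return {"updated": updated, "untouched": untouched}

def region_capacity_ok(dcs):
    """The post's planning rule: standard performance survives losing at most
    one data center per region."""
    down = {}
    for dc in dcs:
        if not dc.healthy:
            down[dc.region] = down.get(dc.region, 0) + 1
    return all(n <= 1 for n in down.values())
```

Run each rollout against a fresh `build_site()` with `bad_in_prod=True` and then call `region_capacity_ok` on it: the single forest loses all twelve data centers, the isolated design loses one and stays within the capacity rule.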
Thoughts?
joe
[1] For those who don't know this term… We shall say it is the NetBIOS name of the Windows Forest called "WindowsTestForest.loc".
[2] AD God
[3] http://msexchangeteam.com/archive/2007/07/18/446400.aspx
[4] http://blogs.msdn.com/jamesche/archive/2007/12/19/having-network-problems-on-win2003-sp2.aspx
[5] http://www.cisco.com/en/US/ts/fn/620/fn62761.html
[6] http://support.microsoft.com/kb/945977
A cowboy named Bud was overseeing his herd in a remote mountainous pasture in Idaho when suddenly a brand-new BMW advanced out of a dust cloud towards him.
The driver, a young man in a Brioni suit, Gucci shoes, RayBan sunglasses and YSL tie, leans out the window and asks the cowboy, ‘If I tell you exactly how many cows and calves you have in your herd, Will you give me a calf?’
Bud looks at the man, obviously a yuppie, then looks at his peacefully grazing herd and calmly answers, 'Sure, why not?'
The yuppie parks his car, whips out his Dell notebook computer, connects it to his Cingular RAZR V3 cell phone, and surfs to a NASA page on the Internet, where he calls up a GPS satellite to get an exact fix on his location which he then feeds to another NASA satellite that scans the area in an ultra-high-resolution photo. The young man then opens the digital photo in Adobe Photoshop and exports it to an image processing facility in Hamburg , Germany. Within seconds, he receives an email on his Palm Pilot that the image has been processed and the data stored. He then accesses an MS-SQL database through an ODBC connected Excel spreadsheet with email on his Blackberry and, after a few minutes, receives a response. Finally, he prints out a full-color, 150-page report on his hi-tech, miniaturized HP LaserJet printer and finally turns to the cowboy and says, ‘You have exactly 1,586 cows and calves.’
‘That’s right. Well, I guess you can take one of my calves,’ says Bud.
He watches the young man select one of the animals and looks on amused as the young man stuffs it into the trunk of his car.
Then Bud says to the young man, ‘Hey, if I can tell you exactly what your business is, will you give me back my calf?’
The young man thinks about it for a second and then says, ‘Okay, why not?’
'You're a Congressman for the U.S. Government', says Bud.
‘Wow! That’s correct,’ says the yuppie, ‘but how did you guess that?’
'No guessing required,' answered the cowboy. 'You showed up here even though nobody called you; you want to get paid for an answer I already knew, to a question I never asked. You tried to show me how much smarter than I you are; and you don't know a thing about cows… this is a herd of sheep.
Now give me back my dog.
I just wanted to take a moment to send out a general thanks to the Active Directory Product Group at Microsoft. I always enjoy seeing the team as a whole but really enjoy the individual talk time with the PM’s and Devs even more. My favorite time for this summit was the open session where we got to sit and discuss the Recycle Bin feature stuff with Tim and Stephanie. Not because I think it is the only cool feature or anything, but because I really enjoyed the open discussion and it was nice to learn the technical details behind a feature that has been so long in coming.
Uday and Moon, your presence was missed. Also I will miss seeing a large portion of the DS Team at DEC/TEC… Unfortunately it seems only a few of the DS Team will be able to make it to DEC/TEC due to budget cutbacks at MSFT. This is unfortunate because I often hear from the attendees that they really appreciate the availability of the Microsoft DS Team resources at DEC to respond to questions and hear feedback. Since this is the only conference with solid real deep focus on the DS pieces this is the best conference for Microsoft to send those resources but someone at some level doesn’t seem to understand that.
It was odd having my good friend Dean over on the other side of the fence as a Microsoft employee but I think it was good and he did Microsoft proud. I had a lovely time visiting with him and his wife (hmmm good meatballs) and awesome son (Hello Lucas… volcano!!!).
Just a quick FYI for those who kept asking me… The fact that Dean is working on PowerShell a lot now is not going to sway my opinion on it. Again, sorry to all those who asked me that specific direct question… but no. Not even for Dean. :) I will or will not use PowerShell when it becomes compelling specifically for me to use. This isn't to say it isn't the right answer for others, but that is for each individual to decide. I doubt there is anything that can be presented or said in a single presentation that could get any serious folks to just jump whole hog, this will be something admins choose to do or not based on their own thoughts, needs, and preferences. I found it odd when asked by some of the PM's if I was just all of a sudden going to change my mind on it because of a good presentation. Does anyone make up their mind on whether they will change directions based on a good presentation? Once I need to do something that isn't truly feasible for me to do (by my definition, no one else's) in perl or command line tools that I have or can write, I will maybe look in that direction. More on the PowerShell stuff and specifically the DS Team's AD and ADAM cmdlets for PowerShell in a later blog post.
Also a general thanks to the overall MVP program for having the Global Summit. It is always useful to me and this year by moving the Executive presentations to the end it really made me feel like my time was used well.
joe
I'm sure that sounded like a good plan in the beginning…
I've had lots of those…
Like when I tried to breed wiener dogs with cats to get wiener cats…
Well you don't get long skinny cats…
You get one dead cat and a dog with lots of scratches.
– Randy (TV Sitcom – My Name is Earl)
The real Eleanor if you don’t know who she is…
The replacement? (http://www.thalondesign.com/files/smart.htm)