Kevin Remde's IT Pro Weblog
Here are the "Best Of" our questions and answers from today's TechNet Webcast: Best Practices for Designing the Active Directory Structure.
BIG thank you to Matt Hester, who answered the questions in the background during the webcast; and whose work this represents.
Thanks to all who attended!
Questions and Answers:
“What are the tradeoffs for naming your internal domain the same as the external, or using a different internal name (name.com vs. name.local, etc.)?”
Keeping the same name makes life a little easier, but it may be less secure. Take a look at this KB: http://technet2.microsoft.com/WindowsServer/en/library/0487c48b-c901-42fc-8507-a88e651a9d281033.mspx?mfr=true
“If the GC is the only one that can authenticate the user, then what is the use of having additional DCs?”
You use the GCs to help scale and control authentication. However, DCs play many pivotal roles in your organization that support many other functions. Take a look at this KB for other articles: http://support.microsoft.com/kb/223346
“How is the size of active directory database calculated?”
There are a lot of factors that go into sizing the AD database. Take a look at this article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_yxcl.mspx?mfr=true
“Can you talk a little bit about cost between site links?”
This is a great KB about this (even though it is for Windows 2000): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd06.mspx
“I have a simple system: Windows 2003 Server R2 with one forest containing one domain. I have 2 DCs for redundancy; the same boxes also run DNS services. The domain controller that was set up first also runs as a print server and WSUS. The second DC is running as a file server. Is this too much for those boxes to handle? Or is there some technical reason why I should not be doing this setup? I have not seen any slowdowns so far; the domain has been up for 4 months. Total number of desktops is ~25 and 3 printers.”
No real technical reason in the scenario you describe. It all comes down to workload and how many users; how much work the servers are doing. As long as the servers are still performing well, you should be okay.
“Can a user in one Domain (with an established trust relationship) be a member of the ‘Domain Admins’ group on another domain?”
Yes, as long as the trust relationship is properly established.
“How do you make all DC's Global Catalog servers?”
There is a simple check box in the configuration of the Server’s NTDS Settings under the AD Sites and Services tool. Take a look at this KB: http://support.microsoft.com/kb/313994
“How can you enable Universal Group Membership Caching (UGMC)?”
Take a look at this KB: http://technet2.microsoft.com/WindowsServer/en/library/08f11546-a6ed-4045-9d60-20a5fc1db11b1033.mspx?mfr=true
“Is it wise to make all DCs global catalog servers? Isn't that a no-no? What are the disadvantages?”
In a single-domain forest there is no reason not to, and you get the benefit of sharing the load between DCs. But in a forest of two or more domains it’s generally not a good idea, because it will generate too much replication traffic. Generally you want at least 2 per site. This KB is a good place to start: http://technet2.microsoft.com/WindowsServer/en/library/864aa721-fb1f-4ae5-8047-a70a85dd088f1033.mspx?mfr=true
“The root server has all the roles. If I have an additional DC, then should any FSMO role be transferred or not? Or is it required to transfer the role?”
Yes, FSMO roles can be transferred. Take a look at this KB on how: http://support.microsoft.com/kb/324801
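As an added example (not from the webcast or from Matt's answers), here is a read-only PowerShell audit of the GC-per-site and FSMO placement points raised in the three answers above. It assumes the ActiveDirectory RSAT module and read access to the forest; it reports and changes nothing.

```powershell
# Added example, not part of the original post: audit GC and FSMO placement per site.
# Assumes the ActiveDirectory module (RSAT) and rights to read forest and DC objects.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = $forest.Domains.Count -gt 1

# Collect every DC in every domain of the forest.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}

# Group DCs by site and flag sites that fall short of "at least 2 GCs per site".
$dcs | Group-Object Site | ForEach-Object {
    $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
    [pscustomobject]@{
        Site    = $_.Name
        DCs     = $_.Count
        GCs     = $gcs.Count
        Warning = if ($gcs.Count -lt 2) { 'fewer than 2 GCs in this site' } else { '' }
    }
} | Format-Table -AutoSize

# In a multi-domain forest, making every DC a GC multiplies replication traffic,
# so call that configuration out explicitly.
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($multiDomain -and $nonGc.Count -eq 0) {
    Write-Warning "Every DC in a $($forest.Domains.Count)-domain forest is a GC; review replication load."
}

# FSMO roles: show which DC holds each role, so you can see whether the first
# ("root") DC still holds all of them or whether some have been transferred.
$dcs | Where-Object { $_.OperationMasterRoles.Count -gt 0 } |
    Select-Object HostName, Domain,
        @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize
```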
“Given the following, what design would you recommend? One company with locations across the US and Canada. Locations can either have end users or can be a datacenter site. All sites are managed by a single IT staff running 24x7. The only requirement is to ensure that only certain users/groups can log in to servers at the designated datacenter sites.”
I don’t see anything in this description to suggest that separate domains or forests need to be used. One IT Staff, with no specific politics or WAN connectivity issues to require separate domains or forests, and the requirements of restricting access can be fulfilled by other means… so I think you’re fine here with just one Forest containing one domain.
I've been tagged! Eileen Brown got me! ...so I'm obliged to A) tell 5 things about myself that you probably don't know, and then B) tag 5 additional blogosphere friends.
Okay... here are 5 things that you may not know about me:
Chris Haaker, Harold Wong, John Baker, Keith Combs, Matt Hester, and Vlad Mazek
You guys now have to tell us 5 facts about yourselves, and then tag 5 other people.
Isn't this fun?
Here are the "Best Of" our questions and answers from today's TechNet Webcast: Compliance and Records Management.
Thanks to all who attended! Happy Holidays!
PS - Here is my resource page for this webcast.
“When you refer to Document Information Panel, vis a vis doc metadata - are you referring to metadata exclusively for e-docs, or are you also including adding metadata for physical records?”
Well, in this case it would be electronic only. To manage physical records through MOSS would mean scanning or OCR to get them into an electronic form, and then yes, you could associate metadata or other content columns (and as a unique content type) through MOSS.
“I know Sharepoint 3 can be installed side-by-side on SBS2003 but can WOSS 2007 be scaled down and installed on a single server SBS2003 if it has enough RAM, CPU and Disk?”
If, as you say, it has enough processor, memory, and disk, then I don’t see why this wouldn’t work.
“Is this RM product DOD 5015.std certified?”
I don't know the specific certs, but I do know that the technologies that make up the Microsoft Office SharePoint 2007 foundation all have security technologies in place to lock them down: from SQL Server 2005 and its native support for encrypted data, to web applications being able to support encrypted connections, and all traffic in between.
So... my answer is a qualified YES. (Qualified because, again, I don't know the specifics of that DOD cert you mentioned.)
"Does MOSS 2007 include a utility for crawling a domain and locating all the older file system document folders and preparing a document navigation plan and Sharepoint structure to organize all the thousands of random documents through an organization?"
Well, not inasmuch as the documents automatically ending up in a document library. For that you would have to upload or import them in some way.
However, the new search functionality in MOSS 2007 lets you specify a file share as a content source, so that you can allow a crawl to index those file locations and in turn have those files be returned in the search results.
“Are you able to begin working in Microsoft Office and then save the document to SharePoint, rather than starting in SharePoint to create new documents?”
Absolutely. You can navigate to your network locations, or if you know the URL of the document library, you can save it there directly. You can even check out and check in documents directly from Word, for example, and modify the version information associated with them when you do. Very well integrated.
MERRY CHRISTMAS / HAPPY HOLIDAYS!
Today Microsoft announced that Exchange Server 2007 is DONE! Shipped! "Released to Manufacturing" (RTM).
Congratulations to the Exchange team. This is wonderful news for all of us who have been waiting for it and evangelizing what a wonderful upgrade this is going to be.
(And now I'm excited to install it on my own home server, too!)
"Cool Kevin! When can I get it?"
Watch this blog for more news about that as I learn it. I'll also let you TechNet Plus subscribers know when your evaluation copy of the released bits will be available for download.
Here are some resources relating to the webcast I presented on December 20, 2006, entitled “Best Practices for Designing the Active Directory Structure”.
I hope you find them useful.
Planning and Implementing Federated Forests in Windows Server 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/fedffin2.mspx
Autonomy vs. Isolation: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/e638db7d-ae87-45b2-beba-ec5815876ca2.mspx
Determining the Number of Forests Required: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0c1cfacb-ff12-466f-81c6-9d29c7c2c427.mspx
Forest Design Models: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0e40afb5-4504-4990-b579-052abe6bc599.mspx
Reviewing the Domain Models: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7928a6f2-3a50-4a4a-a349-ef8523798061.mspx
Windows 2000 Domain Architecture: Design Alternatives: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/w2kdomar.mspx
Single Domain Model: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0d2a5ac5-1b41-4b2f-8c02-ea9d2ee8e29f.mspx
Regional Domain Model: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/2b92c3d9-e89a-43c0-a10d-f5f134c9db03.mspx
Using the Organizational Domain Forest Model: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/782d4351-ba53-4576-9f8c-3d2b576816a3.mspx
Determining the Number of Domains Required: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d390f147-22bc-4ce3-8967-e65d969bc40b.mspx
Overview of Designing a Site Topology: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/786fa311-b6ea-40c0-ad8d-8f09a441622e.mspx
Planning Forest Root Domain Controller Placement: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/beb34f73-cf1a-4146-9497-2e54ec59e614.mspx
Planning Regional Domain Controller Placement: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/05db0f72-0e18-453b-b294-49cfc8f9d6d2.mspx
Planning Global Catalog Server Placement: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0e4d2466-68e8-40d8-8c72-099f8bc259ff.mspx
Planning Global Catalog Server Placement: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx
Connecting Sites with Site Links: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/2048f9f3-f272-4fba-afbf-63bde19e1837.mspx
Creating a Site Link Bridge Design to Control Active Directory Replication Flow: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d82e1b2f-d167-409b-a8c7-04364964e5e5.mspx
This session’s resource page: http://www.microsoft.com/technet/ADD-03
Live TechNet Events: http://www.technetevents.com
Microsoft Events page: http://www.microsoft.com/events
Here are some resources relating to the webcast I presented on December 22, 2006, entitled “Compliance and Records Management”.
Preview - Microsoft Windows SharePoint Services 3.0: http://www.microsoft.com/office/preview/technologies/sharepointtechnology/highlights.mspx
Preview - Microsoft Office SharePoint Server 2007: http://www.microsoft.com/office/preview/servers/sharepointserver/overview.mspx
Microsoft Business Intelligence: http://www.microsoft.com/office/preview/solutions/bi/guide.mspx
Microsoft SharePoint Products and Technologies Team Blog: http://blogs.msdn.com/sharepoint/archive/2006/01/09/510812.aspx
Microsoft Records Management Team Blog: http://blogs.msdn.com/recman/
This session’s resource page: http://www.microsoft.com/technet/DSK-108
As many of you know, or will know by reading this, Windows Vista (and future operating systems and applications from Microsoft) requires activation. A new piece of functionality that is very good, and very important to understand, is how the new "Activation 2.0" affects volume licenses of the Windows Vista Business versions (Standard and Enterprise).
CLICK HERE For more information about it.
Seriously - If you're an IT Pro who manages the licensing and deployment of your desktops, you're going to need to understand this stuff. It's not rocket science, but there are many questions that can arise. In fact, I was e-mailed a couple of them just today.
"I was reading an article in Windows IT Pro about KMS and it mentions you need to have 25 licenses of Vista or 5 Windows Server licenses. Does that mean if I install Vista for only a handful of users initially that I can’t use KMS? Or do I need to get 25 users up and running to use KMS? 25 users are half of my desktop licenses and I’d rather upgrade a smaller number of systems initially."
Yes. KMS (the Key Management Service) can only be used if you're maintaining 25 or more activations. The KMS host makes itself known in DNS (via a special SRV record), and business clients that need activation automatically find that server when they start up. After the KMS has seen its first 25 clients, it starts activating clients (including those first 25), but not before.
So, because clients have a 30-day grace period in which to get activated, you basically have that long to bring up at least 25 clients.
The alternative to KMS activation is MAK (Multiple Activation Key) activation, which activates to Microsoft rather than to a local KMS service. If you have the KMS key, you also have the MAK key. (You get one of each from the same Volume License key source.)
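An added example, not from this post: a read-only PowerShell check of the KMS discovery path described above (the SRV record clients look up, reachability of the advertised host), this client's activation state and remaining grace period, and, when run on the KMS host itself, its current client count against the 25-client threshold. It assumes a domain-joined machine running Windows 8/Server 2012 or later (for Resolve-DnsName and Test-NetConnection); the SoftwareLicensingProduct and SoftwareLicensingService CIM classes are the same data slmgr.vbs /dlv reports.

```powershell
# Added example, not part of the original post. Read-only; it activates nothing.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'Not domain-joined; KMS auto-discovery relies on the AD DNS zone.' }

# KMS hosts register an SRV record named _vlmcs._tcp in the domain zone;
# clients query it at startup to find a host to activate against.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _vlmcs._tcp SRV record in $domain; clients cannot find a KMS host and will run out their grace period."
} else {
    foreach ($r in $srv) {
        $up = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -InformationLevel Quiet
        'KMS host {0}:{1} reachable={2}' -f $r.NameTarget, $r.Port, $up
    }
}

# This client's Windows license state. GracePeriodRemaining is in minutes.
$statusName = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
    Select-Object Name,
        @{ n = 'Status';        e = { $statusName[[int]$_.LicenseStatus] } },
        @{ n = 'GraceDaysLeft'; e = { [math]::Round($_.GracePeriodRemaining / 1440, 1) } },
        KeyManagementServiceMachine, KeyManagementServicePort |
    Format-List

# On the KMS host: the count of distinct clients seen so far. Activation only
# begins once this reaches 25 (the threshold the post describes for Vista clients).
$svc = Get-CimInstance SoftwareLicensingService
if ($svc.IsKeyManagementServiceMachine) {
    $count = [int]$svc.KeyManagementServiceCurrentCount
    'This machine is a KMS host; current count {0} of the 25 needed before clients activate.' -f $count
}
```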
Chris also says...
"Also, the article mentioned I need a 'Longhorn' server to use KMS or I could use an add-on for Windows 2003, which isn’t out yet. Am I understanding this correctly, or am I missing something?"
You understand correctly. Support for the KMS isn't available yet in Windows Server 2003 or earlier. You can install it on a Windows Vista machine, or on Longhorn (which is only in beta now). But yes, you should expect to see an update for Windows Server 2003 sometime in the first quarter of 2007.
Any other questions?