A Plumber's Confessions

Active Directory Application Mode (ADAM) -- Just Say Maybe

dougl — Wed, 06 Oct 2004 18:18:00 GMT

Last year Microsoft released another great tool for Plumbers to keep in their toolbox: Active Directory Application Mode (ADAM).

The "sweet spot" for ADAM is as LDAP-based storage for your custom applications -- applications that would otherwise request schema extensions to AD. There will be times when ADAM is the perfect tool for the job. (For more information on ADAM, you can read the introductory white paper.)

However, if you find yourself saying, "This is great! I'm going to use this because setting up a domain controller is just too hard," then I'd like to challenge your thinking. If your job is primarily authentication, your tool should be Active Directory domain controllers.

Support for the extranet authentication scenario (mentioned in ADAM white paper) is nice. But only if you are really committed to using LDAP simple binds for authentication and don't need any of the other authentication features built into Active Directory. This is often the case if you're using a web-sso product like those from OpenNetwork, Oblix, or Netegrity.

Some of the authentication features that you'll be missing are:

Kerberos (Remember, ldap binds send your password in the clear.)
Delegation (Whether or not you choose to support this in your infrastructure will affect the architecture of all your applications. You have included the dev teams in making these decisions, right?)
Windows integrated authentication with IIS (including digest).
Certificate-based authentication (including the use of SmartCards).

Also, you may find that AD as a solution is better supported...

Fast backup and restore (Although... ADAM does support VSS and a similar technique should be theoretically possible.)
More robust tools for health monitoring.
Active Directory Users and Computers. That's right -- we don't ship a simple GUI for managing users in ADAM.

When using Active Directory, developers will have the choice of which authentication scheme is most appropriate for their application. Most (all?) of Microsoft's own server applications will continue to be written to use Windows principals (AD users) and rely on a richer authentication method than an LDAP simple bind.

So, if you were building an authentication service, why wouldn't you want to use the option that is the most full-featured and best supported?

In the future, I'll address some of the objections to using Active Directory for the extranet access management scenario and try to debunk the myth that managing ADAM for that role would be easier.

Active Directory Webcast Week

dougl — Thu, 23 Sep 2004 22:34:00 GMT

Next week (beginning September 27) is Active Directory Webcast Week. From the events web site:

Do you want to learn more about Active Directory? IT professionals and IT managers – mark your calendars for webcasts covering Active Directory from A to Z. Microsoft Active Directory experts will provide you with a comprehensive tour of the technology, whether you are looking for information on Active Directory fundamentals, starting an Active Directory migration project, or seeking some advice for optimizing your existing deployment.

In case you miss them, they will also be available on-demand.

Plus... there are prizes.

See:

Active Directory: Learn the Basics and Master Advanced Concepts
http://www.microsoft.com/seminar/events/series/adaug.mspx

Microsoft Identity Integration Server cumulative hotfix available

dougl — Tue, 13 Jul 2004 15:00:00 GMT

The latest in a regular series of hotfix rollup packages is available for MIIS. I really like the way this group is fixing bugs and updating MAs to work with new versions of the connected directories.

These fixes look especially important for deployments with Oracle or Notes management agents. However, if you haven't deployed the previous updates, you should also look at the issues that have been resolved earlier. Here's a link to the article:

842531 - How to obtain the latest Microsoft Identity Integration Services 2003 cumulative hotfix package
http://support.microsoft.com/?id=842531

At the time I wrote this, however, the download link in above article pointed to an earlier hotfix. Here's where you can download it:

Download details: Update for Microsoft Identity Integration Server 2003 (KB842531)
http://www.microsoft.com/downloads/details.aspx?FamilyID=fa9dbb67-4654-4c94-b073-aa59676130af&DisplayLang=en

Self-Defeating Prophecy

dougl — Tue, 29 Jun 2004 21:41:00 GMT

I had Chinese food for lunch. This was my fortune:

You will receive an unexpected gift.

If I do indeed receive a gift, won't it now be expected?

Designing your Active Directory deployment in under a minute

dougl — Thu, 24 Jun 2004 06:16:00 GMT

Dana Epp came down from the Great White North to attend the Microsoft Security Summit in Seattle. He seems to have enjoyed himself. I'm glad.

In the afternoon sessions Dana saw a presentation by Steve Riley. Steve is a very dynamic speaker and, if you have the chance, you should go hear him.

I didn't see Steve's presentation, and Active Directory design doesn't seem to be on the slides, but apparently Steve showed you how to reach a design in 30 seconds. Here's how Dana wrote it up:

“I have been wrestling with Active Directory stuff as of late, and I enjoyed Steve's 30 second AD structure. Some organizations take weeks, months even years as they try to organize an Active Directory structure that fits in with the politics of the organization. Steve gives us a quick way to deal with it:

Forests and Domains = Physical geography
Organizational Units = Administrative Model
Security and Distribution = Organizational Chart”

In general, I think that's good advice. I'd only like to add a few more seconds onto your planning process and ask you to consider a couple other items...

Forests = security boundaries

More companies will now choose multi-forest deployments because of better understanding of the security issues. It's important that features like cross-forest trusts and tools like the Identity Integration Feature Pack make managing multi-forest deployments much easier.

(Multiple domains may still useful if you have severely restricted connectivity to some of your sites. AD replication is pretty efficient, though, and bandwidth is always getting cheaper so this is less of a concern everyday.)

Organizational Units = group policy application points

Using OUs for the role-based application of policy is a pretty good practice. You'll need to balance this with your use of OUs to delegate administration. You may naturally discover that your computers fall into one OU design useful for security group policy and your users fall into a different OU design useful for delegated administration.

There you go. Everything you need to know to design your Active Directory deployment -- if not in 30 seconds for sure in less than a minute! (Of course, if all else fails, you could always engage me to help.)

Updated Active Directory Branch Office Guide

dougl — Thu, 24 Jun 2004 04:54:00 GMT

If you're deploying Active Directory in a branch office environment (one or more central data centers and more than 100 branch offices with domain controllers), make sure to read the updated branch office guide. Version 1.1 has just been posted and contains some updated procedures and tools.

Here's a link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&displaylang=en

Actually, even if you don't have a branch office deployment, you might find some useful things in the guide. Updated versions of dcdiag and repadmin are included as are scripts for an image-based deployment of domain controllers using ADS. Links to AD Management Pack for MOM and FRS monitoring tools are always helpful, too.

TIP: Sharing Message Box Text

dougl — Fri, 18 Jun 2004 03:29:00 GMT

Ever seen a message box that you wanted to remember or share? What did you do?

If you're like most, you probably hit Alt-PrtScrn (or worse, just PrtScrn) to copy an image of the dialog to the clipboard. Then, you pasted that image into an e-mail and sent it to a large distribution list.

Invariably, someone on the list let you know exactly how much space in the message store your innocent bitmap took. Instead of getting the answer that you desperately sought, you were only derided for being wasteful with the company's resources.

Well, have I got a tip for you!

When you see the dialog box, instead of copying an image to the clipboard, you can copy the text by simply pressing Ctrl-C. That's right--the standard keyboard shortcut for Copy will cause something like this to be placed on the clipboard:

---------------------------
Notepad
---------------------------
The text in the Untitled file has changed.

Do you want to save the changes?
---------------------------
Yes No Cancel
---------------------------

Now you can paste this into an e-mail without fear of ridicule. (It also makes it easier to paste that text into a knowledge base search so you can find out what's going on.)

Enjoy!

Cutover vs. Migration

dougl — Thu, 17 Jun 2004 06:16:00 GMT

I had lunch with a friend today. He paid for it so he could ask my advice on a project he's undertaking. I'd have given him my advice without the lunch but it's hard to turn down an offer like that.

Phil's a one-man IT shop at a business with under a hundred desktops and he's completely changing their messaging system. As the appetizers came, we began to formulate an implementation plan.

It wasn't long before I realized that we had two different approaches in mind for the transition. I'll call them the “cutover” and the “migration.”

To complete the transition, changes at both the server and the client would be needed. And, since small companies don't often invest in automation tools for managing the desktop, a visit to each client was going to be necessary.

The cutover approach involved going in on Saturday when no one was around, ripping out the old mail system, building the new system, and moving all the clients to the new system by visiting each desktop. If everything went well, we'd end the day with a great sense of accomplishment.

The migration approach was all about doing everything needed to install the new system in parallel with the old. Test the new system while working out new processes with some carefully selected pilot users. Then, when confident in the new system, methodically (leisurely?) convert users over to it. Finally, when everybody's converted, decommision the old system.

It will take a little extra work to keep the two systems operating in parallel. But, the migration work can be done at any time without impacting users. This means Phil won't have to work Saturday and he'll have more time to work out the kinks in the new system.

I prefer the migration approach for its advantages in spite of the extra planning, additional effort and longer transition time. I think all projects should consider if this is a viable option.

Although this migration was a relatively small project, I should mention that I've seen the same concerns in projects much bigger when you'd think a cutover would be impossible. One large online banking migration chose the cutover approach and posted a “We'll be back at...” sign on their website Saturday morning while their dev team worked three shifts over the weekend. They were successful but there was a lot of risk in the approach and a lot of stress that weekend.

In the end, though, it was clear to me that cutover approach appealed to Phil's strong work ethic and his desire to get this project over with. I must reconsider my position and ensure that it's not rooted purely in selfish protection of the weekend (or even worse, sloth). What do you think?

(In case you're interested, by the time we completed our entrees, we had settled on a compromise between the two approaches and I'll be lending Phil a hand on an upcoming Saturday.)

How is an IT infrastructure like your plumbing?

dougl — Wed, 16 Jun 2004 04:57:00 GMT

Let me count the ways...

People expect the system to just work.
The system's complexity is hidden from most users.
A well-designed system enables all sorts of solutions to be delivered.
Various surges in usage can tax the system.
People will use the system in unintended ways.
The system's interconnections with other systems make it more powerful.
Routine maintenance required.
On call professionals will repair the system when needed.

And that's why--though I primarily work on IT infrastructure--I feel like a plumber.