The Future of Active Directory (February 22, 2006)

**Please note:** portions of this chat have been edited for clarity.

Participants:
Michael Stephenson, Director of Product Management for Identity and Access
Stuart Kwan, Director of Program Management, Identity and Access
David Cross, Director of Program Management, Windows Security Access Control
Levon Esibov, Group Program Manager, Directory Services
Michael Atalla, Group Product Manager, Identity and Access
Piyush Lumba, Senior Product Manager, Windows Rights Management Server

Resources:
Web: https://www.microsoft.com/ActiveDirectory
Newsgroup: https://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windows.server.active_directory

Dave Bishop [MS] (Moderator):
Hello everyone! Welcome to today’s executive chat. Please join Michael Stephenson, Stuart Kwan, Levon Esibov, and other top Microsoft experts to discuss the future of Active Directory and its evolution from a NOS directory service to the core identity and access infrastructure for organizations of all sizes. Discover what's new in Active Directory in Longhorn Server and what's planned for future releases. Your questions, comments and feedback are welcome at any time during the chat. We’ll get started in about 10 minutes. In the meantime, if our guests would like to start asking questions, feel free to.

Introductions:

Dave Bishop [MS] (Moderator):
Hello again. We’re about to begin. During today’s executive chat on the future of Active Directory, we are pleased to have Michael Stephenson, Stuart Kwan, Levon Esibov, and other key members of the Active Directory team. Please feel free to begin asking your questions and checking the “ask the experts” box before sending. Thanks. . I will have our expert guests introduce themselves now…

Michael Stephenson (MS Expert):
Hi there. My name is Michael Stephenson - just Michael in the chat - and I’m the director of product management for Identity and Access. My team is responsible for the planning and marketing of Active Directory and MIIS. I have been with Microsoft going on 9 years and have held many different positions in the Windows Server and IT infrastructure organization. I look forward to chatting with you today on the future of Active Directory.

Stuart Kwan (MS Expert):
Good morning, my name is Stuart Kwan and I have been working on Active Directory since 1996. Thank you for joining us this morning!

Levon Esibov (MS Expert):
Hi, I'm the Group Program Manager for the Directory Services team. My team is responsible for design and implementation of the Directory Services products.

Piyush Lumba (MS Expert):
My name is Piyush Lumba. I am a senior product manager for the Windows Rights Management Services (RMS) product group. RMS is an AD-enabled information protection technology/solution that embeds digital access policies in emails and documents and encrypts the content itself. I manage field marketing for the RMS product group.

David Cross (MS Expert):
Hello, I am David Cross. I am the Director of Program Management for the Windows Security Access Control team and my team is responsible for the design and implementation of many of the core security functions in the Windows operating system such as PKI, cryptography, Authentication, Authorization and Audit.

Michael Atalla (MS Expert):
This is Michael Atalla. I am Group Product Manager for Identity & Access at Microsoft. My team is responsible for product management and strategic planning for the core security features including PKI, crypto, Authentication, Authorization, and Audit, in addition to the newly announced Certificate Lifecycle Manager Beta 1.

Dave Bishop [MS] (Moderator):
Thank you to our Experts for your introductions! Let’s go ahead and start the chat.

Start of chat:

David Cross (MS Expert):
Q:
When will AES be supported as encryption algorithm in Kerberos
A: Windows Vista and Longhorn Server betas currently support AES as an algorithm default for Kerberos. Obviously for interoperability purposes for down-level systems and non-Windows systems, previous algorithms will be supported. We look forward to your feedback on this new work and our implementation.

Levon Esibov (MS Expert):
Q:
can we expect links in a future version of AD, that means, can one object appear at more than one place in the tree?
A: We are not planning on supporting this feature in Longhorn Server, but I'm very interested in understanding the importance of this feature for your scenario. If you can provide more data on which problem you are planning on fixing with this feature, that would help us in our post-Longhorn planning.

Stuart Kwan (MS Expert):
Q:
How will MIIS and AD evolve? Will functionality from MIIS make into the core AD product?
A: The functionality of the metadirectory is in fact, already available today with your Windows Server license. The Identity Integration Feature Pack (IIFP) is available for download from Microsoft.com and you can use it to manage Active Directory and ADAM today. The IIFP is different from MIIS in that it can only connect to AD, and does not have the full range of management agents to connect to heterogeneous systems. When we ship the next version of MIIS, code-named "Gemini", we will be renaming the IIFP to be called "Active Directory Metadirectory Services" and it will have all of the new features of Gemini, for example integrated workflow using Windows Workflow Foundation. We aspire for AD MS to then become the process-driven management platform for all of the AD server roles.

David Cross (MS Expert):
Q:
What is the roadmap for dynamic ACLs and/or dynamic authN/AuthZ based on user properties. For example several of my customers who come from backgrounds of developing against LDAP directories are eager to use arbitrary user properties in AuthZ (out of space
A: Microsoft supports dynamic ACLs and authorization functionality through Authorization Manager and MIIS today. For example, with both AzMan and MIIS you can create dynamic groups based on attributes of a user object in Active Directory, which is an access control mechanism in applications, file resources, etc. A good start might be the following article: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManRoles.asp?_r=1

Michael Stephenson (MS Expert):
Q:
Can someone discuss InfoCard and its relation to AD and external roles, outside of the immediate organization?
A: InfoCard is a code name for a new user experience that enables users to securely and privately exchange identity information with sites. Users will have several different identities which can be visualized through the InfoCard experience. These identities can be self-issued, that is, where a user makes statements or claims about themselves, or what we call managed, where a trusted 3rd party makes claims about the user (e.g. governments, banks, businesses, etc.). In a future version of Active Directory - post the Longhorn Server release - new capabilities will be added for issuing and managing InfoCards.

Levon Esibov (MS Expert):
Q:
I have a Windows 2003 server with Exchange 2003 sp2 on it. While it is already a domain controller I want to switch it to a Global Catalog server. How will this impact Exchange?
A: Some operations of Exchange are performed against the GC, and by making your DC a GC you will make Exchange use the local GC for such operations and will reduce the dependency on connectivity to remote GCs. At the same time, making a DC a GC may increase the load on your server, and for this reason I recommend conducting such a conversion and testing it in your lab prior to making the conversion in a production environment.

Michael Stephenson (MS Expert):
Q:
Are there any plans to review the current pricing of MIIS?
A: There are no current plans to change the pricing of MIIS. However, we continue to evaluate alternative pricing structures.

David Cross (MS Expert):
Q:
Any more information about PKINIT updates? Would it be possible to use the same smartcard or even certificate to authenticate to multiple users within a forest or in different forests? How is the mapping between certificate and user done if not by UPN?
A: We have made significant enhancements and extensibility in the certificate mapping and smartcard logon capabilities (PKINIT) in Windows Vista and Longhorn Server betas. For example, user account mapping for PKINIT will support multiple alternate certificate mapping capabilities including distinguished name match, public key hash, etc. I believe these enhancements and flexibility with no longer being tied to a UPN in the certificate will meet your needs in this area going forward. We plan on publishing an Authentication enhancements whitepaper in the Beta 2 timeframe of Windows Vista that will detail these enhancements in much greater depth.

Stuart Kwan (MS Expert):
Q:
What is the future of directory sync with other directories such as Edir, Oracle's Dir?
A: MIIS 2003 has connectors to the most common directories and databases, and can connect to arbitrary systems using flat file formats like CSV, or by building a custom management agent using the Management Agent SDK. Today, MIIS can connect directly to Novell eDirectory 8.6.2 and 8.7.x, and although we do not have an MA for Oracle Internet Directory, we do have a connector for the Oracle 8i and 9i database.

Michael Atalla (MS Expert):
Q:
I am curious about future directions for ADAM, ADFS, AzMan, and similar satellite technologies.
A: ADAM, ADFS, AzMan and other technologies such as Rights Management Services and Certificate Services are available today and will continue to be available as individual services of Active Directory in Longhorn Server. Our long term vision, beyond Longhorn Server, is to continue to more tightly integrate these technologies across Microsoft's enterprise server products and more tightly integrate them into Active Directory to provide you a simplified deployment and management experience.

David Cross (MS Expert):
Q:
Will it be a supported scenario to run bitkeeper full disk encryption based on a TPM module on a DC in Longhorn Server?
A: Yes, absolutely. BitLocker is intended for both client protection and server protection scenarios.

Stuart Kwan (MS Expert):
Q:
What can we expect in terms of read-only DCs? Will the read-only portion span to the SYSVOL?
A: Read-only DC is an upcoming feature of Longhorn Server Active Directory. Yes, the SYSVOL on the RODC will be read-only.

Levon Esibov (MS Expert):
Q:
As far as Active Directory Federated Services go, can you talk about the security of AD and how the directory will be safe in my DMZ?
A: Further increasing the security bar of the AD is one of the highest priorities for us in Longhorn. The two new capabilities in AD that you are going to see in Longhorn are "Read-Only Domain Controller" and "Active Directory on Server Core".

Levon Esibov (MS Expert):
Q:
I have a Windows 2003 server with Exchange 2003 sp2 on it. While it is already a domain controller I want to switch it to a Global Catalog server. How will this impact Exchange?
A: Adding to my previous answer:

Stuart Kwan (MS Expert):
Q:
Do you plan to have any specific wizards and so-forth for easily integrating/consolidating an old directory (NT4, other 2000 and 2003) into one of the new directories? (we have a lot of cleanup to do)
A: Late last year we shipped the Active Directory Migration Tool v3, available as a download from Microsoft.com, which can be used for migration from NT4 and also to restructure Windows 2000 and Windows Server 2003 domains and forests. Check out https://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en.

Michael Stephenson (MS Expert):
Q:
Will ADFS in 2003 R2 talk to non-IIS servers?
A: ADFS in R2 uses the open WS-Federation Protocol and the SAML 1.1 token format to exchange identity information. IIS in R2 provides native support for ADFS. Partners such as Quest, Centrify, and PingID have products and/or agents that can run on non-IIS servers and work with ADFS. This will enable Web SSO and federated Web SSO across IIS and non-IIS Web applications.

Levon Esibov (MS Expert):
With the Read-Only Domain Controller, an administrator can control the list of users whose passwords are replicated to the Read-Only DC (thus protecting passwords of administrators and other sensitive accounts that may never need to log in to that Read-Only DC). Also, in case a Read-Only DC is compromised, the modifications made by an attacker to the Read-Only DC will never replicate to the rest of the AD forest.

Michael Atalla (MS Expert):
Q:
I have not had a chance to look at what’s new in Longhorn AD. Can you give a brief overview of "What's New"?
A: Active Directory in Longhorn includes a fairly comprehensive set of new functionality, tighter integration across Active Directory services, and improved user experiences. An example of new functionality is the inclusion of an OCSP Responder in Active Directory Certificate Services, and an example of tighter integration is that of Active Directory Rights Management Services with Active Directory Federation Services to enable businesses to protect their sensitive information across forest boundaries with their business partners and customers. Please feel free to ask any specific questions you might have in this area or stay tuned to https://www.microsoft.com/ad for updates.

Stuart Kwan (MS Expert):
Q:
What about directory grafting tools similar to Novell eDirectory tools?
A: See ADMT v3.0. :-) There are also a wide range of tools available from third parties like Quest for managing your Active Directory - see https://www.microsoft.com/windowsserver2003/partners/adall.mspx.

Michael Stephenson (MS Expert):
Q:
Is "Active Directory on Server Core" the server that has no GUI?
A: The domain controller role of Active Directory will run on Server Core in Longhorn Server.

Levon Esibov (MS Expert):
Q:
As far as Active Directory Federated Services go, can you talk about the security of AD and how the directory will be safe in my DMZ?
A: Adding to previous answer: In Longhorn Server, Domain Controllers will be able to run on Server Core. Server Core contains the absolute minimum binaries that are required for running mission-critical Server Roles (including Domain Controllers). Thus Server Core reduces the attack surface and reduces the number of patches you need to apply to a Server Core (in comparison with Full Server).

Stuart Kwan (MS Expert):
Q:
Will LongHorn's AD allow forests to be merged, or to prune/graft domains?
A: We currently do not have plans to add forest merge or domain prune and graft features in Longhorn Server Active Directory. ADMT v3.0 is the tool for AD restructuring in the Longhorn timeframe.

Levon Esibov (MS Expert):
Q:
Levon: We are about to redesign our complete AD structure, including the use of an application directory partition, our own schema classes and attributes and so on; doing this, we for example have objects which represent a street address. It would be great to have one of these objects appear as a child object below a few other objects - for example users - instead of having to use linked attributes.
A: So what operation will be simplified/enabled by having these objects appear as children of a few different objects instead of having linked attributes? Is the main purpose to make them appear in some tool as children of different objects for usability purposes (examples?) or ...

Michael Atalla (MS Expert):
Q:
Along the lines of FSMO roles: Will there be auto-failover functionality in future AD revisions?
A: An example of why this is a potentially dangerous feature to introduce follows. Imagine a network failure occurs on the port your Schema Master is attached to. The infrastructure will not be able to differentiate between this network failure and a machine failure. The auto-failover would occur, transferring the role to another DC and modifying the schema to reflect this change. Network reconnection would then put you in a situation of having two authoritative schema masters in your forest with different versions of the schema. We will continue to investigate ways to make management of FSMO roles more flexible in the future and appreciate ongoing feedback from you in this area.

Michael Stephenson (MS Expert):
Q:
Will Longhorn be shipping with WinFS included? If so, will this affect Active Directory at all?
A: WinFS will not be shipping with Longhorn Server and therefore will not have any impact on Active Directory.

Stuart Kwan (MS Expert):
Q:
Thanks Stuart. I would think that if you want to be the core directory services in the organization that you will have to provide out-of-the-box directory integration into other non-Microsoft directories (NIS, Oracle Directory, etc.)? Is this coming?
A: Connectors for non-Microsoft systems will continue to be available with your MIIS license. So... no, it's not coming.

David Cross (MS Expert):
Q:
Are there any plans to improve compatibility with MIT Kerberos servers?
A: We regularly test interoperability with MIT Kerberos and we actually recently held an open interoperability and testing event with the IETF Kerberos working group in September of 2005. We believe we have full interoperability and proven public testing results in this area and would welcome any feedback where you feel additional support is necessary.

Levon Esibov (MS Expert):
Q:
Levon, I agree, but this is a small company and we don’t have any extra servers to test on. How long does it take to publish when I make the switch?
A: It depends on the size of the directory but for the small company it should be a matter of seconds.

Michael Atalla (MS Expert):
Q:
Do you foresee publishing guidance, along the line of prescriptive architecture, highlighting the use of various Microsoft directory services and identity technologies?
A: Yes, Mark, we hope to continue to improve existing guidance and integrate that guidance as we continue to invest in integration across the various services of Active Directory and technologies such as MIIS and Certificate Lifecycle Manager. For example, today you can find guidance on deployment and architecture of AD in the 'Planning and Deployment' section of https://www.microsoft.com/ad. Additionally, a great deal of guidance around deployment and architecture of Certificate Services is available at https://www.microsoft.com/pki in the "Step-by-Step Guides" section. We are working to improve and centralize this guidance to simplify your efforts to deploy these identity and access technologies in a consolidated and comprehensive fashion.

David Cross (MS Expert):
Q:
Will AD object ownership continue to vest (only alternative) with the creator owner or creator group ?? A long standing issue . . .
A: In Windows Vista, we have introduced a change in the ACL model called Owner Access Restriction (OAR) that allows for the traditional discretionary access control model of Windows to be overridden for specific ACLed resources. This allows improved security in situations where the owner of the object (who may have created the object) should not have the ability to manage the permissions on the object. I hope that answers your question.

Stuart Kwan (MS Expert):
Q:
What move is being made to make the FSMO roles multiple? By this I mean having more than one schema master (master/backup) and other roles?
A: By definition, the Floating Single Master Operation (FSMO) roles are single master. Schema updates, forest naming updates, the PDC role, RID master operations, and infrastructure master operations must take place using a single master strategy to maintain the integrity of the forest. We do not have any plans to make these single master. However, if you are suggesting we make "backup" a formal role, this is something we can look into.

Levon Esibov (MS Expert):
Q:
Given the success of the Exchange Best Practices Analyzer (and more recent similar offerings from the Exchange product team), are there any plans for something similar for AD and MIIS?
A: We are considering this. I assume I can take your question as a vote of support for providing a similar offering for AD and MIIS.

Stuart Kwan (MS Expert):
Q:
Will GPOs still be located in the SYSVOL in the form of .ini files? Any chance of seeing those settings/parameters directly in AD?
A: In Longhorn Server, Group Policy files are still stored in the SYSVOL. Note that significant enhancements are coming to FRS in Longhorn which will improve the performance and robustness of SYSVOL replication.

Michael Atalla (MS Expert):
Q:
Is there any new interesting integration with MSMOM (current or future) versions that you would like to tell us about?
A: Yes...we are committed to delivering a management pack for MOM for each server role in Active Directory including Domain Services, Federation Services, Rights Management Services, Certificate Services, Lightweight Directory Services, and Metadirectory Services.

Stuart Kwan (MS Expert):
Q:
Follow-up to Q35: More particularly, I am curious about guidance that includes the interplay between the various directory and identity technologies.
A: Clarification - do you mean LDAP APIs for building applications, or do you mean standalone GUI or cmd line LDAP tools to browse/navigate/search the directory?

Stuart Kwan (MS Expert):
Q:
Are you planning to add to the LDAP toolset? I always get nagged from my dev staff that there aren't enough tools for this.
A: Clarification - do you mean LDAP APIs for building applications, or do you mean standalone GUI or cmd line LDAP tools to browse/navigate/search the directory?

Michael_MS (Expert):
Q: Is there any work being done with MIIS to somehow "play nice" with Novell's IDM services?
A: Today, MIIS provides management agents for both Novell eDirectory and NDS. We plan to continue to support identity management across AD environments and Novell environments through MIIS as long as there is customer demand.

Levon Esibov (MS Expert):
Q:
What are the updates to the tools used to manage AD in Longhorn? Specifically those used to monitor its health.
A: We are currently working on some usability enhancements in AD tools; for example, we are considering providing the capability in Users and Computers to edit any attribute values, as one can do today through ADSI Edit. Regarding monitoring AD, we are ensuring that MOM 2005 and future versions of MOM support Longhorn AD.

Stuart Kwan (MS Expert):
Q:
Is Monad being integrated as the primary tool for scripting and configuration?
A: Monad-based tools for managing AD will not be available in Longhorn Server but it is something we are closely investigating for a future release.

Dave Bishop [MS] (Moderator):
Q:
To Dave Bishop (MS Moderator) I have to drop off, will the transcript from the Expert answers be available for download or online viewing later? Thank you
A: Yes the chat will be posted on the Technet chats web site in a few days. I hope it was helpful!

Michael Atalla (MS Expert):
Q:
Could you briefly explain "Active Directory Certificate Services" - what changes will be made to Windows Certificate Services to place it under AD, and how will this affect standalone certificate services?
A: Active Directory Certificate Services will include a number of new features intended to provide a more comprehensive digital certificate platform for Windows environments including, but not limited to, the addition of an OCSP Responder and network device enrollment services. In Longhorn Server, this will not affect your ability to deploy/operate a stand-alone Certificate Authority with AD Certificate Services. Over time, we will provide more comprehensive services in AD CS designed to provide even more streamlined PKI experiences in Windows environments, but have no plans to eliminate support for the stand-alone CA.

Levon Esibov (MS Expert):
Q:
Feedback: I'd love to see an AD Best Practices Analyzer
A: Thanks for the feedback. As I earlier said, we'll be looking into this.

Levon Esibov (MS Expert):
Q:
Feedback: I'd love to see an AD Best Practices Analyzer - Ditto that!
A: Got it :-)

Dave Bishop [MS] (Moderator):
Q:
Feedback: I would love to see an AD Best Practices Analyzer as well.
A: We appreciate the feedback, and will definitely look into what it would take to produce a document like that. Thank you!

Stuart Kwan (MS Expert):
Q:
Stuart [Q33 followup]: Command line tools to browse/navigate/search for the most part. They compare it to tools available for NDS and they say it's weak.
A: What, they don't absolutely love LDP.EXE in the support tools? :-) (All the developers I know completely adore it.) The tools we provide today are ADSIEDIT (a GUI) and LDP (a GUI with the feel of a cmd line tool) plus a range of DS*.exe command line tools. Yes, we are continuing to invest in building tools for managing AD, although many of these efforts will not appear until after Longhorn Server.

Dave Bishop [MS] (Moderator):
Q:
Dave thank you. It is and very interesting, therefore my question. See ya all next time.
A: You're welcome. Thanks for attending. We hope it was helpful!

David Cross (MS Expert):
Q:
Is the 300MB limit of event logs going to change in Longhorn? We are pressed with the current limitation.
A: In Windows Vista and Longhorn Server we have improved our design and architecture and removed this limitation.

Levon Esibov (MS Expert):
Q:
I'm sorry I didn't see anything after "adding to my previous answer"
A: I added description of Read Only Domain Controller and running DC on Server Core. If you didn't find it please let me know.

Dave Bishop [MS] (Moderator):
Everyone, before you leave today's chat, please be sure to answer the questions in the survey. Your feedback is very much appreciated, and will be used to improve future chat sessions.

Michael Atalla (MS Expert):
Q:
Follow-up to Q35: More particularly, I am curious about guidance that includes the interplay between the various directory and identity technologies.
A: I understand. Most of the newer guidance that you'll see around technologies like Certificate Services and Federation Services will extensively outline how these services interact and should be deployed relative to Active Directory Domain Services (domain controller server role). Over time we will provide more guidance aimed in this direction which more effectively highlights this interplay. Much of this is quite scenario specific, so our ability to tailor comprehensive guidance across all directory and identity technologies will be limited, but our goal is to put as much of this prescriptive guidance on the table for you to leverage in your environments and will develop guidance, prioritized, based on feedback from customers such as yourselves. Feedback on the scenarios you are dealing with is welcome on an ongoing basis.

David Cross (MS Expert):
Q:
Will the function to store the user's certificate and private key in an attribute on the AD user object be available in Vista? Estimated increase in DIT size if this is done?
A: Actually, we have added the ability to store certificates and private keys in Active Directory with Windows Server 2003 SP1. Continued support and enhancement will be available in Windows Vista and Longhorn Server. For more information, please see: https://technet2.microsoft.com/WindowsServer/en/Library/ef08bb73-716a-4476-95ba-882714c26b991033.mspx

Levon Esibov (MS Expert):
Q:
Levon: It's a bit difficult for me to describe our environment in just a few short lines. So at the moment I'm satisfied with your answer, that links are not supported.
A: Thanks!

Michael Atalla (MS Expert):
Q:
Re: Q37 (AD Certificate Services) - I'd hate to see the stand-alone CA go, if only for the reason that it's absolutely essential for the enterprise root CA to be "locked away in a closet". Thanks to Atalla for the clarification.
A: No problem...and understood. We are realistic about the requirements our customers have for digital certificate services based on the stand-alone CA particularly relative to having the root CA locked up in a closet. We do think that Certificate Services deployed with Active Directory provides a more comprehensive solution, particularly as we get closer to the release of Microsoft Certificate Lifecycle Manager, now in beta. This combination is the best platform for the multitude of digital certificate based services such as smart card login, IPSec, SSL-VPN, etc. Thanks for the feedback.

Michael Atalla (MS Expert):
Q:
Clarification to Q41: I mean AD/DC, its use and relationship to AD/AM, AD/FS etc. Scenarios, examples of their purpose and interaction in some prescriptive way. I encounter much confusion with these newer technologies and development and infrastructure use.
A: This is great feedback...we will include this feedback in our planning for the next wave of guidance. I understand the confusion you are highlighting and the request/requirement.

David Cross (MS Expert):
Q:
Q60 follow up: I’m aware of the solution in SP1, but it doesn’t feel completely production ready; the schema extension process is one example.
A: The overall solution is production ready and we are working on making it available in down-level client platforms as well. The schema extension documentation is really our only way to "release" the schema extension requirements, since schema extensions are not added to service packs. I know that it may seem not as polished as other components, but it really is fully supported and production quality from an implementation perspective. If you have suggestions on how we could improve the availability of the information, we are open to feedback.

Levon Esibov (MS Expert):
Q:
Perhaps it's not tightly related to the topic, but will you improve AD backup features, for example a separate System State backup?
A: We are not planning to separate System State backup in Longhorn Server, but we are looking at this post Longhorn.

Levon Esibov (MS Expert):
Q:
Levon, I found it, thank you. I think it would be more prudent to run this at night; do you agree?
A: I agree.

Stuart Kwan (MS Expert):
Q:
Currently AD uses text strings such as the CN for group membership, SID naming, etc. This means when an account is deleted, there are leftovers all over the directory; Exchange users that don't exist are still delegated to, etc. What plans are ...
A: In AD we do maintain referential integrity for linked attributes, such as group memberships. If you delete a user, their membership is automatically removed from global groups and universal and domain local groups in the same domain. The infrastructure master FSMO will also clean up references to that user in groups in other domains in the same forest. Beyond that forest, you would need a sync mechanism such as MIIS or the IIFP to clean up references to deleted users. Since SIDs are not linked attributes, we do not maintain referential integrity on them, and if for example a user is removed from an ACL it does leave a dangling reference in that ACL.

David Cross (MS Expert):
Q:
In response to Q60: is it wise to store private keys in AD, which is commonly considered to be a rather public data store? Will these be encrypted automatically?
A: Absolutely. The data is always encrypted using DPAPI, which prevents against brute force attacks on the attributes themselves, and in addition, Windows Server 2003 SP1 supports the ability of "private" attributes which cannot be read or queried by users other than the owner. Hence, the design prevents against the data exposure and attacks that you may be concerned about.

Stuart Kwan (MS Expert):
Q:
What is the guidance now for software developers integrating with AD? Do they get their own forest? Do they use ADAM?
A: "It depends." My advice to developers is that they give their customers as much flexibility as possible as to where directory data is stored; in other words, give customers the ability to choose at deployment time whether the data will be stored in AD or in an app-specific ADAM.

Dave Bishop [MS] (Moderator):
Q:
thx for all your answers!
A: Thanks for being here! I hope it was helpful for you!

Michael Atalla (MS Expert):
Q:
Where should we direct feedback?
A: There are a few ways to provide feedback. One of them is this forum; you are providing that feedback to the right people, right now. Additionally, you can have a broader discussion on this topic by visiting the newsgroups at:
https://www.microsoft.com/communities/newsgroups/default.mspx. A specific newsgroup you might want to visit is microsoft.public.windows.server.active_directory.

Levon Esibov (MS Expert):
Q:
Will there be better tools, changes, etc. for delegating control to techs for particular OUs? I would also like to see the AD Best Practices Analyzer.
A: No, we didn't improve tools in the area of delegation of administration in Longhorn, but we consider this to be an important area and will continue investments into this post Longhorn.

Michael_MS (Expert):
Q:
Will there be support from within the GUI for restoring deleted objects?
A: There are no current plans to support this feature. We will take this feedback into consideration.

Stuart Kwan (MS Expert):
Q:
Are you moving away from the SYSVOL in terms of GPO parameters storage?
A: In Longhorn Server, GPOs are still stored in the SYSVOL. Recall that client workstations explicitly look for these files in the SYSVOL, so removing the SYSVOL would break these clients.

David Cross (MS Expert):
Q:
Last Q60 follow up from me; any estimation how much data will be added when storing a certificate and private key in AD?
A: It depends on the number of certificates, size of keys, how long the user has existed in the directory, etc. We will have an upcoming whitepaper that provides great detail in this area. In general, for a given user, it should be no greater than 100K additional storage. However, this will vary based on usage. I hope the upcoming whitepaper will help you with planning.

Dave Bishop [MS] (Moderator):
Q:
thx for all your answers!
A: We have less than a minute to go... so that's all the questions we can take.

Levon Esibov (MS Expert):
Q:
I want to thank Levon and all for the help. Is there any other place you can recommend on the migration of the DC to a GC with Exchange on the server?
A: I don't think there is documentation for this specific scenario, but you would find info on converting a DC to a GC in the Active Directory Operations Guide available at https://technet2.microsoft.com/WindowsServer/en/Library/9c6e4dd4-3877-4100-a8e2-5c60c5e19bb01033.mspx

Stuart Kwan (MS Expert):
Q:
Q67 Followup - I actually meant an IT company supporting internal developers (like Microsoft)
A: Oh, in that case I'd ask the following questions: is the data interesting to multiple applications or just to a single application? Does it need to be replicated broadly and made available across the entire network (e.g., the app consuming the data is installed on client workstations)? Or is the data very application specific, and only needs to be available in a small number of fixed locations (e.g., the app consuming the data is a server-based app)? In the former case I would consider AD (AD DS), in the latter case ADAM (aka AD LDS). But in the end, you can always default to ADAM.

Michael_MS (Expert):
Q:
When will AD have the ability to host multiple domain partitions on a single DC? (not a GC)
A: While there are no plans to host multiple domain partitions on a single DC, there are ways today to host multiple DCs on a single server. For example, you can use Virtual Server to host separate virtual instances of DCs on a single server.

Stuart Kwan (MS Expert):
Thanks everyone for joining us today!

Dave Bishop [MS] (Moderator):
Well that wraps things up for our Executive Chat on the future of Active Directory this morning. I want to thank all of our users for joining us, and of course, thanks to our experts for being here to answer questions. Have a great day everyone!