It was impossible that Microsoft wanted to make AD in Windows Server 2008 a universal prescription for all problems. On the contrary, the Active Directory was overstaffing in the structure, unreliable and particularly unhelpful, and poor in performance. For example, the deployment of the vast majority of the AD could be compared to a car, and what the enterprise wanted to get from AD is a radio in the car. So, when the enterprise wanted to listen to the radio, they had to spend a lot of money in car and a lot of time in keeping the car running.
So, when AD was regarded as a radio, is it perfect??
1. Relying too heavily on DNS. It is known that AD was built on DNS.
A strong and reliable DNS instance is bed stone of AD.DNS enabled AD manage a huge and complicated networking environment. It is common knowledge that AD can only be deployed on DNS of Windows, which integrated many non-standard definitions and records of DNS, while DNS in windows is a service of which the reliability and loading capability are poor. However, on the internet, no ISP used Windows DNS. Once Windows DNS go wrong, all of Active directory will break down. For example, the update of DNS records failed, and many of S zones transfer failed, and DNS need relocating, all of which would make AD in excessive risks. In another word, a large building is based on a fragile foundation.
2. Too complicated LDAP protocol. LDAP in AD was known as a simple protocol. In fact, it was very complicated and uneasy to understand. Microsoft hopes in AD environment, the users do not contact directly with the protocol. Because of the complexity of LDAP, once it went wrong, there would be no error report and Emulation Module and debug for users. TO resolve this problem, the Microsoft had to supply a LDAP debug, which was located in the install directory of CD. Even so, almost no SA could be good at this “freak” debug.
3. Little value of Group Policy (GP). GP is the most popular function in AD.GPO could be used by the users to control the client cluster, which is the wish of Microsoft. However, such has not been the case. Firstly, most of the GP functions need the modification of Client Registry and, few need running script, which make the real-time, capacity of resisting disturbance of GP terrible. What is worse, when the deployment of GP was completed, the administrator didn’t know whether a policy had been in operation in each computer. Once it went wrong, the administrator had to analysis the problems in clients with the simple tools like GPRESULT. Besides, there are terrible design flaws in the function of GPO.
4. The completely enclosed database. In the official materials of MCSE, the Active Directory database and SYVOL were often mentioned. The SA know AD is the key point of the database, many kinds of information in AD. But what are stored in the database can not be known, and manipulated in a SQL Statement .So, what a nightmare to backup and restore AD. Would you backup AD? Sorry, Microsoft couldn’t help you. The only way is to use NTBCAKUP .Would you restore the database? Would like to do regular incremental synchronous data? Sorry, the NTBACKUP could not help you, either. What you could do only is to restore AD and other system information of Windows together, whether they are good or bad. Would you like to improve the reliability of this AD? You do have two DC to make it.