Blog Share: Understand the Difference Between a Password Reset and Password Change in Active Directory

It’s time for something different.  As my time to write has been heavily limited recently, I figured that I might share articles that have piqued my interest.  Here is the first post in my new “Share” series.


Active Directory has all its ins and outs.  The problem sometimes comes in understanding the differences between items that look alike.  Here is one that often gets overlooked: password resets vs. password changes.  Is there a difference?  Yes, there is.  And it is something that should be understood.


I hope you like this article.  It is short and to the point, but it is a solid article.  And no, this isn’t a plug for WebAD products, as I have never used them.

Understand the Difference Between a Password Reset and Password Change in Active Directory


Microsoft Management Summit Begins! #mms2013

MMS is an event that happens annually and is a place like no other for systems management people.  Figure at least half the systems management professionals in the world are going to be here in Vegas this week.  I will share what I see as time goes on over the week.
Sadly, these won’t be the normal thought-out posts I have.  No, instead these will be more in the reporting style.  My apologies for this temporary change.
Keynote thoughts:
There are too many systems management products targeting too many separate technologies.  Need to simplify.  This is a valid issue that is seen every day.  The Microsoft idea is that this needs to stop.  Their offering is System Center to do it all.  In all reality, this is a real issue that needs to be looked at.
BYOD [Bring Your Own Device] is going to be the norm and no longer the exception.  This is something Microsoft is pushing, but unlike some I think they are just trying to be ahead of the curve.
Can some of your demos… the keynote was killed because Mandalay Bay lost internet access.  In this case, Microsoft didn’t and this is turning into a small disaster over it. However, in the end you can try doing a massive presentation with just a cell phone hot spot.
Odd facts stated at the keynote:
Skype does 2 million minutes a day.
20% of all enterprises use Office 365. (Wow!  I had no idea.)
50% of workers in their twenties view BYOD as a right, not a privilege.
Stay tuned!

Certification Update: MCTS and MCITP are ending, have you taken those last tests?

As many of you know, the Microsoft Certified IT Professional / MCITP and Microsoft Certified Technology Specialist / MCTS programs are ending.  This has been inferred by many of us, but the reality is that Microsoft has stated this flat out.  However, they never really made a big deal about it.  And this is going to catch many people flat-footed.  Remember though that these certifications, once earned, are good for life. The program is expiring but the certs are not.

The MCTS / MCITP program has a simple premise: you received a certification specific to exactly what you knew.  This was most evident in the differences between a Microsoft Certified IT Professional / MCITP: Enterprise Desktop Support Technician on Windows 7 and a Microsoft Certified IT Professional / MCITP: Enterprise Desktop Administrator on Windows 7.  They sounded the same but in reality were completely different certifications.

Here was the problem.  There were too many certifications.  They just got out of control.  For example, I am a consultant, so I need certifications in a variety of topics.  My resume has fifteen MCTS titles on it.  It also has four MCITPs.  Isn’t that a bit much?

In the old days (yes, even IT has old days, and older days), there was just the MCSE and MCP.  You could do something (nothing specific was listed) or could do everything (totally a misnomer).  Today Microsoft is trying to find a happy medium; I wish them luck, but I am not sure it is going to work as well as they think.

I have one MCSA and one MCSE from the new program.  I will say that the MCSE was hard.  And the old Microsoft test taking techniques don’t work quite as well as you would think.  It actually impressed me.  My only concern is that they are pulling away some of the advantages they used to have with the MCTS / MCITP programs.  For example: Windows 7 support does not equal deployment.  On the MCSA it does.

I am going to say let’s all give it a try.  However, if you want that last MCITP or are prepping for an MCTS… get it before they are gone.  I have included a limited list of when many of these are expiring; make sure you don’t plan your lives by it though: Microsoft may change it.


Some of the expiration schedule:

Expires: Thursday, January 31, 2013

– Microsoft Certified Technology Specialist / MCTS: Microsoft Office Communications Server 2007, Configuration Exam 70-638

– Microsoft Certified Technology Specialist / MCTS: Microsoft Office SharePoint Server 2007, Configuration Exam 70-630

– Microsoft Certified Technology Specialist / MCTS: Microsoft Office Visio 2007, Application Development Exam 70-545

– Microsoft Certified IT Professional / MCITP: Enterprise Project Management with Microsoft Office Project Server 2007


Expires: Friday, February 01, 2013

– Microsoft Certified Technology Specialist / MCTS: Enterprise Project Management with Microsoft Office Project Server 2007 Exam 70-633


Expires: Saturday, February 02, 2013

– Microsoft Certified Technology Specialist / MCTS: Microsoft Office Project Server 2007, Configuration Exam 70-639


Expires: Wednesday, July 31, 2013

– Microsoft Certified Technology Specialist / MCTS: Microsoft SQL Server 2008, Database Development Exam 70-433

– Microsoft Certified Technology Specialist / MCTS: Microsoft System Center Configuration Manager 2007, Configuration Exam 70-401

– Microsoft Certified Technology Specialist / MCTS: System Center Data Protection Manager 2007, Configuration Exam 70-658

– Microsoft Certified Technology Specialist / MCTS: Windows Server 2008 R2, Server Virtualization Exam 70-659

– Microsoft Certified Technology Specialist / MCTS: Windows Server 2008 R2, Desktop Virtualization Exam 70-669

– Microsoft Certified Technology Specialist / MCTS: Microsoft .NET Framework 4, Windows Applications Development Exam 70-511

– Microsoft Certified Technology Specialist / MCTS: Windows Vista, Configuration Exam 70-620

– Microsoft Certified Technology Specialist / MCTS: Microsoft Windows Embedded CE 6.0, Development Exam 70-571

– Microsoft Certified Technology Specialist / MCTS: Windows Server 2008 Applications Infrastructure, Configuration Exam 70-643

– Microsoft Certified IT Professional / MCITP: Consumer Support Technician on Windows Vista

– Microsoft Certified IT Professional / MCITP: Enterprise Support Technician on Windows Vista

– Microsoft Certified IT Professional / MCITP: Enterprise Administrator on Windows Server 2008

– Microsoft Certified IT Professional / MCITP: Virtualization Administrator on Windows Server 2008 R2

– Microsoft Certified IT Professional / MCITP: Database Administrator 2008

– Microsoft Certified IT Professional / MCITP: Database Developer 2008

– Microsoft Certified IT Professional / MCITP: Business Intelligence Developer 2008

– Microsoft Certified IT Professional / MCITP: Lync Server Administrator 2010


Expires: Friday, January 31, 2014

– Microsoft Certified IT Professional / MCITP: Enterprise Desktop Support Technician on Windows 7

– Microsoft Certified IT Professional / MCITP: Enterprise Desktop Administrator on Windows 7

– Microsoft Certified IT Professional / MCITP: Server Administrator on Windows Server 2008

Quick Comment: Active Directory 2012 USN Rollback Protection. Finally safe virtualization?

So something that doesn’t seem to be getting much press is that Windows Server 2012 brings safe virtualization and protection from USN rollbacks.  Yes, it does.  All the docs say it, but Hyper-V 3.0 and PowerShell V3 get all the press.

Earlier versions of Windows Server tried to detect USN rollbacks, but this error, which can kill a domain, was a real danger and occurred regularly.  The more common ways a USN rollback might go undetected are: a virtual hard disk is attached to more than one machine, or, more commonly, a snapshot of a VM is restored and it has a USN that has increased past the last USN that the other domain controller received.

So while the first scenario might lead to domain controllers not replicating changes, make things unstable and unpredictable, and kill your forest, the second can be really bad.  Let’s just say bad.  Best case is an Event ID 1988 in Event Viewer for a lingering object.  Sometimes, though, you have corrupt data and wipe out the domain.

So, what was my mantra again? Oh yeah. Let’s make the new modus operandi: just say no to “blowing up” your Active Directory.  So give Windows Server 2012 a spin and let’s hear some attempts to kill it.

An excerpt from Microsoft discusses the new feature.  Don’t forget to follow the link and read the whole thing.

Excerpt from

“Virtual environments present unique challenges to distributed workloads that depend upon a logical clock-based replication scheme. AD DS replication, for example, uses a monotonically increasing value (known as a USN or Update Sequence Number) assigned to transactions on each domain controller. Each domain controller’s database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier associated with every write-transaction performed on each domain controller and must be unique within the forest.

AD DS replication uses InvocationID and USNs on each domain controller to determine what changes need to be replicated to other domain controllers. If a domain controller is rolled back in time outside of the domain controller’s awareness and a USN is reused for an entirely different transaction, replication will not converge because other domain controllers will believe they have already received the updates associated with the re-used USN under the context of that InvocationID.

For example, the following illustration shows the sequence of events that occurs in Windows Server 2008 R2 and earlier operating systems when USN rollback is detected on VDC2, the destination domain controller that is running on a virtual machine. In this illustration, the detection of USN rollback occurs on VDC2 when a replication partner detects that VDC2 has sent an up-to-dateness USN value that was seen previously by the replication partner, which indicates that VDC2’s database has rolled back in time improperly.

A virtual machine (VM) makes it easy for hypervisor administrators to roll back a domain controller’s USNs (its logical clock) by, for example, applying a snapshot outside of the domain controller’s awareness. For more information about USN and USN rollback, including another illustration to demonstrate undetected instances of USN rollback, see USN and USN Rollback.

Beginning with Windows Server 2012, AD DS virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID can detect and employ necessary safety measures to protect the AD DS environment if the virtual machine is rolled back in time by the application of a VM snapshot. The VM-GenerationID design uses a hypervisor-vendor independent mechanism to expose this identifier in the address space of the guest virtual machine, so the safe virtualization experience is consistently available on any hypervisor that supports VM-GenerationID. This identifier can be sampled by services and applications running inside the virtual machine to detect if a virtual machine has been rolled back in time.”
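To turn the excerpt into something you can run on a Monday morning, here is an added PowerShell check (mine, not Microsoft’s and not part of the original post) that reports, for every DC in the domain, whether its computer object carries a VM-Generation ID and whether the Directory Service log shows recent rollback-related events. It assumes the ActiveDirectory module (RSAT), remote event log access to each DC, and that msDS-GenerationId is only populated on virtual DCs whose hypervisor exposes VM-Generation ID. Event ID 1988 (lingering object) comes from the post above; Event ID 2095 (USN rollback detected) is assumed from Microsoft’s Directory Service event catalogue.

```powershell
# Added example, not part of the original post or Microsoft's documentation.
# Assumptions: ActiveDirectory module installed, caller can read each DC's
# Directory Service log remotely, msDS-GenerationId (2012 schema) is set only
# on virtual DCs whose hypervisor exposes VM-Generation ID, and event ID 2095
# is the "USN rollback detected" event (1988, lingering object, is from the post).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcVirtualizationSafety {
    param([int]$LookbackDays = 7)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # The generation ID lives on the DC's own computer object; ask that DC
        # directly so a stale replica does not hide a freshly set value.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
                                   -Properties 'msDS-GenerationId' -Server $dc.HostName

        # Rollback (2095) and lingering-object (1988) events in the lookback window.
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = @(1988, 2095)
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            HasGenerationId  = $null -ne $computer.'msDS-GenerationId'
            RollbackEvents   = @($events | Where-Object Id -eq 2095).Count
            LingeringEvents  = @($events | Where-Object Id -eq 1988).Count
        }
    }
}

# Anything with RollbackEvents greater than zero, or a 2012-or-later virtual DC
# with HasGenerationId false (the hypervisor is not exposing the ID, so the
# safeguard is not active), is the machine to look at before the next snapshot.
Get-DcVirtualizationSafety | Sort-Object RollbackEvents -Descending | Format-Table -AutoSize
```

A DC that reports HasGenerationId as false is exactly the pre-2012 situation the excerpt describes: a snapshot restore on that box goes unnoticed until a replication partner sees a reused USN.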

Certification Spotlight Series: MCSE: Private Cloud … how does it rate? Just buzzwords or real value?

So, you’re looking at the next generation of IT certifications, are you?  You want a cert with all the new buzzwords.  Right?  Let’s sit down and take a look at the point of the spear for these new Microsoft certifications: the new MCSE: Private Cloud, Microsoft Certified Solutions Expert.  Yep, one of the new ones.

Part of the allure of this test is that it has the new buzzword phrase: private cloud.  Does it really deserve it?  In all honesty, it does somewhat.  However, it is way more than just private cloud.  This covers private cloud, systems management, disaster recovery, operating system deployments, etc.  So, this cert can grab onto a lot of buzzwords.  And those buzzwords can mean a lot.  They can mean interviews, promotions, sales or even introductions.  They cannot be emphasized enough.

The only thing that is really off on this certification is the MCSE in its title.  The MCSE is by far the most recognized industry certification in the world.  They are attempting to bring it back because the MCITP just didn’t get the reputation the MCSE had.  Additionally, they are trying to modernize it.  Remember, in the United States of America, the MCSE, which stood for Microsoft Certified Systems Engineer, was awesome.  “Systems Engineer” and “Senior Systems Engineer” are traditional titles.  In some parts of the world, “Engineer” is a protected term.  As such, Microsoft tried the MCITP… but what was the title to go with that?  “IT Professional?”  What does that mean?  Microsoft is fighting back, so now you have the “Solutions Expert.”  Microsoft is showing that they are in tune with the industry.  I guess we can all live with it, right?

Oh, but there is a catch.  The new MCSE requires a recertification cycle.  Something Microsoft has threatened but never before pulled off.  Every three years you have to recertify.  I wonder what the tests will be for it.

So what is the audience profile?  “With Windows Server 2008 and System Center 2012, and soon with Windows Server 2012 and System Center 2012 SP1, you can build your Microsoft private cloud solution and gain the automation and flexibility you need for your IT infrastructure, now and in the future. Do you have experience with these technologies? Are you ready to begin the journey to cloud computing with a Microsoft private cloud implementation? Become Private Cloud certified and prove your knowledge and skills in managing and implementing Microsoft private cloud computing technologies.”  Hmmm…. Not much of a profile.  However, you begin to see that this is heavily about buzz.  Really, it is a System Center admin who has engineer experience and virtualization experience who wants to spread their wings.  Honestly, I would expect most people who go for it to have five to ten years of experience.

For my reviews I will be rating certifications on a 1-10 scale, ten being the highest and one the lowest, with MCM, CCIE and JNCIE at the top as a ten, and Microsoft Technology Associate (MTA), A+ and CCENT at the low end as a 1.  Well, I hope you weren’t waiting for me to rate those six certs… they were just rated as my baseline.

How would I rate this one?  First off, remember that this certification takes anywhere from five to seven certification tests to earn.  That is massive.  As such I would rate the real value here as around a 7.  However, with the current buzz, and the plain visibility of those buzzwords, the perceived value is through the roof.  As such the perceived value here is going to be at least a 9, yes, a 9. I know this is incredibly high.  However, I can’t think of a certification outside my 10-point certs (CCIE, MCM) that even compares to the salivation that occurs with those buzzwords.  So, I think the perceived value will drop, but for now: grab the value.

What do you think?  And what certification would you like me to take a look at and grade next time?

Certification Spotlight: Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration; what the heck does that cert mean?

So, when you are looking at hiring or being hired, you will always hear about certifications, but you want a good one.  Great, let’s talk about some!

Which next? Well, let’s hit one of the odd-ball specialty certifications by Microsoft.  The test is 070-0158. Sounds really engaging, doesn’t it? Microsoft test 070-0158, or even 70-158 as some people will write it.  OK, no, the test number just sounds lame… but what does it get you? How about adding “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration” to your resume?  Um, er, what does that mean?  I mean seriously, does anyone care or understand?  And is it a title or what?

So first let’s talk about what an MCTS is.  Microsoft Certified Technology Specialist (MCTS) certifications are designed to validate candidates’ skills at using, planning, deploying and troubleshooting a specific Microsoft technology. They are also sometimes used as stepping stones to the Microsoft Certified IT Professional (MCITP) or Microsoft Certified Professional Developer (MCPD) certification.  With an MCITP or MCTS, it is generally accepted to add the MCTS to the end of your name when emailing or signing things electronically, such as Joe Black, MCTS.  Often you can list specifics in email signatures afterwards… but in general I don’t.

Now let’s get back to the certification at hand: “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration”. What is this one?  This is a certification for the product listed, Forefront Identity Manager 2010.  And as such this is an exotic one for people who deal with making Active Directory talk to other LDAP-based services utilizing FIM. So the next question is: who is this for?  What does Microsoft say?

“Typical candidates for this exam are Identity Specialists who deploy and manage Forefront Identity Manager (FIM) 2010 in an enterprise environment consisting of more than 5,000 identities with a dynamic lifecycle. These organizations may be geographically and/or organizationally dispersed and may require compliance with extensive regulations. The environment may include multiple applications that consume identities and/or multiple disconnected data sources.”

Don’t you love how Microsoft even has to put in parentheses what the acronyms are?  However, more to the point… it really does say what this cert says you can do.  What it doesn’t say is how good you have to be to pass the cert and if the cert is worth anything.  In general with an MCTS the level of proficiency is based on more than a year of actual use of the product with heavy troubleshooting skills. So what this means is that you really know how to implement, troubleshoot… and even explain a product.  Oddly, this last one is almost as important as implementation skills on this one.  FIM is just not a heavily used product.  It is, however, an extremely valuable product because it makes other applications and even environments communicate by translating in a metaverse (yep, real term).

So how does this stand up to other certifications?  An MCTS has a low time-in-use requirement; however, it also is very specialized.  What makes this one different is that it is on an obscure technology that is normally used by people with over ten years in the industry.  So while a low-level certification, this actually signifies something that normally sits with and above even an Enterprise Administrator’s MCITP. So on a ten scale, with MCM, MCSM, CCIE and JNCIE at the top as a ten, and Microsoft Technology Associate (MTA), Configuration and CCENT at the low end as a 1, how would I rate it?  Alone I would rate it a 5.  Connected to MCITP: Enterprise Administrator, I rate it a 7.  It is a major name and brings out a lot of conversation.  It also shows significant skills and determination, as well as longevity in the field.

One caveat as always: remember when discussing certs.  Certs do not equal experience.  Certs validate experience.

What do you think?  And what certification would you like me to take a look at and grade next week?

Active Directory: Have you backed up your Domain Name System (DNS) today?

Have you ever backed up your Domain Name System (DNS) records independent of the traditional system state backup of your domain controllers? No?  So, if you lose DNS you are doing a full Active Directory restore? Yep.  Oh, OK.

Um, why?  Isn’t that kind of extreme?  Let’s make this a little simpler, OK?

As Active Directory is one hundred percent dependent on the Domain Name System (DNS), it is critical that you back up your DNS servers on a regular basis. The most common method is to do a system state backup.  Although this technique does work, it is all-or-nothing. This means that if you are having DNS problems, what do you do?  You restore the system state which includes the Registry, Active Directory database, etc.  Additionally, there is not a file to review in case one IP and name combination is lost.  It is simply all or nothing.

How about a better way for those times when you don’t want to blow up the current domain?

Backing up an Active Directory integrated zone is just a little more complicated than the traditional DNS backup.  It is simple.  Do it.  It is worth it.  Really.

How?  These simple steps.  Export the zone and back up the export file.  Yep, that is it.  Use the following commands to do it.

dnscmd /ZoneExport FQDN_of_zonename  backup\Zone_export_file

dnscmd /ZoneExport AD.lab  backup\AD.lab.dns.bak

dnscmd WS12-DC01 /ZoneExport AD.lab  backup\AD.lab.dns.bak

The first line is the syntax.  The second command exports the zone for AD.lab on the local server to a file called AD.lab.dns.bak in the %SystemRoot%\System32\Dns\Backup folder. The third command exports the same zone from the DNS server WS12-DC01 to a file named AD.lab.dns.bak in the %SystemRoot%\System32\Dns\Backup folder on the server named WS12-DC01. Be aware, though, that the export will not overwrite any previous backup of the same name.

Oh, you want to know how to restore?  Well, it will restore your whole DNS zone, so be careful.  Traditionally you do this after the zone is gone. Check the tech tip for the steps for a basic restore.

Well, first off validate that you have a current system state backup and a backup of the zone.  The system state is in case of corruption.  Remember, your backup procedures should include testing any processes in the lab before doing so in live production.  Now delete the current corrupt zone.  Now restore the zone.

Now we go through these commands.

XCOPY %SystemRoot%\System32\Dns\Backup\AD.lab.dns.bak %SystemRoot%\System32\Dns\AD.lab.dns.bak

DNSCMD /zoneadd AD.lab  /primary /file AD.lab.dns.bak /load

DNSCMD /zoneresettype AD.lab  /dsprimary

DNSCMD /config AD.lab /allowupdate 2

The first command copies the backup file into the DNS folder.  The second loads the zone as a primary zone.  The third converts the zone to Active Directory integrated DNS.  The last enables secure updates.  Oh, and you are now done.  If you had specialized security… time to rebuild that as well, if you need it.

Hard?  Nope.  How about you back up the DNS in your domain now?  It just takes a minute to export it.  So let’s export and back up your DNS.  One more step towards the new modus operandi: just say no to “blowing up” your Active Directory.
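The export and the restore above, wrapped as two PowerShell functions so the export covers every Active Directory integrated zone and the restore refuses to delete a zone before its export is confirmed present. This is an added example and not the post’s own commands; it uses the DnsServer module (Windows Server 2012 and later) in place of dnscmd. The server name WS12-DC01 and zone AD.lab are taken from the post; the off-box share \\BACKUP01\DnsExports is constructed.

```powershell
# Added example, not the post's own commands. Assumes the DnsServer module
# (Windows Server 2012+) and a DNS administrator account. WS12-DC01 and AD.lab
# come from the post; \\BACKUP01\DnsExports is a constructed share name.
Import-Module DnsServer -ErrorAction Stop

function Backup-AdDnsZones {
    param(
        [string]$DnsServer   = 'WS12-DC01',
        [string]$OffBoxStore = '\\BACKUP01\DnsExports'   # constructed
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    # Auto-created zones (the loopback reverse zones) are rebuilt by the service;
    # every AD-integrated zone an admin created is the thing worth keeping.
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
             Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

    $exported = foreach ($zone in $zones) {
        # As with dnscmd /ZoneExport, the path is relative to %SystemRoot%\System32\Dns
        # on the server and an existing file is never overwritten, so the file name
        # carries a timestamp instead of relying on overwrite.
        $file = "backup\$($zone.ZoneName).$stamp.dns.bak"
        Export-DnsServerZone -ComputerName $DnsServer -Name $zone.ZoneName -FileName $file -ErrorAction Stop
        [pscustomobject]@{ Zone = $zone.ZoneName; File = $file }
    }

    # A backup that lives only on the DC dies with the DC: copy it off the box.
    $dst = Join-Path $OffBoxStore $stamp
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Copy-Item -Path "\\$DnsServer\admin$\System32\Dns\backup\*.$stamp.dns.bak" -Destination $dst
    $exported
}

function Restore-AdDnsZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,     # e.g. AD.lab
        [Parameter(Mandatory)][string]$BackupFile,   # e.g. AD.lab.20130101-0900.dns.bak
        [string]$DnsServer = 'WS12-DC01'
    )
    $dnsDir = "\\$DnsServer\admin$\System32\Dns"

    # Refuse to delete anything unless the export we intend to load is present.
    if (-not (Test-Path (Join-Path $dnsDir "backup\$BackupFile"))) {
        throw "Backup file $BackupFile not found on $DnsServer; take a system state and zone export first."
    }

    # Same sequence as the post: drop the corrupt zone, load the export as a
    # file-backed primary, convert to AD-integrated, re-enable secure updates.
    Copy-Item (Join-Path $dnsDir "backup\$BackupFile") (Join-Path $dnsDir "$ZoneName.dns") -Force
    if (Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -ComputerName $DnsServer -Name $ZoneName -Force
    }
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -ZoneFile "$ZoneName.dns" -LoadExisting
    ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -ReplicationScope Domain -Force
    Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -DynamicUpdate Secure
    Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
}

# Usage: Backup-AdDnsZones | Format-Table
#        Restore-AdDnsZone -ZoneName 'AD.lab' -BackupFile 'AD.lab.20130101-0900.dns.bak'
```

Run the backup function from a scheduled task and you get the file-level copy the post asks for without touching the system state; the restore function is the one you test in the lab first, exactly as the post says.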

Active Directory: Built a mirror lab before?

By Robert Meyers

Do you have a lab?  Specifically, do you have an Active Directory lab? Do you need a lab?  Hint: the answer is yes.  The modus operandi for the industry has been simple: salvage your old equipment and build an ad hoc lab.  Times have changed and that now begs the question: is that really good enough?  Nope.  It wasn’t back in the day, and it certainly isn’t today.

So let’s get down to business and look at what you need for your lab.  One thing any IT professional will agree on is that building a lab is an essential part of preparing for a variety of tasks such as an Active Directory transition, an Active Directory migration, Novell Migration, schema changes and the list goes on.  Anything that changes your current settings in Active Directory beyond a single account should always hit the lab first.  The lab is there so you can do a dry run, practice and validate any process.  It is a lab environment.  If it blows up, you get the experience gained from rebuilding it.

So a lab should closely mirror the production environment (in every way that is feasible). While it is not feasible to completely mirror production’s many application servers and enterprise computing platforms, it should be as close as possible and account for the business critical applications, at least include a small sampling of those servers.  It should also have workstations if you use workstations.

Without a close replica of the production environment organizations cannot successfully plan for potential show stopping events from infrastructure changes.  Think of the results from a schema extension preventing a domain upgrade (I have seen these).  Think of a time configuration error that is allowing domain controllers to lose synchronization (these are common).  Think of a large PowerShell script import of thousands of groups being imported to the wrong OU (stopped this before).

Any process that has an impact on your current Active Directory environment should be tested.

An implementation of a new lab cannot account for the “history” or breadth of the production environment. This includes some of the following examples: schema extensions over time, upgrades of operating systems, administrative changes in functionality, current policies in effect, and anything you don’t see in a DCDIAG. Everyone agrees that implementing a lab environment using the concept of “mirroring”, or as close to a mirrored environment as possible, is crucial to a successful implementation of an upgraded or migrated environment.

There are many strategies for implementing a lab environment, but they all have their own caveats to plan for in order to avoid disaster. The best mirror methodology is to introduce a new domain controller in the production domain, replicate all data, remove the domain controller and place it in the lab environment, and then perform metadata cleanup on both the production and lab environments.  This gets you a copy of the real environment. In the production environment the metadata cleanup removes all existence of the newly promoted DC to avoid replication failures. In the lab environment the metadata cleanup involves removing all existence of the missing domain controllers in the forest.  The cleanup consists of seizing FSMO roles, using NTDSUTIL to clean up the metadata, and then going through and manually pruning each side from the other.

There is a major risk for this best-of-breed lab.  The lab environment must be guaranteed to never touch the production environment. If this were to occur, two separate domain controllers would attempt to assume the FSMO roles and would cause all sorts of issues… think the best possibility would be USN rollback and dire replication issues.   As such, while a lab environment is essential, there are many preventative tasks that must be performed to ensure the lab environment is never in contact with the production environment. This should be locked down by all available security measures. A very critical security concern is if the lab environment is a virtualized environment. Domain controllers are only as secure as the server they run on.

I always recommend using a dedicated Hyper-V V3, VMware vCenter Lab Manager or VMware ESXi environment. Please note that this security is essential, as if VHD or VMDK files end up in production they can potentially cause a true full-scale outage and additional security risks.
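The lab side of the method described above (seize the FSMO roles, then NTDSUTIL metadata cleanup for the DCs that stayed in production), written as an added PowerShell script that is not part of the original post. It puts the isolation check first: if any production DC answers on LDAP from the lab network, it stops before seizing anything, because that is the dual-FSMO scenario the post warns about. The names LAB-DC01, PROD-DC01 and PROD-DC02 are constructed; it assumes the ActiveDirectory module on the lab DC and an ntdsutil that accepts the server DN on the command line (Windows Server 2008 and later). The production side gets the mirror image: the same ntdsutil call for the lab DC’s server object, run on a production DC.

```powershell
# Added example, not part of the original post. Lab-side cleanup after a
# promoted DC has been carried from production into an isolated lab.
# Assumptions: ActiveDirectory module on the lab DC; ntdsutil that accepts
# "remove selected server <DN>" directly (Windows Server 2008+); the names
# LAB-DC01 / PROD-DC01 / PROD-DC02 are constructed for illustration.
param(
    [string]$LabDc     = 'LAB-DC01',                    # the DC carried into the lab
    [string[]]$ProdDcs = @('PROD-DC01', 'PROD-DC02'),   # DCs that must stay unreachable
    [switch]$Execute                                     # without it, only report the plan
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Isolation gate. If any production DC answers on LDAP from here, the lab is
#    not isolated; seizing roles now would create two sets of FSMO holders.
foreach ($dc in $ProdDcs) {
    $reachable = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($reachable) { throw "$dc is reachable from the lab network; stop and fix isolation first." }
}

# 2. Every DC the lab copy still knows about, other than the one carried over,
#    is a production DC that will never replicate again and must be removed.
$stale = Get-ADDomainController -Filter * -Server $LabDc | Where-Object { $_.Name -ne $LabDc }
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

if (-not $Execute) {
    "Would seize $($roles -join ', ') onto $LabDc"
    $stale | ForEach-Object { "Would remove metadata for $($_.Name): $($_.ServerObjectDN)" }
    return
}

# 3. Seize (not transfer: the current holders are unreachable by design) all
#    five roles onto the lab DC.
Move-ADDirectoryServerOperationMasterRole -Identity $LabDc -OperationMasterRole $roles -Force -Confirm:$false

# 4. Metadata cleanup for each missing DC. Quote the DN if a site name contains spaces.
foreach ($dc in $stale) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $($dc.ServerObjectDN)" quit quit
}

# 5. Show what the lab now believes: exactly one DC, holding every role.
Get-ADDomainController -Filter * -Server $LabDc | Select-Object Name, OperationMasterRoles
```

Run it once without -Execute to see the plan, and keep the manual pruning the post mentions (DNS records, site links, the computer objects the other side left behind) as a follow-up step; ntdsutil removes the server object but not everything that referenced it.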

Scared yet?  You should be. Well, this best-of-breed approach is the best of breed, but it needs to be done methodically.

Going to give it a try? Good!

Now everyone, let’s work together to make the new IT modus operandi: just say no to “blowing up” your Active Directory.

Active Directory: Wait, you relocate the data stores, moving the NTDS Database, Sysvol and Logs from default? Why?

When you start building domain controllers, one of the simple ideas people bring up is that you always leave the Active Directory data (NTDS database, Sysvol and logs; also known as directory data) in the default location in the Windows directory.  The idea is they are tucked away and difficult to stumble across accidentally and start playing around with.  Others simply say: it is where they belong.

I have been at this for so long that I hadn’t really thought about it till I received an email asking why I relocated the data stores in my blog post: A Visual Step by Step: Windows Server 2012, Active Directory 2012, time to build your first forest!

Well, it is probably obvious by now, that I disagree with the popular sentiment.

One of the problems is that most people confuse the Active Directory Domain Services role (making the server a Domain Controller) with the server. The reality is that the Active Directory Domain Services role is simply that: a role.  And when doing work in your lab, or troubleshooting and restoring your enterprise systems, you need to be able to easily back up or even copy everything related to Active Directory.  Why hide it in the Windows directory with thousands of other files and folders?

When you isolate these folders and files into a single root-level directory (I like C:\ADDS) you gain one directory to manage.  One directory to exclude from antivirus; yes, you have to exclude the NTDS Database, Sysvol and Logs from anti-virus scanning (if you even put anti-virus on your domain controllers… another topic to discuss at a later date). It also allows you to easily copy everything to do with Active Directory with the right click of a mouse or a simple backup command (to get everything).  This is awesome when troubleshooting things like Journal Wrap or doing restoration of login scripts or even Active Directory itself.  It is a life saver for a quick directory restore operation.

The idea here is to make your management of Active Directory simpler.  Now comes some neat things you can do if you have additional physical volumes to move these files to.

In a large environment, placing the directory data (Sysvol, NTDS, Logs) on its own NTFS partition reduces disk I/O contention.  This can reduce some chances of error, such as FRS just not keeping up with changes.  Additionally, reducing disk I/O allows the Active Directory Domain Services server to run more efficiently as well.  This can be vital for an enterprise PDC Emulator.  More efficient, better I/O adds to the number of client requests that can be processed. From a performance point of view you could use three separate disk arrays: one disk array for your boot partition, one disk array for your Active Directory database and the Shared System Volume (SYSVOL) folder, and one disk array for your Active Directory log files.

However, remember, Active Directory is based on a database.  As such, if you want the absolute best performance possible… separate all three parts of the directory data onto three separate drives.  Granted, this is only done when an enterprise needs extreme responsiveness.  However, this starts to get to be a management headache, as you now have to back up three separate drives. Let’s just keep it simple if we can, OK?

What are the negatives? If this is going to be a Domain Controller that is not going to be managed by trained staff… don’t do this.  Some administrators won’t realize that they should look for the directory data.  However, this is a situation where training can fix things.  Additionally, sometimes you may want to use simple step-by-step guides found online… and the administrator will need to adjust the commands on the fly.

Is it doable with the negatives?  Yes.  Do I consider the advantages more valuable than the risks from the negatives? Absolutely.  It keeps things simple for backups, restores and troubleshooting.  You can isolate your directory data and make your life simpler.
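What the relocation looks like in PowerShell, as an added example that is not from the original post or its linked step-by-step: create the C:\ADDS layout, promote the first forest DC with the database, logs and SYSVOL pointed at it, register the antivirus exclusions the post calls for, and then read back from the registry where the DC actually put everything, which is the check you want when you later inherit a box built by someone else. It assumes the ADDSDeployment module (Windows Server 2012 and later) and, for the exclusions, Windows Defender’s Add-MpPreference (Server 2016 and later; other products need their own exclusion call). The domain name ad.lab is constructed.

```powershell
# Added example, not part of the original post. Assumptions: ADDSDeployment
# module (Windows Server 2012+), Get-Volume from the Storage module, and
# Windows Defender's Add-MpPreference (Server 2016+) for the exclusions.
# Domain name ad.lab is constructed.
$Root  = 'C:\ADDS'
$Paths = @{
    DatabasePath = Join-Path $Root 'NTDS'
    LogPath      = Join-Path $Root 'Logs'
    SysvolPath   = Join-Path $Root 'SYSVOL'
}

function New-AddsLayout {
    # SYSVOL requires NTFS; fail here rather than halfway through promotion.
    $vol = Get-Volume -DriveLetter $Root.Substring(0, 1)
    if ($vol.FileSystem -ne 'NTFS') { throw "$Root must be on an NTFS volume, found $($vol.FileSystem)." }
    $Paths.Values | ForEach-Object { New-Item -ItemType Directory -Path $_ -Force | Out-Null }
}

function Install-FirstForestDc {
    param([string]$DomainName = 'ad.lab')   # constructed
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    # The three path parameters are the whole point of the post: one root to
    # back up, exclude and copy instead of files scattered under %SystemRoot%.
    Install-ADDSForest -DomainName $DomainName `
        -DatabasePath $Paths.DatabasePath -LogPath $Paths.LogPath -SysvolPath $Paths.SysvolPath `
        -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
        -InstallDns -Force
}

function Add-AddsAvExclusions {
    # The three stores the post says must never be scanned.
    Add-MpPreference -ExclusionPath $Paths.DatabasePath, $Paths.LogPath, $Paths.SysvolPath
}

function Get-AddsPaths {
    # Read back what the DC actually uses; the registry is the source of truth
    # for a box you did not build yourself.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}

# Order of operations: New-AddsLayout, then Install-FirstForestDc (the server
# reboots), then after logging back on: Add-AddsAvExclusions and Get-AddsPaths.
```

Get-AddsPaths is also the answer to the post’s one real negative: an administrator who does not know the data was relocated gets a single command that tells them where it is.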