RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
Thank you all for your responses!

If I understand well: My problem is not due to the Infrastructure Master... You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is not a GC. To correct my problem and see the directReports attribute of usertoto correctly set at usertiti, I must make the DC for toto.titi.com a GC. Right?

Solange Desseignes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, 11 June 2004 00:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

first of all, if titi.com and toto.titi.com are real names, then I'd switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't possible for the backlinks of linked attribute-pairs - this is the case here for the directReports attribute = it is not a replicated attribute at all (neither cross domain nor within the same domain), as only forward links (here the manager attribute) get replicated between DC/GCs. Instead, the backlink attributes are processed locally on each DC when it receives the forward-link (e.g. a user object's manager attribute) and creates the link between the two respective AD objects via an entry in the local link table on the DC/GC.

However, the forward-link will only replicate to DCs hosting the respective naming context. And for attributes (even forward links), which are also in the PAS (configured to replicate to the GC), this means that the information is also replicated to GCs from another domain(s), hosting a read-only partition of the source domain (of an object with a forward link). And the GCs will then again create the respective backlink locally, when making the entry in the linktable, even for cross-domain links.

For the given manager/directReport example this means that a user's manager attribute is only replicated to DCs of the same domain and to GCs in the forest - and that only these machines populate the respective directReports attribute (backlink) for a user who is a manager of this other user. As such, you won't see cross-domain directReports information on a DC of a manager's domain, if this DC is not a GC. So here, the DC for titi.com used to lookup the directReports attribute usertiti must have been a GC, while the DC of toto.titi.com used to lookup the directReports attribute usertoto must have been just a normal DC.

This is not to be confused with Phantom Records (which are updated via the Infrastructure Master): as the directReports attribute is not the replicated attribute, it is also not updated or replicated as a phantom record via the IM. However, phantom records are created on non-GC DCs to replicate the manager-attribute (forward-link) to other DCs, if e.g. a user's manager-attribute is linked to a user-object outside the own domain. As Dean perfectly described, the IM is then responsible to sync changes to the linked object over time (renames, deletes etc.), but it would not update any backlinks.

As a sidenote on the replication of the manager/directReports links you should realize, that if you do leverage these across domains in a forest and you accidentally delete a manager (with direct-reports in various domains) whom you must then authoritatively restore in AD, the links to the manager's directReports are NOT recovered with the manager... (same issue as with memberships in Universal Groups or Domain Local groups in other Domains of the forest)

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

If you really want/need it to be replicated to the GCs, you can use the Schema snap-in, and check the box in front of 'Replicate this attribute to the Global Catalog'.

Regards,
/Jimmy
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com. I set
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
I made the DC of the domain toto.titi.com a GC and the directReports attribute of usertiti has been immediately correctly set! Magic!!! Thank you all for your help!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Friday, 11 June 2004 09:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

Thank you all for your responses!

If I understand well: My problem is not due to the Infrastructure Master... You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is not a GC. To correct my problem and see the directReports attribute of usertoto correctly set at usertiti, I must make the DC for toto.titi.com a GC. Right?

Solange Desseignes
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
True, I typed without thinking (or rather reading closely...) I just saw PAS and typed away a canned answer... I must go on a break and clear my head g

/Jimmy
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 12:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
glad you got it working - how I love this magic, although at times it is difficult to explain to folks how certain things in AD really work...

now all that's left to do is to rename those domains ;-))

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Friday, 11 June 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

I made the DC of the domain toto.titi.com a GC and the directReports attribute of usertiti has been immediately correctly set! Magic!!! Thank you all for your help!
Re: [ActiveDir] Replication of linked attributes between domain and sub-domain
The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com. I set usertiti as manager of usertoto and usertoto as manager of usertiti.

When I look at the usertoto and usertiti entries in the directories, I have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at usertiti!

Why? Is it normal or is it a replication problem?

Thanks in advance for your answers...

Solange Desseignes

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
Thanks Tony! But, I don't query the Global Catalog but the whole directory itself. I connect the DC of the titi.com domain to see the usertiti user and I connect the DC of the toto.titi.com domain to see the usertoto user. Is it so because toto.titi.com is a sub-domain of titi.com?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 10 June 2004 11:04
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
If you really want/need it to be replicated to the GCs, you can use the Schema snap-in, and check the box in front of 'Replicate this attribute to the Global Catalog'.

Regards,
/Jimmy
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
Mmmh. I believe this is where the Infrastructure Master comes into the picture. I'm a bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to objects in other domains. We know that member (forward) and directReports (backward) are examples of linked attributes. We also know that only the member attribute value is replicated between GCs. This makes sense, because when you query for the directReports the value is calculated on-the-fly.

Back to the IM. The IM periodically updates the references (using phantom records in the directory database) and replicates any changes to DCs in its domain. This is the process that allows you to see, e.g. local group memberships, directReports, etc. that contain values from other domains. So there will be a delay between the time that you create the forward/backward link and the time that you will be able to query the directReports value (if the values are DNs from a different domain).

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be wrong). You may have to simply wait. Let us know what happens. In the meantime, some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the directReports entries from the other domain. Of course if all the DCs in the domain are also GCs this will not be an issue.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 11:17:13 +0200

Thanks Tony! But, I don't query the Global Catalog but the whole directory itself. I connect the DC of the titi.com domain to see the usertiti user and I connect the DC of the toto.titi.com domain to see the usertoto user. Is it so because toto.titi.com is a sub-domain of titi.com?
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
Post in haste... repent at leisure

I've said member (more than once) below when I should have said manager.

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 05:48:33 -0400

Mmmh. I believe this is where the Infrastructure Master comes into the picture. I'm a bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to objects in other domains. We know that member (forward) and directReports (backward) are examples of linked attributes. We also know that only the member attribute value is replicated between GCs. This makes sense, because when you query for the directReports the value is calculated on-the-fly.

Back to the IM. The IM periodically updates the references (using phantom records in the directory database) and replicates any changes to DCs in its domain. This is the process that allows you to see, e.g. local group memberships, directReports, etc. that contain values from other domains. So there will be a delay between the time that you create the forward/backward link and the time that you will be able to query the directReports value (if the values are DNs from a different domain).

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be wrong). You may have to simply wait. Let us know what happens. In the meantime, some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the directReports entries from the other domain. Of course if all the DCs in the domain are also GCs this will not be an issue.

Tony
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
first of all, if titi.com and toto.titi.com are real names, then I'd switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't possible for the backlinks of linked attribute-pairs - this is the case here for the directReports attribute = it is not a replicated attribute at all (neither cross domain nor within the same domain), as only forward links (here the manager attribute) get replicated between DC/GCs. Instead, the backlink attributes are processed locally on each DC when it receives the forward-link (e.g. a user object's manager attribute) and creates the link between the two respective AD objects via an entry in the local link table on the DC/GC.

However, the forward-link will only replicate to DCs hosting the respective naming context. And for attributes (even forward links), which are also in the PAS (configured to replicate to the GC), this means that the information is also replicated to GCs from another domain(s), hosting a read-only partition of the source domain (of an object with a forward link). And the GCs will then again create the respective backlink locally, when making the entry in the linktable, even for cross-domain links.

For the given manager/directReport example this means that a user's manager attribute is only replicated to DCs of the same domain and to GCs in the forest - and that only these machines populate the respective directReports attribute (backlink) for a user who is a manager of this other user. As such, you won't see cross-domain directReports information on a DC of a manager's domain, if this DC is not a GC. So here, the DC for titi.com used to look up the directReports attribute usertiti must have been a GC, while the DC of toto.titi.com used to look up the directReports attribute usertoto must have been just a normal DC.

This is not to be confused with Phantom Records (which are updated via the Infrastructure Master): as the directReports attribute is not the replicated attribute, it is also not updated or replicated as a phantom record via the IM. However, phantom records are created on non-GC DCs to replicate the manager-attribute (forward-link) to other DCs, if e.g. a user's manager-attribute is linked to a user-object outside the own domain. As Dean perfectly described, the IM is then responsible to sync changes to the linked object over time (renames, deletes etc.), but it would not update any backlinks.

As a sidenote on the replication of the manager/directReports links you should realize, that if you do leverage these across domains in a forest and you accidentally delete a manager (with direct-reports in various domains) whom you must then authoritatively restore in AD, the links to the manager's directReports are NOT recovered with the manager... (same issue as with memberships in Universal Groups or Domain Local groups in other Domains of the forest)

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

If you really want/need it to be replicated to the GCs, you can use the Schema snap-in, and check the box in front of 'Replicate this attribute to the Global Catalog'.

Regards,
/Jimmy
- Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com. I set usertiti as manager of usertoto and usertoto as manager of usertiti. When I look at the usertoto and usertiti entries in the directories, I have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at usertiti!

Why? Is it normal or is it a replication problem? Thanks in advance for your answers...

Solange Desseignes
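
The replication rule described in this thread, modelled as an added Python example (not code from any poster, and not how Active Directory is implemented): forward links reach only DCs hosting the naming context, plus GCs when the attribute is in the PAS, and each DC derives directReports from its own link table. The `DC` class, the `FOREST` data and the DC names are constructed for illustration.

```python
# Toy model (constructed for illustration) of forward-link replication and
# locally computed backlinks, using the titi.com / toto.titi.com scenario.
from dataclasses import dataclass, field

# Per the thread: manager is in the Partial Attribute Set, directReports is not replicated.
PAS = {"manager"}

# Forward links as written in each domain naming context (NC).
FOREST = {
    "titi.com":      {"usertiti": {"manager": "usertoto"}},
    "toto.titi.com": {"usertoto": {"manager": "usertiti"}},
}

@dataclass
class DC:
    name: str
    domain: str
    is_gc: bool = False
    link_table: set = field(default_factory=set)  # rows of (source, attr, target)

    def hosted_ncs(self):
        """Yield (nc, partial): full replica of the own domain, partial replicas only on a GC."""
        for nc in FOREST:
            if nc == self.domain:
                yield nc, False
            elif self.is_gc:
                yield nc, True

    def replicate(self):
        """Receive forward links for hosted NCs and record them in the local link table."""
        self.link_table.clear()
        for nc, partial in self.hosted_ncs():
            for obj, attrs in FOREST[nc].items():
                for attr, target in attrs.items():
                    if partial and attr not in PAS:
                        continue  # partial replicas carry PAS attributes only
                    self.link_table.add((obj, attr, target))

    def direct_reports(self, user):
        """Backlink: derived from the local link table, never replicated itself."""
        return sorted(s for s, a, t in self.link_table if a == "manager" and t == user)

def scenario(toto_dc_is_gc):
    """Return (directReports of usertiti on the titi.com DC, of usertoto on the toto DC)."""
    titi_dc = DC("dc-titi", "titi.com", is_gc=True)          # a GC, as stated in the thread
    toto_dc = DC("dc-toto", "toto.titi.com", is_gc=toto_dc_is_gc)
    for dc in (titi_dc, toto_dc):
        dc.replicate()
    return titi_dc.direct_reports("usertiti"), toto_dc.direct_reports("usertoto")
```

`scenario(False)` reproduces the symptom reported in the original question; `scenario(True)` shows the backlink appearing once the toto.titi.com DC also holds a partial replica of titi.com.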
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
you may not be using a GC query, but the directReports backlink is still read from the same linktable on a DC when it is also a GC. in your scenario, the DC used to look up the titi.com user must have been a GC and the other one a normal DC. This has nothing to do with the domain hierarchy. See my previous post on this topic for more details.

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

Thanks Tony! But I don't query the Global Catalog but the whole directory itself. I connect to the DC of the titi.com domain to see the usertiti user and I connect to the DC of the toto.titi.com domain to see the usertoto user. Is it so because toto.titi.com is a sub-domain of titi.com?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 10 June 2004 11:04
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com. I set usertiti as manager of usertoto and usertoto as manager of usertiti. When I look at the usertoto and usertiti entries in the directories, I have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at usertiti!

Why? Is it normal or is it a replication problem? Thanks in advance for your answers...

Solange Desseignes
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain
Tony, as just mentioned in my other post, this is not an IM topic, as this is about visibility of backlinks (which are not influenced by the IM). Backlinks are only visible on DCs, which host the naming context of the object with the forward link (i.e. for directReports this would be those, which host the NC for the users who are being managed)

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 10 June 2004 13:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

Post in haste, repent at leisure. I've said member (more than once) below when I should have said manager.

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 05:48:33 -0400

Mmmh. I believe this is where the Infrastructure Master comes into the picture. I'm a bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to objects in other domains. We know that member (forward) and directReports (backward) are examples of linked attributes. We also know that only the member attribute value is replicated between GCs. This makes sense, because when you query for the directReports the value is calculated on-the-fly.

Back to the IM. The IM periodically updates the references (using phantom records in the directory database) and replicates any changes to DCs in its domain. This is the process that allows you to see, e.g. local group memberships, directReports, etc. that contain values from other domains. So there will be a delay between the time that you create the forward/backward link and the time that you will be able to query the directReports value (if the values are DNs from a different domain). I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be wrong). You may have to simply wait. Let us know what happens. In the meantime, some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the directReports entries from the other domain. Of course if all the DCs in the domain are also GCs this will not be an issue.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 11:17:13 +0200

Thanks Tony! But I don't query the Global Catalog but the whole directory itself. I connect to the DC of the titi.com domain to see the usertiti user and I connect to the DC of the toto.titi.com domain to see the usertoto user. Is it so because toto.titi.com is a sub-domain of titi.com?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 10 June 2004 11:04
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set. The directReports attribute isn't. Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com. I set usertiti as manager of usertoto and usertoto as manager of usertiti. When I look at the usertoto and usertiti entries in the directories, I have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at usertiti!

Why? Is it normal or is it a replication problem? Thanks in advance for your answers...

Solange Desseignes