RE: [ActiveDir] AD synchronization

[Don Murawski (Lenox)]

Title: Message

Thanks for Reponses..   -----Original Message----- From: Marc Zukerman [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 1:14 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD synchronization Got it, thanks. Hey Don, has this discussion helped at all???   Marc Zukerman Senior Network Engineer Greenwich Technology Partners ----- Original Message ----- From: Roger Seielstad To: '[EMAIL PROTECTED]' Sent: Wednesday, March 26, 2003 12:31 PM Subject: RE: [ActiveDir] AD synchronization Because the Global Catalog data is already present in the .DIT file for the domain for which the server is a DC. Its in effect single instance storage - its not going to duplicate the data that's already there.     -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Marc Zukerman [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 11:36 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD synchronization OK, that makes sense and is consistent with everything else. That actually goes back to another conversation a few weeks ago when someone was asking about the true advantages/disadvantages of a dedicated forest root vs. single domain. The single domain would have a smaller GC (only one to manage).   One thing it doesn't answer is why the size of the dit file doesn't change if a system is not a GC. In one case, a system was temporarily made a GC and then "demoted" again to just a DC. However there are other DCs that were never GCs at any time. Every one of them is approximately 250MB (within 2 MB in either direction depending on the DC).   Marc Zukerman Senior Network Engineer Greenwich Technology Partners   ----- Original Message ----- From: Sullivan, Kevin To: [EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 10:17 AM Subject: RE: [ActiveDir] AD synchronization Since you are one domain the sizes should be the same. The GC contains the partial attribute set from all domains in the forest. Since you only have one domain you don't have anything additional added. Also, yes the GC is a subset of all attributes for the domains which the DC is not a member. So again, since you are a single domain nothing is added. Also the NTDS.dit contains all naming contexts, Domain, Configuration, Schema... so within the dit for the DC there will be domain naming contexts for all domains in the forest. Other than the domain which the DC is representing the DC only have partial information for all objects in the other domains.   Even though only some of the users are on Exchange 2000, the definition of the user objects come from the schema which define exchange attributes. There are no values for the attributes but the user objects have those attributes present (Speaking of mail enabled users).   In a multiple domain forest the GCs will be larger because they have all of their own info as well as some info from all other domains...   Hth,   Kevin Sullivan Sales Engineer Aelita Software   -----Original Message----- From: Marc Zukerman [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 9:58 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD synchronization   Now that's interesting Roger. I never thought to check it, but at my current client, the ntds.dit file does NOT change between GCs and DCs. For a directory of roughly 8500 objects we are at 250MB for all domain controllers, whether or not they are a DC. This environment is a single domain with Exchange 2000 (although only a very small subset of the users have Exchange - that's the project we're doing).   Also, I've always assumed that the GC was smaller than the DC because it is merely a subset. A large one, but a subset nonetheless.   Anyone with comments?   Marc Zukerman Senior Network Engineer Greenwich Technology Partners ----- Original Message ----- From: Roger Seielstad To: '[EMAIL PROTECTED]' Sent: Wednesday, March 26, 2003 7:30 AM Subject: RE: [ActiveDir] AD synchronization   That's a tough one. Its going to depend on the number of domains and the number of objects in each domain.   We're using an empty root with a single 'production' domain below it, probably 2500 objects in the production domain.   Looking at two root DCs, one which is and one which isn't a GC, the sizes of NTDS.DIT are significantly different: With GC: 79MB Without: 27MB   So, roughly speaking, that's about 50MB for a GC replication of around 2500 objects. Of course, your mileage will vary quite a bit.  So, in my case, a full GC replication is going to be about 50MB to 12 servers, which my WAN can handle without issue - most WAN's could probably handle that.   Roger -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 7:02 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD synchronization How "big" is the GC synch compared to the full AD synch? -----Original Message----- From: Marc Zukerman [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 2:29 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD synchronization Yes. Any schema modification requires a full directory synchronization. Since the schema is forest-wide, this means it affects all whether there is a dedicated forest root or not. In addition, the first Exchange 2000 system forces a global catalog full synchronization. When I questioned the Microsoft developer at MEC '99 why it was necessary to replicate the GC completely, I didn't get a satisfactory answer as to why. If anyone out there can tell me, I'd love to know why. We all determined it would be best to handle the forestprep and initial server installation off hours and from the Schema FSMO for any environment that was sizeable.   Marc Zukerman Senior Network Engineer Greenwich Technology Partners ----- Original Message ----- From: Don Murawski (Lenox) To: '[EMAIL PROTECTED]' Sent: Tuesday, March 25, 2003 2:09 PM Subject: RE: [ActiveDir] AD synchronization   Does Forest prep cause a full synchronization? We have an empty root domain that contains the schema master.   -----Original Message----- From: Marc Zukerman [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 12:22 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD synchronization Even so, I wouldn't chance it. If you have any corruptions to the schema when it gets updated, it is much more difficult to deal with that at 2:00pm on a Wednesday. I'd shoot for Friday night to be safe.   Marc Zukerman Senior Network Engineer Greenwich Technology Partners ----- Original Message ----- From: Kevin Miller To: [EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 11:57 AM Subject: RE: [ActiveDir] AD synchronization   How big is the AD implementation and how big are the pipes? I ran forest prep here in the middle of that day with 30 DC's and 10,000 AD objects not a problem at all. 768 CIR lines between servers.   -- Kevinm WLKMMAS, Exchange MVP From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Zukerman Sent: Tuesday, March 25, 2003 8:42 AM To: [EMAIL PROTECTED]   If you have not run forestprep yet, it will update the schema. This will force a full synchronication of the directory and global catalog. This may be a concern.   Marc Zukerman Senior Network Engineer Greenwich Technology Partners ----- Original Message ----- From: Don Murawski (Lenox) To: [EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 10:42 AM Subject: [ActiveDir] AD synchronization   We are bring up one E2k server  this weekend,  the exchange group is concerned the AD synchronization will impact Active Directory to a point that service is crippled. What are the major impacts?   Thanks,   Don L. Murawski Sr. Network Administrator WorldTravel BTI Phone: (404) 923-9468 Fax:     (404) 949-6710 Cell:     (678) 549-1264

<<attachment: image001.gif>>