Actually, why would it be minimized? The password change is happening on every domain controller, and as such looks like a discrete change to the PDCE - meaning it's gonna kill the PDCE.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 10:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Gil,
>
> Making the same change on multiple DCs is bone-headed
> As anyone who has had to clean up or troubleshoot the appearance of CNF:
> objects can attest to....
>
> And, yes - I concur that the password changes are all propagated via the
> PDCE and the replication traffic would be minimized because of such.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Wednesday, July 30, 2003 8:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Making the same change on multiple DCs is bone-headed, but I don't think it
> will generate much additional replication traffic. Aren't the password
> changes forwarded to the PDC FSMO role owner for the domain and then
> replicated from there? If that's true, then the redundant changes coming
> into the PDCE should be dropped (generally, changing an attribute to its
> current value has no effect). So the additional password changes will each
> generate a message to the PDCE, but otherwise not much else.
>
> Or am I missing something?
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 1:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> That strikes me as a way to cause replication storms in a flash, depending
> on how the application is written. Say you have 10 DC's, and this app
> changes the password on all 10 dc's. That's at least 81 different
> replication messages, since each DC will recognize that as a different
> change.
>
> Seems to me to be both overkill and unnecessary.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 3:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > We're looking at a product to manage passwords - it enforces
> > common password policy and keeps passwords in sync across
> > multiple platforms (mainframe, AD, NDS, Unix, etc.), as well
> > as provides self-service password change/reset via a browser
> > interface.
> >
> > One of its features on AD is that it's nominally site-aware -
> > it can determine a browser's location based on IP address and
> > change the AD password on a DC in that site. So far, so
> > good. Now the tricky part - it can also be configured to
> > ALWAYS change the password on one or more DCs that you
> > specify on the config, in addition to the one it selects.
> > The idea is to specify DCs near resources at headquarters
> > that people access from branch offices. This is supposed to
> > ensure that people can access the resources immediately
> > rather than waiting for the new password to replicate.
> >
> > Net result is that the same password change is applied
> > directly at multiple DCs in different sites at the same time.
> > My question is, what is the impact on the DCs and
> > replication traffic ? What are the caveats of such a scenario ?
> >
> > One other thing - the helpdesk can use the web interface to
> > assist callers who choose not to use self-service. In that
> > case, the helpdesk can see a list of all DCs and select the
> > one(s) they wish to send the change to. This can be
> > disabled, but is the default if you enable 'site-awareness'.
> > This bothers me a bit, since there's nothing to prevent a
> > helpdesk person from selecting 'em all. Your thoughts ?
> >
> > Dave
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
