Roger,

Apparently, I need to clarify what I meant. In relation to the product that was proposed, the normal password replication would be minimized to immediate connected partners - so, IMHO, this wouldn't be a storm but a bit of a burst (squall???)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, July 31, 2003 5:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

Actually, why would it be minimized? The password change is happening on every domain controller, and as such looks like a discrete change to the PDCE - meaning it's gonna kill the PDCE.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 10:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
>
> Gil,
>
> > Making the same change on multiple DCs is bone-headed
> As anyone who has had to clean up or troubleshoot the appearance of
> CNF: objects can attest to....
>
> And, yes - I concur that the password changes are all propagated via
> the PDCE and the replication traffic would be minimized because of
> such.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil
> Kirkpatrick
> Sent: Wednesday, July 30, 2003 8:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Making the same change on multiple DCs is bone-headed, but I don't
> think it will generate much additional replication traffic. Aren't the
> password changes forwarded to the PDC FSMO role owner for the domain
> and then replicated from there?
> If that's true, then the redundant
> changes coming into the PDCE should be dropped (generally, changing an
> attribute to its current value has no effect). So the additional
> password changes will each generate a message to the PDCE, but
> otherwise not much else.
>
> Or am I missing something?
>
> -gil
>
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 1:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
>
> That strikes me as a way to cause replication storms in a flash,
> depending on how the application is written. Say you have 10 DC's, and
> this app changes the password on all 10 dc's. That's at least 81
> different replication messages, since each DC will recognize that as
> a different change.
>
> Seems to me to be both overkill and unnecessary.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -----Original Message-----
> > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 3:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> >
> >
> > We're looking at a product to manage passwords - it enforces common
> > password policy and keeps passwords in sync across multiple
> > platforms (mainframe, AD, NDS, Unix, etc.), as well as provides
> > self-service password change/reset via a browser interface.
> >
> > One of its features on AD is that it's nominally site-aware - it can
> > determine a browser's location based on IP address and change the AD
> > password on a DC in that site. So far, so good. Now the tricky
> > part - it can also be configured to ALWAYS change the password on
> > one or more DCs that you specify on the config, in addition to the
> > one it selects.
> > The idea is to specify DCs near resources at headquarters that
> > people access from branch offices. This is supposed to ensure that
> > people can access the resources immediately rather than waiting for
> > the new password to replicate.
> >
> > Net result is that the same password change is applied directly at
> > multiple DCs in different sites at the same time.
> > My question is, what is the impact on the DCs and replication
> > traffic ? What are the caveats of such a scenario ?
> >
> > One other thing - the helpdesk can use the web interface to assist
> > callers who choose not to use self-service. In that case, the
> > helpdesk can see a list of all DCs and select the
> > one(s) they wish to send the change to. This can be disabled, but
> > is the default if you enable 'site-awareness'.
> > This bothers me a bit, since there's nothing to prevent a helpdesk
> > person from selecting 'em all. Your thoughts ?
> >
> > Dave
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
