Yes, replication is USN based. However, if you make a change to an attribute normally that is the same exact value, AD tricks you and responds to the request like it made the change but doesn't really update anything. I haven't tested that with the password fields but would expect that it works the same.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, July 31, 2003 6:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

Isn't replication USN based only - meaning that the value of the attribute isn't relevant, just the fact that it was changed, as indicated by the USN incrementing?

I have to go back and look up the password propagation pattern (PPP?) again. For some reason, I recall it being standard replication with the exception of the nearly instantaneous replication to the PDCE.

Now that I think about it, this product is going to tax the heck out of the PDCE...

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 9:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Making the same change on multiple DCs is bone-headed, but I don't think it will generate much additional replication traffic. Aren't the password changes forwarded to the PDC FSMO role owner for the domain and then replicated from there? If that's true, then the redundant changes coming into the PDCE should be dropped (generally, changing an attribute to its current value has no effect). So the additional password changes will each generate a message to the PDCE, but otherwise not much else.
>
> Or am I missing something?
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 1:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DC's, and this app changes the password on all 10 DC's. That's at least 81 different replication messages, since each DC will recognize that as a different change.
>
> Seems to me to be both overkill and unnecessary.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 3:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
> >
> > One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good. Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate.
> >
> > Net result is that the same password change is applied directly at multiple DCs in different sites at the same time. My question is, what is the impact on the DCs and replication traffic? What are the caveats of such a scenario?
> >
> > One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service. In that case, the helpdesk can see a list of all DCs and select the one(s) they wish to send the change to. This can be disabled, but is the default if you enable 'site-awareness'. This bothers me a bit, since there's nothing to prevent a helpdesk person from selecting 'em all. Your thoughts?
> >
> > Dave
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
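As an added example (not part of the thread), here is a PowerShell check an admin could run after such a multi-DC password change to see how many distinct originating writes the password attributes actually received, rather than guessing at the replication cost. It assumes the RSAT ActiveDirectory module (Get-ADReplicationAttributeMetadata) and rights to read replication metadata; $SamAccountName is a placeholder you supply.

```powershell
# Added example, not from the thread. Reads replication metadata for a user's
# password attributes from every DC so you can see how many distinct originating
# writes a multi-DC password change produced. Assumes the RSAT ActiveDirectory
# module; $SamAccountName is a placeholder you supply.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Domain = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Server $Domain
$pdce = (Get-ADDomain -Identity $Domain).PDCEmulator
$dcs  = Get-ADDomainController -Filter * -Server $Domain |
            Select-Object -ExpandProperty HostName

# unicodePwd itself is never readable, but its metadata (version, originating
# DC, USN) is, and pwdLastSet/ntPwdHistory move with it on every password set.
$pwdAttrs = 'unicodePwd', 'ntPwdHistory', 'pwdLastSet'

$rows = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $dc -Properties $pwdAttrs |
            ForEach-Object {
                [pscustomobject]@{
                    QueriedDC       = $dc
                    Attribute       = $_.AttributeName
                    Version         = $_.Version
                    OriginatingDC   = $_.LastOriginatingChangeDirectoryServerIdentity
                    OriginatingTime = $_.LastOriginatingChangeTime
                    LocalUsn        = $_.LocalChangeUsn
                }
            }
    } catch {
        Write-Warning "Could not read metadata from ${dc}: $($_.Exception.Message)"
    }
}

"PDC emulator for ${Domain}: $pdce"
$rows | Sort-Object Attribute, QueriedDC | Format-Table -AutoSize

# Run right after the tool's change: each DC that received a direct write names
# itself as OriginatingDC with a fresh LocalUsn, so DistinctOrigins approximates
# the number of originating writes (and therefore replication sources). Run again
# after convergence: every DC should agree on one Version and one OriginatingDC.
$rows | Group-Object Attribute | ForEach-Object {
    [pscustomobject]@{
        Attribute        = $_.Name
        DistinctVersions = @($_.Group.Version | Sort-Object -Unique).Count
        DistinctOrigins  = @($_.Group.OriginatingDC | Sort-Object -Unique).Count
    }
} | Format-Table -AutoSize
```

Comparing the two runs against a baseline taken after a single-DC password change shows directly whether the extra per-DC writes were dropped as redundant or replicated as separate changes.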
