I guess I'm trying to figure out why replication would be limited to just
the connected partners. Wouldn't the change on each DC cause the USN to be
incremented for that DC's replica? In that case, every other DC would see it
as a change which needs to be acquired during replication?

I guess there would be some consolidation at the site bridgeheads, but even
then, there should still be 1 change per DC being replicated to N-1 domain
controllers.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 31, 2003 10:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> 
> 
> Roger,
> 
> Apparently, I need to clarify what I meant.  In relation to the product that
> was proposed, the normal password replication would be minimized to
> immediate connected partners - so, IMHO, this wouldn't be a storm but a bit
> of a burst (squall???)
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, July 31, 2003 5:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> 
> Actually, why would it be minimized? The password change is happening on
> every domain controller, and as such looks like a discrete change to the
> PDCE - meaning it's gonna kill the PDCE.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 10:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> > 
> > 
> > Gil,
> > 
> > > Making the same change on multiple DCs is bone-headed
> > As anyone who has had to clean up or troubleshoot the appearance of CNF:
> > objects can attest to....
> >
> > And, yes - I concur that the password changes are all propagated via
> > the PDCE and the replication traffic would be minimized because of
> > such.
> > 
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> > Sent: Wednesday, July 30, 2003 8:43 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > Making the same change on multiple DCs is bone-headed, but I don't
> > think it will generate much additional replication traffic. Aren't the
> > password changes forwarded to the PDC FSMO role owner for the domain
> > and then replicated from there? If that's true, then the redundant
> > changes coming into the PDCE should be dropped (generally, changing an
> > attribute to its current value has no effect). So the additional
> > password changes will each generate a message to the PDCE, but
> > otherwise not much else.
> > 
> > Or am I missing something?
> > 
> > -gil
> > 
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 1:22 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> >
> > That strikes me as a way to cause replication storms in a flash,
> > depending on how the application is written. Say you have 10 DCs, and
> > this app changes the password on all 10 DCs. That's at least 81
> > different replication messages, since each DC will recognize that as
> > a different change.
> > 
> > Seems to me to be both overkill and unnecessary.
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -----Original Message-----
> > > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, July 30, 2003 3:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> > > 
> > > 
> > > We're looking at a product to manage passwords - it enforces common
> > > password policy and keeps passwords in sync across multiple
> > > platforms (mainframe, AD, NDS, Unix, etc.), as well as provides
> > > self-service password change/reset via a browser interface.
> > >
> > > One of its features on AD is that it's nominally site-aware - it can
> > > determine a browser's location based on IP address and change the AD
> > > password on a DC in that site.  So far, so good.  Now the tricky
> > > part - it can also be configured to ALWAYS change the password on
> > > one or more DCs that you specify on the config, in addition to the
> > > one it selects.
> > > The idea is to specify DCs near resources at headquarters that
> > > people access from branch offices.  This is supposed to ensure that
> > > people can access the resources immediately rather than waiting for
> > > the new password to replicate.
> > >
> > > Net result is that the same password change is applied directly at
> > > multiple DCs in different sites at the same time.
> > > My question is, what is the impact on the DCs and replication
> > > traffic?  What are the caveats of such a scenario?
> > >
> > > One other thing - the helpdesk can use the web interface to assist
> > > callers who choose not to use self-service.  In that case, the
> > > helpdesk can see a list of all DCs and select the
> > > one(s) they wish to send the change to.  This can be disabled, but
> > > is the default if you enable 'site-awareness'.
> > > This bothers me a bit, since there's nothing to prevent a helpdesk
> > > person from selecting 'em all.  Your thoughts?
> > > 
> > > Dave 
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > 