Dean, what did you mean by the last line, indicated here?
> The IM process itself does not create phantoms, if it were
> exclusively responsible for that task, all group modifications
> referencing non-local-domain members would require origination
> against the IM -- this is not the case.
> Phantoms are created locally by each DC
-> > (beneath the awareness of the directory itself).
Cheers,
BrettSh
On Tue, 16 Aug 2005, Francis Ouellet wrote:
> Dean and all;
>
> This has been a great topic so far. It seems that the IM
> infrastructure role isn't quite grasped by everybody and can be a
> little confusing (me being first confused!)
>
> Can I suggest that we gather all of the information from this thread
> and publish it as a community article on the MS KB we can later refer
> to?
>
> I'm willing to whip up the article if everyone agrees; I can then post
> back to the list a draft (or publish it somewhere) for technical
> review.
>
> Thanks,
> Francis
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: August 16, 2005 3:44 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Sounds good to me Robert. For the sake of clarification and a little more
> detail, see below -
>
> The IM process itself does not create phantoms, if it were exclusively
> responsible for that task, all group modifications referencing
> non-local-domain members would require origination against the IM -- this is
> not the case. Phantoms are created locally by each DC (beneath the awareness
> of the directory itself).
>
> The well-known role of the IM is to identify the validity of local phantoms
> using the process that we've just recently described to death. In addition,
> a lesser known function of the IM is that of improving its own phantoms and
> replicating those improvements to the remaining DCs within its own domain.
> This is achieved by a 'sorta' replication proxy -- my earlier post describing
> an ADFIND.EXE syntax outlines a means of finding the objects used by this
> aspect of the IM's behavior (that's assuming you're interested of course).
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
> (RRE)
> Sent: Tuesday, August 16, 2005 3:15 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> I like your explanation...please allow me to comment on a snippet just to be
> sure we're on the same page:
>
> <DEJI>
> IF the IM does not create phantoms, then the DCs that are not GCs do not have
> a way to reference those objects that exist in the OTHER Domain. These DCs
> who are not GCs rely on the IM to provide this facility, but since the IM has
> stopped creating phantoms because it is also acting as a GC, then the
> facility does not exist for the non-GC DCs to use.
> </DEJI>
>
> The DCs that are NOT GCs still can reference the object since it's replicated
> in after the phantom is created, however if your GC is on the IM
> ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not
> ever update the objects when they are renamed since there aren't any phantoms
> to update on the GC.
>
> And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC
> can and will create the phantom when necessary (or will it be the IM or PDC
> which actually 'creates' the phantom??) but it's the IMs job to update
> them...I think from the IM's perspective that it really doesn't care how they
> are created, its job is to just keep them accurate. That part I'm not 100%
> clear on so I hope someone straightens it out for me / us.
>
> Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of
> these things if possible?
>
> Thanks!
>
> Rob
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 2:48 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Your conclusion sounds good to me. When I talk about this IM/GC thingy, this
> is how I present it (to non- or semi-technical CxOs):
>
> In a multi-Domain environment:
> Each domain needs to know something about objects in the other domain.
>
> A GC in one domain knows something about objects in other domains in a
> multi-domain environment.
>
> An IM provides references to objects in OTHER domains by creating phantoms of
> those objects. These phantoms are used by other DCs in the IM's domain (who
> are not GCs) when they need to reference those objects that exist in the
> OTHER domain. These phantoms are NOT used by GCs because they already have a
> way to reference these objects.
>
> Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already
> knows about those objects that exist in the OTHER domain.
>
> IF the IM does not create phantoms, then the DCs that are not GCs do not have
> a way to reference those objects that exist in the OTHER Domain. These DCs
> who are not GCs rely on the IM to provide this facility, but since the IM has
> stopped creating phantoms because it is also acting as a GC, then the
> facility does not exist for the non-GC DCs to use.
>
> Now, IF all DCs in that domain are GCs, they will have knowledge of the
> objects in the OTHER domain and will know how to reference them WITHOUT
> relying on the existence of phantoms. In other word, they don't need the IM.
>
> In a single domain environment:
> There is no reason to be aware of ANY external object, because there is only
> one domain. Knowledge of the objects in this domain is shared equally by all
> the DCs in this domain. Nobody needs an IM. So, it does not matter where the
> IM resides because nobody uses it since there is no EXTERNAL object to
> reference.
>
>
> Sincerely,
>
> D?j? Ak?m?l?f?, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
> Sent: Tue 8/16/2005 10:48 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
>
>
> The part that is throwing me for a loop is that they both seem to be saying
> the same thing...if all DC's in a multi-domain forest are GC's then it
> doesn't matter where the IM goes since there aren't any phantoms created and
> thus there aren't any phantoms to keep track of. Phantoms are created (Dean,
> Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have
> knowledge of the object. I don't know about an object since it's not in my
> database, but in the database of another DC somewhere. So when you ask me to
> reference those objects on the other DC's (i.e. adding users from other
> domains to groups in yours) I need some way to reference them. I will create
> phantoms to reference these objects since they don't really exist in my
> database. Well, the problem with having the GC on the IM is that if I'm a GC
> then I will have a copy of the object (read-only, but still a copy), so there
> will be no need for me to create a phantom thus the problem where my
> references to your objects gets all outta whack. If you have only one
> domain, again we will have no reason to create these freaking phantoms
> (phantom sounds evil anyway) so the IM will be sitting there doing nothing
> all day (how lazy!). If everyone is a GC regardless of the # of domains then
> I again won't create a phantom (unless it's for a FSP or something along
> those lines not really relating to this discussion) since I have the object
> handy locally.
>
> Please chime in if there is something to add / correct..imagine if the KB
> article was as jumbled up as the above paragraph. I can almost hear the
> phone ringing now...
>
> Have a good one guys!
>
> Rob
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 1:23 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> I love this particular discussion. I can never quite follow the reasoning
> why about the IM/GC issue... but learn a little more about it each time.
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> Sent: Tuesday, August 16, 2005 12:12 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Deji,
>
> Thank you for pointing out my mistake. You are correct. DC5 holds all
> 3 roles, not all 5 roles. It's the details, I know. I can just hear joe
> now, "SEE, SEE, This is what I'm always talking about!
>
> Rocky
> ____________________________________
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 12:01 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
>
> I read it to be that he has 2 domains. He fat-fingered the number of FSMO
> roles in the child. But the conclusion is still the same - when all DCs are
> GCs in a given domain, IM and GC can co-exist.
>
>
> Sincerely,
>
> D?j? Ak?m?l?f?, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
> Sent: Tue 8/16/2005 8:39 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
>
>
> Rob,
>
> My understanding is that he has two domains in the forest: empty root and a
> production child domain. Though the forest root domain is empty, but it still
> has 2 domains.
>
> <quote>
>
> We have:
>
> Forest Root Domain (Empty)
>
> DC1 (Holds all 5 roles) (the DC offline for 26 hours)
>
> DC2
>
> One Domain in the Forest
>
> DC4
>
> DC5 (Holds all 5 Roles)
>
> DC6
>
> </quote>
>
> Now looking again at this layout makes me a bit confused as child domains can
> hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
> "single-domain forest" or "empty root domain + child domain" ?
>
> Guy
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
> (RRE)
> Sent: Tuesday, August 16, 2005 6:25 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Actually, if it's a Single Domain Forest then the Infrastructure Master
>
> has no phantoms to keep track of and thus, can be sent anywhere or left
>
> alone as a paper weight.
>
> So while I agree with Jose that it is perfectly fine to move it, doing
>
> so won't really matter until you have phantoms for the infrastructure
>
> master to keep an eye on.
>
> Just my $0.02
>
> Have a great day!
>
> Rob
>
> -----Original Message-----
>
> From: [EMAIL PROTECTED]
>
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
>
> Sent: Tuesday, August 16, 2005 11:17 AM
>
> To: [email protected]
>
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> You are correct. However if you have two DC's it doesn't hurt to offload
>
> the infrastructure master role to the DC that dose not have the other 4
>
> roles, even if it's in a single domain forest.
>
> Jose :-)
>
> -----Original Message-----
>
> From: [EMAIL PROTECTED]
>
> [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
>
> Sent: Tuesday, August 16, 2005 8:09 AM
>
> To: [email protected]
>
> Subject: RE: [ActiveDir] Question on Replication Topology
>
>
> Am I missing something or having Infrastructure Master running on GC is
>
> an issue in multi-domain forest ?
>
> Guy
>
> -----Original Message-----
>
> From: [EMAIL PROTECTED]
>
> [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
>
> Sent: Monday, August 15, 2005 9:28 PM
>
> To: [email protected]
>
> Subject: [ActiveDir] Question on Replication Topology
>
> Dear List Members (Whom I have a hard time figuring out how you all have
>
> so much time to help us "not quite up to speed, but severely overtasked
>
> Administrators");
>
> After a power failure took a Forest Root DC offline over the weekend
>
> (for 26 hours), I came in today to find my replication "in question".
>
> Repadmin /Showreps does not show any errors however, it shows
>
> inconsistent Replication partners. Here is my question;
>
> We have:
>
> Forest Root Domain (Empty)
>
> DC1 (Holds all 5 roles) (the DC offline for 26 hours)
>
> DC2
>
> One Domain in the Forest
>
> DC4
>
> DC5 (Holds all 5 Roles)
>
> DC6
>
> Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
>
> a DNS server.
>
> I was positive that I had the Forest Root and Domain at Windows Server
>
> 2003 Forest Functional Level but now when I go to AD Domains and Trusts
>
> and click the Forest Root Domain and right click Properties I get:
>
> Domain Functional Level = Windows 2000 mixed
>
> Forest Functional Level = Windows 2000
>
> When I go to AD Domains and Trusts and click the Domain and right click
>
> Properties I get:
>
> Domain Functional Level = Windows Server 2003
>
> Forest Functional Level = Windows 2000
>
> I must have miscalculated, but that's not my question.
>
> In my AD Sites and Services, I have connection objects that have
>
> automatically been generated for each DC but they are inconsistent. ie:
>
> DC1 goes to DC2 and DC6
>
> DC2 goes to DC1 and DC5
>
> DC4 goes to DC5 and DC6
>
> DC5 goes to DC4 and DC6
>
> DC6 goes to DC1 and DC4 and DC5
>
> The question is, "Shouldn't they all have automatically generated
>
> connection objects to everybody else and if they don't, is it just a
>
> matter of me adding the manual new connection object?" Or am I seeing a
>
> properly configured Sites and Services. If not, is part of my problem
>
> that I have not got the Forest Root at FFL?
>
> Thanks in advance people for any assistance. This list is so valuable,
>
> it's not funny. (Seriously!)
>
> ______________________________
>
> Rocky Habeeb
>
> Microsoft Systems Administrator
>
> James W. Sewall Company
>
> 136 Center Street
>
> Old Town, Maine 04468
>
> 207.827.4456
>
> [EMAIL PROTECTED]
>
> www.jws.com
>
> ______________________________
>
>
> List info : http://www.activedir.org/List.aspx
>
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
> List archive:
>
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
>
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
> List archive:
>
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
>
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
> List archive:
>
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
>
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
