Yeah, that's what I thought you might mean ... that's not true. The process of injecting a phantom is carried out by the directory service itself. It's in the AD's dblayer code, barely above ESE, but it is still a behavior of the the DS not ESE.
ESE has no idea what it is doing when a phantom is inserted, it's just 3 int columns to ESE, it has no concept of what a phantom is. "link pairs" (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase (=LinkID/2)) is how AD decided to use ESE to represent references for itself. Did that make sense? Cheers, -BrettSh On Wed, 17 Aug 2005, Dean Wells wrote: > ... that the process of injecting the phantom isn't a behavioral requirement > imposed or carried out by the directory service itself. It is a requirement > imposed by the underlying database and is necessary because of the mechanism > used by ESE to provide uniform representation of object references (i.e. > link pairs). > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, August 17, 2005 4:24 AM > To: [email protected] > Subject: RE: [ActiveDir] Question on Replication Topology > > > Dean, what did you mean by the last line, indicated here? > > > The IM process itself does not create phantoms, if it were > > exclusively responsible for that task, all group modifications > > referencing non-local-domain members would require origination > > against the IM -- this is not the case. > > Phantoms are created locally by each DC > -> > (beneath the awareness of the directory itself). > > > Cheers, > BrettSh > > > On Tue, 16 Aug 2005, Francis Ouellet wrote: > > > Dean and all; > > > > This has been a great topic so far. It seems that the IM > > infrastructure role isn't quite grasped by everybody and can be a > > little confusing (me being first confused!) > > > > Can I suggest that we gather all of the information from this thread > > and publish it as a community article on the MS KB we can later refer > > to? > > > > I'm willing to whip up the article if everyone agrees; I can then post > > back to the list a draft (or publish it somewhere) for technical > > review. > > > > Thanks, > > Francis > > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > > Sent: August 16, 2005 3:44 PM > > To: Send - AD mailing list > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Sounds good to me Robert. For the sake of clarification and a little > > more detail, see below - > > > > The IM process itself does not create phantoms, if it were exclusively > responsible for that task, all group modifications referencing > non-local-domain members would require origination against the IM -- this is > not the case. Phantoms are created locally by each DC (beneath the > awareness of the directory itself). > > > > The well-known role of the IM is to identify the validity of local > phantoms using the process that we've just recently described to death. In > addition, a lesser known function of the IM is that of improving its own > phantoms and replicating those improvements to the remaining DCs within its > own domain. > > This is achieved by a 'sorta' replication proxy -- my earlier post > describing an ADFIND.EXE syntax outlines a means of finding the objects used > by this aspect of the IM's behavior (that's assuming you're interested of > course). > > > > -- > > Dean Wells > > MSEtechnology > > * Email: [EMAIL PROTECTED] > > http://msetechnology.com > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Robert > > Williams > > (RRE) > > Sent: Tuesday, August 16, 2005 3:15 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > I like your explanation...please allow me to comment on a snippet just to > be sure we're on the same page: > > > > <DEJI> > > IF the IM does not create phantoms, then the DCs that are not GCs do not > have a way to reference those objects that exist in the OTHER Domain. These > DCs who are not GCs rely on the IM to provide this facility, but since the > IM has stopped creating phantoms because it is also acting as a GC, then the > facility does not exist for the non-GC DCs to use. > > </DEJI> > > > > The DCs that are NOT GCs still can reference the object since it's > > replicated in after the phantom is created, however if your GC is on > > the IM > > ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will > not ever update the objects when they are renamed since there aren't any > phantoms to update on the GC. > > > > And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC > can and will create the phantom when necessary (or will it be the IM or PDC > which actually 'creates' the phantom??) but it's the IMs job to update > them...I think from the IM's perspective that it really doesn't care how > they are created, its job is to just keep them accurate. That part I'm not > 100% clear on so I hope someone straightens it out for me / us. > > > > Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some > of these things if possible? > > > > Thanks! > > > > Rob > > > > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > [EMAIL PROTECTED] > > Sent: Tuesday, August 16, 2005 2:48 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Your conclusion sounds good to me. When I talk about this IM/GC thingy, > this is how I present it (to non- or semi-technical CxOs): > > > > In a multi-Domain environment: > > Each domain needs to know something about objects in the other domain. > > > > A GC in one domain knows something about objects in other domains in a > multi-domain environment. > > > > An IM provides references to objects in OTHER domains by creating phantoms > of those objects. These phantoms are used by other DCs in the IM's domain > (who are not GCs) when they need to reference those objects that exist in > the OTHER domain. These phantoms are NOT used by GCs because they already > have a way to reference these objects. > > > > Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it > already knows about those objects that exist in the OTHER domain. > > > > IF the IM does not create phantoms, then the DCs that are not GCs do not > have a way to reference those objects that exist in the OTHER Domain. These > DCs who are not GCs rely on the IM to provide this facility, but since the > IM has stopped creating phantoms because it is also acting as a GC, then the > facility does not exist for the non-GC DCs to use. > > > > Now, IF all DCs in that domain are GCs, they will have knowledge of the > objects in the OTHER domain and will know how to reference them WITHOUT > relying on the existence of phantoms. In other word, they don't need the IM. > > > > In a single domain environment: > > There is no reason to be aware of ANY external object, because there is > only one domain. Knowledge of the objects in this domain is shared equally > by all the DCs in this domain. Nobody needs an IM. So, it does not matter > where the IM resides because nobody uses it since there is no EXTERNAL > object to reference. > > > > > > Sincerely, > > > > D?j? Ak?m?l?f?, MCSE+M MCSA+M MCP+I > > Microsoft MVP - Directory Services > > www.readymaids.com - we know IT > > www.akomolafe.com > > Do you now realize that Today is the Tomorrow you were worried about > > Yesterday? -anon > > > > ________________________________ > > > > From: [EMAIL PROTECTED] on behalf of Robert Williams > > (RRE) > > Sent: Tue 8/16/2005 10:48 AM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > > > The part that is throwing me for a loop is that they both seem to be > saying the same thing...if all DC's in a multi-domain forest are GC's then > it doesn't matter where the IM goes since there aren't any phantoms created > and thus there aren't any phantoms to keep track of. Phantoms are created > (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't > have knowledge of the object. I don't know about an object since it's not > in my database, but in the database of another DC somewhere. So when you > ask me to reference those objects on the other DC's (i.e. adding users from > other domains to groups in yours) I need some way to reference them. I will > create phantoms to reference these objects since they don't really exist in > my database. Well, the problem with having the GC on the IM is that if I'm > a GC then I will have a copy of the object (read-only, but still a copy), so > there will be no need for me to create a phantom thus the problem where my > references to your objects gets all outta whack. If you have only one > domain, again we will have no reason to create these freaking phantoms > (phantom sounds evil anyway) so the IM will be sitting there doing nothing > all day (how lazy!). If everyone is a GC regardless of the # of domains > then I again won't create a phantom (unless it's for a FSP or something > along those lines not really relating to this discussion) since I have the > object handy locally. > > > > Please chime in if there is something to add / correct..imagine if the KB > article was as jumbled up as the above paragraph. I can almost hear the > phone ringing now... > > > > Have a good one guys! > > > > Rob > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > [EMAIL PROTECTED] > > Sent: Tuesday, August 16, 2005 1:23 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > I love this particular discussion. I can never quite follow the reasoning > why about the IM/GC issue... but learn a little more about it each time. > > > > :m:dsm:cci:mvp > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb > > Sent: Tuesday, August 16, 2005 12:12 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Deji, > > > > Thank you for pointing out my mistake. You are correct. DC5 holds > > all > > 3 roles, not all 5 roles. It's the details, I know. I can just hear joe > now, "SEE, SEE, This is what I'm always talking about! > > > > Rocky > > ____________________________________ > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > [EMAIL PROTECTED] > > Sent: Tuesday, August 16, 2005 12:01 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > I read it to be that he has 2 domains. He fat-fingered the number of FSMO > roles in the child. But the conclusion is still the same - when all DCs are > GCs in a given domain, IM and GC can co-exist. > > > > > > Sincerely, > > > > D?j? Ak?m?l?f?, MCSE+M MCSA+M MCP+I > > Microsoft MVP - Directory Services > > www.readymaids.com - we know IT > > www.akomolafe.com > > Do you now realize that Today is the Tomorrow you were worried about > > Yesterday? -anon > > > > ________________________________ > > > > From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy > > Sent: Tue 8/16/2005 8:39 AM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > > > Rob, > > > > My understanding is that he has two domains in the forest: empty root and > a production child domain. Though the forest root domain is empty, but it > still has 2 domains. > > > > <quote> > > > > We have: > > > > Forest Root Domain (Empty) > > > > DC1 (Holds all 5 roles) (the DC offline for 26 hours) > > > > DC2 > > > > One Domain in the Forest > > > > DC4 > > > > DC5 (Holds all 5 Roles) > > > > DC6 > > > > </quote> > > > > Now looking again at this layout makes me a bit confused as child domains > can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? > > "single-domain forest" or "empty root domain + child domain" ? > > > > Guy > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Robert > > Williams > > (RRE) > > Sent: Tuesday, August 16, 2005 6:25 PM > > To: [email protected] > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Actually, if it's a Single Domain Forest then the Infrastructure > > Master > > > > has no phantoms to keep track of and thus, can be sent anywhere or > > left > > > > alone as a paper weight. > > > > So while I agree with Jose that it is perfectly fine to move it, doing > > > > so won't really matter until you have phantoms for the infrastructure > > > > master to keep an eye on. > > > > Just my $0.02 > > > > Have a great day! > > > > Rob > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, > > Jose > > > > Sent: Tuesday, August 16, 2005 11:17 AM > > > > To: [email protected] > > > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > You are correct. However if you have two DC's it doesn't hurt to > > offload > > > > the infrastructure master role to the DC that dose not have the other > > 4 > > > > roles, even if it's in a single domain forest. > > > > Jose :-) > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, > > Guy > > > > Sent: Tuesday, August 16, 2005 8:09 AM > > > > To: [email protected] > > > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > Am I missing something or having Infrastructure Master running on GC > > is > > > > an issue in multi-domain forest ? > > > > Guy > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb > > > > Sent: Monday, August 15, 2005 9:28 PM > > > > To: [email protected] > > > > Subject: [ActiveDir] Question on Replication Topology > > > > Dear List Members (Whom I have a hard time figuring out how you all > > have > > > > so much time to help us "not quite up to speed, but severely > > overtasked > > > > Administrators"); > > > > After a power failure took a Forest Root DC offline over the weekend > > > > (for 26 hours), I came in today to find my replication "in question". > > > > Repadmin /Showreps does not show any errors however, it shows > > > > inconsistent Replication partners. Here is my question; > > > > We have: > > > > Forest Root Domain (Empty) > > > > DC1 (Holds all 5 roles) (the DC offline for 26 hours) > > > > DC2 > > > > One Domain in the Forest > > > > DC4 > > > > DC5 (Holds all 5 Roles) > > > > DC6 > > > > Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone > > is > > > > a DNS server. > > > > I was positive that I had the Forest Root and Domain at Windows Server > > > > 2003 Forest Functional Level but now when I go to AD Domains and > > Trusts > > > > and click the Forest Root Domain and right click Properties I get: > > > > Domain Functional Level = Windows 2000 mixed > > > > Forest Functional Level = Windows 2000 > > > > When I go to AD Domains and Trusts and click the Domain and right > > click > > > > Properties I get: > > > > Domain Functional Level = Windows Server 2003 > > > > Forest Functional Level = Windows 2000 > > > > I must have miscalculated, but that's not my question. > > > > In my AD Sites and Services, I have connection objects that have > > > > automatically been generated for each DC but they are inconsistent. ie: > > > > DC1 goes to DC2 and DC6 > > > > DC2 goes to DC1 and DC5 > > > > DC4 goes to DC5 and DC6 > > > > DC5 goes to DC4 and DC6 > > > > DC6 goes to DC1 and DC4 and DC5 > > > > The question is, "Shouldn't they all have automatically generated > > > > connection objects to everybody else and if they don't, is it just a > > > > matter of me adding the manual new connection object?" Or am I seeing > > a > > > > properly configured Sites and Services. If not, is part of my problem > > > > that I have not got the Forest Root at FFL? > > > > Thanks in advance people for any assistance. This list is so > > valuable, > > > > it's not funny. (Seriously!) > > > > ______________________________ > > > > Rocky Habeeb > > > > Microsoft Systems Administrator > > > > James W. Sewall Company > > > > 136 Center Street > > > > Old Town, Maine 04468 > > > > 207.827.4456 > > > > [EMAIL PROTECTED] > > > > www.jws.com > > > > ______________________________ > > > > > > List info : http://www.activedir.org/List.aspx > > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
