We haven't even touched on the link table or the means by which the
link-pairs are associated or even defined ... though I've a feeling we will
be now!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, August 17, 2005 8:43 AM
To: [email protected]
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


Oh and I wasn't very clear, the link pair in the link table isn't the actual
phantom ... the phantom is one referential phantom record, and zero or more
structural phantom records in the datatable ... the fact that AD wants to
add a DN reference between two objects to the table is what makes the
phantom necessary, and AD creates the phantom if it doesn't exist.

Cheers again,
-B
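
A toy model of the mechanism described in the message above and in the quoted reply below it, added here as an illustration and not taken from the thread or from Active Directory itself. The class, method and field names, the sample DNs and the tuple order (row holding the forward link first, referenced row second) are assumptions; only the three-integer link pair and linkbase = LinkID/2 come from the thread, and 2 is the schema linkID of `member`.

```python
# Added illustration: a toy model, not Active Directory's schema or code.
from dataclasses import dataclass, field

MEMBER_LINK_ID = 2  # linkID of the 'member' forward-link attribute


@dataclass
class ToyDirectory:
    datatable: dict = field(default_factory=dict)   # DNT -> {"dn", "kind"}
    by_dn: dict = field(default_factory=dict)       # lower-cased DN -> DNT
    # Assumed order: (DNT of row holding the forward link, DNT of target, linkbase)
    link_table: set = field(default_factory=set)

    def _insert(self, dn, kind):
        dnt = len(self.datatable) + 1               # next free row number
        self.datatable[dnt] = {"dn": dn, "kind": kind}
        self.by_dn[dn.lower()] = dnt
        return dnt

    def add_object(self, dn):
        """Insert a real object held in the local domain partition."""
        return self._insert(dn, "object")

    def resolve_or_phantom(self, dn):
        """Return the DNT for dn, creating phantom rows for whatever is missing."""
        parts = dn.split(",")        # constructed DNs: no escaped commas
        dnt = None
        for i in range(len(parts) - 1, -1, -1):     # walk root -> leaf
            name = ",".join(parts[i:])
            dnt = self.by_dn.get(name.lower())
            if dnt is None:
                # The referenced DN itself becomes the referential phantom;
                # missing ancestors become structural phantoms.
                kind = "referential_phantom" if i == 0 else "structural_phantom"
                dnt = self._insert(name, kind)
        return dnt

    def add_member(self, group_dn, member_dn):
        """Record a DN reference from a local group to member_dn as a link pair."""
        group_dnt = self.by_dn[group_dn.lower()]
        member_dnt = self.resolve_or_phantom(member_dn)
        pair = (group_dnt, member_dnt, MEMBER_LINK_ID // 2)
        self.link_table.add(pair)
        return pair

    def rows_of_kind(self, kind):
        return [r["dn"] for r in self.datatable.values() if r["kind"] == kind]


def demo():
    d = ToyDirectory()
    for dn in ("DC=test", "DC=corp,DC=test",
               "CN=Admins,DC=corp,DC=test", "CN=Ops,DC=corp,DC=test"):
        d.add_object(dn)
    alice = "CN=Alice,OU=Staff,DC=sales,DC=test"   # constructed foreign DNs
    bob = "CN=Bob,OU=Staff,DC=sales,DC=test"
    pairs = [d.add_member("CN=Admins,DC=corp,DC=test", alice),
             d.add_member("CN=Admins,DC=corp,DC=test", bob),
             d.add_member("CN=Ops,DC=corp,DC=test", alice)]
    return d, pairs


if __name__ == "__main__":
    directory, link_pairs = demo()
    for dnt, row in directory.datatable.items():
        print(dnt, row["kind"], row["dn"])
    print(sorted(link_pairs))
```

The first reference to Alice needs one referential phantom plus two structural phantoms for her missing ancestors, Bob needs only a referential phantom, and the second reference to Alice reuses her existing row and adds nothing but a link pair.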

On Wed, 17 Aug 2005, Brett Shirley wrote:

> Yeah, that's what I thought you might mean ... that's not true.
> 
> The process of injecting a phantom is carried out by the directory 
> service itself.  It's in the AD's dblayer code, barely above ESE, but 
> it is still a behavior of the DS not ESE.
> 
> ESE has no idea what it is doing when a phantom is inserted, it's just
> 3 int columns to ESE, it has no concept of what a phantom is.  "link pairs"
> (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase
> (=LinkID/2)) is how AD decided to use ESE to represent references for
> itself.
> 
> Did that make sense?
> 
> Cheers,
> -BrettSh
> 
> On Wed, 17 Aug 2005, Dean Wells wrote:
> 
> > ... that the process of injecting the phantom isn't a behavioral
> > requirement imposed or carried out by the directory service itself.
> > It is a requirement imposed by the underlying database and is
> > necessary because of the mechanism used by ESE to provide uniform
> > representation of object references (i.e. link pairs).
> > 
> > --
> > Dean Wells
> > MSEtechnology
> > * Email: [EMAIL PROTECTED]
> > http://msetechnology.com
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett 
> > Shirley
> > Sent: Wednesday, August 17, 2005 4:24 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> > 
> > 
> > Dean, what did you mean by the last line, indicated here?
> > 
> >     > The IM process itself does not create phantoms, if it were
> >     > exclusively responsible for that task, all group modifications
> >     > referencing non-local-domain members would require origination
> >     > against the IM -- this is not the case.  
> >     > Phantoms are created locally by each DC
> > ->  > (beneath the awareness of the directory itself).
> > 
> > 
> > Cheers,
> > BrettSh
> > 
> > 
> > On Tue, 16 Aug 2005, Francis Ouellet wrote:
> > 
> > > Dean and all;
> > > 
> > > This has been a great topic so far. It seems that the IM 
> > > infrastructure role isn't quite grasped by everybody and can be a 
> > > little confusing (me being first confused!)
> > > 
> > > Can I suggest that we gather all of the information from this 
> > > thread and publish it as a community article on the MS KB we can 
> > > later refer to?
> > > 
> > > I'm willing to whip up the article if everyone agrees; I can then 
> > > post back to the list a draft (or publish it somewhere) for 
> > > technical review.
> > > 
> > > Thanks,
> > > Francis
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean 
> > > Wells
> > > Sent: August 16, 2005 3:44 PM
> > > To: Send - AD mailing list
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > Sounds good to me Robert.  For the sake of clarification and a 
> > > little more detail, see below -
> > > 
> > > The IM process itself does not create phantoms, if it were
> > > exclusively responsible for that task, all group modifications
> > > referencing non-local-domain members would require origination
> > > against the IM -- this is not the case.  Phantoms are created
> > > locally by each DC (beneath the awareness of the directory itself).
> > >
> > > The well-known role of the IM is to identify the validity of local
> > > phantoms using the process that we've just recently described to
> > > death.  In addition, a lesser known function of the IM is that of
> > > improving its own phantoms and replicating those improvements to the
> > > remaining DCs within its own domain.
> > > This is achieved by a 'sorta' replication proxy -- my earlier post
> > > describing an ADFIND.EXE syntax outlines a means of finding the
> > > objects used by this aspect of the IM's behavior (that's assuming
> > > you're interested of course).
> > > 
> > > --
> > > Dean Wells
> > > MSEtechnology
> > > * Email: [EMAIL PROTECTED]
> > > http://msetechnology.com
> > > 
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> > > Williams
> > > (RRE)
> > > Sent: Tuesday, August 16, 2005 3:15 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > I like your explanation...please allow me to comment on a snippet
> > > just to be sure we're on the same page:
> > >
> > > <DEJI>
> > > IF the IM does not create phantoms, then the DCs that are not GCs
> > > do not have a way to reference those objects that exist in the OTHER
> > > Domain. These DCs who are not GCs rely on the IM to provide this
> > > facility, but since the IM has stopped creating phantoms because it
> > > is also acting as a GC, then the facility does not exist for the
> > > non-GC DCs to use.
> > > </DEJI>
> > >
> > > The DCs that are NOT GCs still can reference the object since it's
> > > replicated in after the phantom is created, however if your GC is
> > > on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs
> > > which are GCs will not ever update the objects when they are renamed
> > > since there aren't any phantoms to update on the GC.
> > >
> > > And Dean, Brett, or Eric will hopefully correct me if I'm wrong
> > > but any DC can and will create the phantom when necessary (or will
> > > it be the IM or PDC which actually 'creates' the phantom??) but it's
> > > the IMs job to update them...I think from the IM's perspective that
> > > it really doesn't care how they are created, its job is to just keep
> > > them accurate.  That part I'm not 100% clear on so I hope someone
> > > straightens it out for me / us.
> > >
> > > Dean, Brett, or Eric...it's getting kinda deep here, can you
> > > clarify some of these things if possible?
> > > 
> > > Thanks!
> > > 
> > > Rob
> > > 
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, August 16, 2005 2:48 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > Your conclusion sounds good to me. When I talk about this IM/GC
> > > thingy, this is how I present it (to non- or semi-technical CxOs):
> > >
> > > In a multi-Domain environment:
> > > Each domain needs to know something about objects in the other domain.
> > >
> > > A GC in one domain knows something about objects in other domains
> > > in a multi-domain environment.
> > >
> > > An IM provides references to objects in OTHER domains by creating
> > > phantoms of those objects. These phantoms are used by other DCs in
> > > the IM's domain (who are not GCs) when they need to reference those
> > > objects that exist in the OTHER domain. These phantoms are NOT used
> > > by GCs because they already have a way to reference these objects.
> > >
> > > Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE
> > > it already knows about those objects that exist in the OTHER domain.
> > >
> > > IF the IM does not create phantoms, then the DCs that are not GCs
> > > do not have a way to reference those objects that exist in the OTHER
> > > Domain. These DCs who are not GCs rely on the IM to provide this
> > > facility, but since the IM has stopped creating phantoms because it
> > > is also acting as a GC, then the facility does not exist for the
> > > non-GC DCs to use.
> > >
> > > Now, IF all DCs in that domain are GCs, they will have knowledge
> > > of the objects in the OTHER domain and will know how to reference
> > > them WITHOUT relying on the existence of phantoms. In other words,
> > > they don't need the IM.
> > >
> > > In a single domain environment:
> > > There is no reason to be aware of ANY external object, because
> > > there is only one domain. Knowledge of the objects in this domain is
> > > shared equally by all the DCs in this domain. Nobody needs an IM.
> > > So, it does not matter where the IM resides because nobody uses it
> > > since there is no EXTERNAL object to reference.
> > >  
> > >  
> > > Sincerely,
> > > 
> > > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory 
> > > Services www.readymaids.com - we know IT www.akomolafe.com Do you 
> > > now realize that Today is the Tomorrow you were worried about 
> > > Yesterday?  -anon
> > > 
> > > ________________________________
> > > 
> > > From: [EMAIL PROTECTED] on behalf of Robert 
> > > Williams
> > > (RRE)
> > > Sent: Tue 8/16/2005 10:48 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > 
> > > 
> > > The part that is throwing me for a loop is that they both seem to
> > > be saying the same thing...if all DC's in a multi-domain forest are
> > > GC's then it doesn't matter where the IM goes since there aren't any
> > > phantoms created and thus there aren't any phantoms to keep track
> > > of.  Phantoms are created (Dean, Brett, Eric...correct me if I'm
> > > mistaken) when we (we are DC's) don't have knowledge of the object.
> > > I don't know about an object since it's not in my database, but in
> > > the database of another DC somewhere.  So when you ask me to
> > > reference those objects on the other DC's (i.e. adding users from
> > > other domains to groups in yours) I need some way to reference them.
> > > I will create phantoms to reference these objects since they don't
> > > really exist in my database.  Well, the problem with having the GC
> > > on the IM is that if I'm a GC then I will have a copy of the object
> > > (read-only, but still a copy), so there will be no need for me to
> > > create a phantom thus the problem where my references to your
> > > objects gets all outta whack.  If you have only one domain, again we
> > > will have no reason to create these freaking phantoms (phantom
> > > sounds evil anyway) so the IM will be sitting there doing nothing
> > > all day (how lazy!).  If everyone is a GC regardless of the # of
> > > domains then I again won't create a phantom (unless it's for a FSP or
> > > something along those lines not really relating to this discussion)
> > > since I have the object handy locally.
> > >
> > > Please chime in if there is something to add / correct..imagine if
> > > the KB article was as jumbled up as the above paragraph.  I can
> > > almost hear the phone ringing now...
> > > 
> > > Have a good one guys!
> > > 
> > > Rob
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, August 16, 2005 1:23 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > I love this particular discussion.  I can never quite follow the
> > > reasoning why about the IM/GC issue... but learn a little more about
> > > it each time.
> > > 
> > > :m:dsm:cci:mvp
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Rocky 
> > > Habeeb
> > > Sent: Tuesday, August 16, 2005 12:12 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > Deji,
> > > 
> > > Thank you for pointing out my mistake.  You are correct.  DC5
> > > holds all 3 roles, not all 5 roles.  It's the details, I know.  I
> > > can just hear joe now, "SEE, SEE, This is what I'm always talking
> > > about!"
> > > 
> > > Rocky
> > > ____________________________________
> > > 
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, August 16, 2005 12:01 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > 
> > > I read it to be that he has 2 domains. He fat-fingered the number
> > > of FSMO roles in the child. But the conclusion is still the same -
> > > when all DCs are GCs in a given domain, IM and GC can co-exist.
> > > 
> > > 
> > > Sincerely,
> > > 
> > > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory 
> > > Services www.readymaids.com - we know IT www.akomolafe.com Do you 
> > > now realize that Today is the Tomorrow you were worried about 
> > > Yesterday?  -anon
> > > 
> > > ________________________________
> > > 
> > > From: [EMAIL PROTECTED] on behalf of Teverovsky, 
> > > Guy
> > > Sent: Tue 8/16/2005 8:39 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > 
> > > 
> > > Rob,
> > > 
> > > My understanding is that he has two domains in the forest: empty
> > > root and a production child domain. Though the forest root domain is
> > > empty, it still has 2 domains.
> > > 
> > > <quote>
> > > 
> > > We have:
> > > 
> > > Forest Root Domain (Empty)
> > > 
> > > DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
> > > 
> > > DC2
> > > 
> > > One Domain in the Forest
> > > 
> > > DC4
> > > 
> > > DC5 (Holds all 5 Roles)
> > > 
> > > DC6
> > > 
> > > </quote>
> > > 
> > > Now looking again at this layout makes me a bit confused as child
> > > domains can hold only 3 FSMOs. Rocky, can you explain what you
> > > actually have there? "single-domain forest" or "empty root domain +
> > > child domain"?
> > > 
> > > Guy
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> > > Williams
> > > (RRE)
> > > Sent: Tuesday, August 16, 2005 6:25 PM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > > 
> > > Actually, if it's a Single Domain Forest then the Infrastructure
> > > Master has no phantoms to keep track of and thus, can be sent
> > > anywhere or left alone as a paper weight.
> > >
> > > So while I agree with Jose that it is perfectly fine to move it,
> > > doing so won't really matter until you have phantoms for the
> > > infrastructure master to keep an eye on.
> > >
> > > Just my $0.02
> > >
> > > Have a great day!
> > >
> > > Rob
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> > > Sent: Tuesday, August 16, 2005 11:17 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > >
> > > You are correct. However if you have two DC's it doesn't hurt to
> > > offload the infrastructure master role to the DC that does not have
> > > the other 4 roles, even if it's in a single domain forest.
> > >
> > > Jose :-)
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
> > > Sent: Tuesday, August 16, 2005 8:09 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] Question on Replication Topology
> > >
> > > Am I missing something or having Infrastructure Master running on
> > > GC is an issue in multi-domain forest?
> > >
> > > Guy
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> > > Sent: Monday, August 15, 2005 9:28 PM
> > > To: [email protected]
> > > Subject: [ActiveDir] Question on Replication Topology
> > >
> > > Dear List Members (Whom I have a hard time figuring out how you
> > > all have so much time to help us "not quite up to speed, but
> > > severely overtasked Administrators");
> > >
> > > After a power failure took a Forest Root DC offline over the
> > > weekend (for 26 hours), I came in today to find my replication "in
> > > question".  Repadmin /Showreps does not show any errors however, it
> > > shows inconsistent Replication partners.  Here is my question;
> > >
> > > We have:
> > >
> > > Forest Root Domain (Empty)
> > > DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
> > > DC2
> > >
> > > One Domain in the Forest
> > > DC4
> > > DC5 (Holds all 5 Roles)
> > > DC6
> > >
> > > Everyone is W2K3 (no Service Packs) and everyone is a GC and
> > > everyone is a DNS server.
> > >
> > > I was positive that I had the Forest Root and Domain at Windows
> > > Server 2003 Forest Functional Level but now when I go to AD Domains
> > > and Trusts and click the Forest Root Domain and right click
> > > Properties I get:
> > >
> > > Domain Functional Level = Windows 2000 mixed
> > > Forest Functional Level = Windows 2000
> > >
> > > When I go to AD Domains and Trusts and click the Domain and right
> > > click Properties I get:
> > >
> > > Domain Functional Level = Windows Server 2003
> > > Forest Functional Level = Windows 2000
> > >
> > > I must have miscalculated, but that's not my question.
> > >
> > > In my AD Sites and Services, I have connection objects that have
> > > automatically been generated for each DC but they are inconsistent.
> > > ie:
> > >
> > > DC1 goes to DC2 and DC6
> > > DC2 goes to DC1 and DC5
> > > DC4 goes to DC5 and DC6
> > > DC5 goes to DC4 and DC6
> > > DC6 goes to DC1 and DC4 and DC5
> > >
> > > The question is, "Shouldn't they all have automatically generated
> > > connection objects to everybody else and if they don't, is it just
> > > a matter of me adding the manual new connection object?"  Or am I
> > > seeing a properly configured Sites and Services.  If not, is part of
> > > my problem that I have not got the Forest Root at FFL?
> > >
> > > Thanks in advance people for any assistance.  This list is so
> > > valuable, it's not funny.  (Seriously!)
> > >
> > > ______________________________
> > > Rocky Habeeb
> > > Microsoft Systems Administrator
> > > James W. Sewall Company
> > > 136 Center Street
> > > Old Town, Maine 04468
> > > 207.827.4456
> > > [EMAIL PROTECTED]
> > > www.jws.com
> > > ______________________________
> > > 
> > > 
> > > List info   : http://www.activedir.org/List.aspx
> > > 
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > 
> > > List archive:
> > > 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/