Nod, I understand your point but, to me, it's a matter of perspective -- where does the directory begin and end? From a developer's standpoint, the directory may well be a whole component neatly organized into a single area of a source tree. From my perspective, the term directory (in this context) is used to relay the concept of a (mostly) standards-based component with predictable features, interfaces, behaviors, structures, underlying mechanisms, etc.

Any documentation deemed a 'standard' upon which any directory service can even remotely claim to be based doesn't incorporate the specifics of the underlying store. As such, I don't define the dblayer as part of the directory ... its purpose is to abstract such specifics.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, August 17, 2005 8:27 AM
To: [email protected]
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Yeah, that's what I thought you might mean ... that's not true. The process of injecting a phantom is carried out by the directory service itself. It's in the AD's dblayer code, barely above ESE, but it is still a behavior of the DS not ESE. ESE has no idea what it is doing when a phantom is inserted, it's just 3 int columns to ESE, it has no concept of what a phantom is. "link pairs" (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase (=LinkID/2)) is how AD decided to use ESE to represent references for itself.

Did that make sense?

Cheers,
-BrettSh

On Wed, 17 Aug 2005, Dean Wells wrote:

> ... that the process of injecting the phantom isn't a behavioral requirement imposed or carried out by the directory service itself. It is a requirement imposed by the underlying database and is necessary because of the mechanism used by ESE to provide uniform representation of object references (i.e. link pairs).
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, August 17, 2005 4:24 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Dean, what did you mean by the last line, indicated here?
>
> > The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case.
> > Phantoms are created locally by each DC
> ->
> > (beneath the awareness of the directory itself).
>
> Cheers,
> BrettSh
>
> On Tue, 16 Aug 2005, Francis Ouellet wrote:
>
> > Dean and all;
> >
> > This has been a great topic so far. It seems that the IM infrastructure role isn't quite grasped by everybody and can be a little confusing (me being first confused!)
> >
> > Can I suggest that we gather all of the information from this thread and publish it as a community article on the MS KB we can later refer to?
> >
> > I'm willing to whip up the article if everyone agrees; I can then post back to the list a draft (or publish it somewhere) for technical review.
> >
> > Thanks,
> > Francis
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> > Sent: August 16, 2005 3:44 PM
> > To: Send - AD mailing list
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Sounds good to me Robert. For the sake of clarification and a little more detail, see below -
> >
> > The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case. Phantoms are created locally by each DC (beneath the awareness of the directory itself).
> >
> > The well-known role of the IM is to identify the validity of local phantoms using the process that we've just recently described to death. In addition, a lesser known function of the IM is that of improving its own phantoms and replicating those improvements to the remaining DCs within its own domain.
> > This is achieved by a 'sorta' replication proxy -- my earlier post describing an ADFIND.EXE syntax outlines a means of finding the objects used by this aspect of the IM's behavior (that's assuming you're interested of course).
> >
> > --
> > Dean Wells
> > MSEtechnology
> > * Email: [EMAIL PROTECTED]
> > http://msetechnology.com
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
> > Sent: Tuesday, August 16, 2005 3:15 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page:
> >
> > <DEJI>
> > IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use.
> > </DEJI>
> >
> > The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC.
> >
> > And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IM's job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us.
> >
> > Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible?
> >
> > Thanks!
> >
> > Rob
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, August 16, 2005 2:48 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs):
> >
> > In a multi-Domain environment:
> > Each domain needs to know something about objects in the other domain.
> >
> > A GC in one domain knows something about objects in other domains in a multi-domain environment.
> >
> > An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects.
> >
> > Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain.
> >
> > IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use.
> >
> > Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other words, they don't need the IM.
> >
> > In a single domain environment:
> > There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference.
> >
> > Sincerely,
> >
> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> > Microsoft MVP - Directory Services
> > www.readymaids.com - we know IT
> > www.akomolafe.com
> > Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
> > Sent: Tue 8/16/2005 10:48 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack.
> > If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!). If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally.
> >
> > Please chime in if there is something to add / correct..imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now...
> >
> > Have a good one guys!
> >
> > Rob
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, August 16, 2005 1:23 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time.
> >
> > :m:dsm:cci:mvp
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> > Sent: Tuesday, August 16, 2005 12:12 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Deji,
> >
> > Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about!"
> >
> > Rocky
> > ____________________________________
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, August 16, 2005 12:01 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > I read it to be that he has 2 domains.
> > He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist.
> >
> > Sincerely,
> >
> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> > Microsoft MVP - Directory Services
> > www.readymaids.com - we know IT
> > www.akomolafe.com
> > Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
> > Sent: Tue 8/16/2005 8:39 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Rob,
> >
> > My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains.
> >
> > <quote>
> >
> > We have:
> >
> > Forest Root Domain (Empty)
> >   DC1 (Holds all 5 roles) (the DC offline for 26 hours)
> >   DC2
> >
> > One Domain in the Forest
> >   DC4
> >   DC5 (Holds all 5 Roles)
> >   DC6
> >
> > </quote>
> >
> > Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there? "single-domain forest" or "empty root domain + child domain"?
> >
> > Guy
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
> > Sent: Tuesday, August 16, 2005 6:25 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight.
> >
> > So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on.
> >
> > Just my $0.02
> >
> > Have a great day!
> >
> > Rob
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> > Sent: Tuesday, August 16, 2005 11:17 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.
> >
> > Jose :-)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
> > Sent: Tuesday, August 16, 2005 8:09 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Question on Replication Topology
> >
> > Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest?
> >
> > Guy
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> > Sent: Monday, August 15, 2005 9:28 PM
> > To: [email protected]
> > Subject: [ActiveDir] Question on Replication Topology
> >
> > Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");
> >
> > After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners.
> > Here is my question;
> >
> > We have:
> >
> > Forest Root Domain (Empty)
> >   DC1 (Holds all 5 roles) (the DC offline for 26 hours)
> >   DC2
> >
> > One Domain in the Forest
> >   DC4
> >   DC5 (Holds all 5 Roles)
> >   DC6
> >
> > Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.
> >
> > I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:
> >
> > Domain Functional Level = Windows 2000 mixed
> > Forest Functional Level = Windows 2000
> >
> > When I go to AD Domains and Trusts and click the Domain and right click Properties I get:
> >
> > Domain Functional Level = Windows Server 2003
> > Forest Functional Level = Windows 2000
> >
> > I must have miscalculated, but that's not my question.
> >
> > In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:
> >
> > DC1 goes to DC2 and DC6
> > DC2 goes to DC1 and DC5
> > DC4 goes to DC5 and DC6
> > DC5 goes to DC4 and DC6
> > DC6 goes to DC1 and DC4 and DC5
> >
> > The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?
> >
> > Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)
> >
> > ______________________________
> >
> > Rocky Habeeb
> > Microsoft Systems Administrator
> > James W. Sewall Company
> > 136 Center Street
> > Old Town, Maine 04468
> > 207.827.4456
> > [EMAIL PROTECTED]
> > www.jws.com
> > ______________________________
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
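
The placement rule the thread converges on (an Infrastructure Master on a GC only matters in a multi-domain forest where some DC in that domain is not a GC), as an added PowerShell example that is not part of any post above. The names `Test-IMPlacement` and `New-Dc` and the domain names are hypothetical, and the inventory is constructed from the layout Rocky posted.

```powershell
# Added example, not code from the thread. Test-IMPlacement and New-Dc are hypothetical names.
function New-Dc([string]$Name, [bool]$Gc = $true) {
    [pscustomobject]@{ Name = $Name; IsGlobalCatalog = $Gc }
}

function Test-IMPlacement {
    param(
        # One object per domain: Name, InfrastructureMaster, DomainControllers (Name, IsGlobalCatalog)
        [Parameter(Mandatory)] [object[]] $Domain
    )
    $multiDomain = $Domain.Count -gt 1
    foreach ($d in $Domain) {
        $dcs   = @($d.DomainControllers)
        $im    = $dcs | Where-Object { $_.Name -eq $d.InfrastructureMaster } | Select-Object -First 1
        $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        if (-not $im) {
            $status = 'Unknown'; $reason = 'IM role holder is not in the supplied DC list'
        } elseif (-not $multiDomain) {
            $status = 'OK';      $reason = 'single-domain forest: no external objects to reference'
        } elseif ($nonGc.Count -eq 0) {
            $status = 'OK';      $reason = 'all DCs in the domain are GCs, so IM and GC can co-exist'
        } elseif ($im.IsGlobalCatalog) {
            $status = 'Problem'; $reason = 'IM is on a GC while non-GC DCs exist in the domain'
        } else {
            $status = 'OK';      $reason = 'IM is on a DC that is not a GC'
        }

        [pscustomobject]@{
            Domain = $d.Name
            IM     = $d.InfrastructureMaster
            NonGCs = $nonGc.Name -join ','
            Status = $status
            Reason = $reason
        }
    }
}

# Constructed inventory: the forest as posted (every DC is a GC); domain names are placeholders.
$asPosted = @(
    [pscustomobject]@{ Name = 'root.example'; InfrastructureMaster = 'DC1'
                       DomainControllers = @((New-Dc 'DC1'), (New-Dc 'DC2')) }
    [pscustomobject]@{ Name = 'child.root.example'; InfrastructureMaster = 'DC5'
                       DomainControllers = @((New-Dc 'DC4'), (New-Dc 'DC5'), (New-Dc 'DC6')) }
)
# Constructed variant: same forest, but DC6 has had its GC role removed.
$variant = @(
    $asPosted[0]
    [pscustomobject]@{ Name = 'child.root.example'; InfrastructureMaster = 'DC5'
                       DomainControllers = @((New-Dc 'DC4'), (New-Dc 'DC5'), (New-Dc 'DC6' $false)) }
)

Test-IMPlacement -Domain $asPosted | Format-Table Domain, IM, Status, Reason -AutoSize
Test-IMPlacement -Domain $variant  | Format-Table Domain, IM, NonGCs, Status, Reason -AutoSize

# Live inventory instead of the constructed one (needs the ActiveDirectory module):
#   $live = foreach ($n in (Get-ADForest).Domains) {
#       $dom = Get-ADDomain -Server $n
#       [pscustomobject]@{ Name = $dom.DNSRoot; InfrastructureMaster = $dom.InfrastructureMaster
#           DomainControllers = Get-ADDomainController -Filter * -Server $n |
#               Select-Object @{ n = 'Name'; e = { $_.HostName } }, IsGlobalCatalog }
#   }
```

With the posted layout both domains report OK because every DC is a GC; the variant flags the child domain, since DC5 holds the IM on a GC while DC6 does not host one.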
