RE: [ActiveDir] Question on Replication Topology
Yeah, apparently they upgraded the Access engine a bit that AD used to run on in w2000, and now they gave it a different name.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

There's a difference?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
One is an airline.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

There's a difference?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
Ask Brett :P

C

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

There's a difference?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
Yeah, one's red and one's blue. Color monitors are great ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

There's a difference?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
There's a difference?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
Brett knows the difference between Jet Blue and Jet Red too :)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:24 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

RE: [ActiveDir] Question on Replication Topology
Joe rude, NEVER he is just forceful ;P Don't worry Joe people are just intimidated by your knowledge like Dean :P

C

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 4:39 AM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Question on Replication Topology

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 18, 2005 7:05 AM
> Some people choose to have nothing to do with me. That suits me fine,
> I'm not fond of high politeness taxes. I think some would consider
> joe rude as well. I usually consider joe refreshingly honest and straight.

Only some? I need to work harder at this.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Question on Replication Topology
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 18, 2005 7:05 AM
> Some people choose to have nothing to do with me. That suits me fine,
> I'm not fond of high politeness taxes. I think some would consider
> joe rude as well. I usually consider joe refreshingly honest and straight.

Only some? I need to work harder at this.

RE: [ActiveDir] Question on Replication Topology
I may be slow but I finally saw this. Piss off Dean. ;o)

Anyway, there are a few people I won't argue with about certain things

1. Dean and Phantoms/IM functionality.
2. ~Eric and debugging / dump diving. He also knows a good burger when he sees it.
3. Brett and anything ESE related or AD backup/Restore
4. Guido and disaster recovery.
5. Tony Murray and wine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 1:37 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I managed to locate a detailed explanation of the IM's behavior I wrote some time back, I've pasted it below in the hopes that it will clear up some of the confusion.

---

The IM locates phantom records within the local DIT. Phantoms are injected database rows, they are structural entities primarily used to maintain database level cross-references between a local object and a foreign-domain/same-forest object. They also serve a couple of other low-level purposes. Note we refer to phantoms as records as opposed to objects since phantoms are effectively outside the scope of the directory itself.

Phantoms maintain only 3 attributes: dn, objectGUID and objectSID (where applicable). Since phantoms represent objects in foreign domains, administrative updates to that foreign object's dn or SID cause the phantom to become stale (i.e. the phantom's dn or objectSID no longer reflect that of the object it was created to locally represent -- somewhat like the result when renaming the target file that a Windows Explorer shortcut points to).

The IM scans the local DIT/DIB and collates a pre-defined number of phantoms, the phantom's objectGUID is used to locate the (partial copy of the) real object that exists in a GC (the GC is assumed to have an ~up to date copy). The dn and objectSID of the phantom are then compared against the corresponding attributes on the object maintained by the GC. If everything is equal, the IM continues to the next phantom, if the dn or the objectSID do not match, the local phantom is improved with the GC's more up-to-date values. If the object cannot be located, it is deemed to have been deleted and the corresponding local phantom is also deleted.

Note that additional measures are taken by the IM in order to ensure that the changes or deletions introduced are replicated to all other DCs within the same domain, I haven't described those actions here since it's somewhat overkill but they're referenced below by the steps I provided to locate the changes made.

To determine what the IM did, 2 approaches (outside of attaching a debugger) spring to mind. The first is to crank up DS logging but that would carry an awful lot of event-baggage with it; the second is to query for the replicable entries created by the IM. For once in my life I'm going to recommend the use of one of Joe Richards' tools :o) -- specifically ADFIND.EXE (it's not that I don't like his tools, I just don't like him ... I'm teasing ... I prefer, where possible, to use tools supplied with the base media but there simply aren't any capable of doing the job this well).

Download and run the following command within a command shell (obviously, the dn needs substituting) -

C:\>adfind -b "cn=Deleted Objects,dc=child,dc=test,dc=com" -showdel -f "objectclass=infrastructureUpdate" dnReferenceUpdate whenChanged -extname -rsort whenChanged -nodn -s onelevel

The resulting output displays the objectGUID, objectSID and dn of any phantoms that were locally improved (most recent improvements ordered to the top). By default, the result set will contain any phantom-alterations that have occurred within the last 2 months (unless the forest was constructed using 2K3 SP1). Note that you may need to increase query timeouts depending on the size of the DIT and/or the number of infrastructureUpdate instances.

The IM itself can be triggered manually using a variety of tools, here's a technique using another of Joe's -

C:\>admod -h im_roleholder -b "" checkPhantoms::1

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
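The phantom check described in the message above, modelled as an added example that is not part of the original thread and is not Active Directory's own code. The class and function names are hypothetical, the directory data is constructed, and the `Change` records are only a stand-in for the replicated entries the message says it does not describe.

```python
"""Toy model of the infrastructure master (IM) phantom check.

Added illustration: every name here is hypothetical and the data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Phantom:
    # The three attributes a phantom maintains, per the message.
    object_guid: str
    dn: str
    object_sid: Optional[str] = None  # only where applicable


@dataclass(frozen=True)
class GcEntry:
    # Partial copy of the real object, as held by a global catalog.
    dn: str
    object_sid: Optional[str] = None


@dataclass(frozen=True)
class Change:
    # Stand-in for the record of one improvement or deletion.
    action: str  # "improved" or "deleted"
    object_guid: str
    old_dn: str
    new_dn: Optional[str] = None
    new_sid: Optional[str] = None


def check_batch(local: Dict[str, Phantom], gc: Dict[str, GcEntry],
                guids: List[str]) -> List[Change]:
    """Compare one batch of phantoms with the GC and fix `local` in place."""
    changes: List[Change] = []
    for g in guids:
        phantom = local[g]
        real = gc.get(g)  # objectGUID is the lookup key; dn and SID may be stale
        if real is None:
            # Not found in the GC: deemed deleted, so the phantom goes too.
            del local[g]
            changes.append(Change("deleted", g, phantom.dn))
        elif (phantom.dn, phantom.object_sid) != (real.dn, real.object_sid):
            # Stale dn or objectSID: take the GC's more up-to-date values.
            changes.append(Change("improved", g, phantom.dn,
                                  real.dn, real.object_sid))
            phantom.dn, phantom.object_sid = real.dn, real.object_sid
        # Equal on both attributes: nothing to do, continue to the next one.
    return changes


def run_im(local: Dict[str, Phantom], gc: Dict[str, GcEntry],
           batch_size: int = 2) -> List[Change]:
    """Walk every phantom in fixed-size batches; return all changes made."""
    todo = sorted(local)  # snapshot, because deletions mutate `local`
    changes: List[Change] = []
    for i in range(0, len(todo), batch_size):
        changes += check_batch(local, gc, todo[i:i + batch_size])
    return changes


def guid(n: int) -> str:
    """Constructed placeholder GUID."""
    return f"00000000-0000-0000-0000-{n:012d}"


def demo():
    """Build constructed sample data, run one full IM walk, return the state."""
    base = "DC=test,DC=com"
    sid = "S-1-5-21-1-2-3-"
    local = {
        guid(1): Phantom(guid(1), f"CN=Alice,OU=Staff,{base}", sid + "1104"),
        guid(2): Phantom(guid(2), f"CN=Bob,OU=Staff,{base}", sid + "1105"),
        guid(3): Phantom(guid(3), f"CN=Carol,OU=Staff,{base}", sid + "1106"),
        guid(4): Phantom(guid(4), f"CN=Dave,OU=Staff,{base}", sid + "1107"),
    }
    gc = {
        guid(1): GcEntry(f"CN=Alice,OU=Staff,{base}", sid + "1104"),  # current
        guid(2): GcEntry(f"CN=Bob,OU=Leavers,{base}", sid + "1105"),  # dn changed
        # guid(3) is absent from the GC: the real object no longer exists
        guid(4): GcEntry(f"CN=Dave,OU=Staff,DC=other,{base}",
                         "S-1-5-21-9-8-7-2201"),  # dn and SID both changed
    }
    changes = run_im(local, gc)
    return local, gc, changes


if __name__ == "__main__":
    for change in demo()[2]:
        print(change)
```

A second `run_im` call over the same data returns no changes, which is the steady state once every phantom matches the GC.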
RE: [ActiveDir] Question on Replication Topology
Brett "_You_ are one of the top top experts on AD itself, many of the surrounding technologies and issues, _AND_ AD internals too, I've have the pleasure of meeting. Why would I belittle you in that case." Are you sure you met the right Dean :P the guy with the funny accent? Hehehe Carlos Magalhaes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 18 August 2005 09:05 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Outside of saying "whichever way you hash it Brett, your comments were rude and interpreted by me in a manner for which I see no alternative", I'm more than happy to continue to discuss the technology topic at hand. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, August 18, 2005 7:05 AM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Dean, unfortunately I have ALOT ALOT OH MY GOD SO MUCH STUFF to do tonight (just got into work a few hours ago) ... and don't have time to make a cogent argument on the original subject, right now. I do want to deal with the more interpersonal stuff now, as one shouldn't let that stuff fester ... so splitting your last mail into two parts ... hopefully you agree with my categorization of your latest response ... INTERPERSONAL PARTS: > As is often the case, your response is rude and comes across as little > more than an effort to belittle others ... me in this case. > Your opinion is, of course, your own and it could easily be conveyed in > a less insulting and less patronizing manner were you to bother yourself > with the additional effort. ON TOPIC PARTS: > You don't address my singular point; that the directory is a standard, > the underlying database is not part of that definition. 
In my > opinion, my original and subsequent posts remain accurate. > Your opinion is, of course, your own ... Addressing the interpersonal stuff ... which I'll seperate like this ... 1) Assertion my mail was "little more than an effort to belittle others ... me in this case" Response: ABSOLUTELY NOT! I definately, did not mean to belittle you. Wait let me check the exact definition fo belittle. Yes, definately this was not my intention. _You_ are one of the top top experts on AD itself, many of the surrounding technologies and issues, _AND_ AD internals too, I've have the pleasure of meeting. Why would I belittle you in that case. Unfortunately, I can't really make a case one way or the other against your assertion, because it is a judgement of my intentions. I am telling you, it was not my intention. You will have to decide from what you know of me, whether you believe me or not. As for belittl'ing others, that is not usually (if ever) the intentional case either, I'm a very loving guy. Really I am. But if someone says something I consider false or misinformed on a public forum, I will NOT shy away from correcting the misinformation. And I sometimes decide I do not want to pay any "politeness taxes" on my communications. 2) Accusation that both, often and in this case that I am rude. Response: Guilty. That is a fair statement, buuut in that last mail, if I was rude, I was only a _little_ bit rude. I mean come on Dean isn't a little bit of rudeness ok? You let me know. Speaking of rude, hypothetically, if another man reached over and tweaked my nipple uninvited ... would that be rude? I mean without knowing me well, he might've done something I considred very violating. Would that be rude? How rude? You let me know. Suffice it to say, most people would agree rudeness is definately subjective, and I'd say not just would I be considered rude to some, but to _MOST_ people. In fact, I probably qualify as very rude for some. 
Some people choose to have nothing to do with me. That suits me fine, I'm not fond of high politeness taxes. I think some would consider joe rude as well. I usually consider joe refreshingly honest and straight. Rude is generally a negative comment, I in fact don't think of it as negative ... I have several issues with the concept of rudeness being a negative trait, but that is an argument for another time. 3) Comment that my opinion could be conveyed in a less insulting and less patronizing manner, were you to bother yourself with the additional effort. Response: Well that sucks, I actually _took the time_ to make it patronizing. And then, the ironic part, I took more time, due to my respect for you as a collegue, and my suspicion you wouldn't appreciate an exceptionally patronizing mail, to reduce and make sure the patronizing content
RE: [ActiveDir] Question on Replication Topology
Outside of saying "whichever way you hash it Brett, your comments were rude and interpreted by me in a manner for which I see no alternative", I'm more than happy to continue to discuss the technology topic at hand. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, August 18, 2005 7:05 AM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Dean, unfortunately I have ALOT ALOT OH MY GOD SO MUCH STUFF to do tonight (just got into work a few hours ago) ... and don't have time to make a cogent argument on the original subject, right now. I do want to deal with the more interpersonal stuff now, as one shouldn't let that stuff fester ... so splitting your last mail into two parts ... hopefully you agree with my categorization of your latest response ... INTERPERSONAL PARTS: > As is often the case, your response is rude and comes across as little > more than an effort to belittle others ... me in this case. > Your opinion is, of course, your own and it could easily be conveyed in > a less insulting and less patronizing manner were you to bother yourself > with the additional effort. ON TOPIC PARTS: > You don't address my singular point; that the directory is a standard, > the underlying database is not part of that definition. In my > opinion, my original and subsequent posts remain accurate. > Your opinion is, of course, your own ... Addressing the interpersonal stuff ... which I'll seperate like this ... 1) Assertion my mail was "little more than an effort to belittle others ... me in this case" Response: ABSOLUTELY NOT! I definately, did not mean to belittle you. Wait let me check the exact definition fo belittle. Yes, definately this was not my intention. 
_You_ are one of the top top experts on AD itself, many of the surrounding technologies and issues, _AND_ AD internals too, I've have the pleasure of meeting. Why would I belittle you in that case. Unfortunately, I can't really make a case one way or the other against your assertion, because it is a judgement of my intentions. I am telling you, it was not my intention. You will have to decide from what you know of me, whether you believe me or not. As for belittl'ing others, that is not usually (if ever) the intentional case either, I'm a very loving guy. Really I am. But if someone says something I consider false or misinformed on a public forum, I will NOT shy away from correcting the misinformation. And I sometimes decide I do not want to pay any "politeness taxes" on my communications. 2) Accusation that both, often and in this case that I am rude. Response: Guilty. That is a fair statement, buuut in that last mail, if I was rude, I was only a _little_ bit rude. I mean come on Dean isn't a little bit of rudeness ok? You let me know. Speaking of rude, hypothetically, if another man reached over and tweaked my nipple uninvited ... would that be rude? I mean without knowing me well, he might've done something I considred very violating. Would that be rude? How rude? You let me know. Suffice it to say, most people would agree rudeness is definately subjective, and I'd say not just would I be considered rude to some, but to _MOST_ people. In fact, I probably qualify as very rude for some. Some people choose to have nothing to do with me. That suits me fine, I'm not fond of high politeness taxes. I think some would consider joe rude as well. I usually consider joe refreshingly honest and straight. Rude is generally a negative comment, I in fact don't think of it as negative ... I have several issues with the concept of rudeness being a negative trait, but that is an argument for another time. 
3) Comment that my opinion could be conveyed in a less insulting and less patronizing manner, were you to bother yourself with the additional effort. Response: Well that sucks, I actually _took the time_ to make it patronizing. And then, the ironic part, I took more time, due to my respect for you as a collegue, and my suspicion you wouldn't appreciate an exceptionally patronizing mail, to reduce and make sure the patronizing content was "just right". Given your vehement response, and possible hurt feelings, the "right" amount of patronizing is clearly zero. I'm sorry I wasn't sensitive to that. I'll make sure I do that for the rest of this thread. Most of my friends teach through ridicule ... I sometimes forget that some people don't enjoy that style or culture as much. Personally I find a little bit of patronizing and insulting fun, remind me to tell you sometime of my 2nd most embaressing moment at Microsoft, about th
RE: [ActiveDir] Question on Replication Topology
ore > than an effort to belittle others ... me in this case. You don't address my > singular point; that the directory is a standard, the underlying database is > not part of that definition. In my opinion, my original and subsequent > posts remain accurate. > > Your opinion is, of course, your own and it could easily be conveyed in a > less insulting and less patronizing manner were you to bother yourself with > the additional effort. > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, August 17, 2005 11:37 AM > To: ActiveDir@mail.activedir.org > Cc: Send - AD mailing list > Subject: RE: [ActiveDir] Question on Replication Topology > > You're trying to weasel your way out of taking responsibility for your > misunderstanding or misstatement ... > > > > ... that the process of injecting the phantom isn't a behavioral > > > requirement imposed or carried out by the directory service itself. > > If I seperate that into two statements like so ... > > > > ... that the process of injecting the phantom isn't a behavioral > > > requirement imposed out by the directory service itself. > > and > > > > ... that the process of injecting the phantom isn't a behavior > > > carried out by the directory service itself. > > ... with the first you could argue (as you just did) that you were talking > about DS in the generic sense. And in that sense I might half-heartedly > agree with you, the phantom stuff perhaps isn't a behavioral requirement ... 
> > But that wasn't what you were really saying, (well seemed to me) it was more > the 2nd, which subltely changes the meaning of "DS" to be about the DS as a > specific component and implementation, because you go on to mention the > database componet of the stack thusly: > > > > It is a requirement imposed by the underlying database and is > > > necessary because of the mechanism used by ESE to provide uniform > > > representation of object references (i.e. link pairs). > > > Imagine an alternate reality where AD ran against SQL as it's store, would > you have said this: > > > > ... that the process of injecting the phantom isn't a behavior > > > carried out by the directory service itself. > > > It is a requirement imposed by the underlying database and is > > > necessary because of the mechanism used by SQL to provide uniform > > > representation of object references (i.e. link pairs). > > I don't think you would've made that claim. Everyone would say, "SQL doesn't > provides object references. No the DS decided to store object references in > SQL that way." > > Just because the phantom is an implementation detail, doesn't mean it's an > implementation detail in the database vs. in the directory service > component. There are alot of implementation specifics in the DS. The > phantom stuff is an implementation detail of the DS proper (and the dblayer > therein), not ESE. > > If you want to seperate the dblayer that's fine, but combining it with ESE > moves people farther from true understanding. Exchange, MSN Desktop Search, > DHCP, and don't use that dblayer code, nor have phantoms / DN references / > link pairs / etc, yet they store in ESE. > > Besides, I thought you liked to understand how this stuff actually works? > Otherwise, why am I bothering to read your posts? > > SO you either misstated or misunderstood ... I'll forgive you either way. 
> > Cheers, > BrettSh > > > On Wed, 17 Aug 2005, Dean Wells wrote: > > > Nod, I understand your point but, to me, it's a matter of perspective > > -- where does the directory begin and end? From a developers > > standpoint, the directory may well be a whole component neatly > > organized into a single area of a source tree. From my perspective, > > the term directory (in this context) is used to relay the concept of a > > (mostly) standards based component with predictable features, > > interfaces, behaviors, structures, underlying mechanisms, etc. > > > > Any documentation deemed a 'standard' upon which any directory service > > can even remotely claim to be based doesn't incorporate the specifics > > of the underlying store. As such, I don't define the dblayer as part > > of the directory ... its purpose is to abstract such specifics. > > > > -- > >
RE: [ActiveDir] Question on Replication Topology
Completely agree. I love the spirited discussions on this alias. I learn a lot. But I have also learned to respect those on it, and speaking in a demeaning way is just not something I would ever want to see creep in here. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Wednesday, August 17, 2005 11:25 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology As is often the case, your response is rude and comes across as little more than an effort to belittle others ... me in this case. You don't address my singular point; that the directory is a standard, the underlying database is not part of that definition. In my opinion, my original and subsequent posts remain accurate. Your opinion is, of course, your own and it could easily be conveyed in a less insulting and less patronizing manner were you to bother yourself with the additional effort. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, August 17, 2005 11:37 AM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology You're trying to weasel your way out of taking responsibility for your misunderstanding or misstatement ... > > ... that the process of injecting the phantom isn't a behavioral > > requirement imposed or carried out by the directory service itself. If I seperate that into two statements like so ... > > ... that the process of injecting the phantom isn't a behavioral > > requirement imposed out by the directory service itself. and > > ... that the process of injecting the phantom isn't a behavior > > carried out by the directory service itself. ... with the first you could argue (as you just did) that you were talking about DS in the generic sense. 
And in that sense I might half-heartedly agree with you, the phantom stuff perhaps isn't a behavioral requirement ... But that wasn't what you were really saying, (well seemed to me) it was more the 2nd, which subltely changes the meaning of "DS" to be about the DS as a specific component and implementation, because you go on to mention the database componet of the stack thusly: > > It is a requirement imposed by the underlying database and is > > necessary because of the mechanism used by ESE to provide uniform > > representation of object references (i.e. link pairs). Imagine an alternate reality where AD ran against SQL as it's store, would you have said this: > > ... that the process of injecting the phantom isn't a behavior > > carried out by the directory service itself. > > It is a requirement imposed by the underlying database and is > > necessary because of the mechanism used by SQL to provide uniform > > representation of object references (i.e. link pairs). I don't think you would've made that claim. Everyone would say, "SQL doesn't provides object references. No the DS decided to store object references in SQL that way." Just because the phantom is an implementation detail, doesn't mean it's an implementation detail in the database vs. in the directory service component. There are alot of implementation specifics in the DS. The phantom stuff is an implementation detail of the DS proper (and the dblayer therein), not ESE. If you want to seperate the dblayer that's fine, but combining it with ESE moves people farther from true understanding. Exchange, MSN Desktop Search, DHCP, and don't use that dblayer code, nor have phantoms / DN references / link pairs / etc, yet they store in ESE. Besides, I thought you liked to understand how this stuff actually works? Otherwise, why am I bothering to read your posts? SO you either misstated or misunderstood ... I'll forgive you either way. 
Cheers, BrettSh On Wed, 17 Aug 2005, Dean Wells wrote: > Nod, I understand your point but, to me, it's a matter of perspective > -- where does the directory begin and end? From a developers > standpoint, the directory may well be a whole component neatly > organized into a single area of a source tree. From my perspective, > the term directory (in this context) is used to relay the concept of a > (mostly) standards based component with predictable features, > interfaces, behaviors, structures, underlying mechanisms, etc. > > Any documentation deemed a 'standard' upon which any directory service > can even remotely claim to be based doesn't incorporate the specifics > of the underlying store. As such, I don't define the dblayer as part > of the directory ... its purpose is to abstract such specifics. >
RE: [ActiveDir] Question on Replication Topology
As is often the case, your response is rude and comes across as little more than an effort to belittle others ... me in this case. You don't address my singular point; that the directory is a standard, the underlying database is not part of that definition. In my opinion, my original and subsequent posts remain accurate. Your opinion is, of course, your own and it could easily be conveyed in a less insulting and less patronizing manner were you to bother yourself with the additional effort. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, August 17, 2005 11:37 AM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology You're trying to weasel your way out of taking responsibility for your misunderstanding or misstatement ... > > ... that the process of injecting the phantom isn't a behavioral > > requirement imposed or carried out by the directory service itself. If I seperate that into two statements like so ... > > ... that the process of injecting the phantom isn't a behavioral > > requirement imposed out by the directory service itself. and > > ... that the process of injecting the phantom isn't a behavior > > carried out by the directory service itself. ... with the first you could argue (as you just did) that you were talking about DS in the generic sense. And in that sense I might half-heartedly agree with you, the phantom stuff perhaps isn't a behavioral requirement ... 
But that wasn't what you were really saying, (well seemed to me) it was more the 2nd, which subltely changes the meaning of "DS" to be about the DS as a specific component and implementation, because you go on to mention the database componet of the stack thusly: > > It is a requirement imposed by the underlying database and is > > necessary because of the mechanism used by ESE to provide uniform > > representation of object references (i.e. link pairs). Imagine an alternate reality where AD ran against SQL as it's store, would you have said this: > > ... that the process of injecting the phantom isn't a behavior > > carried out by the directory service itself. > > It is a requirement imposed by the underlying database and is > > necessary because of the mechanism used by SQL to provide uniform > > representation of object references (i.e. link pairs). I don't think you would've made that claim. Everyone would say, "SQL doesn't provides object references. No the DS decided to store object references in SQL that way." Just because the phantom is an implementation detail, doesn't mean it's an implementation detail in the database vs. in the directory service component. There are alot of implementation specifics in the DS. The phantom stuff is an implementation detail of the DS proper (and the dblayer therein), not ESE. If you want to seperate the dblayer that's fine, but combining it with ESE moves people farther from true understanding. Exchange, MSN Desktop Search, DHCP, and don't use that dblayer code, nor have phantoms / DN references / link pairs / etc, yet they store in ESE. Besides, I thought you liked to understand how this stuff actually works? Otherwise, why am I bothering to read your posts? SO you either misstated or misunderstood ... I'll forgive you either way. Cheers, BrettSh On Wed, 17 Aug 2005, Dean Wells wrote: > Nod, I understand your point but, to me, it's a matter of perspective > -- where does the directory begin and end? 
From a developers > standpoint, the directory may well be a whole component neatly > organized into a single area of a source tree. From my perspective, > the term directory (in this context) is used to relay the concept of a > (mostly) standards based component with predictable features, > interfaces, behaviors, structures, underlying mechanisms, etc. > > Any documentation deemed a 'standard' upon which any directory service > can even remotely claim to be based doesn't incorporate the specifics > of the underlying store. As such, I don't define the dblayer as part > of the directory ... its purpose is to abstract such specifics. > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, August 17, 2005 8:27 AM > To: ActiveDir@mail.activedir.org > Cc: Send - AD mailing list > Subject: RE: [ActiveDir] Question on Replication Topology > > Yeah, that's what I thought
RE: [ActiveDir] Question on Replication Topology
You're trying to weasel your way out of taking responsibility for your misunderstanding or misstatement ...

> > ... that the process of injecting the phantom isn't a behavioral
> > requirement imposed or carried out by the directory service itself.

If I separate that into two statements like so ...

> > ... that the process of injecting the phantom isn't a behavioral
> > requirement imposed out by the directory service itself.

and

> > ... that the process of injecting the phantom isn't a behavior
> > carried out by the directory service itself.

... with the first you could argue (as you just did) that you were talking about DS in the generic sense. And in that sense I might half-heartedly agree with you, the phantom stuff perhaps isn't a behavioral requirement ...

But that wasn't what you were really saying, (well seemed to me) it was more the 2nd, which subtly changes the meaning of "DS" to be about the DS as a specific component and implementation, because you go on to mention the database component of the stack thusly:

> > It is a requirement imposed by the underlying database and is
> > necessary because of the mechanism used by ESE to provide uniform
> > representation of object references (i.e. link pairs).

Imagine an alternate reality where AD ran against SQL as its store, would you have said this:

> > ... that the process of injecting the phantom isn't a behavior
> > carried out by the directory service itself.
> > It is a requirement imposed by the underlying database and is
> > necessary because of the mechanism used by SQL to provide uniform
> > representation of object references (i.e. link pairs).

I don't think you would've made that claim. Everyone would say, "SQL doesn't provide object references. No the DS decided to store object references in SQL that way."

Just because the phantom is an implementation detail, doesn't mean it's an implementation detail in the database vs. in the directory service component. There are a lot of implementation specifics in the DS. The phantom stuff is an implementation detail of the DS proper (and the dblayer therein), not ESE.

If you want to separate the dblayer that's fine, but combining it with ESE moves people farther from true understanding. Exchange, MSN Desktop Search, DHCP, and don't use that dblayer code, nor have phantoms / DN references / link pairs / etc, yet they store in ESE.

Besides, I thought you liked to understand how this stuff actually works? Otherwise, why am I bothering to read your posts?

SO you either misstated or misunderstood ... I'll forgive you either way.

Cheers,
BrettSh

On Wed, 17 Aug 2005, Dean Wells wrote:

> Nod, I understand your point but, to me, it's a matter of perspective --
> where does the directory begin and end? From a developer's standpoint, the
> directory may well be a whole component neatly organized into a single area
> of a source tree. From my perspective, the term directory (in this context)
> is used to relay the concept of a (mostly) standards based component with
> predictable features, interfaces, behaviors, structures, underlying
> mechanisms, etc.
>
> Any documentation deemed a 'standard' upon which any directory service can
> even remotely claim to be based doesn't incorporate the specifics of the
> underlying store. As such, I don't define the dblayer as part of the
> directory ... its purpose is to abstract such specifics.
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, August 17, 2005 8:27 AM
> To: ActiveDir@mail.activedir.org
> Cc: Send - AD mailing list
> Subject: RE: [ActiveDir] Question on Replication Topology
>
> Yeah, that's what I thought you might mean ... that's not true.
>
> The process of injecting a phantom is carried out by the directory service
> itself. It's in the AD's dblayer code, barely above ESE, but it is still a
> behavior of the DS not ESE.
>
> ESE has no idea what it is doing when a phantom is inserted, it's just 3 int
> columns to ESE, it has no concept of what a phantom is. "link pairs"
> (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase
> (=LinkID/2)) is how AD decided to use ESE to represent references for
> itself.
>
> Did that make sense?
>
> Cheers,
> -BrettSh
>
> On Wed, 17 Aug 2005, Dean Wells wrote:
>
> > ... that the process of injecting the phantom isn't a behavioral
> > requirement imposed or carried out by the directory
RE: [ActiveDir] Question on Replication Topology
Nod, I understand your point but, to me, it's a matter of perspective -- where does the directory begin and end? From a developer's standpoint, the directory may well be a whole component neatly organized into a single area of a source tree. From my perspective, the term directory (in this context) is used to relay the concept of a (mostly) standards based component with predictable features, interfaces, behaviors, structures, underlying mechanisms, etc.

Any documentation deemed a 'standard' upon which any directory service can even remotely claim to be based doesn't incorporate the specifics of the underlying store. As such, I don't define the dblayer as part of the directory ... its purpose is to abstract such specifics.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, August 17, 2005 8:27 AM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Yeah, that's what I thought you might mean ... that's not true.

The process of injecting a phantom is carried out by the directory service itself. It's in the AD's dblayer code, barely above ESE, but it is still a behavior of the DS not ESE.

ESE has no idea what it is doing when a phantom is inserted, it's just 3 int columns to ESE, it has no concept of what a phantom is. "link pairs" (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase (=LinkID/2)) is how AD decided to use ESE to represent references for itself.

Did that make sense?

Cheers,
-BrettSh

On Wed, 17 Aug 2005, Dean Wells wrote:

> ... that the process of injecting the phantom isn't a behavioral
> requirement imposed or carried out by the directory service itself.
> It is a requirement imposed by the underlying database and is
> necessary because of the mechanism used by ESE to provide uniform representation of object references (i.e.
> link pairs). > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, August 17, 2005 4:24 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Question on Replication Topology > > > Dean, what did you mean by the last line, indicated here? > > > The IM process itself does not create phantoms, if it were > > exclusively responsible for that task, all group modifications > > referencing non-local-domain members would require origination > > against the IM -- this is not the case. > > Phantoms are created locally by each DC > -> > (beneath the awareness of the directory itself). > > > Cheers, > BrettSh > > > On Tue, 16 Aug 2005, Francis Ouellet wrote: > > > Dean and all; > > > > This has been a great topic so far. It seems that the IM > > infrastructure role isn't quite grasped by everybody and can be a > > little confusing (me being first confused!) > > > > Can I suggest that we gather all of the information from this thread > > and publish it as a community article on the MS KB we can later > > refer to? > > > > I'm willing to whip up the article if everyone agrees; I can then > > post back to the list a draft (or publish it somewhere) for > > technical review. > > > > Thanks, > > Francis > > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > > Sent: August 16, 2005 3:44 PM > > To: Send - AD mailing list > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Sounds good to me Robert. For the sake of clarification and a > > little more detail, see below - > > > > The IM process itself does not create phantoms, if it were > > exclusively > responsible for that task, all group modifications referencing > non-local-domain members would require origination against the IM -- > this is not the case. 
Phantoms are created locally by each DC > (beneath the awareness of the directory itself). > > > > The well-known role of the IM is to identify the validity of local > phantoms using the process that we've just recently described to > death. In addition, a lesser known function of the IM is that of > improving its own phantoms and replicating those improvements to the > remaining DCs within its own domain. > > This is achieved by a 'sorta' replication proxy -- my earlier
RE: [ActiveDir] Question on Replication Topology
We haven't even touched on the link table or the means by which the link-pairs are associated or even defined ... though I've a feeling we will be now! -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, August 17, 2005 8:43 AM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Oh and I wasn't very clear, the link pair in the link table isn't the actual phantom ... the phantom is one referential phantom record, and zero or more structural phantom records in the datatable ... the fact that AD wants to add a DN reference between two objects to the table is what makes the phantom necessary, and AD creates the phantom if it doesn't exist. Cheers again, -B On Wed, 17 Aug 2005, Brett Shirley wrote: > Yeah, that's what I thought you might mean ... that's not true. > > The process of injecting a phantom is carried out by the directory > service itself. It's in the AD's dblayer code, barely above ESE, but > it is still a behavior of the DS not ESE. > > ESE has no idea what it is doing when a phantom is inserted, it's just > 3 int columns to ESE, it has no concept of what a phantom is. "link pairs" > (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase > (=LinkID/2)) is how AD decided to use ESE to represent references for > itself. > > Did that make sense? > > Cheers, > -BrettSh > > On Wed, 17 Aug 2005, Dean Wells wrote: > > > ... that the process of injecting the phantom isn't a behavioral > > requirement imposed or carried out by the directory service itself. > > It is a requirement imposed by the underlying database and is > > necessary because of the mechanism used by ESE to provide uniform representation of object references (i.e. > > link pairs). 
> > > > -- > > Dean Wells > > MSEtechnology > > * Email: [EMAIL PROTECTED] > > http://msetechnology.com > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Brett > > Shirley > > Sent: Wednesday, August 17, 2005 4:24 AM > > To: ActiveDir@mail.activedir.org > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > Dean, what did you mean by the last line, indicated here? > > > > > The IM process itself does not create phantoms, if it were > > > exclusively responsible for that task, all group modifications > > > referencing non-local-domain members would require origination > > > against the IM -- this is not the case. > > > Phantoms are created locally by each DC > > -> > (beneath the awareness of the directory itself). > > > > > > Cheers, > > BrettSh > > > > > > On Tue, 16 Aug 2005, Francis Ouellet wrote: > > > > > Dean and all; > > > > > > This has been a great topic so far. It seems that the IM > > > infrastructure role isn't quite grasped by everybody and can be a > > > little confusing (me being first confused!) > > > > > > Can I suggest that we gather all of the information from this > > > thread and publish it as a community article on the MS KB we can > > > later refer to? > > > > > > I'm willing to whip up the article if everyone agrees; I can then > > > post back to the list a draft (or publish it somewhere) for > > > technical review. > > > > > > Thanks, > > > Francis > > > > > > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean > > > Wells > > > Sent: August 16, 2005 3:44 PM > > > To: Send - AD mailing list > > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > Sounds good to me Robert. 
For the sake of clarification and a > > > little more detail, see below - > > > > > > The IM process itself does not create phantoms, if it were > > > exclusively > > responsible for that task, all group modifications referencing > > non-local-domain members would require origination against the IM -- > > this is not the case. Phantoms are created locally by each DC > > (beneath the awareness of the directory itself). > > > > > > The well-known role of the IM is to identify the validity of local
RE: [ActiveDir] Question on Replication Topology
Oh and I wasn't very clear, the link pair in the link table isn't the actual phantom ... the phantom is one referential phantom record, and zero or more structural phantom records in the datatable ... the fact that AD wants to add a DN reference between two objects to the table is what makes the phantom necessary, and AD creates the phantom if it doesn't exist. Cheers again, -B On Wed, 17 Aug 2005, Brett Shirley wrote: > Yeah, that's what I thought you might mean ... that's not true. > > The process of injecting a phantom is carried out by the directory service > itself. It's in the AD's dblayer code, barely above ESE, but it is still > a behavior of the DS not ESE. > > ESE has no idea what it is doing when a phantom is inserted, it's just 3 > int columns to ESE, it has no concept of what a phantom is. "link pairs" > (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase > (=LinkID/2)) is how AD decided to use ESE to represent references for > itself. > > Did that make sense? > > Cheers, > -BrettSh > > On Wed, 17 Aug 2005, Dean Wells wrote: > > > ... that the process of injecting the phantom isn't a behavioral requirement > > imposed or carried out by the directory service itself. It is a requirement > > imposed by the underlying database and is necessary because of the mechanism > > used by ESE to provide uniform representation of object references (i.e. > > link pairs). > > > > -- > > Dean Wells > > MSEtechnology > > * Email: [EMAIL PROTECTED] > > http://msetechnology.com > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > > Sent: Wednesday, August 17, 2005 4:24 AM > > To: ActiveDir@mail.activedir.org > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > Dean, what did you mean by the last line, indicated here? 
> > > > > The IM process itself does not create phantoms, if it were > > > exclusively responsible for that task, all group modifications > > > referencing non-local-domain members would require origination > > > against the IM -- this is not the case. > > > Phantoms are created locally by each DC > > -> > (beneath the awareness of the directory itself). > > > > > > Cheers, > > BrettSh > > > > > > On Tue, 16 Aug 2005, Francis Ouellet wrote: > > > > > Dean and all; > > > > > > This has been a great topic so far. It seems that the IM > > > infrastructure role isn't quite grasped by everybody and can be a > > > little confusing (me being first confused!) > > > > > > Can I suggest that we gather all of the information from this thread > > > and publish it as a community article on the MS KB we can later refer > > > to? > > > > > > I'm willing to whip up the article if everyone agrees; I can then post > > > back to the list a draft (or publish it somewhere) for technical > > > review. > > > > > > Thanks, > > > Francis > > > > > > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > > > Sent: August 16, 2005 3:44 PM > > > To: Send - AD mailing list > > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > > > Sounds good to me Robert. For the sake of clarification and a little > > > more detail, see below - > > > > > > The IM process itself does not create phantoms, if it were exclusively > > responsible for that task, all group modifications referencing > > non-local-domain members would require origination against the IM -- this is > > not the case. Phantoms are created locally by each DC (beneath the > > awareness of the directory itself). > > > > > > The well-known role of the IM is to identify the validity of local > > phantoms using the process that we've just recently described to death. 
In > > addition, a lesser known function of the IM is that of improving its own > > phantoms and replicating those improvements to the remaining DCs within its > > own domain. > > > This is achieved by a 'sorta' replication proxy -- my earlier post > > describing an ADFIND.EXE syntax outlines a means of finding the objects used > > by this aspect of the IM's behavior (that's assuming you're interested of
RE: [ActiveDir] Question on Replication Topology
Yeah, that's what I thought you might mean ... that's not true. The process of injecting a phantom is carried out by the directory service itself. It's in the AD's dblayer code, barely above ESE, but it is still a behavior of the DS not ESE. ESE has no idea what it is doing when a phantom is inserted, it's just 3 int columns to ESE, it has no concept of what a phantom is. "link pairs" (i.e. the 3 ints, forward link DNT, backlink DNT, and linkbase (=LinkID/2)) is how AD decided to use ESE to represent references for itself. Did that make sense? Cheers, -BrettSh On Wed, 17 Aug 2005, Dean Wells wrote: > ... that the process of injecting the phantom isn't a behavioral requirement > imposed or carried out by the directory service itself. It is a requirement > imposed by the underlying database and is necessary because of the mechanism > used by ESE to provide uniform representation of object references (i.e. > link pairs). > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, August 17, 2005 4:24 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Question on Replication Topology > > > Dean, what did you mean by the last line, indicated here? > > > The IM process itself does not create phantoms, if it were > > exclusively responsible for that task, all group modifications > > referencing non-local-domain members would require origination > > against the IM -- this is not the case. > > Phantoms are created locally by each DC > -> > (beneath the awareness of the directory itself). > > > Cheers, > BrettSh > > > On Tue, 16 Aug 2005, Francis Ouellet wrote: > > > Dean and all; > > > > This has been a great topic so far. It seems that the IM > > infrastructure role isn't quite grasped by everybody and can be a > > little confusing (me being first confused!) 
> > > > Can I suggest that we gather all of the information from this thread > > and publish it as a community article on the MS KB we can later refer > > to? > > > > I'm willing to whip up the article if everyone agrees; I can then post > > back to the list a draft (or publish it somewhere) for technical > > review. > > > > Thanks, > > Francis > > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > > Sent: August 16, 2005 3:44 PM > > To: Send - AD mailing list > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > Sounds good to me Robert. For the sake of clarification and a little > > more detail, see below - > > > > The IM process itself does not create phantoms, if it were exclusively > responsible for that task, all group modifications referencing > non-local-domain members would require origination against the IM -- this is > not the case. Phantoms are created locally by each DC (beneath the > awareness of the directory itself). > > > > The well-known role of the IM is to identify the validity of local > phantoms using the process that we've just recently described to death. In > addition, a lesser known function of the IM is that of improving its own > phantoms and replicating those improvements to the remaining DCs within its > own domain. > > This is achieved by a 'sorta' replication proxy -- my earlier post > describing an ADFIND.EXE syntax outlines a means of finding the objects used > by this aspect of the IM's behavior (that's assuming you're interested of > course). 
> > > > -- > > Dean Wells > > MSEtechnology > > * Email: [EMAIL PROTECTED] > > http://msetechnology.com > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Robert > > Williams > > (RRE) > > Sent: Tuesday, August 16, 2005 3:15 PM > > To: ActiveDir@mail.activedir.org > > Subject: RE: [ActiveDir] Question on Replication Topology > > > > I like your explanation...please allow me to comment on a snippet just to > be sure we're on the same page: > > > > > > IF the IM does not create phantoms, then the DCs that are not GCs do not > have a way to reference those objects that exist in the OTHER Domain. These > DCs who are not GCs rely on the IM to provide this facility, but since the > IM has stopped creating phantoms becaus
RE: [ActiveDir] Question on Replication Topology
Please feel free, I'll happily do what I can ... -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Tuesday, August 16, 2005 10:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Dean and all; This has been a great topic so far. It seems that the IM infrastructure role isn't quite grasped by everybody and can be a little confusing (me being first confused!) Can I suggest that we gather all of the information from this thread and publish it as a community article on the MS KB we can later refer to? I'm willing to whip up the article if everyone agrees; I can then post back to the list a draft (or publish it somewhere) for technical review. Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: August 16, 2005 3:44 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Sounds good to me Robert. For the sake of clarification and a little more detail, see below - The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case. Phantoms are created locally by each DC (beneath the awareness of the directory itself). The well-known role of the IM is to identify the validity of local phantoms using the process that we've just recently described to death. In addition, a lesser known function of the IM is that of improving its own phantoms and replicating those improvements to the remaining DCs within its own domain. This is achieved by a 'sorta' replication proxy -- my earlier post describing an ADFIND.EXE syntax outlines a means of finding the objects used by this aspect of the IM's behavior (that's assuming you're interested of course). 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IM's job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. 
When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DC
RE: [ActiveDir] Question on Replication Topology
... that the process of injecting the phantom isn't a behavioral requirement imposed or carried out by the directory service itself. It is a requirement imposed by the underlying database and is necessary because of the mechanism used by ESE to provide uniform representation of object references (i.e. link pairs). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, August 17, 2005 4:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Dean, what did you mean by the last line, indicated here? > The IM process itself does not create phantoms, if it were > exclusively responsible for that task, all group modifications > referencing non-local-domain members would require origination > against the IM -- this is not the case. > Phantoms are created locally by each DC -> > (beneath the awareness of the directory itself). Cheers, BrettSh On Tue, 16 Aug 2005, Francis Ouellet wrote: > Dean and all; > > This has been a great topic so far. It seems that the IM > infrastructure role isn't quite grasped by everybody and can be a > little confusing (me being first confused!) > > Can I suggest that we gather all of the information from this thread > and publish it as a community article on the MS KB we can later refer > to? > > I'm willing to whip up the article if everyone agrees; I can then post > back to the list a draft (or publish it somewhere) for technical > review. > > Thanks, > Francis > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > Sent: August 16, 2005 3:44 PM > To: Send - AD mailing list > Subject: RE: [ActiveDir] Question on Replication Topology > > Sounds good to me Robert. 
For the sake of clarification and a little > more detail, see below - > > The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case. Phantoms are created locally by each DC (beneath the awareness of the directory itself). > > The well-known role of the IM is to identify the validity of local phantoms using the process that we've just recently described to death. In addition, a lesser known function of the IM is that of improving its own phantoms and replicating those improvements to the remaining DCs within its own domain. > This is achieved by a 'sorta' replication proxy -- my earlier post describing an ADFIND.EXE syntax outlines a means of finding the objects used by this aspect of the IM's behavior (that's assuming you're interested of course). > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Robert > Williams > (RRE) > Sent: Tuesday, August 16, 2005 3:15 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Question on Replication Topology > > I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: > > > IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. 
> > > The DCs that are NOT GCs still can reference the object since it's > replicated in after the phantom is created, however if your GC is on > the IM > ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. > > And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IM's job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. > > Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? > > Thanks! > > Rob > > > > > -Original Message- > From: [EMAIL PROTECTED] > [m
RE: [ActiveDir] Question on Replication Topology
Dean, what did you mean by the last line, indicated here? > The IM process itself does not create phantoms, if it were > exclusively responsible for that task, all group modifications > referencing non-local-domain members would require origination > against the IM -- this is not the case. > Phantoms are created locally by each DC -> > (beneath the awareness of the directory itself). Cheers, BrettSh On Tue, 16 Aug 2005, Francis Ouellet wrote: > Dean and all; > > This has been a great topic so far. It seems that the IM > infrastructure role isn't quite grasped by everybody and can be a > little confusing (me being first confused!) > > Can I suggest that we gather all of the information from this thread > and publish it as a community article on the MS KB we can later refer > to? > > I'm willing to whip up the article if everyone agrees; I can then post > back to the list a draft (or publish it somewhere) for technical > review. > > Thanks, > Francis > > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > Sent: August 16, 2005 3:44 PM > To: Send - AD mailing list > Subject: RE: [ActiveDir] Question on Replication Topology > > Sounds good to me Robert. For the sake of clarification and a little more > detail, see below - > > The IM process itself does not create phantoms, if it were exclusively > responsible for that task, all group modifications referencing > non-local-domain members would require origination against the IM -- this is > not the case. Phantoms are created locally by each DC (beneath the awareness > of the directory itself). > > The well-known role of the IM is to identify the validity of local phantoms > using the process that we've just recently described to death. In addition, > a lesser known function of the IM is that of improving its own phantoms and > replicating those improvements to the remaining DCs within its own domain. 
> This is achieved by a 'sorta' replication proxy -- my earlier post describing > an ADFIND.EXE syntax outlines a means of finding the objects used by this > aspect of the IM's behavior (that's assuming you're interested of course). > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams > (RRE) > Sent: Tuesday, August 16, 2005 3:15 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Question on Replication Topology > > I like your explanation...please allow me to comment on a snippet just to be > sure we're on the same page: > > > IF the IM does not create phantoms, then the DCs that are not GCs do not have > a way to reference those objects that exist in the OTHER Domain. These DCs > who are not GCs rely on the IM to provide this facility, but since the IM has > stopped creating phantoms because it is also acting as a GC, then the > facility does not exist for the non-GC DCs to use. > > > The DCs that are NOT GCs still can reference the object since it's replicated > in after the phantom is created, however if your GC is on the IM > ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not > ever update the objects when they are renamed since there aren't any phantoms > to update on the GC. > > And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC > can and will create the phantom when necessary (or will it be the IM or PDC > which actually 'creates' the phantom??) but it's the IM's job to update > them...I think from the IM's perspective that it really doesn't care how they > are created, its job is to just keep them accurate. That part I'm not 100% > clear on so I hope someone straightens it out for me / us. > > Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of > these things if possible? > > Thanks! 
> > Rob > > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] > Sent: Tuesday, August 16, 2005 2:48 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Question on Replication Topology > > Your conclusion sounds good to me. When I talk about this IM/GC thingy, this > is how I present it (to non- or semi-technical CxOs): > > In a multi-Domain environment: > Each domain needs to know something about objects in the other domain. > > A GC in one domain knows something about objects in other do
RE: [ActiveDir] Question on Replication Topology
Funny that - I lost mine when I JOINED Microsoft. I was told that it might be hard to get as my job doesn't require access to source...

Rick

P.S. I say just plain "blech". They're great for throwing. As to eating - have no use for them. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 12:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I am fortunate enough to be provided with source access by Microsoft.

Actually, I say "Tom-arto" since I'm British. ;0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 1:37 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

No Problem at all.. You say Tomato I say Tamato.. I also misunderstood his question as I assumed he meant DCs and not GCs. Thanks for clarifying this in more detail.

BTW: How did you get to look at the source code?

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 10:08 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Jose, I don't wish to continue going back and forth on this topic, the behavior and constraints are what they are. I'm not stating an opinion or an interpretation of a paper, I'm stating a fact based upon the source code of the product (as of 2K and 2K3). Your understanding of the articles you've read is very close but not entirely accurate. Phantoms of this kind are not permitted on GCs ... this is manifested in the interface when you attempt to add a user to a Universal group but the user has not yet replicated to the GC (an error will occur stating exactly that), if phantoms were permitted one would be created based on the info. from the DC used to browse the domain containing the user.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains.

So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything).

So the following infrastructure is a valid configuration:

One domain:
  R-DC1 (GC + IM)
  R-DC2 (GC)
  R-DC3-x (must be GC)

Other domain:
  O-DC1 (GC)
  O-DC2 (IM)
  O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs.

The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/

So to be short:

The Infrastructure Master is not allowed to run on a Global Catalog Server if either
  - there are multiple Domains in the Forest
  - there are Domain Controllers in the same Domain which are not Global Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either
  - there's only one Domain in the Forest
  - every Domain Controller in the Domain in question is Global Catalog Server

---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I'm afraid it's not correct
RE: [ActiveDir] Question on Replication Topology
Dean and all; This has been a great topic so far. It seems that the IM infrastructure role isn't quite grasped by everybody and can be a little confusing (me being first confused!) Can I suggest that we gather all of the information from this thread and publish it as a community article on the MS KB we can later refer to? I'm willing to whip up the article if everyone agrees; I can then post back to the list a draft (or publish it somewhere) for technical review. Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: August 16, 2005 3:44 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Sounds good to me Robert. For the sake of clarification and a little more detail, see below - The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case. Phantoms are created locally by each DC (beneath the awareness of the directory itself). The well-known role of the IM is to identify the validity of local phantoms using the process that we've just recently described to death. In addition, a lesser known function of the IM is that of improving its own phantoms and replicating those improvements to the remaining DCs within its own domain. This is achieved by a 'sorta' replication proxy -- my earlier post describing an ADFIND.EXE syntax outlines a means of finding the objects used by this aspect of the IM's behavior (that's assuming you're interested of course). 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IMs job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. 
When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them
RE: [ActiveDir] Question on Replication Topology
Thanks, Robert. Oh, ... and Dean, too :-p Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Tue 8/16/2005 12:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IMs job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! 
Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other words, they don't need the IM. In a single domain environment: There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference. 
Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Tue 8/16/2005 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way t
RE: [ActiveDir] Question on Replication Topology
Sounds good to me Robert. For the sake of clarification and a little more detail, see below - The IM process itself does not create phantoms, if it were exclusively responsible for that task, all group modifications referencing non-local-domain members would require origination against the IM -- this is not the case. Phantoms are created locally by each DC (beneath the awareness of the directory itself). The well-known role of the IM is to identify the validity of local phantoms using the process that we've just recently described to death. In addition, a lesser known function of the IM is that of improving its own phantoms and replicating those improvements to the remaining DCs within its own domain. This is achieved by a 'sorta' replication proxy -- my earlier post describing an ADFIND.EXE syntax outlines a means of finding the objects used by this aspect of the IM's behavior (that's assuming you're interested of course). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. 
The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IMs job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. 
IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other words, they don't need the IM. In a single domain environment: There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sen
RE: [ActiveDir] Question on Replication Topology
I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page: IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IMs job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. 
These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other words, they don't need the IM. In a single domain environment: There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Tue 8/16/2005 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. 
Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack. If you have only one domain, again we will have no reason to create these
RE: [ActiveDir] Question on Replication Topology
Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other words, they don't need the IM. In a single domain environment: There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Tue 8/16/2005 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack. If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!). If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally. Please chime in if there is something to add / correct..imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now... Have a good one guys! 
Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 12:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [
RE: [ActiveDir] Question on Replication Topology
Your explanation sounds great to me. As I understood it, there was a difference as to whether the IM can co-reside on a GC in a multi-domain forest if all DCs in its domain are GCs. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 1:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack. If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!). If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally. 
Please chime in if there is something to add / correct..imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now... Have a good one guys! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 12:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. 
Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper wei
RE: [ActiveDir] Question on Replication Topology
I am fortunate enough to be provided with source access by Microsoft. Actually, I say "Tom-arto" since I'm British. ;0) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 1:37 PM To: ActiveDir@mail.activedir.org; Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology No Problem at all.. You say Tomato I say Tamato..I also misunderstood his question as I assumed he meant DC's and not GC's. Thanks for clarifying this in more detail. BTW: How did you get to look at the source code? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 10:08 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Jose, I don't wish to continue going back and forth on this topic, the behavior and constraints are what they are. I'm not stating an opinion or an interpretation of a paper, I'm stating a fact based upon the source code of the product (as of 2K and 2K3). Your understanding of the articles you've read is very close but not entirely accurate. Phantoms of this kind are not permitted on GCs ... this is manifested in the interface when you attempt to add a user to a Universal group but the user has not yet replicated to the GC (an error will occur stating exactly that), if phantoms were permitted one would be created based on the info. from the DC used to browse the domain containing the user. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... 
One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. 
The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent
RE: [ActiveDir] Question on Replication Topology
I'm kinda confused as to what the confusion is about... What is he saying that is different than what you're saying? Hehe Cheers! rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 1:15 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology For my own purposes, I am interested to know why it is you interpret the whitepaper you posted a link to as supporting your case, it clearly states - "Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain." -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. 
So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Ha
RE: [ActiveDir] Question on Replication Topology
The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack. If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!). If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally. Please chime in if there is something to add / correct..imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now... Have a good one guys! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time. 
:m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 12:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? 
Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However
RE: [ActiveDir] Question on Replication Topology
I managed to locate a detailed explanation of the IM's behavior I wrote some time back, I've pasted it below in the hopes that it will clear up some of the confusion.

---

The IM locates phantom records within the local DIT. Phantoms are injected database rows, they are structural entities primarily used to maintain database level cross-references between a local object and a foreign-domain/same-forest object. They also serve a couple of other low-level purposes. Note we refer to phantoms as records as opposed to objects since phantoms are effectively outside the scope of the directory itself. Phantoms maintain only 3 attributes: dn, objectGUID and objectSID (where applicable).

Since phantoms represent objects in foreign domains, administrative updates to that foreign object's dn or SID cause the phantom to become stale (i.e. the phantom's dn or objectSID no longer reflect that of the object it was created to locally represent -- somewhat like the result when renaming the target file that a Windows Explorer shortcut points to).

The IM scans the local DIT/DIB and collates a pre-defined number of phantoms, the phantom's objectGUID is used to locate the (partial copy of the) real object that exists in a GC (the GC is assumed to have an ~up to date copy). The dn and objectSID of the phantom are then compared against the corresponding attributes on the object maintained by the GC. If everything is equal, the IM continues to the next phantom, if the dn or the objectSID do not match, the local phantom is improved with the GC's more up-to-date values. If the object cannot be located, it is deemed to have been deleted and the corresponding local phantom is also deleted.

Note that additional measures are taken by the IM in order to ensure that the changes or deletions introduced are replicated to all other DCs within the same domain, I haven't described those actions here since it's somewhat overkill but they're referenced below by the steps I provided to locate the changes made.

To determine what the IM did, 2 approaches (outside of attaching a debugger) spring to mind. The first is to crank up DS logging but that would carry an awful lot of event-baggage with it; the second is query for the replicable entries created by the IM. For once in my life I'm going to recommend the use of one of Joe Richards' tools :o) -- specifically ADFIND.EXE (it's not that I don't like his tools, I just don't like him ... I'm teasing ... I prefer, where possible, to use tools supplied with the base media but there simply aren't any capable of doing the job this well).

Download and run the following command within a command shell (obviously, the dn needs substituting) -

C:\>adfind -b "cn=Deleted Objects,dc=child,dc=test,dc=com" -showdel -f "objectclass=infrastructureUpdate" dnReferenceUpdate whenChanged -extname -rsort whenChanged -nodn -s onelevel

The resulting output displays the objectGUID, objectSID and dn of any phantoms that were locally improved (most recent improvements ordered to the top). By default, the result set will contain any phantom-alterations that have occurred within the last 2 months (unless the forest was constructed using 2K3 SP1). Note that you may need to increase query timeouts depending on the size of the DIT and/or the number of infrastructureUpdate instances.

The IM itself can be triggered manually using a variety of tools, here's a technique using another of Joe's -

C:\>admod -h im_roleholder -b "" checkPhantoms::1

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
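The scan described in the message above, as an added Python model (not part of the original post and not Active Directory code), showing why an IM on a GC leaves stale phantoms on non-GC DCs in its domain. The DC names, GUID strings, DNs and SIDs are constructed, and replication of the IM's fixes is simplified to applying them directly on each DC instead of through infrastructureUpdate entries.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GcView = Dict[str, Tuple[str, Optional[str]]]  # objectGUID -> (dn, objectSID)

# Constructed sample data: two foreign-domain users as a GC sees them.
GC_BEFORE: GcView = {
    "guid-alice": ("CN=Alice,OU=Staff,DC=test,DC=com", "S-1-5-21-1111-2222-3333-1104"),
    "guid-bob": ("CN=Bob,OU=Staff,DC=test,DC=com", "S-1-5-21-1111-2222-3333-1105"),
}
# The same GC after the foreign domain moves Alice and deletes Bob.
GC_AFTER: GcView = {
    "guid-alice": ("CN=Alice,OU=Leavers,DC=test,DC=com", "S-1-5-21-1111-2222-3333-1104"),
}


@dataclass
class Phantom:
    guid: str
    dn: str
    sid: Optional[str]  # objectSID only where applicable


@dataclass
class DC:
    name: str
    is_gc: bool
    phantoms: Dict[str, Phantom] = field(default_factory=dict)

    def add_cross_domain_reference(self, guid: str, gc_view: GcView) -> None:
        """A GC already holds a partial copy of the object, so it stores no phantom."""
        if self.is_gc:
            return
        dn, sid = gc_view[guid]
        self.phantoms[guid] = Phantom(guid, dn, sid)


def im_pass(role_holder: DC, domain_dcs: List[DC], gc_view: GcView) -> List[tuple]:
    """One IM pass: compare the role holder's phantoms with the GC by objectGUID."""
    updates = []
    for guid, ph in role_holder.phantoms.items():
        real = gc_view.get(guid)
        if real is None:
            updates.append(("delete", guid, None))   # object gone: drop phantom
        elif (ph.dn, ph.sid) != real:
            updates.append(("improve", guid, real))  # stale dn or SID
    # Simplified replication: every DC in the domain applies the same fixes.
    for dc in domain_dcs:
        for action, guid, real in updates:
            if guid not in dc.phantoms:
                continue
            if action == "delete":
                del dc.phantoms[guid]
            else:
                dc.phantoms[guid] = Phantom(guid, *real)
    return updates


def stale_phantoms(domain_dcs: List[DC], gc_view: GcView) -> List[str]:
    """List 'DC:guid' for every phantom that no longer matches the GC."""
    stale = []
    for dc in domain_dcs:
        for guid, ph in dc.phantoms.items():
            if gc_view.get(guid) != (ph.dn, ph.sid):
                stale.append(f"{dc.name}:{guid}")
    return sorted(stale)


def run_scenario(im_on_gc: bool, every_dc_is_gc: bool = False) -> List[str]:
    """Two-DC domain in a multi-domain forest; returns what is still stale after one pass."""
    dc_a = DC("DC-A", is_gc=True)
    dc_b = DC("DC-B", is_gc=every_dc_is_gc)
    domain = [dc_a, dc_b]
    for dc in domain:
        for guid in GC_BEFORE:
            dc.add_cross_domain_reference(guid, GC_BEFORE)
    role_holder = dc_a if im_on_gc else dc_b
    im_pass(role_holder, domain, GC_AFTER)
    return stale_phantoms(domain, GC_AFTER)


if __name__ == "__main__":
    print("IM on GC, DC-B not a GC:", run_scenario(im_on_gc=True))
    print("IM on non-GC:           ", run_scenario(im_on_gc=False))
    print("IM on GC, all DCs GCs:  ", run_scenario(im_on_gc=True, every_dc_is_gc=True))
```
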
RE: [ActiveDir] Question on Replication Topology
No Problem at all.. You say Tomato I say Tamato.. I also misunderstood his question as I assumed he meant DC's and not GC's. Thanks for clarifying this in more detail. BTW: How did you get to look at the source code? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 10:08 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Jose, I don't wish to continue going back and forth on this topic, the behavior and constraints are what they are. I'm not stating an opinion or an interpretation of a paper, I'm stating a fact based upon the source code of the product (as of 2K and 2K3). Your understanding of the articles you've read is very close but not entirely accurate. Phantoms of this kind are not permitted on GCs ... this is manifested in the interface when you attempt to add a user to a Universal group but the user has not yet replicated to the GC (an error will occur stating exactly that), if phantoms were permitted one would be created based on the info. from the DC used to browse the domain containing the user. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. 
If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. 
The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005
RE: [ActiveDir] Question on Replication Topology
That's the way I read it too, Dean. I think the terminology gets confusing because of the wording that "Multidomain forest" and then referencing "every domain controller in a domain". I've personally seen that terminology get completely botched by MCS who inappropriately wrote into a health engagement that our domain was unhealthy because we held our IM on a GC. No matter how much I debated it... he wouldn't let it go. Wherever you are, 80's hair guy, I hope you're reading this post. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 1:15 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology For my own purposes, I am interested to know why it is you interpret the whitepaper you posted a link to as supporting your case, it clearly states - "Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain." -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. 
If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. 
The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message
RE: [ActiveDir] Question on Replication Topology
I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 12:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? 
Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. 
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have
RE: [ActiveDir] Question on Replication Topology
For my own purposes, I am interested to know why it is you interpret the whitepaper you posted a link to as supporting your case, it clearly states - "Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain." -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). 
It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. 
However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that dose not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (f
RE: [ActiveDir] Question on Replication Topology
Jose, I don't wish to continue going back and forth on this topic, the behavior and constraints are what they are. I'm not stating an opinion or an interpretation of a paper, I'm stating a fact based upon the source code of the product (as of 2K and 2K3). Your understanding of the articles you've read is very close but not entirely accurate. Phantoms of this kind are not permitted on GCs ... this is manifested in the interface when you attempt to add a user to a Universal group but the user has not yet replicated to the GC (an error will occur stating exactly that), if phantoms were permitted one would be created based on the info. from the DC used to browse the domain containing the user.

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains).
It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs. The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/

So to be short:

The Infrastructure Master is not allowed to run on a Global Catalog Server if either
- there are multiple Domains in the Forest
- there are Domain Controllers in the same Domain which are not Global Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either
- there's only one Domain in the Forest
- every Domain Controller in the Domain in question is Global Catalog Server

---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly).

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct.
However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I hav
RE: [ActiveDir] Question on Replication Topology
I see... (just trying to understand here) Got back to the docs and it appears I was mistaken about how phantoms work. I was sure that Domain Local groups would have issues with having members from other domains, but now I realize that the membership will get updated via looking at the GC instead of relying on the phantom. (the fact the DLGs are not replicated to GC got me think in the wrong direction) Sorry for the confusion, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 6:22 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Note in the original post, Rocky mentioned that all DCs are GCs ... in instances such as these, co-hosting the IM and GC roles is a non-issue. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. 
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. 
Sewall Company 136 Center Street Old Town, Maine 04468 207.827.4456 [EMAIL PROTECTED] www.jws.com __ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
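The placement rule the thread converges on, written out as a checker; this is an added example and not part of any poster's message. The data model, the status strings and the MISPLACED topology are assumptions constructed here, while the other two topologies are transcribed from Rocky's post and from the "valid configuration" in Jose's post.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class DomainController:
    name: str
    is_gc: bool             # hosts a global catalog
    holds_im: bool = False  # holds the domain's Infrastructure Master role


class Finding(NamedTuple):
    status: str          # one of the STATUS_* strings below
    im_holder: str       # DC holding the IM role ("" when the input is invalid)
    stale_on: List[str]  # non-GC DCs whose phantoms would not be refreshed


# Hypothetical status strings, named for this example only.
STATUS_SINGLE_DOMAIN = "ok: single-domain forest, no phantoms to track"
STATUS_ALL_GC = "ok: every DC in the domain is a GC, IM has no work"
STATUS_IM_ON_NON_GC = "ok: IM runs on a non-GC and can find stale phantoms"
STATUS_RISK = "risk: IM on a GC while non-GC DCs in the domain hold phantoms"
STATUS_INVALID = "invalid: domain must have exactly one IM holder"


def check_im_placement(forest: Dict[str, List[DomainController]]) -> Dict[str, Finding]:
    """Evaluate each domain of a forest against the IM/GC co-hosting rule."""
    results = {}
    for domain, dcs in forest.items():
        holders = [dc for dc in dcs if dc.holds_im]
        if len(holders) != 1:
            results[domain] = Finding(STATUS_INVALID, "", [])
            continue
        im = holders[0]
        non_gc = sorted(dc.name for dc in dcs if not dc.is_gc)
        if len(forest) == 1:
            # No foreign-domain objects exist, so there is nothing to reference.
            status, stale = STATUS_SINGLE_DOMAIN, []
        elif not non_gc:
            # GCs hold no phantoms of this kind; the role is idle anywhere.
            status, stale = STATUS_ALL_GC, []
        elif not im.is_gc:
            # The IM itself holds phantoms and can compare them against a GC.
            status, stale = STATUS_IM_ON_NON_GC, []
        else:
            # The IM sits on a GC and sees no phantoms, so the non-GC DCs
            # in this domain never receive corrections for theirs.
            status, stale = STATUS_RISK, non_gc
        results[domain] = Finding(status, im.name, stale)
    return results


# Rocky's forest as posted: two domains, every DC is a GC.
ROCKY_FOREST = {
    "win.jws.com": [DomainController("DC1", True, holds_im=True),
                    DomainController("DC2", True)],
    "ot.win.jws.com": [DomainController("DC4", True),
                       DomainController("DC5", True, holds_im=True),
                       DomainController("DC6", True)],
}

# The "valid configuration" from Jose's post (R-DC3-x / O-DC3-x shown as one DC each).
JOSE_EXAMPLE = {
    "one": [DomainController("R-DC1", True, holds_im=True),
            DomainController("R-DC2", True),
            DomainController("R-DC3", True)],
    "other": [DomainController("O-DC1", True),
              DomainController("O-DC2", False, holds_im=True),
              DomainController("O-DC3", False)],
}

# Constructed variant: same forest, IM of the second domain moved onto its GC.
MISPLACED = {
    "one": JOSE_EXAMPLE["one"],
    "other": [DomainController("O-DC1", True, holds_im=True),
              DomainController("O-DC2", False),
              DomainController("O-DC3", False)],
}

if __name__ == "__main__":
    for label, forest in (("Rocky", ROCKY_FOREST), ("Jose", JOSE_EXAMPLE),
                          ("Misplaced", MISPLACED)):
        for domain, finding in check_im_placement(forest).items():
            print(f"{label:10} {domain:16} IM={finding.im_holder:6} "
                  f"{finding.status} {finding.stale_on or ''}")
```
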
RE: [ActiveDir] Question on Replication Topology
I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs.
The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/

So to be short:

The Infrastructure Master is not allowed to run on a Global Catalog Server if either
- there are multiple Domains in the Forest
- there are Domain Controllers in the same Domain which are not Global Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either
- there's only one Domain in the Forest
- every Domain Controller in the Domain in question is Global Catalog Server

---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly).

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?
Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Pr
RE: [ActiveDir] Question on Replication Topology
As I've said, this is incorrect. GCs do not maintain this kind of phantom as they have no need for it.

-- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

In that case I believe that running IM on GCs can cause issues. The IM in child domain has almost no phantoms to track, but the IM in forest root would try talking to itself and would fail to update phantoms for all the user/group/computer/etc objects in the child domain.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty > No accounts and groups other than default) (win.jws.com.) We have a single production domain under the forest root. (ot.win.jws.com.)

Rocky __

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains.

We have:
Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2
One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6

Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners.
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to A
RE: [ActiveDir] Question on Replication Topology
Correct…it can, unless all dc’s are gc’s…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

In that case I believe that running IM on GCs can cause issues. The IM in child domain has almost no phantoms to track, but the IM in forest root would try talking to itself and would fail to update phantoms for all the user/group/computer/etc objects in the child domain.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty > No accounts and groups other than default) (win.jws.com.) We have a single production domain under the forest root. (ot.win.jws.com.)

Rocky __

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains.

We have:
Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2
One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6

Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners.
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6
RE: [ActiveDir] Question on Replication Topology
Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. 
So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:
Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2
One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.
I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated
RE: [ActiveDir] Question on Replication Topology
Exactly...same conclusion...whew! Glad we got that out of the way...hehe. Have a great afternoon! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. 
So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:
Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2
One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.
I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly con
RE: [ActiveDir] Question on Replication Topology
I wasn’t answering with any specific setup in mind…the previous poster asked about the single-domain part. I don’t know where it came from and it wasn’t really important to my answer…but yes, if you have more than one domain then you will still have the same requirements (meaning separate the IM from GC or make *all DCs* GCs). Rob From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. 
However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. 
In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. Sewall
RE: [ActiveDir] Question on Replication Topology
In that case I believe that running IM on GCs can cause issues. The IM in child domain has almost no phantoms to track, but the IM in forest root would try talking to itself and would fail to update phantoms for all the user/group/computer/etc objects in the child domain. Guy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 6:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology We have a Forest root domain (technically empty > No accounts and groups other than default) (win.jws.com.) We have a single production domain under the forest root. (ot.win.jws.com.) Rocky __ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. 
So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. 
I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matte
RE: [ActiveDir] Question on Replication Topology
I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. 
However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. 
In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company 136 Center Street Old Town, M
RE: [ActiveDir] Question on Replication Topology
We have a Forest root domain (technically empty > No accounts and groups other than default) (win.jws.com.) We have a single production domain under the forest root. (ot.win.jws.com.) Rocky __ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. 
Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. 
ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? T
RE: [ActiveDir] Question on Replication Topology
Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? 
Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? 
Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company 136 Center Street Old Town, Maine 04468 207.827.4456 [EMAIL PROTECTED] www.jws.com __ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent but I've not personally seen a forest designed or utilized that badly). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. 
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. 
Sewall Company 136 Center Street Old Town, Maine 04468 207.827.4456 [EMAIL PROTECTED] www.jws.com __
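The placement rule stated in the replies above (a single-domain forest has no phantoms to track; otherwise keep the IM off a GC, or make every DC in the domain a GC) can be checked mechanically against an inventory. This is an added example, not part of the original thread: the domain and DC names are typed in from Rocky's description, while the variant and single-domain forests and all class and function names are constructed for illustration.

```python
"""Audit Infrastructure Master (IM) placement against Global Catalog (GC) roles.

The inventories are constructed by hand for this example; in a live forest the
same facts (which DCs are GCs, who holds the IM role) come from the directory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    is_gc: bool


@dataclass(frozen=True)
class Domain:
    name: str
    dcs: tuple       # tuple of DomainController
    im_holder: str   # name of the DC holding the Infrastructure Master role


def audit_im_placement(forest):
    """Return {domain name: (verdict, detail)} for every domain in the forest."""
    results = {}
    multi_domain = len(forest) > 1
    for dom in forest:
        by_name = {dc.name: dc for dc in dom.dcs}
        if dom.im_holder not in by_name:
            raise ValueError(f"{dom.name}: IM holder {dom.im_holder!r} is not a listed DC")
        non_gcs = sorted(dc.name for dc in dom.dcs if not dc.is_gc)
        if not multi_domain:
            # No foreign-domain objects exist, so there are no phantoms to maintain.
            results[dom.name] = ("ok", "single-domain forest: no phantoms for the IM to track")
        elif not by_name[dom.im_holder].is_gc:
            results[dom.name] = ("ok", "IM is hosted on a non-GC")
        elif not non_gcs:
            # Every DC already holds a GC replica, so no DC depends on the IM.
            results[dom.name] = ("ok", "every DC in the domain is a GC")
        else:
            # The IM sits on a GC while non-GC DCs still carry phantoms that
            # need updating: the case the thread says to avoid.
            results[dom.name] = (
                "at-risk",
                "IM is on a GC while other DCs are not GCs; move the IM to one of: "
                + ", ".join(non_gcs),
            )
    return results


def _dcs(*pairs):
    return tuple(DomainController(name, is_gc) for name, is_gc in pairs)


# Layout as described in the thread: two domains, every DC is a GC.
ROCKY_FOREST = [
    Domain("win.jws.com", _dcs(("DC1", True), ("DC2", True)), "DC1"),
    Domain("ot.win.jws.com", _dcs(("DC4", True), ("DC5", True), ("DC6", True)), "DC5"),
]

# Constructed variant: DC6 is no longer a GC, the IM stays on DC5 (a GC).
VARIANT_FOREST = [
    ROCKY_FOREST[0],
    Domain("ot.win.jws.com", _dcs(("DC4", True), ("DC5", True), ("DC6", False)), "DC5"),
]

# Constructed single-domain forest (hypothetical name) with the IM on a GC.
SINGLE_DOMAIN_FOREST = [
    Domain("example.test", _dcs(("DCA", True), ("DCB", False)), "DCA"),
]

if __name__ == "__main__":
    for label, forest in (("thread layout", ROCKY_FOREST),
                          ("variant", VARIANT_FOREST),
                          ("single domain", SINGLE_DOMAIN_FOREST)):
        for domain, (verdict, detail) in audit_im_placement(forest).items():
            print(f"{label:14} {domain:16} {verdict:8} {detail}")
```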
RE: [ActiveDir] Question on Replication Topology
Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest. Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. 
Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) __ Rocky Habeeb Microsoft Systems Administrator James W. 
Sewall Company 136 Center Street Old Town, Maine 04468 207.827.4456 [EMAIL PROTECTED] www.jws.com __
RE: [ActiveDir] Question on Replication Topology
Note in the original post, Rocky mentioned that all DCs are GCs ... in instances such as these, co-hosting the IM and GC roles is a non-issue.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest?

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
You are correct. However if you have two DCs it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest?

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest?

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
It is indeed sufficient based on the forest structure you provided ... and you're most welcome.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Dean,

Thank you for responding to my question. I am assuming that because you did not state "worry" (in so many words), that this ring topology is expected and is sufficient. I really appreciate your diagram and posts. I have learned a lot from this list and appreciate the time you and others take to post.

Rocky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 7:58 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Since all DCs are within the same site, the KCC will construct a ring topology based on the numeric ordering of each of the DCs' GUIDs, thus we get something like this when we graphically represent your description of the connection objects -

As you can see, the KCC has indeed created a ring for the child in blue, a ring for the root in green (though a ring of 2 is a little more difficult to see) and a ring for the enterprise partitions in red (note that the enterprise partitions are also replicated between any 2 DCs sharing a full domain partition, i.e. - they're in the same domain). The dotted lines imply a partial replication of the domain partition, i.e. - a GC sourcing a foreign domain.

A mesh topology is not used by Active Directory without your explicit assistance in order to force its creation. If your scenario incorporated multiple sites, a least cost spanning tree topology is employed between the sites.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 2:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
Dean,

Thank you for responding to my question. I am assuming that because you did not state "worry" (in so many words), that this ring topology is expected and is sufficient. I really appreciate your diagram and posts. I have learned a lot from this list and appreciate the time you and others take to post.

Rocky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 7:58 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Since all DCs are within the same site, the KCC will construct a ring topology based on the numeric ordering of each of the DCs' GUIDs, thus we get something like this when we graphically represent your description of the connection objects -

As you can see, the KCC has indeed created a ring for the child in blue, a ring for the root in green (though a ring of 2 is a little more difficult to see) and a ring for the enterprise partitions in red (note that the enterprise partitions are also replicated between any 2 DCs sharing a full domain partition, i.e. - they're in the same domain). The dotted lines imply a partial replication of the domain partition, i.e. - a GC sourcing a foreign domain.

A mesh topology is not used by Active Directory without your explicit assistance in order to force its creation. If your scenario incorporated multiple sites, a least cost spanning tree topology is employed between the sites.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 2:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
Since all DCs are within the same site, the KCC will construct a ring topology based on the numeric ordering of each of the DCs' GUIDs, thus we get something like this when we graphically represent your description of the connection objects -

As you can see, the KCC has indeed created a ring for the child in blue, a ring for the root in green (though a ring of 2 is a little more difficult to see) and a ring for the enterprise partitions in red (note that the enterprise partitions are also replicated between any 2 DCs sharing a full domain partition, i.e. - they're in the same domain). The dotted lines imply a partial replication of the domain partition, i.e. - a GC sourcing a foreign domain.

A mesh topology is not used by Active Directory without your explicit assistance in order to force its creation. If your scenario incorporated multiple sites, a least cost spanning tree topology is employed between the sites.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 2:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
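The reply above says a single-site ring, not a mesh, is what the KCC builds and that it is sufficient. The following is an added example, not part of the thread: it runs the connection objects listed in the original post through a reachability check per partition. It assumes each DC's list names its inbound replication sources and that partition membership is as described in the post; all function names are illustrative.

```python
from collections import deque
from itertools import permutations

# Connection objects as listed in the original post. Assumption: each DC's
# list names its inbound replication sources, which is how connection objects
# appear under a server's NTDS Settings.
INBOUND = {
    "DC1": ["DC2", "DC6"],
    "DC2": ["DC1", "DC5"],
    "DC4": ["DC5", "DC6"],
    "DC5": ["DC4", "DC6"],
    "DC6": ["DC1", "DC4", "DC5"],
}

# DCs holding a full replica of each partition, from the forest described
# in the post (root domain: DC1, DC2; child domain: DC4, DC5, DC6).
REPLICA_SETS = {
    "root domain": ["DC1", "DC2"],
    "child domain": ["DC4", "DC5", "DC6"],
    "enterprise partitions": ["DC1", "DC2", "DC4", "DC5", "DC6"],
}


def flow_edges(inbound):
    """Turn 'destination <- sources' lists into 'source -> destinations'."""
    edges = {dc: set() for dc in inbound}
    for dest, sources in inbound.items():
        for src in sources:
            edges.setdefault(src, set()).add(dest)
    return edges


def hop_counts(origin, members, edges):
    """BFS from origin, relaying only through DCs that hold the partition."""
    members = set(members)
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in sorted(edges.get(node, set()) & members):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def find_ring(members, edges):
    """Return one directed ring visiting every member once, or None."""
    first, *rest = sorted(members)
    for order in permutations(rest):
        ring = [first, *order]
        pairs = zip(ring, ring[1:] + [first])
        if all(b in edges.get(a, ()) for a, b in pairs):
            return ring
    return None


def analyse(members, inbound=INBOUND):
    """Check that a change made on any replica reaches every other replica."""
    edges = flow_edges(inbound)
    member_set = set(members)
    converges, worst = True, 0
    for origin in members:
        dist = hop_counts(origin, members, edges)
        if set(dist) != member_set:
            converges = False  # some replica never hears from this origin
        worst = max(worst, max(dist.values()))
    used = sum(1 for d in members for s in inbound[d] if s in member_set)
    n = len(members)
    return {
        "converges": converges,
        "max_hops": worst,
        "ring": find_ring(members, edges),
        "connections_used": used,
        "full_mesh_would_need": n * (n - 1),
    }


if __name__ == "__main__":
    for name, members in REPLICA_SETS.items():
        print(name, analyse(members))
```

For the enterprise partitions the listed topology converges in at most 3 hops using 11 connection objects, where a full mesh of five DCs would need 20.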
RE: [ActiveDir] Question on Replication Topology
Gil,

Thanks for responding. Everything is in the default First Site.

Rocky
__

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 15, 2005 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Do you have sites and subnets defined, or is everything in the Default First Site?

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 11:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
Do you have sites and subnets defined, or is everything in the Default First Site?

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 11:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles) (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/