That's because AD and NDS/eDir handle rights inheritance in different ways.
In NDS, inherited rights are calculated at evaluation time, i.e., when the
system tries to determine if an object has a specific right, it checks the
object and then walks the tree upward to check for inherited rights. This
makes rights changes very fast (there's only one update), but rights lookups
slower.

In AD, inherited rights are evaluated at update time, i.e., when you change
a right, AD propagates the inherited rights down the tree. This makes rights
changes slower, but makes rights lookups much faster.

Given that directories are subject to much more frequent reads than rights,
the AD scheme should be more effective. On the other hand, write operations
are generally slower than read operations, so the NDS scheme is potentially
more efficient because it trades AD's multiple write operations for multiple
read operations.

You can find benchmarks that convincingly support either view <g>.

-gil

Gil Kirkpatrick
Chief Technology Officer, NetPro
Author of "Active Directory Programming" from MacMillan
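
The trade-off described in the message above, as an added example that is not part of the original e-mail and is not AD or NDS/eDirectory code: a simplified Python model that counts nodes written per rights change and nodes read per rights check under each scheme. The tree shape, the function names and the single "read" right are assumptions; inheritance blocking and deny entries are not modelled.

```python
class Node:
    """Directory object in a simplified model (hypothetical, not AD/eDir code)."""
    def __init__(self, parent=None):
        self.parent, self.children = parent, []
        self.explicit, self.effective = set(), set()  # direct / precomputed rights
        if parent is not None:
            parent.children.append(self)

def build_tree(depth, fanout):
    """Constructed sample tree; returns (root, one deepest leaf)."""
    root = Node()
    level = [root]
    for _ in range(depth):
        level = [Node(p) for p in level for _ in range(fanout)]
    return root, level[0]

def grant_lookup_time(node, right):
    """Evaluate-at-lookup scheme: a change is one write on one node."""
    node.explicit.add(right)
    return 1  # nodes written

def check_lookup_time(node, right):
    """Walk from the object up to the root; returns (granted, nodes read)."""
    reads = 0
    while node is not None:
        reads += 1
        if right in node.explicit:
            return True, reads
        node = node.parent
    return False, reads

def grant_update_time(node, right):
    """Evaluate-at-update scheme: push the right down to every descendant."""
    node.explicit.add(right)
    writes, stack = 0, [node]
    while stack:
        current = stack.pop()
        current.effective.add(right)
        writes += 1
        stack.extend(current.children)
    return writes  # nodes written

def check_update_time(node, right):
    """Read the object's precomputed rights; returns (granted, nodes read)."""
    return right in node.effective, 1

if __name__ == "__main__":
    (r1, l1), (r2, l2) = build_tree(3, 4), build_tree(3, 4)
    print("lookup-time:", grant_lookup_time(r1, "read"), check_lookup_time(l1, "read"))
    print("update-time:", grant_update_time(r2, "read"), check_update_time(l2, "read"))
```

In this model a denied check is the worst case for the lookup-time scheme, because the walk reaches the root before it can answer.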
 


-----Original Message-----
From: Rene Chakraborty [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 7:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Site Login


    Well, I have done some testing between NDS and AD and one thing I find
is for certain.  When you are dealing with a large number of users, NDS
handles rights allocation faster and with fewer problems.


Rene

----- Original Message -----
From: "Salandra, Justin A." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 10:04 AM
Subject: RE: [ActiveDir] Site Login


> Interesting, I have not heard of that, is anyone else here able to
> shed some light on this?
>
>  -----Original Message-----
> From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 16, 2002 9:45 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Site Login
>
> Well an associate of mine who has a similar AD size at his place of
> work told me while AD holds the objects, issues such as rights changes
> become a problem.
>
>
>
> Rene
>
>
> ----- Original Message -----
> From: "Salandra, Justin A." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 16, 2002 9:34 AM
> Subject: RE: [ActiveDir] Site Login
>
>
> > AD can hold millions of objects, there is however a limit to the OU
> > structure you can have, I think the OU Structure can only be 62 levels
> > deep and I believe after 40 levels the GPOs no longer travel down the
> > levels. I heard this from a consultant that taught AD as an MCT.  He
> > showed me the level limit, but I have not seen the GPO limit.
> >
> >  -----Original Message-----
> > From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 16, 2002 9:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Site Login
> >
> > Comments Welcome:
> >
> >
> >     I am considering the idea of merging all my child-domains back into
> > the parent domain but am not sure.  I have 47,568 users in AD, 112
> > servers and 3,200 workstations across 8 sites.  I've heard AD horror
> > stories if you try to have this many objects in 1 AD domain.  Comments?
> >
> >
> >
> > Rene
> >
> >
> > ----- Original Message -----
> > From: "Salandra, Justin A." <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, July 16, 2002 9:16 AM
> > Subject: RE: [ActiveDir] Site Login
> >
> >
> > > I think you do that by setting subnets to sites and making sure that
> > > there is a Global Catalog server in each site.   However, all down-level
> > > clients can only log in to the PDC Emulator, there is no other way for
> > > down-level clients, unless someone has figured out a way.
> > >
> > >  -----Original Message-----
> > > From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 16, 2002 7:37 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Site Login
> > >
> > > Hello Everyone
> > >
> > >     I was at Comdex in Toronto last week and got talking to a Microsoft
> > > Techie about how I want to eliminate the domain requirement when a
> > > student logs into the network.  He said you can do this by making the
> > > desktops sign into the site they are a part of rather than the domain,
> > > any ideas on how to do this?
> > >
> > >
> > >
> > >
> > > Rene
> > >
> > >
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/