The changes are all passed immediately to the PDC FSMO holder (assuming
the mastering DC can reach it) and then the changes replicate out from
both places slowly converging around the domain. If you change on
multiple domain controllers all of those would be passed to the PDC FSMO
and then the last one written (as Gil says an update that is the same
doesn't update) would be passed out from the PDC and the rest of the DCs
would send out the changes that they have going through the standard
conflict resolution actions. Depending on how your topology is laid out
(star versus some form of spanning tree) you could have different
amounts of replication generated based on which DCs got hit and what
their partners are and which DCs would handle the conflict resolution
actions prior to sending out a single change for the several password
attributes. 

I completely agree with the boneheaded comment. No point.
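To see the behaviour described above on your own domain, the following script (an added example, not code from anyone on this thread) asks every DC for the replication metadata of the password-bearing attributes on one account and reports which DC each replica believes originated the last change, the attribute version, and whether the queried DC is the PDC emulator. It assumes the ActiveDirectory PowerShell module (RSAT) and DCs that support Get-ADReplicationAttributeMetadata; the $SamAccountName parameter and the attribute list are the example's own choices.

```powershell
# Added example: snapshot where the last password change for one account originated,
# as seen from each DC. Run it before and after a change made through a multi-DC
# password tool to watch the replicas converge on a single originating DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # e.g. 'jdoe' (hypothetical account)
)

Import-Module ActiveDirectory

# Attributes that carry password material or are stamped by a password change.
$pwdAttrs = 'unicodePwd', 'dBCSPwd', 'ntPwdHistory', 'lmPwdHistory',
            'supplementalCredentials', 'pwdLastSet'

$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator
$user   = Get-ADUser -Identity $SamAccountName
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                                           -Server $dc -Properties $pwdAttrs -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    QueriedDC     = $dc
                    IsPDCE        = ($dc -ieq $pdce)
                    Attribute     = $_.AttributeName
                    Version       = $_.Version
                    OriginatingDC = $_.LastOriginatingChangeDirectoryServerIdentity
                    OriginatedAt  = $_.LastOriginatingChangeTime
                }
            }
    } catch {
        # A DC that is down or unreachable simply drops out of the snapshot.
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

$report | Sort-Object Attribute, QueriedDC | Format-Table -AutoSize

# Once replication has converged, every DC reports the same originating DC and the
# same Version for a given attribute. Differing OriginatingDC values across DCs for
# the same attribute mean the replicas have not converged yet (or that conflict
# resolution is still picking a winner between separate originating writes).
$report | Group-Object Attribute | ForEach-Object {
    $origins = @($_.Group.OriginatingDC | Sort-Object -Unique)
    if ($origins.Count -gt 1) {
        Write-Warning ("{0}: replicas disagree on the originating DC ({1})" -f `
                       $_.Name, ($origins -join ', '))
    }
}
```

Run it a few times after a single self-service change and again after a change pushed to several DCs at once; the difference in how long the replicas take to agree, and how many originating DCs show up in the warnings, is the replication cost the thread is talking about.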


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, July 30, 2003 9:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs


Making the same change on multiple DCs is bone-headed, but I don't think
it will generate much additional replication traffic. Aren't the
password changes forwarded to the PDC FSMO role owner for the domain and
then replicated from there? If that's true, then the redundant changes
coming into the PDCE should be dropped (generally, changing an attribute
to its current value has no effect). So the additional password changes
will each generate a message to the PDCE, but otherwise not much else.

Or am I missing something?

-gil


-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs


That strikes me as a way to cause replication storms in a flash,
depending on how the application is written. Say you have 10 DCs, and
this app changes the password on all 10 DCs. That's at least 81
different replication messages, since each DC will recognize that as a
different change.

Seems to me to be both overkill and unnecessary.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 3:23 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Simultaneous password change on multiple DCs
> 
> 
> We're looking at a product to manage passwords - it enforces common 
> password policy and keeps passwords in sync across multiple platforms 
> (mainframe, AD, NDS, Unix, etc.), as well as provides self-service 
> password change/reset via a browser interface.
> 
> One of its features on AD is that it's nominally site-aware - it can 
> determine a browser's location based on IP address and change the AD 
> password on a DC in that site.  So far, so good.  Now the tricky part 
> - it can also be configured to ALWAYS change the password on one or 
> more DCs that you specify on the config, in addition to the one it 
> selects.
> The idea is to specify DCs near resources at headquarters 
> that people access from branch offices.  This is supposed to 
> ensure that people can access the resources immediately 
> rather than waiting for the new password to replicate.
> 
> Net result is that the same password change is applied directly at 
> multiple DCs in different sites at the same time.  My question is, 
> what is the impact on the DCs and replication traffic?  What are the 
> caveats of such a scenario?
> 
> One other thing - the helpdesk can use the web interface to assist 
> callers who choose not to use self-service.  In that case, the 
> helpdesk can see a list of all DCs and select the
> one(s) they wish to send the change to.  This can be
> disabled, but is the default if you enable 'site-awareness'.  
> This bothers me a bit, since there's nothing to prevent a 
> helpdesk person from selecting 'em all.  Your thoughts?
> 
> Dave 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 