I like your explanation...please allow me to comment on a snippet just to be sure we're on the same page:
<DEJI> IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. </DEJI> The DCs that are NOT GCs still can reference the object since it's replicated in after the phantom is created, however if your GC is on the IM ***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the objects when they are renamed since there aren't any phantoms to update on the GC. And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can and will create the phantom when necessary (or will it be the IM or PDC which actually 'creates' the phantom??) but it's the IMs job to update them...I think from the IM's perspective that it really doesn't care how they are created, its job is to just keep them accurate. That part I'm not 100% clear on so I hope someone straightens it out for me / us. Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of these things if possible? Thanks! Rob -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 2:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is how I present it (to non- or semi-technical CxOs): In a multi-Domain environment: Each domain needs to know something about objects in the other domain. A GC in one domain knows something about objects in other domains in a multi-domain environment. An IM provides references to objects in OTHER domains by creating phantoms of those objects. These phantoms are used by other DCs in the IM's domain (who are not GCs) when they need to reference those objects that exist in the OTHER domain. These phantoms are NOT used by GCs because they already have a way to reference these objects. Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already knows about those objects that exist in the OTHER domain. IF the IM does not create phantoms, then the DCs that are not GCs do not have a way to reference those objects that exist in the OTHER Domain. These DCs who are not GCs rely on the IM to provide this facility, but since the IM has stopped creating phantoms because it is also acting as a GC, then the facility does not exist for the non-GC DCs to use. Now, IF all DCs in that domain are GCs, they will have knowledge of the objects in the OTHER domain and will know how to reference them WITHOUT relying on the existence of phantoms. In other word, they don't need the IM. In a single domain environment: There is no reason to be aware of ANY external object, because there is only one domain. Knowledge of the objects in this domain is shared equally by all the DCs in this domain. Nobody needs an IM. So, it does not matter where the IM resides because nobody uses it since there is no EXTERNAL object to reference. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Tue 8/16/2005 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DC's in a multi-domain forest are GC's then it doesn't matter where the IM goes since there aren't any phantoms created and thus there aren't any phantoms to keep track of. Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DC's (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database. Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom thus the problem where my references to your objects gets all outta whack. If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!). If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally. Please chime in if there is something to add / correct..imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now... Have a good one guys! Rob -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time. :m:dsm:cci:mvp -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, August 16, 2005 12:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Deji, Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, "SEE, SEE, This is what I'm always talking about! Rocky ____________________________________ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 16, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy Sent: Tue 8/16/2005 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Rob, My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, but it still has 2 domains. <quote> We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 </quote> Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ? Guy -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, August 16, 2005 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus, can be sent anywhere or left alone as a paper weight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on. Just my $0.02 Have a great day! Rob -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology You are correct. However if you have two DC's it doesn't hurt to offload the infrastructure master role to the DC that dose not have the other 4 roles, even if it's in a single domain forest. Jose :-) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy Sent: Tuesday, August 16, 2005 8:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology Am I missing something or having Infrastructure Master running on GC is an issue in multi-domain forest ? Guy -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, August 15, 2005 9:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Question on Replication Topology Dear List Members (Whom I have a hard time figuring out how you all have so much time to help us "not quite up to speed, but severely overtasked Administrators"); After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication "in question". Repadmin /Showreps does not show any errors however, it shows inconsistent Replication partners. Here is my question; We have: Forest Root Domain (Empty) DC1 (Holds all 5 roles) (the DC offline for 26 hours) DC2 One Domain in the Forest DC4 DC5 (Holds all 5 Roles) DC6 Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a DNS server. I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level but now when I go to AD Domains and Trusts and click the Forest Root Domain and right click Properties I get: Domain Functional Level = Windows 2000 mixed Forest Functional Level = Windows 2000 When I go to AD Domains and Trusts and click the Domain and right click Properties I get: Domain Functional Level = Windows Server 2003 Forest Functional Level = Windows 2000 I must have miscalculated, but that's not my question. In my AD Sites and Services, I have connection objects that have automatically been generated for each DC but they are inconsistent. ie: DC1 goes to DC2 and DC6 DC2 goes to DC1 and DC5 DC4 goes to DC5 and DC6 DC5 goes to DC4 and DC6 DC6 goes to DC1 and DC4 and DC5 The question is, "Shouldn't they all have automatically generated connection objects to everybody else and if they don't, is it just a matter of me adding the manual new connection object?" Or am I seeing a properly configured Sites and Services. If not, is part of my problem that I have not got the Forest Root at FFL? Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!) ______________________________ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company 136 Center Street Old Town, Maine 04468 207.827.4456 [EMAIL PROTECTED] www.jws.com ______________________________ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
