RE: [ActiveDir] User Accounts
After this thread (I believe Dean asked what the error was at one point, but I can't find that tip of the thread right now), I decided to go ahead and test this.

http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx

I'll blog some more on other things we found along the way over the next few days.

~Eric

-Original Message-
From: Eric Fleischman
Sent: Wednesday, April 19, 2006 7:39 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] User Accounts

| DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (because the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing DNTs... this is more starting over. :)

For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

| * DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

| * DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (because the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|  - they _are_ a component of the layer that bridges the two (dblayer)
|  - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|  -Original Message-
|  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|  Sent: Tuesday, April 18, 2006 5:11 PM
|  To: ActiveDir@mail.activedir.org
|  Cc: Send - AD mailing list
|  Subject: RE: [ActiveDir] User Accounts
|
|  Dean, I didn't understand this comment ...
|    But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT? Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
|  Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
|  A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
|  ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE
RE: [ActiveDir] User Accounts
Great info ~Eric!

The link to the start of the thread is: http://www.activedir.org/ml/msg08620.aspx

We've just moved the archive onto the ActiveDir.org web site and we're having one or two teething problems with the search feature. :-)

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, 9 June 2006 10:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
You could build the archive on ADAM, and enable the indexes to allow for efficient medial substring indexes. :)

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 08, 2006 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
It looks corrupted in IE7B2 on k3dp1.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, June 08, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
Nice - poking with the finger works - give it to me babe ;-)

I wasn't aware that ADSI is 100% LDAP, I thought it's just 9x% + some special stuff (AFAIK setting pwds directly with LDAP doesn't work), so I thought there's some stuff which supports it server side.

Seems like you guys have a pretty good definition of the layers, would be great if you get the time to create a diagram or just dump thoughts to us and we'll handle Visio. Having a diagram of the layers (even if not 100% correct) would make some things easier to explain. E.g. the replication - it's pretty hard for many to understand that it's not handled in the DB - they just think AD and don't get that the DB is different on each server.

Resetting DNTs: OK - if DNT is an auto-incrementing primary key (compared with SQL) there's a third option: reading the backup DB and writing it into the real one, while keeping a DNT-translation table during the process. However, this would slow down dcpromo /IFM (OK - not correct - you know what I mean) and really doesn't make any sense since it would be way easier to have larger values. And there would be other options in the future, but mentioning those would make me look like an alcoholic (and it's actually way too early here to handle thinking like that).

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, May 15, 2006 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Hmmm, you've actually combined too many layers in my opinion ... ADSI is client side, and based entirely on LDAP, and there is an LDAP marshalling component both on the client and LDAP server. Having an arch diagram where you don't clearly differentiate where the network interface is seems confusing.

The replication logic is actually split fairly evenly between the Directory and DBLAYER. USNs are in the dblayer for instance, while things like instanceType are handled in the Directory layer.

With the current ESE level schema defined for the ntds.dit by AD you could not reuse DNTs, even after IFM. This is because AD creates the DNT column with the JET_bitColumnAutoincrement, so the auto-increment-ness is done in the ESE layer. I don't believe (though not 93% sure on this) that ESE provides a way to explicitly set an auto-increment column, so you're stuck losing those DNT values. You would either have to add the ability to reuse orphaned auto-inc's in ESE, or make AD define the column as a regular integer, and manage the auto-inc'ness and reuse itself. Neither of those options is probably as good as making AD just have 64-bit DNTs.

I'll try to write up a more explicit arch diagram, that is a little more accurate, if it doesn't take me too long ...

Cheers,
BrettSh [msft]

On Sun, 14 May 2006, Ulf B. Simon-Weidner wrote:

Agreed - very good thread. Let's extend the model a bit:

    ----------------------
    | ...                |
    | LDAP/NETLOGON/ADSI |- Services using the Dir / providing interfaces
    | ...                |
    ----------------------
    |                    |  The Directory provider itself
    | Directory          |- Replication works in here, so everything below is local to the DC
    |                    |  Version numbers, USN, .. are managed here
    ----------------------
    |                    |
    | DBLAYER            |- Glue part between Directory and DB
    |                    |  (P)DNTs, Links, SIS-SDs, .. are managed here
    ----------------------
    |                    |
    | DB                 |- Just the ESE with its features, such as defrag
    |                    |
    ----------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there would be a possibility to reset DNTs programmatically after IFM, however this would need additional code and time after reading the DB and rebooting the DC for the first time.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 10:36 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] User Accounts

This is a good thread, I should have kept up with it. :)

I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

    -----------
    |         |
    |   AD    |
    |         |
    -----------
    |         |
    | DBLAYER
RE: [ActiveDir] User Accounts
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 10:36 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] User Accounts

This is a good thread, I should have kept up with it. :)

I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

    -----------
    |         |
    |   AD    |
    |         |
    -----------
    |         |
    | DBLAYER |
    |         |
    -----------
    |         |
    |   DB    |
    |         |
    -----------

Depending on who you are you may look at all three boxes as AD and truly for most everyone that is the case. However when speaking at the internal component level these are three main areas; it could be broken up into even more, like for instance SAM, Kerb, Replication, LDAP, etc. But I think where some confusion may have come in is when saying "AD dblayer". To many that would read as the DB. But I am reading it as the layer that interfaces with, or more properly abstracts, the lower DB portions from the high level AD stuff. That way you could jack up AD and slide another DB under it, say something good like Oracle or MySQL or notepad or something, eg and make most adjustments at the dblayer, sort of like a HAL. So we could call the dblayer something more like DBAL. I expect the abstraction isn't that fully fleshed out and there are still dependencies based on the underlying DB tech but I expect that could be worked through rather speedily, those AD Dev guys are a generally smart bunch.

Microsoft could look into a reuse system for older DNTs but it would be more logical, IMO, to just expand the bit size of the variable. Since again, these DNTs are local it wouldn't be an issue except in the case of IFM promos; you would now be in a situation where you could IFM from a machine with a 32 bit DNT to one with 32 bit DNTs or 64 Bit DNTs but if you have a backup from a 64 bit machine you could only IFM with another 64
RE: [ActiveDir] User Accounts
I can confirm what Brett says on ADSI, and for that matter .NET. Anything those toolsets are doing is through the standard client interfaces exposed by AD/Windows through the LDAP, DS[1] and NET[2] APIs. The NET and DS calls all come through the RPC interface. Most of .NET thunks[3] down into ADSI which then thunks down to LDAP or NET.

For anyone interested, there is a new Dr. Dobbs out now with an article on DB replication in general and it talks about some open source DB and implementing replication there. It isn't the greatest written article but it does talk about several of the issues involved with keeping databases synced. I think the author spent almost a whole page of I don't know how many paragraphs explaining the need for a unique identifier for every object that flows between replicated instances which just kept shouting GUID GUID GUID to me. Maybe some folks would prefer to understand why the GUID is handy for this and that helps there as it states many of the problems and why you need that info. I disagreed with the described implementation and several of the ergo's stated but software development is a lot of opinions. :)

joe

[1] The DS API is stuff that admins tend to see through NLTEST or the brilliantly written repadmin. ;o) See the publicly published parts of that API here -- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/active_directory_functions.asp

[2] Not to be mistaken with DOT NET APIs. These are calls that have been around a long time in the NT world. Such as NetUserGetInfo and others at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/network_management_functions.asp

[3] This doesn't imply any datasize changes, i.e. 16 to 32 bit or what not, but instead the generic thunk, that is, you are mapping from one convention to another. .NET and ADSI are supposed to make things look consistent and they do that by trying to adopt one convention and handling under the covers for you any other conventions that are needed to accomplish your goal on the different systems.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, May 15, 2006 3:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I started, it will take a long time to do a proper diagram that doesn't take too many liberties w/ the actual implementation ... But I found something that is approximately accurate (but with too many liberties IMO):

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/03wsdsu.mspx

Skip down to see diagram 3.3 (Security sub-system's interaction), and especially 3.4 (Directory Service proper) ... they're ok, but I wouldn't read / trust the text too closely. One thing that is not made very clear in fig 3.4 is that everything except ESE and (most of) SAM is in ntdsa.dll. Also parts of LDAP and MAPI may use helper libraries to expose their network heads (such as an ASN.1 [de|en]coding library + TCP / sockets stuff, and RPC respectively).

I honestly don't know too much about ADSI, but if there is something ADSI can do that actually can't be done through LDAP, then I would suspect it is cheating and skipping around and using the SAM RPC head (what the net apis eventually trickle down to).

The first diagram here is even further refined on the replication side (though has taken some liberties, though a scant less):
http://technet2.microsoft.com/WindowsServer/en/Library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true

When you say the DB is different on each server ... what I think you're trying to describe is that AD replication is what I would call object logical.

- object logical - meaning that two objects can be shown to be logically equivalent on separate servers, even if the actual datatable data, link_table data, etc are different. Though I might say it isn't pure, as some data on the objects may be different, when not replicated, such as USNs, instanceTypes, etc. If it was truly object logical, you wouldn't be able to view anything non-replicated/different from the object interface (LDAP).

- Another option would be database logical, meaning the ESE DBs could be described as logically equivalent (i.e. the same object's row would have the same DNTs, etc) ... I think SQL offers something like this with at least one form of SQL replication (SQL Merge Replication is springing to mind?)? Also an offline defragged ESE database would be database logically the same as the original DB.

- One last common option is physical replication, where the databases are equivalent data at the same byte offsets into the databases. Often done with transaction log shipping (although not the only option), which SQL supports, and Exch/ESE will support with E12 (well it's mostly physically equivalent).

Very
RE: [ActiveDir] User Accounts
there's a third option: reading the backup db and writing it into the real, while keeping a dnt-translation table during the process.

If there were work on monkeying with DNTs I would just rather see the work put into expanding the DNT bit space than trying to hunt down and scan the DB for use of DNTs. There could be all sorts of assumptions hidden in the code that could be real fun to find in this way. The 32-64 bit issues could be a little easier to work out, IMO, as techniques are already being used and worked out to help with this kind of issue for programmers trying to find 32/64 bit issues in code (primarily pointers) when moving from 32/64 bit machines.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, May 15, 2006 2:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Nice - poking with the finger works - give it to me babe ;-)

I wasn't aware that ADSI is 100% LDAP, I thought it's just 9x% + some special stuff (AFAIK setting pwds directly with LDAP doesn't work), so I thought there's some stuff which supports it server side.

Seems like you guys have a pretty good definition of the layers, would be great if you get the time to create a diagram or just dump thoughts to us and we'll handle Visio. Having a diagram of the layers (even if not 100% correct) would make some things easier to explain. E.g. the replication - it's pretty hard for many to understand that it's not handled in the DB - they just think AD and don't get that the DB is different on each server.

Resetting DNTs: OK - if DNT is an auto-incrementing primary key (compared with SQL) there's a third option: reading the backup db and writing it into the real, while keeping a dnt-translation table during the process. However this would slow down dcpromo /IFM (OK - not correct - you know what I mean) and really doesn't make any sense since it would be way easier to have larger values. And there would be other options in the future, but mentioning those would make me look like an alcoholic (and it's actually way too early here to handle thinking like that).

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, May 15, 2006 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Hmmm, you've actually combined too many layers in my opinion ... ADSI is client side, and based entirely on LDAP, and there is an LDAP marshalling component both on the client and LDAP server. Having an arch diagram where you don't clearly differentiate where the network interfaces are seems confusing.

The replication logic is actually split fairly evenly between the Directory and DBLAYER. USNs are in the dblayer for instance, while things like instanceType are handled in the Directory layer.

With the current ESE level schema defined for the ntds.dit by AD you could not reuse DNTs, even after IFM. This is because AD creates the DNT column with JET_bitColumnAutoincrement, so the auto-increment-ness is done in the ESE layer. I don't believe (though not 93% sure on this) that ESE provides a way to explicitly set an auto-increment column, so you're stuck losing those DNT values. You would either have to add the ability to reuse orphaned auto-inc's in ESE, or make AD define the column as a regular integer, and manage the auto-inc'ness and reuse itself. Neither of those options is probably as good as making AD just have 64-bit DNTs.

I'll try to write up a more explicit arch diagram, that is a little more accurate, if it doesn't take me too long ...

Cheers,
BrettSh [msft]

On Sun, 14 May 2006, Ulf B. Simon-Weidner wrote:

Agreed - very good thread.

Let's extend the model a bit:

    -------------------------
    |          ...          |
    |  LDAP/NETLOGON/ADSI   |- Services using the Dir/providing interfaces
    |          ...          |
    -------------------------
    |                       |  The Directory provider itself
    |       Directory       |- Replication works in here, so everything below is local to the DC
    |                       |  Version numbers, USN,.. are managed here
    -------------------------
    |                       |
    |        DBLAYER        |- Gluepart between Directory and DB
    |                       |  (P)DNTs, Links, SIS-SDs,.. are managed here
    -------------------------
    |                       |
    |          DB           |- Just the ESE with its features, such as defrag
    |                       |
    -------------------------

I also believe that the not reused DNTs on IFM is by design, IMHO
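As an added illustration (constructed here, not code from Microsoft or from any poster in this thread), a small Python model of the dblayer behaviour the messages above describe: a per-server auto-increment DNT that is never reused, DNs rebuilt by walking PDNT ancestry, and the difference between IFM and over-the-wire promotion. The names DbLayer, Row, ifm_promote, wire_promote and demo, and the GUID-to-DNT translation table, are assumptions of this model, not AD internals.

```python
"""Toy model of the AD dblayer discussed in this thread (constructed here, not
Microsoft's code): a per-server auto-increment DNT, a PDNT column, a replicated
objectGUID, and the two promotion paths (IFM vs. over the wire)."""
from dataclasses import dataclass
from typing import Dict, Optional
import uuid


@dataclass
class Row:
    dnt: int             # local auto-increment key (assumption: never reused)
    pdnt: int            # parent's DNT; 0 marks the NC head
    rdn: str             # relative distinguished name, e.g. "CN=alice"
    guid: str            # replicated identity, identical on every DC
    deleted: bool = False


class DbLayer:
    """The glue layer: it, not ESE, knows what a DNT means."""
    DNT_LIMIT = 2 ** 31  # the ~2.1 billion row ceiling quoted in the thread

    def __init__(self) -> None:
        self.rows: Dict[int, Row] = {}
        self._next_dnt = 1  # stands in for JET_bitColumnAutoincrement

    def _alloc(self) -> int:
        if self._next_dnt >= self.DNT_LIMIT:
            raise OverflowError("DNT space exhausted on this DC")
        dnt, self._next_dnt = self._next_dnt, self._next_dnt + 1
        return dnt

    def add(self, rdn: str, pdnt: int = 0, guid: Optional[str] = None) -> int:
        # A parent DNT only means something on this server, and must be live.
        if pdnt and (pdnt not in self.rows or self.rows[pdnt].deleted):
            raise KeyError("parent DNT %d is unknown on this DC" % pdnt)
        dnt = self._alloc()
        self.rows[dnt] = Row(dnt, pdnt, rdn, guid or str(uuid.uuid4()))
        return dnt

    def delete(self, dnt: int) -> None:
        # Tombstone the row; the DNT stays consumed and never comes back.
        self.rows[dnt].deleted = True

    def dn(self, dnt: int) -> str:
        # Rebuild the DN by walking PDNT ancestry back to the NC head.
        parts = []
        while dnt:
            row = self.rows[dnt]
            parts.append(row.rdn)
            dnt = row.pdnt
        return ",".join(parts)

    def dnt_by_guid(self, guid: str) -> int:
        return next(d for d, r in self.rows.items() if r.guid == guid)


def ifm_promote(backup: DbLayer) -> DbLayer:
    """IFM: the old database is reused, so DNT numbering carries straight on."""
    new = DbLayer()
    new.rows = {d: Row(**vars(r)) for d, r in backup.rows.items()}
    new._next_dnt = backup._next_dnt
    return new


def wire_promote(source: DbLayer) -> DbLayer:
    """Over-the-wire promotion: live objects replicate into a virgin ESE and
    DNTs are assigned from the beginning, parents before children; guid_to_dnt
    is the sort of translation table Ulf's third option would need."""
    new = DbLayer()
    guid_to_dnt: Dict[str, int] = {}
    pending = [r for r in source.rows.values() if not r.deleted]
    while pending:
        remaining = []
        for r in pending:
            parent_guid = source.rows[r.pdnt].guid if r.pdnt else None
            if parent_guid is None:
                guid_to_dnt[r.guid] = new.add(r.rdn, 0, r.guid)
            elif parent_guid in guid_to_dnt:
                guid_to_dnt[r.guid] = new.add(r.rdn, guid_to_dnt[parent_guid], r.guid)
            else:
                remaining.append(r)
        if len(remaining) == len(pending):
            raise ValueError("rows whose parent never replicated")
        pending = remaining
    return new


def demo() -> Dict[str, object]:
    # Constructed scenario: create, delete, re-create, then promote two ways.
    dc1 = DbLayer()
    nc = dc1.add("DC=example,DC=test")
    users = dc1.add("CN=Users", nc)
    alice = dc1.add("CN=alice", users)
    dc1.delete(alice)                 # DNT 3 is now a tombstone
    bob = dc1.add("CN=bob", users)    # gets DNT 4, never 3 again
    dc2 = wire_promote(dc1)           # virgin ESE: bob lands on DNT 3
    dc3 = ifm_promote(dc1)            # reused DB: next new row gets DNT 5
    bob_guid = dc1.rows[bob].guid
    return {"bob_dnt_dc1": bob, "bob_dnt_dc2": dc2.dnt_by_guid(bob_guid),
            "bob_dn_dc1": dc1.dn(bob), "bob_dn_dc2": dc2.dn(dc2.dnt_by_guid(bob_guid)),
            "next_dnt_after_ifm": dc3.add("CN=carol", users),
            "next_dnt_after_wire": dc2.add("CN=carol", dc2.dnt_by_guid(dc1.rows[users].guid))}
```

The same object is DNT 4 on one DC and DNT 3 on the other while its DN is identical on both, which is what Brett calls object logical rather than database logical equivalence.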
RE: [ActiveDir] User Accounts
Agreed - very good thread.

Let's extend the model a bit:

    -------------------------
    |          ...          |
    |  LDAP/NETLOGON/ADSI   |- Services using the Dir/providing interfaces
    |          ...          |
    -------------------------
    |                       |  The Directory provider itself
    |       Directory       |- Replication works in here, so everything below is local to the DC
    |                       |  Version numbers, USN,.. are managed here
    -------------------------
    |                       |
    |        DBLAYER        |- Gluepart between Directory and DB
    |                       |  (P)DNTs, Links, SIS-SDs,.. are managed here
    -------------------------
    |                       |
    |          DB           |- Just the ESE with its features, such as defrag
    |                       |
    -------------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there would be a possibility to reset DNTs programmatically after IFM, however this would need additional code and time after reading the DB and rebooting the DC for the first time.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 10:36 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] User Accounts

This is a good thread, I should have kept up with it. :)

I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

    -------------
    |           |
    |    AD     |
    |           |
    -------------
    |           |
    |  DBLAYER  |
    |           |
    -------------
    |           |
    |    DB     |
    |           |
    -------------

Depending on who you are you may look at all three boxes as AD and truly for most everyone that is the case. However when speaking at the internal component level these are three main areas, it could be broken up into even more like for instance SAM, Kerb, Replication, LDAP, etc. But I think where some confusion may have come in when saying AD dblayer. To many that would read as the DB. But I am reading it as the layer that interfaces or more properly abstracts the lower DB portions from the high level AD stuff. That way you could jack up AD and slide another DB under it say something good like Oracle or MySQL or notepad or something eg and make most adjustments at the dblayer, sort of like a HAL. So we could call the dblayer something more like DBAL. I expect the abstraction isn't that fully fleshed out and there are still dependencies based on the underlying DB tech but I expect that could be worked through rather speedily, those AD Dev guys are a generally smart bunch.

Microsoft could look into a reuse system for older DNTs but it would be more logical, IMO, to just expand the bit size of the variable. Since again, these DNTs are local it wouldn't be an issue except in the case of IFM promos, you would now be in a situation where you could IFM from a machine with a 32 bit DNT to one with 32 bit DNTs or 64 Bit DNTs but if you have a backup from a 64 bit machine you could only IFM with another 64 bit machine (even that could be made to work if you could guarantee that the high half of the variable wasn't being used but you would be silly to even start going in that direction).

Anyway... Chase down the guy who stole the bit and get it back and we double the DNTs, fire someone and get another bit and double again (and you thought bits were just small little things...). Get it over with and go to 64 bits or really have fun and use 128. Of course this has implications on performance on 32 bit machines but those should be dropping off now that we are saying people need to load 64 bit OSes anyway - who is going to want to run 32 bit DCs with 64 bit Exchange pounding on them[1]? MS did it for Exchange, why not force the issue with AD as well in LH? Exchange 12 is due out before LH isn't it? Everyone should be used to being slapped and told they have to say they like it by then. :)

joe

[1] Being facetious here, though I don't really expect MS Exch Dev to change how they recommend DC hardware for Exchange.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 10:46 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, April 19, 2006 2:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User
RE: [ActiveDir] User Accounts
Hmmm, you've actually combined too many layers in my opinion ... ADSI is client side, and based entirely on LDAP, and there is an LDAP marshalling component both on the client and LDAP server. Having an arch diagram where you don't clearly differentiate where the network interfaces are seems confusing.

The replication logic is actually split fairly evenly between the Directory and DBLAYER. USNs are in the dblayer for instance, while things like instanceType are handled in the Directory layer.

With the current ESE level schema defined for the ntds.dit by AD you could not reuse DNTs, even after IFM. This is because AD creates the DNT column with JET_bitColumnAutoincrement, so the auto-increment-ness is done in the ESE layer. I don't believe (though not 93% sure on this) that ESE provides a way to explicitly set an auto-increment column, so you're stuck losing those DNT values. You would either have to add the ability to reuse orphaned auto-inc's in ESE, or make AD define the column as a regular integer, and manage the auto-inc'ness and reuse itself. Neither of those options is probably as good as making AD just have 64-bit DNTs.

I'll try to write up a more explicit arch diagram, that is a little more accurate, if it doesn't take me too long ...

Cheers,
BrettSh [msft]

On Sun, 14 May 2006, Ulf B. Simon-Weidner wrote:

Agreed - very good thread.

Let's extend the model a bit:

    -------------------------
    |          ...          |
    |  LDAP/NETLOGON/ADSI   |- Services using the Dir/providing interfaces
    |          ...          |
    -------------------------
    |                       |  The Directory provider itself
    |       Directory       |- Replication works in here, so everything below is local to the DC
    |                       |  Version numbers, USN,.. are managed here
    -------------------------
    |                       |
    |        DBLAYER        |- Gluepart between Directory and DB
    |                       |  (P)DNTs, Links, SIS-SDs,.. are managed here
    -------------------------
    |                       |
    |          DB           |- Just the ESE with its features, such as defrag
    |                       |
    -------------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there would be a possibility to reset DNTs programmatically after IFM, however this would need additional code and time after reading the DB and rebooting the DC for the first time.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 10:36 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] User Accounts

This is a good thread, I should have kept up with it. :)

I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

    -------------
    |           |
    |    AD     |
    |           |
    -------------
    |           |
    |  DBLAYER  |
    |           |
    -------------
    |           |
    |    DB     |
    |           |
    -------------

Depending on who you are you may look at all three boxes as AD and truly for most everyone that is the case. However when speaking at the internal component level these are three main areas, it could be broken up into even more like for instance SAM, Kerb, Replication, LDAP, etc. But I think where some confusion may have come in when saying AD dblayer. To many that would read as the DB. But I am reading it as the layer that interfaces or more properly abstracts the lower DB portions from the high level AD stuff. That way you could jack up AD and slide another DB under it say something good like Oracle or MySQL or notepad or something eg and make most adjustments at the dblayer, sort of like a HAL. So we could call the dblayer something more like DBAL. I expect the abstraction isn't that fully fleshed out and there are still dependencies based on the underlying DB tech but I expect that could be worked through rather speedily, those AD Dev guys are a generally smart bunch.

Microsoft could look into a reuse system for older DNTs but it would be more logical, IMO, to just expand the bit size of the variable. Since again, these DNTs are local it wouldn't be an issue except in the case of IFM promos, you would now be in a situation where you could IFM from a machine with a 32 bit DNT to one with 32 bit DNTs or 64 Bit DNTs but if you have a backup from a 64 bit machine you could only IFM with another 64 bit machine (even that could be made to work if you could guarantee that the high half of the variable wasn't being used but you would be silly to even start going in that direction).

Anyway... Chase down the guy
RE: [ActiveDir] User Accounts
This is a good thread, I should have kept up with it. :)

I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

    -------------
    |           |
    |    AD     |
    |           |
    -------------
    |           |
    |  DBLAYER  |
    |           |
    -------------
    |           |
    |    DB     |
    |           |
    -------------

Depending on who you are you may look at all three boxes as AD and truly for most everyone that is the case. However when speaking at the internal component level these are three main areas, it could be broken up into even more like for instance SAM, Kerb, Replication, LDAP, etc. But I think where some confusion may have come in when saying AD dblayer. To many that would read as the DB. But I am reading it as the layer that interfaces or more properly abstracts the lower DB portions from the high level AD stuff. That way you could jack up AD and slide another DB under it say something good like Oracle or MySQL or notepad or something eg and make most adjustments at the dblayer, sort of like a HAL. So we could call the dblayer something more like DBAL. I expect the abstraction isn't that fully fleshed out and there are still dependencies based on the underlying DB tech but I expect that could be worked through rather speedily, those AD Dev guys are a generally smart bunch.

Microsoft could look into a reuse system for older DNTs but it would be more logical, IMO, to just expand the bit size of the variable. Since again, these DNTs are local it wouldn't be an issue except in the case of IFM promos, you would now be in a situation where you could IFM from a machine with a 32 bit DNT to one with 32 bit DNTs or 64 Bit DNTs but if you have a backup from a 64 bit machine you could only IFM with another 64 bit machine (even that could be made to work if you could guarantee that the high half of the variable wasn't being used but you would be silly to even start going in that direction).

Anyway... Chase down the guy who stole the bit and get it back and we double the DNTs, fire someone and get another bit and double again (and you thought bits were just small little things...). Get it over with and go to 64 bits or really have fun and use 128. Of course this has implications on performance on 32 bit machines but those should be dropping off now that we are saying people need to load 64 bit OSes anyway - who is going to want to run 32 bit DCs with 64 bit Exchange pounding on them[1]? MS did it for Exchange, why not force the issue with AD as well in LH? Exchange 12 is due out before LH isn't it? Everyone should be used to being slapped and told they have to say they like it by then. :)

joe

[1] Being facetious here, though I don't really expect MS Exch Dev to change how they recommend DC hardware for Exchange.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 10:46 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, April 19, 2006 2:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

Heh, depends since the dblayer _is_ the component that implements them, not ESE.

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

The DN of an AD object is the result of its DNT (or P[parent]DNT) ancestry, right the way back to a number of structural entries (I believe they're typically referred to as structural phantoms but don't quote me on that) that define the labels comprising the NC head.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server

Since DNTs are not a natural component of ESE, the answer is implementation specific.

, and the database will only reuse them if you recreate the DB by repromoting (cause the data
RE: [ActiveDir] User Accounts
* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|  - they _are_ a component of the layer that bridges the two (dblayer)
|  - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
|
|
| Dean, I didn't understand this comment ...
| But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
| Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
|
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.
|
|Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge pertaining to link-pairs influences my opinion on where DNTs lie; directory or database.
|
|
|
|List info : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User Accounts
yep, thanks Dean - quite useful, as was the whole thread. It's always interesting to see how much discussion a simple question can cause :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, 19 April 2006 01:18
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -

* DNTs (to me) are _not_ a component of the directory
  - they _are_ a component of the layer that bridges the two (dblayer)
  - to Brett, I believe he sees them within the sum of what is the directory
* DNTs (to both Brett and I) are not part of ESE
* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
* DNTs are not reusable

I hope the summary and conversational text inline proves useful.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Dean, I didn't understand this comment ...
But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p

Are you claiming that ESE knows what a DNT is?

Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)

A DNT is an entirely AD concept, ESE has no idea what a DNT is.

Nod.

ESE also has no concept of linked-values, or the link_table.

Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.

This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.

Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge pertaining to link-pairs influences my opinion on where DNTs lie; directory or database.
RE: [ActiveDir] User Accounts
DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing DNTs...this is more starting over. :)

For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|  - they _are_ a component of the layer that bridges the two (dblayer)
|  - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
|
|
| Dean, I didn't understand this comment ...
| But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
| Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
|
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.
|
|Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge
RE: [ActiveDir] User Accounts
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, April 19, 2006 2:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

> * DNTs (to me) are _not_ a component of the directory
>
> IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE.
> Right?

Heh, depends since the dblayer _is_ the component that implements them, not ESE.

> * DNTs are not reusable
>
> Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment; AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

The DN of an AD object is the result of its DNT (or P[parent]DNT) ancestry, right the way back to a number of structural entries (I believe they're typically referred to as structural phantoms but don't quote me on that) that define the labels comprising the NC head.

> If I understand correctly:
> DNTs are reusable in ESE, however ADs implementation does not allow DNTs to be released / reused on a single server

Since DNTs are not a natural component of ESE, the answer is implementation specific.

> , and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

The re-promotion aspect is of course true, assuming non-IFM.

> Right?
>
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
>  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>  Weblog: http://msmvps.org/UlfBSimonWeidner
>  Website: http://www.windowsserverfaq.org
>  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>
> |-----Original Message-----
> |From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> |Sent: Wednesday, April 19, 2006 1:18 AM
> |To: Send - AD mailing list
> |Subject: RE: [ActiveDir] User Accounts
> |
> |Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
> |
> |* DNTs (to me) are _not_ a component of the directory
> |  - they _are_ a component of the layer that bridges the two (dblayer)
> |  - to Brett, I believe he sees them within the sum of what is the directory
> |* DNTs (to both Brett and I) are not part of ESE
> |* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
> |* DNTs are not reusable
> |
> |I hope the summary and conversational text inline proves useful.
> |
> |--
> |Dean Wells
> |MSEtechnology
> |* Email: [EMAIL PROTECTED]
> |http://msetechnology.com
> |
> |> -----Original Message-----
> |> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> |> Sent: Tuesday, April 18, 2006 5:11 PM
> |> To: ActiveDir@mail.activedir.org
> |> Cc: Send - AD mailing list
> |> Subject: RE: [ActiveDir] User Accounts
> |>
> |> Dean, I didn't understand this comment ...
> |>> But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
> |>> Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
> |>
> |> Are you claiming that ESE knows what a DNT is?
> |
> |Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
> |
> |> A DNT is an entirely AD concept, ESE has no idea what a DNT is.
> |
> |Nod.
> |
> |> ESE also has no concept of linked-values, or the link_table.
> |
> |Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.
> |
> |> This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.
> |
> |Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot
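Dean's point that a DN is rebuilt from DNT/PDNT ancestry while the DNT itself is meaningful only on one DC, and Ulf's point that deleted DNTs are never handed back, can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the thread and not Active Directory's dblayer. The class and function names (LocalDit, Row, build_replica, compare_replicas, churn, exhausts_at_limit), the sample DNs and the rule that DNTs come from a counter that only moves forward are constructed assumptions; the thread only states that DNTs are a signed 32-bit local key that is not reused.

```python
"""Toy model of DNT / PDNT bookkeeping on a single DC (constructed example).

Models only what the thread states: each row gets a DNT (a signed 32-bit key
assigned locally and never handed back), each row records its parent's DNT
(PDNT), and an object's DN is rebuilt by walking PDNTs back to the row that
holds the NC head's label.  Monotonic assignment is a modelling assumption.
"""
from dataclasses import dataclass
from typing import Optional

MAX_DNT = 2**31 - 1  # positive range of a signed 32-bit DNT (~2.1 billion)


@dataclass
class Row:
    dnt: int
    pdnt: Optional[int]  # None marks the NC head row in this toy model
    rdn: str             # e.g. "CN=alice" or "DC=example"
    deleted: bool = False


class LocalDit:
    """One DC's datatable.  DNT values mean nothing outside this instance."""

    def __init__(self, first_dnt: int = 1):
        self.rows: dict = {}
        self.by_dn: dict = {}  # live objects only, keyed by reconstructed DN
        self.first_dnt = first_dnt
        self.next_dnt = first_dnt

    def _alloc(self) -> int:
        # No free-list: a DNT is consumed once and never reissued on this DC.
        if self.next_dnt > MAX_DNT:
            raise OverflowError("DNT space exhausted on this DC")
        dnt, self.next_dnt = self.next_dnt, self.next_dnt + 1
        return dnt

    def add(self, rdn: str, parent_dn: Optional[str]) -> int:
        pdnt = None if parent_dn is None else self.by_dn[parent_dn]
        dnt = self._alloc()
        self.rows[dnt] = Row(dnt, pdnt, rdn)
        self.by_dn[self.dn_of(dnt)] = dnt
        return dnt

    def delete(self, dn: str) -> None:
        # The row's payload goes away; its DNT does not come back.
        self.rows[self.by_dn.pop(dn)].deleted = True

    def dn_of(self, dnt: int) -> str:
        # Walk the PDNT chain: the DN is the ancestry, not the DNT itself.
        parts, cur = [], dnt
        while cur is not None:
            row = self.rows[cur]
            parts.append(row.rdn)
            cur = row.pdnt
        return ",".join(parts)

    def live_objects(self) -> int:
        return sum(not r.deleted for r in self.rows.values())

    def dnts_consumed(self) -> int:
        return self.next_dnt - self.first_dnt  # includes DNTs of deleted rows


def build_replica(user_order: list, first_dnt: int = 1) -> LocalDit:
    """Constructed sample data: an NC head, a Users container, two users."""
    dit = LocalDit(first_dnt)
    dit.add("DC=example", None)
    dit.add("CN=Users", "DC=example")
    for name in user_order:
        dit.add(f"CN={name}", "CN=Users,DC=example")
    return dit


def compare_replicas() -> dict:
    """Same objects on two DCs, received in a different order and with the
    local counter at a different position: the DNTs differ, the DNs agree."""
    dc_a = build_replica(["alice", "bob"])
    dc_b = build_replica(["bob", "alice"], first_dnt=1000)
    dn = "CN=alice,CN=Users,DC=example"
    da, db = dc_a.by_dn[dn], dc_b.by_dn[dn]
    return {"dnt_a": da, "dnt_b": db, "dn_a": dc_a.dn_of(da), "dn_b": dc_b.dn_of(db)}


def churn(cycles: int) -> tuple:
    """Delete and recreate one user repeatedly: the live count stays flat
    while the consumed DNT count grows by one per cycle."""
    dit = build_replica(["alice", "bob"])
    for _ in range(cycles):
        dit.delete("CN=alice,CN=Users,DC=example")
        dit.add("CN=alice", "CN=Users,DC=example")
    return dit.live_objects(), dit.dnts_consumed()


def exhausts_at_limit() -> bool:
    """A DC whose counter sits at the last positive value can add one more
    row and then fails; only a fresh database (re-promotion) resets it."""
    dit = LocalDit(first_dnt=MAX_DNT)
    dit.add("DC=example", None)
    try:
        dit.add("CN=Users", "DC=example")
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    print(compare_replicas())
    print(churn(10))
    print(exhausts_at_limit())
```

The model makes the practical consequence visible: capacity planning against the 2^31 DNT space has to count lifetime object creations per DC, not the current object count, because `churn` leaves four live rows but keeps consuming keys.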
RE: [ActiveDir] User Accounts
Ok - thinking it over, it's understandable that IFM does not touch DNTs but rather uses the backup as the default dit to start from. Obviously you are not creating a default dit and opening up a second dit to do a local sync. How are you handling server-specific settings? Delete/change those right at the beginning of an IFM, then go ahead with the default replication to figure out the changes? Guess USNs and watermark vectors can be kept and are the same at the beginning of IFM.

However, thanks Eric and Dean for verification and additional thoughts.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
|Sent: Wednesday, April 19, 2006 4:39 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|> DNTs are reusable in ESE, however ADs implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).
|
|Basically, yes. Though I would point out, this is hardly reusing DNTs...this is more starting over. :) For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.
|
|~Eric
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Tuesday, April 18, 2006 11:40 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|> * DNTs (to me) are _not_ a component of the directory
|
|IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE.
|Right?
|
|> * DNTs are not reusable
|
|Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment; AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.
|
|If I understand correctly:
|DNTs are reusable in ESE, however ADs implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).
|
|Right?
|
|Gruesse - Sincerely,
|
|Ulf B. Simon-Weidner
|
| MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
| Weblog: http://msmvps.org/UlfBSimonWeidner
| Website: http://www.windowsserverfaq.org
| Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
||Sent: Wednesday, April 19, 2006 1:18 AM
||To: Send - AD mailing list
||Subject: RE: [ActiveDir] User Accounts
||
||Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
||
||* DNTs (to me) are _not_ a component of the directory
||  - they _are_ a component of the layer that bridges the two (dblayer)
||  - to Brett, I believe he sees them within the sum of what is the directory
||* DNTs (to both Brett and I) are not part of ESE
||* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
||* DNTs are not reusable
||
||I hope the summary and conversational text inline proves useful.
||
||--
||Dean Wells
||MSEtechnology
||* Email: [EMAIL PROTECTED]
||http://msetechnology.com
||
||> -----Original Message-----
||> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
||> Sent: Tuesday, April 18, 2006 5:11 PM
||> To: ActiveDir@mail.activedir.org
||> Cc: Send - AD mailing list
||> Subject: RE: [ActiveDir] User Accounts
||>
||> Dean, I didn't understand this comment ...
||>> But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
||>> Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
||>
||> Are you claiming that ESE knows what a DNT is?
||
||Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag
RE: [ActiveDir] User Accounts
Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -

* DNTs (to me) are _not_ a component of the directory
  - they _are_ a component of the layer that bridges the two (dblayer)
  - to Brett, I believe he sees them within the sum of what is the directory
* DNTs (to both Brett and I) are not part of ESE
* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
* DNTs are not reusable

I hope the summary and conversational text inline proves useful.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

> Dean, I didn't understand this comment ...
>> But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
>> Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
>
> Are you claiming that ESE knows what a DNT is?

Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)

> A DNT is an entirely AD concept, ESE has no idea what a DNT is.

Nod.

> ESE also has no concept of linked-values, or the link_table.

Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.

> This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.

Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge pertaining to link-pairs influences my opinion on where DNTs lie; directory or database.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User Accounts
Very interesting again, thanks for those explanations.

So you've seen ADs with 50M - 100M Objects. This makes the theoretical part of my brain a bit anxious - theoretically ;-)

Were these real objects, or what the regular AD-Guy would refer to (Sum of users, computers, groups, a.s.o - leaving out technical objects like phantoms, objects in the C-NC, S-NC, D-NC/System,.. dnsNode-Objects [1],..)?

That means they'll have issues after an "account overturn" [2] of 20-40 (or 10 if 100M Objects and you feel comfortable with 1.07B) because then they hit the "unreleased DNTs" and have to start repromoting DCs to get them back.

OK - while an "account overturn" of 20 seems very long term - I doubt that DNTs are being released by in-place upgrades and I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs. And the limit is still the forest, not the domain.

So in the long term they might even be hitting the DNT-Limit, without even creating a bigger AD DIT (considering they perform regular DIT-maintenance) - just by deleting and recreating each object b/c of its natural overturn up to 40 times and not releasing their DNTs. However long term - if we assume 100M Objects and an object overturn of about 10yrs we'll have 20 cycles and 200 yrs to figure that out - or just get the last bit back and rethink.

Limit on RIDs - this one is interesting as well, since we only need to create 2147483 DCs and create 325 objects on the last one. Anyone out there to lend me some hardware ;-)

However I'm still curious what would happen when we have the 2^31+1 newly created objects (handled error, major bang of the server against the wall) (no matter how many are currently existing - same issue would happen with lower numbers of objects and frequent deletion/creation)?

Also - as Dean mentioned - what would happen when we have more than 2^30-1000+1 Security Principals - Bang boom bang - or start the RIDs over at 1000, or overflow which would cause the RIDs to start at 1 (yeah - I'd like to be the 2^30-1000+500 user then)?

OK - everything extremely unlikely - but the d... [3] thing is that my brain wants to know that now - and I can't find the soft reset ;-)

[1] Uupsi - they tend to be deleted and recreated quite frequently (compared to accounts)
[2] How would you call this? "Inventory overturn" comes to my mind (the cycle when a warehouse has all inventory sold and new one in there), so "account overturn" may be appropriate defining when each account has been dismissed and a new one created (however technically I'm talking about "object overturn") - people leave and people join - people die and people are being instantiated (aka born).
[3] Swearword? No clue - I'm German - we have our own - can't keep a dictionary of appropriate words in foreign languages in the same brain which is interested in those answers.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Monday, April 17, 2006 2:47 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Eric's quoting didn't come across in pine so well, so I've improved it by using where he was quoting others ...
|
|*Ahem* ... for the hex heads ...
|
|ESE limits:
|
|The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row constraint to the # of rows in a single table ... ESE will support from 2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully undersized, you'll be able to go to around _I think_ 2^(~1875*8) rows in Vista ... if you can find the storage for it [1].
|
|AD design limits:
|
|Active Directory however chose a primary key ("The DNT") that has only 32 bits, and is signed, so limiting to positive values is limited to 2.1 billion rows (as ~Eric mentions), but this is not ESE's fault, nor an ESE limitation. Exchange for example chose a 63-bit message ID on their message table (called 1-23 IIRC), and is thus limited to no more than 2^63 / 9.22 quintillion rows (though probably a bit less due to the way they parse up the message ID).
|
|Clearly the Exchange limit of # of message rows shows that ESE is not limited to 2.1 or 4.2 billion rows in a single table; this is why it is crucial to be able to distinguish how ESE differs from the data layer / schema (of AD) constructed on top of ESE.
|
|At this point we think we've established the max # of objects in an AD database, BUT the actual hard limitation would be the minimum of several competing constraints, any of which could reduce us far lower ...
|
|Actual hard limitation
RE: [ActiveDir] User Accounts
> I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs

You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.

This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.

> Were these real objects, or what the regular AD-Guy would refer to

Yes, but I don't understand why this matters to you?

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Sent: Mon 4/17/2006 1:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Very interesting again, thanks for those explanations.

So you've seen ADs with 50M - 100M Objects. This makes the theoretical part of my brain a bit anxious - theoretically ;-)

Were these real objects, or what the regular AD-Guy would refer to (Sum of users, computers, groups, a.s.o - leaving out technical objects like phantoms, objects in the C-NC, S-NC, D-NC/System,.. dnsNode-Objects [1],..)?

That means they'll have issues after an "account overturn" [2] of 20-40 (or 10 if 100M Objects and you feel comfortable with 1.07B) because then they hit the "unreleased DNTs" and have to start repromoting DCs to get them back.

OK - while an "account overturn" of 20 seems very long term - I doubt that DNTs are being released by in-place upgrades and I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs. And the limit is still the forest, not the domain.

So in the long term they might even be hitting the DNT-Limit, without even creating a bigger AD DIT (considering they perform regular DIT-maintenance) - just by deleting and recreating each object b/c of its natural overturn up to 40 times and not releasing their DNTs. However long term - if we assume 100M Objects and an object overturn of about 10yrs we'll have 20 cycles and 200 yrs to figure that out - or just get the last bit back and rethink.

Limit on RIDs - this one is interesting as well, since we only need to create 2147483 DCs and create 325 objects on the last one. Anyone out there to lend me some hardware ;-)

However I'm still curious what would happen when we have the 2^31+1 newly created objects (handled error, major bang of the server against the wall) (no matter how many are currently existing - same issue would happen with lower numbers of objects and frequent deletion/creation)?

Also - as Dean mentioned - what would happen when we have more than 2^30-1000+1 Security Principals - Bang boom bang - or start the RIDs over at 1000, or overflow which would cause the RIDs to start at 1 (yeah - I'd like to be the 2^30-1000+500 user then)?

OK - everything extremely unlikely - but the d... [3] thing is that my brain wants to know that now - and I can't find the soft reset ;-)

[1] Uupsi - they tend to be deleted and recreated quite frequently (compared to accounts)
[2] How would you call this? "Inventory overturn" comes to my mind (the cycle when a warehouse has all inventory sold and new one in there), so "account overturn" may be appropriate defining when each account has been dismissed and a new one created (however technically I'm talking about "object overturn") - people leave and people join - people die and people are being instantiated (aka born).
[3] Swearword? No clue - I'm German - we have our own - can't keep a dictionary of appropriate words in foreign languages in the same brain which is interested in those answers.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Monday, April 17, 2006 2:47 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Eric's quoting didn't come across in pine so well, so I've improved it by using "" where he was quoting others ...
|
|*Ahem* ... for the hex heads ...
|
|ESE limits:
|
|The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row constraint to the # of rows in a single table ... ESE will support from 2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully undersized, you'll be able to go to around _I think_ 2^(~1875*8) rows in Vista ... if you can find the storage for it [1].
|
|AD design limits:
|
|Active Directory however chose a primary key ("The DNT") that has only 32 bits, and is signed, so limiting to positive values is limited to 2.1 billion rows (as ~Eric mention
RE: [ActiveDir] User Accounts
Up to this point, all we've talked about really is storing these puppies. For me, the real question is whether all of these user objects can actually be made use of. For example, if you wanted to use these for authentication and authorization, you presumably have to start adding them to groups (unless you think you're going to refer to them individually in an ACL.) That means you have to allow for a certain % of group objects in the DIT to support the user objects. Then there are actual servers that these folks would have to connect to in order to actually do anything. Even if you limit yourself to scenarios where you don't have folks actually log onto a server, you will run into any number of practical constraints from other directions.

Granted, this isn't nearly as interesting as the pure theoretical limitation of the technology but it does remind us that we all deploy AD for a myriad of reasons. If the Hippies were successful in lobbying the UN for a user account for every human being (and most great apes), we would probably find that we had to partition well before a billion.

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 16, 2006 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Excellent post Brett, had me laughing and learning all of the way. Even folks who don't understand it should read it IMO, probably twice.

Dean cleared me up on the RIDs, sounds like someone decided to artificially limit them to 30 bits (not even 32 or 31 as I surmised) so 1 billion is a good round number to go with - possibly two people left that team previously and both took a bit with them.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, April 16, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Eric's quoting didn't come across in pine so well, so I've improved it by using where he was quoting others ...

*Ahem* ... for the hex heads ...

ESE limits:

The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row constraint to the # of rows in a single table ... ESE will support from 2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully undersized, you'll be able to go to around _I think_ 2^(~1875*8) rows in Vista ... if you can find the storage for it [1].

AD design limits:

Active Directory however chose a primary key (The DNT) that has only 32 bits, and is signed, so limiting to positive values is limited to 2.1 billion rows (as ~Eric mentions), but this is not ESE's fault, nor an ESE limitation. Exchange for example chose a 63-bit message ID on their message table (called 1-23 IIRC), and is thus limited to no more than 2^63 / 9.22 quintillion rows (though probably a bit less due to the way they parse up the message ID).

Clearly the Exchange limit of # of message rows shows that ESE is not limited to 2.1 or 4.2 billion rows in a single table; this is why it is crucial to be able to distinguish how ESE differs from the data layer / schema (of AD) constructed on top of ESE.

At this point we think we've established the max # of objects in an AD database, BUT the actual hard limitation would be the minimum of several competing constraints, any of which could reduce us far lower ...

Actual hard limitation will be the

1. Dean points out over the lifetime of the database. This is crucial to understand, you should consider his meaning, he is right on about that. This is again an AD limitation, not an ESE limitation though. AD could've concocted (not even that hard) a scheme to reuse rows / DNTs.

2. joe pointed out the 16 TB DB size limit, he is right about that, which means at 2 billion objects, your net aggregate object size cost (including SD which may be single instanced, the link values, the ESE overhead to maintain the database, indices, rows, record format, etc) must be below 8KB / object. This is worth noting because the average size of ONLY the raw data (i.e. excluding ESE overhead) _in the datatable_ of an AD user in our primary corp domains is 11,924 bytes. Dang certs.

3. Eric also points out about LID (which is a Long-value ID) is a signed int (again 31 bits available in positive value space), so we could be limited to less than 2 billion objects, if each object had a couple burst long values (only _burst_ LVs use LIDs). LV = Long-Value, not Link Value for this discussion. This _IS_ an ESE limitation. Experience tells us replPropertyMetaData and supplementalCredentials on typical AD users are burst, and thus the limit could be as low as 1 billion.

4. SIDs (well RIDs actually) can limit how many security principals you use, but RIDs are a security aspect, and so I have no idea if you can use 32
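Brett's point that the real ceiling is the minimum of several competing constraints, and Ulf's earlier arithmetic about how many "account overturns" a 100M-object forest can absorb before a DC's DNT space runs dry, can be put together in one small capacity model. This Python is an added example written for this page, not code from the thread or from any Microsoft tool. The constants are the figures given in the thread (2^31 signed DNTs and LIDs, the 16 TB database limit, 30-bit RIDs less the low 1000 that Ulf's "2^30-1000" expression reserves); the per-object byte cost and the number of burst long-values per object are planner inputs, and the function names are mine. It generalises the thread's single example by letting you plug in any object size and churn rate.

```python
"""Capacity model for the competing AD object-count limits (constructed example).

Constants are the thread's figures; per-object size and burst long-value
counts are inputs.  The RID cap applies to security principals only.
"""

TIB = 2**40
DNT_MAX = 2**31 - 1          # rows per DC over its lifetime: signed 32-bit key
LID_MAX = 2**31 - 1          # long-value IDs, also a signed 32-bit space
RID_USABLE = 2**30 - 1000    # 30-bit RIDs minus the reserved low range (thread's figure)
DB_MAX_BYTES = 16 * TIB      # ESE database size limit cited in the thread


def per_constraint_caps(avg_object_bytes: int, burst_lvs_per_object: float) -> dict:
    """Object count permitted by each constraint taken on its own."""
    if avg_object_bytes <= 0:
        raise ValueError("average object size must be positive")
    lid_cap = LID_MAX if burst_lvs_per_object <= 0 else int(LID_MAX // burst_lvs_per_object)
    return {
        "dnt_rows": DNT_MAX,
        "db_size": DB_MAX_BYTES // avg_object_bytes,
        "lids": lid_cap,
        "rids": RID_USABLE,  # security principals only
    }


def binding_constraint(avg_object_bytes: int, burst_lvs_per_object: float) -> tuple:
    """The hard limit is whichever cap is smallest; returns (name, cap)."""
    caps = per_constraint_caps(avg_object_bytes, burst_lvs_per_object)
    name = min(caps, key=caps.get)
    return name, caps[name]


def years_until_dnt_exhaustion(live_objects: int, creations_per_year: int) -> float:
    """DNTs are never reused, so lifetime creations, not the live count,
    drain the 2^31 space on a DC that is never re-promoted over the wire."""
    if creations_per_year <= 0:
        raise ValueError("creations per year must be positive")
    return (DNT_MAX - live_objects) / creations_per_year


def repromote_needed_within(live_objects: int, creations_per_year: int, horizon_years: float) -> bool:
    """True if a DC would run out of DNTs inside the planning horizon."""
    return years_until_dnt_exhaustion(live_objects, creations_per_year) < horizon_years


if __name__ == "__main__":
    # Brett's 8 KB/object budget with two burst long-values per user
    print(binding_constraint(8192, 2.0))
    # Brett's measured 11,924 raw bytes per user, burst LVs ignored
    print(per_constraint_caps(11924, 0)["db_size"])
    # Ulf's scenario: 100M objects, full overturn every 10 years
    print(years_until_dnt_exhaustion(100_000_000, 10_000_000))
```

With the thread's own inputs the binding constraint is not the DNT row count at all: at 8 KB per object and two burst long-values per user, LIDs and RIDs both bite below the 2^31 row cap, which is the distinction Brett draws between AD's design limits and ESE's.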
RE: [ActiveDir] User Accounts
In my experience the type of forest you're thinking about is a different beast, Ulf ...

I don't know a single customer that has a NOS / IT infrastructure forest with 10M objects, in fact I can't even think of one with 5 M. Anything north of 5M - 10M objects is almost assuredly e-commerce, internet facing web portal type stuff ...

There is natural churn because of user accounts on the web facing stuff churn, multiple personas, forgotten password, whatever, but they don't get any of the normal churn you associate with the IT infrastructure (DNS objects, computer accounts join/unjoin, MIIS or HR control system injected changes, etc). They're basically using it like a specialized database.

They are more prone to IFM though, which doesn't recycle DNTs. But all things considered the object churn seems to be less ... I believe the churn isn't too ridiculous.

But it seems you just want to say or me to admit, yes if you hit this limit you will need to repromote. That is true. People dealt w/ NT4 SAM when it balked at 70k accounts or whatever, people will have to deal w/ AD when they use 2B RDNs ... if you're actually dealing with numbers that ballpark into that area, I'd be curious to hear about your scenario, but I suspect no one is doing that ... yet.

Cheers,
-BrettSh

On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:

> Hi ~eric,
>
>>> I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
>>
>> You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
>> This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
>
> Yes - agree. My intent was to outline that we might approach the DNT-limit with directories this large because:
> - they might run for a longer time
> - object overturn will happen
> - AD will stay over time since I doubt an upgrade will touch the dit and recycle DNTs, and companies with that large forests will rather upgrade to a new OS than using ADMT
>
> I'm aware that a repromote of the DCs will take care of it. I just tried to say that there might be the time when a repromote because of DNTs might be necessary in some larger domains. However still unlikely, but not that much away from reality if you look at the numbers posted (100M Objects are 5-10% of the limit, employees and customers as well as other objects (DNS) tend to change, and the limit is the forest (b/c total number of objects on a GC)).
>
>>> Were these real objects, or what the regular AD-Guy would refer to
>>
>> Yes, but I don't understand why this matters to you?
>
> Just being curious if Brad was talking about 50M+ Accounts or Objects - main reason because of plain curiosity to figure out if we are talking about 50M+ Objects or 50M+ Accounts + another couple M dnsNodes/phantoms/...
>
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
>  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>  Weblog: http://msmvps.org/UlfBSimonWeidner
>  Website: http://www.windowsserverfaq.org
>  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Monday, April 17, 2006 4:43 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User Accounts
>
>>> I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
>>
>> You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
>> This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
>>
>>> Were these real objects, or what the regular AD-Guy would refer to
>>
>> Yes, but I don't understand why this matters to you?
>>
>> ~Eric
>>
>> _____
>>
>> From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
>> Sent: Mon 4/17/2006 1:09 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] User Accounts
>>
>>> Very interesting again, thanks for those explanations.
>>>
>>> So you've seen ADs with 50M - 100M Objects. This makes the theoretical part of my brain a bit anxious - theoretically ;-)
>>>
>>> Were these real objects, or what the regular AD-Guy would refer to (Sum of users, computers, groups, a.s.o - leaving out technical objects like phantoms, objects
RE: [ActiveDir] User Accounts
Hi Brett,

I don't want you to say or admit anything - I'm just curious and having a conversation here ;-)

I was referring to your sentence

> I've heard of two production ADs in excess of 50 M (less than 100 M though)

Which really made me curious and I started to think that these are not that unlikely to hit the limit. Rest of the conversation is just curiosity and for the sake of being interested - no real scenario - just interested in opinions.

Never take me too serious - I'm German but that wasn't my fault ;-) I like to discuss what-if scenarios and am mainly interested in geeky chit-chat. And I've never and will never ask someone of your group or company to confess something in public. We are just chatting here.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Tuesday, April 18, 2006 12:32 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|In my experience the type of forest you're thinking about is a different beast, Ulf ...
|
|I don't know a single customer that has a NOS / IT infrastructure forest with 10M objects, in fact I can't even think of one with 5 M. Anything north of 5M - 10M objects is almost assuredly e-commerce, internet facing web portal type stuff ...
|
|There is natural churn because of user accounts on the web facing stuff churn, multiple personas, forgotten password, whatever, but they don't get any of the normal churn you associate with the IT infrastructure (DNS objects, computer accounts join/unjoin, MIIS or HR control system injected changes, etc). They're basically using it like a specialized database.
|
|They are more prone to IFM though, which doesn't recycle DNTs. But all things considered the object churn seems to be less ... I believe the churn isn't too ridiculous.
|
|But it seems you just want to say or me to admit, yes if you hit this limit you will need to repromote. That is true. People dealt w/ NT4 SAM when it balked at 70k accounts or whatever, people will have to deal w/ AD when they use 2B RDNs ... if you're actually dealing with numbers that ballpark into that area, I'd be curious to hear about your scenario, but I suspect no one is doing that ... yet.
|
|Cheers,
|-BrettSh
|
|On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:
|
|> Hi ~eric,
|>
|>>> I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
|>>
|>> You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
|>> This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
|>
|> Yes - agree. My intent was to outline that we might approach the DNT-limit with directories this large because:
|> - they might run for a longer time
|> - object overturn will happen
|> - AD will stay over time since I doubt an upgrade will touch the dit and recycle DNTs, and companies with that large forests will rather upgrade to a new OS than using ADMT
|>
|> I'm aware that a repromote of the DCs will take care of it. I just tried to say that there might be the time when a repromote because of DNTs might be necessary in some larger domains. However still unlikely, but not that much away from reality if you look at the numbers posted (100M Objects are 5-10% of the limit, employees and customers as well as other objects (DNS) tend to change, and the limit is the forest (b/c total number of objects on a GC)).
|>
|>>> Were these real objects, or what the regular AD-Guy would refer to
|>>
|>> Yes, but I don't understand why this matters to you?
|>
|> Just being curious if Brad was talking about 50M+ Accounts or Objects - main reason because of plain curiosity to figure out if we are talking about 50M+ Objects or 50M+ Accounts + another couple M dnsNodes/phantoms/...
|>
|> Gruesse - Sincerely,
|>
|> Ulf B. Simon-Weidner
|>
|>  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
|>  Weblog: http://msmvps.org/UlfBSimonWeidner
|>  Website: http://www.windowsserverfaq.org
|>  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|>
|> _____
|>
|> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
|> Sent: Monday, April 17, 2006 4:43 PM
|> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|> Subject: RE: [ActiveDir] User Accounts
|>
|>>> I don't look very happy imagining running ADMT or some other
RE: [ActiveDir] User Accounts
| Never take me too serious

Seriously? :)

(Great thread by the way)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, April 17, 2006 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
Yes, both Brett and I have seen large directories in this range. All of my experience with directories 25M objects was outward facing. I.e., internet portal types, like Brett was talking about.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, April 17, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
|| Never take me too serious
|
| Seriously? :)

Absolutely ;)

| (Great thread by the way)

I agree!

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
|Sent: Tuesday, April 18, 2006 1:16 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
Hi ~eric,

Thanks for the answer.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
|Sent: Tuesday, April 18, 2006 4:05 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Yes, both Brett and I have seen large directories in this range. All of my experience with directories 25M objects was outward facing. I.e., internet portal types, like Brett was talking about.
|
|~Eric
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, April 17, 2006 4:06 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
So you saved the negative DNTs for Longhorn or Blackcomb - if you realize that someone is getting too close to that limit in his forest? Interested in sharing the reason? What are you going to do if someone asks nicely (to get the bit back)? Sounds deeper in the system than some hotfix or SP can fix - err - change.

When will you release the whitepaper "Maintaining Active Directory Forests at the DIT's Limit" which states to regularly repromote DCs in the intervals of garbage collection (to release unused DNTs)? (And note that this will be the introduction of implementing manual processes for floating roles)

And just in case: ;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, April 16, 2006 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Good thread. A few corrections, for the sake of keeping the search engines fresh.

| The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>

| A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

Ah, no, not quite (thankfully :-)). There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed. Dean and I also IM'd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as their objects hosted by that particular server. You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

| So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

There is actually a subtle point here... there is max # of users in a single directory instance (ie, on one given DC/ADAM instance), and max # in the entire distributed system. They are somewhat different. In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which house different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden. It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box... but I don't deny it has been done, I just haven't seen it. :-)

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Actually I am going to bust myself here before Dean or someone else does. The SIDS are going to be limited into the billions. Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the
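Eric's point above about the signed 32-bit DNT (allocation starts at 1, the negative half is unused), together with Brett's and Eric's remarks earlier in the thread that a deleted object never gives its tag back, that IFM carries the old database and counter along, and that only an over-the-wire repromotion numbers objects from 1 again, as an added toy model in Python. This is illustration code written for this page, not AD or ESE code; the class and function names, and the churn figures in the demo, are constructed.

```python
"""Toy model of per-DC DNT (distinguished name tag) allocation.

Added illustration for this thread, not AD or ESE code. The rules it
encodes are the ones the thread states:
  * the DNT is a signed 32-bit value, allocation starts at 1 and the
    negative half is unused, so one DIT can hand out at most 2**31 - 1 tags
  * a deleted object's tag is never handed out again on that DC
  * tags are local to one database instance and are not replicated
  * a DC built from IFM media inherits the old database and its counter,
    while a DC promoted over the wire receives the live objects into a
    virgin database and numbers them from 1 again
Phantoms, schema rows and other non-object rows are left out of the model.
"""
from __future__ import annotations

DNT_MAX = 2**31 - 1  # largest positive value of a signed 32-bit int


class DntExhausted(RuntimeError):
    """Raised when a DIT has no positive DNT left to assign."""


class DitInstance:
    """One DC's data table: a counter that only ever moves up, plus the
    live objects (name -> DNT)."""

    def __init__(self, next_dnt: int = 1) -> None:
        self.next_dnt = next_dnt
        self.live: dict[str, int] = {}

    def add(self, name: str) -> int:
        """Create an object. Its tag comes from the counter, never from a
        slot freed by an earlier delete."""
        if self.next_dnt > DNT_MAX:
            raise DntExhausted(
                "no positive DNT left; only an over-the-wire repromotion "
                "starts the counter again")
        dnt = self.next_dnt
        self.next_dnt += 1
        self.live[name] = dnt
        return dnt

    def delete(self, name: str) -> None:
        """Delete an object. Garbage collection can reclaim the row, but the
        tag value stays consumed."""
        del self.live[name]

    def consumed(self) -> int:
        """Tags this instance has handed out so far (deleted ones included)."""
        return self.next_dnt - 1

    def headroom(self) -> int:
        """Tags still available before the signed-int ceiling."""
        return DNT_MAX - self.consumed()

    def promote_from_media(self) -> DitInstance:
        """IFM: the new DC starts from a copy of this database, so the
        counter and all consumed tags carry over unchanged."""
        clone = DitInstance(self.next_dnt)
        clone.live = dict(self.live)
        return clone

    def promote_over_wire(self) -> DitInstance:
        """Replication into a virgin database: only live objects arrive and
        each is tagged afresh, starting at 1."""
        fresh = DitInstance()
        for name in self.live:
            fresh.add(name)
        return fresh


def years_until_exhaustion(consumed: int, creates_per_year: int) -> float:
    """Rough time to the ceiling for one DC. Only creations count, because
    deletes give nothing back."""
    return (DNT_MAX - consumed) / creates_per_year


if __name__ == "__main__":
    # Constructed numbers: the 100M objects figure is the thread's, the
    # churn rate of 10M new objects per year is an assumption.
    dc = DitInstance()
    for i in range(5):
        dc.add(f"user{i}")
    for i in range(3):
        dc.delete(f"user{i}")  # three tags are now gone for good
    dc.add("user5")
    print("consumed", dc.consumed(), "live", len(dc.live))          # 6, 3
    print("IFM copy consumed", dc.promote_from_media().consumed())  # 6
    print("wire copy consumed", dc.promote_over_wire().consumed())  # 3
    print("years at 100M objects, 10M creates/yr:",
          round(years_until_exhaustion(100_000_000, 10_000_000), 1))  # 204.7
```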
RE: [ActiveDir] User Accounts
I expect it isn't about saving anything for LH/BC, I expect it is more along the lines of why ESE avoids the high bit as well which I previously mentioned. Basically perf and tighter code. Again easier to paint with the masking tape up than not. Integer overflow can be a pain to deal with (again I mean in the bulk of the code at the low level, anyone with ADSI/.NET programming as their entire background probably will be thinking huh? when they read that).

I am actually curious to see the negative linkid blog post Eric alluded to. We (Dean, Eric, and I) started to discuss this a little over IM/email last night but didn't get too far into it and its implications.

I don't want to hang around a DC that has to replicate in 2 billion+ objects... Especially if most of the objects are in RO NCs, that would probably never complete replicating, ever. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, April 16, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
, will likely cause one to scale out and _probably_ partition (via NCs replicated to only some ADAM instances) before going to billion area scales. Management of database size on these scales is non-trivial, and drives the real per server #'s of objects / database sizes one should support down below 1 billion.

Even e-commerce doesn't care about these kind of numbers, because if you look at the income of the 1 billionth richest person in the world, you'll probably realize she/he is not worth selling to. Only hippies and the U.N. care about going above 1 billion accounts.

[1] which you can't, as there are only IIRC ~1.0e+83 [or 84 or 82?] particles in the universe anyway.

Sorry if this mail used too much lingo, it was aimed at the super experts (Dean, joe, et al), I'll try to digest it into a series of more edible blog posts that would explain the terms as introduced ... :P

Anyway, all I'm saying, is the Garage Door Operator has never heard of this 2.1 or 4.2 billion row limit of an ESE database you speak of ...

Cheers,
Brett

P.S. - I've never heard of negative link IDs, I'm most curious to see Eric's description of this ...

On Sat, 15 Apr 2006, Eric Fleischman wrote:
RE: [ActiveDir] User Accounts
Excellent post Brett, had me laughing and learning all of the way. Even folks who don't understand it should read it IMO, probably twice.

Dean cleared me up on the RIDs, sounds like someone decided to artificially limit them to 30 bits (not even 32 or 31 as I surmised) so 1 billion is a good round number to go with - possibly two people left that team previously and both took a bit with them.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, April 16, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Eric's quoting didn't come across in pine so well, so I've improved it by using where he was quoting others ...

*Ahem* ... for the hex heads ...

ESE limits:

The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row constraint to the # of rows in a single table ... ESE will support from 2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully under sized, you'll be able to go to around _I think_ 2^(~1875*8) rows in Vista ... if you can find the storage for it [1].

AD design limits:

Active Directory however chose a primary key (the DNT) that has only 32 bits, and is signed, so limiting to positive values is limited to 2.1 billion rows (as ~Eric mentions), but this is not ESE's fault, nor an ESE limitation. Exchange for example chose a 63-bit message ID on their message table (called 1-23 IIRC), and is thus limited to no more than 2^63 / 9.22 quintillion rows (though probably a bit less due to the way they parse up the message ID). Clearly the Exchange limit of # of message rows shows that ESE is not limited to 2.1 or 4.2 billion rows in a single table; this is why it is crucial to be able to distinguish how ESE differs from the data layer / schema (of AD) constructed on top of ESE.

At this point we think we've established the max # of objects in an AD database, BUT the actual hard limitation would be the minimum of several competing constraints, any of which could reduce us far lower ... Actual hard limitation will be the

1. Dean points out over the lifetime of the database. This is crucial to understand, you should consider his meaning, he is right on about that. This is again an AD limitation, not an ESE limitation though. AD could've concocted (not even that hard) a scheme to reuse rows / DNTs.

2. joe pointed out the 16 TB DB size limit, he is right about that, which means at 2 billion objects, your net aggregate object size cost (including SD which may be single instanced, the link values, the ESE overhead to maintain the database, indices, rows, record format, etc) must be below 8KB / object. This is worth noting because the average size of ONLY the raw data (i.e. excluding ESE overhead) _in the datatable_ of an AD user in our primary corp domains is 11,924 bytes. Dang certs.

3. Eric also points out that LID (which is a Long-value ID) is a signed int (again 31 bits available in positive value space), so we could be limited to less than 2 billion objects, if each object had a couple burst long values (only _burst_ LVs use LIDs). LV = Long-Value, not Link Value for this discussion. This _IS_ an ESE limitation. Experience tells us replPropertyMetaData and supplementalCredentials on typical AD users are burst, and thus the limit could be as low as 1 billion.

4. SIDs (well RIDs actually) can limit how many security principals you use, but RIDs are a security aspect, and so I have no idea if you can use 32, 31, or less of that number space, I suspect 1 billion but don't know that at all.

Anyway a long time ago we (some AD people) went through all the various aspects, issues, etc and we came up with the safe value, that special value we wanted to claim / support ... and we started saying 1 billion was the official limit. I updated the wikipedia topic on it awhile back.

The issue joe mentioned with the # of pages in an ESE database being 2^31 ... I like to state it as: Jordie (my pseudonym for a particularly talented developer) took away the high bit before he moved off the ESE team, and won't give it back.. <g> That is the funny way to say, paranoia drove one of us to cap it to explicitly positive page numbers. Given that the file system is limited to 16 TBs for a single file for some particular (?default? 4k? max?) allocation size, I don't really see this being fixed anytime soon...

My confidence ranges from 53% to 72% for all the above info ... I don't give a confidence of more than 80% to anything I didn't personally verify in code, and never a confidence of over 90% that I didn't personally test that the code worked like it looked ... that is experience talking. Confidences of 53% to 72% probably means talented and smart / non-blowhard types told me this information.

*Cough
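Brett's four competing constraints and joe's page arithmetic above, carried through as an added example (my own code, not from anyone in the thread): it takes the figures exactly as the posts state them and reports which ceiling binds for a given average object size, number of burst long values per object, and number of DNTs a long-standing DC has already consumed; the parameter names and the split into named constraints are mine.

```python
"""Competing ceilings on objects in a single AD/ADAM instance, as arithmetic.

Added example, not from the thread's authors. Figures are those the posts
state: joe's 2^31-2 pages of 8 KB, Brett's signed 32-bit DNT and LID,
Dean's 2^30 RID ceiling, Brett's 11,924-byte average user.
"""
from typing import Dict, Tuple

DNT_MAX = 2**31 - 1          # DNTs start at 1 in a signed 32-bit int; negative side unused
PAGES_MAX = 2_147_483_646    # ESE page count cap, 2^31 - 2 (joe's figure from the docs)
PAGE_SIZE = 8 * 1024         # page size AD uses for its ESE database
LID_MAX = 2**31 - 1          # long-value IDs are also a positive signed 32-bit int
RID_MAX = 2**30              # Dean: ceiling for traditional (non-ADAM) RIDs
TB = 1024**4                 # joe's footnote [3]: bytes in a TB


def db_max_bytes() -> int:
    """Largest AD database ESE can address: max pages times page size."""
    return PAGES_MAX * PAGE_SIZE


def db_max_tb() -> float:
    """joe's 8*1024*2147483646 / 1099511627776, i.e. just under 16 TB."""
    return db_max_bytes() / TB


def object_ceilings(avg_object_bytes: int,
                    burst_lvs_per_object: int = 0,
                    security_principals: bool = True,
                    rows_already_consumed: int = 0) -> Dict[str, int]:
    """Upper bound on object count under each constraint Brett lists.

    avg_object_bytes      - aggregate on-disk cost per object, overhead included
    burst_lvs_per_object  - long values burst to their own b-tree per object,
                            each consuming one LID (Brett: replPropertyMetaData
                            and supplementalCredentials on a typical user)
    security_principals   - apply the RID ceiling (users, groups, computers)
    rows_already_consumed - DNTs a long-standing DC has already handed out;
                            Dean's point that deleted rows never return to the pool
    Rows also hold phantoms, schema, etc., so the DNT figure overstates objects.
    """
    if avg_object_bytes <= 0:
        raise ValueError("avg_object_bytes must be positive")
    ceilings = {
        "dnt_rows": DNT_MAX - rows_already_consumed,
        "db_size": db_max_bytes() // avg_object_bytes,
    }
    if burst_lvs_per_object > 0:
        ceilings["long_value_ids"] = LID_MAX // burst_lvs_per_object
    if security_principals:
        ceilings["rids"] = RID_MAX
    return ceilings


def binding_constraint(avg_object_bytes: int, burst_lvs_per_object: int = 0,
                       security_principals: bool = True,
                       rows_already_consumed: int = 0) -> Tuple[str, int]:
    """Name and value of the lowest ceiling, i.e. the one that actually binds."""
    c = object_ceilings(avg_object_bytes, burst_lvs_per_object,
                        security_principals, rows_already_consumed)
    name = min(c, key=c.get)
    return name, c[name]


if __name__ == "__main__":
    print(f"DB cap: {db_max_tb():.5f} TB")
    # Brett's 11,924-byte average user with two burst long values.
    print(binding_constraint(11_924, burst_lvs_per_object=2))
    # At exactly 8 KB/object the size cap just undercuts the DNT cap.
    print(binding_constraint(8_192, security_principals=False))
```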
RE: [ActiveDir] User Accounts
One can but bow down to the creator and accept the facts as is (well, mostly, I'm kinda talkative after all) ... and an informative post at that ... nice job Mrs. Shirley (DEC attendees may understand that reference ... either way, I'm grinning as I suspect are joe and possibly ~Eric ;0)

But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT? Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p

To satisfy my curiosity; what happens (in theory I'd guess, though perhaps in practice if this has indeed been tested) when a long-standing AD (say 2K3) DC has, within a single lifetime, written 2^31 (props to ~Eric) DNT-consuming rows of stuff to the DIT ... does it error or soldier on?

PS - re: RIDs: last I checked, ceiling was 2^30 ... at least for traditional SIDs (non-ADAM).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, April 16, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
That number isn't accurate I'm afraid. The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag) within its lifetime; deleted objects (garbage collected or otherwise) do not return row numbers to the available pool. A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc. Note that the limitation also differs from DC to DC since long-standing DCs will have less row space available than those recently promoted. Windows 2003 does not address this limitation (although improvements have been made in other areas).

So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 14, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I was told 5 billion objects ( In Theory ) when I took the Windows Server 2000, Designing a Microsoft Windows 2000 Networking Services Infrastructure , taught by Cathy Moya at Quickstart Technologies ( Now with Microsoft ). Joe, has Microsoft changed this in AD 2003?

Jose

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, April 14, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Accounts

Hello,

How many user accounts can Active Directory 2000/2003 support (including email)?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
RE: [ActiveDir] User Accounts
Actually I am going to bust myself here before Dean or someone else does. The SIDS are going to be limited into the billions. Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the GUID logic for producing the SIDs, they are not based on a domain SID coupled with an artificially limited 32 bit "RID".

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I agree with Dean on this. :o)

The only user logical or implementation related limitation I could think of off the top of my head would be around SIDs and you are talking a number in the trillions for Active Directory and much much errr much higher for ADAM since they changed how SIDs are generated[1].

For completeness though not directly related to Christine's question I also wanted to add that the other physical limit is simply one of size which is ~16TB. This is governed by the max pages of ESE (2147483646[2]) coupled with the page size used for the Active Directory DB which is 8KB. That works out to 8*1024*2147483646 / 1099511627776[3] or 15.TB.

joe

[1] See discussion in book mentioned in signature[7]

[2] This max page size is publicly available in the ESE docs. It is located on the page http://msdn.microsoft.com/library/default.asp?url="" however note there is a doco bug where it says that is 2^32 - 2 and it obviously isn't... It is 2^31 - 2[4]. Why not 2^32 - 2 which effectively doubles the size of the DB for those who find ~16TB a trifle claustrophobic? You would have to ask our Garage Door guy but I __know__ that the page vars are specified as 32 bit "longs" and I would __theorize__ it is to avoid hitting bit issues and make it easier (and faster) for comparisons and calculations so you don't have to watch out for overflows, etc. This isn't something you tend to think about in scripting and languages like VB and .NET but I can assure you, something below your code has to handle it and it is extra work. So not using the high bit gets you a nice one bit buffer[5] which sounds like very little but is a lot of buffer for the calculations that would need to be made.

[3] This is the number of bytes in a TB. 1024^4. If you had that much in pennies you would be a billionaire. But still not as rich as billg.

[4] I have submitted this feedback to MSDN for a second time. Usually they are a little better about that when you submit something. :) Oh how do I know which number is the correct one? I cheated and looked at the source. ;o)

[5] Not like a storage buffer but a programming buffer sort of like putting tape up when painting so you don't have to go and do extra work of scraping (or repainting another colour) later.

[6] Why are you reading this footnote, I didn't reference it. :)

--
[7] O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, April 15, 2006 9:48 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 14, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
Good thread. A few corrections, for the sake of keeping the search engines fresh.

> The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>

> A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

Ah, no, not quite (thankfully :-)). There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed.

Dean and I also IM'd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as their objects hosted by that particular server. You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

> So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

There is actually a subtle point here... there is a max # of users in a single directory instance (ie, on one given DC/ADAM instance), and a max # in the entire distributed system. They are somewhat different. In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which houses different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden. It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box... but I don't deny it has been done, I just haven't seen it. :-)

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
A long and unbelievably off-topic IM with Eric (and joe towards the end) re: this thread touched on some of ESE's lesser-known artifacts or behaviors ... thanks for the input Eric. Inline ...

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, April 15, 2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Good thread. A few corrections, for the sake of keeping the search engines fresh.

> The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>

[[Dean]] Good to know ... reasoning is interesting also -- ask Eric :0/

> A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

Ah, no, not quite (thankfully :-)). There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed.

[[Dean]] That was interesting to me, I'll do some further digging.

Dean and I also IM'd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

[[Dean]] Love the justification here... reasoning is sound.

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as their objects hosted by that particular server. You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

[[Dean]] Most "new" forests these days are based on a single-domain model so the GC no longer presents a distinction in limiting factors.

> So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

There is actually a subtle point here... there is a max # of users in a single directory instance (ie, on one given DC/ADAM instance), and a max # in the entire distributed system. They are somewhat different. In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which houses different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden. It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

[[Dean]] Nod, that's an interesting point ... no cause for concern in my experience but a potential, certainly.

The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box... but I don't deny it has been done, I just haven't seen it. :-)

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.

[[Dean]] Life? :0)

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
RE: [ActiveDir] User Accounts
I expect more than you need. Anyway, depends on the use and quality of the DCs as well as the other objects in the directory but last I heard MS had tested in the ball park of 40,000,000 (40 million) objects. I have personally run domains with 100k users (forest was around 250k users). I have spoken with folks who have had domains 500k users.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, April 14, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Accounts

Hello,

How many user accounts can Active Directory 2000/2003 support (including email)?

-Christine
RE: [ActiveDir] User Accounts
I was told 5 billion objects ( In Theory ) when I took the Windows Server 2000, Designing a Microsoft Windows 2000 Networking Services Infrastructure , taught by Cathy Moya at Quickstart Technologies ( Now with Microsoft ). Joe, has Microsoft changed this in AD 2003?

Jose

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, April 14, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Accounts

Hello,

How many user accounts can Active Directory 2000/2003 support (including email)?

-Christine
RE: [ActiveDir] User Accounts
I have nearly 200K in one domain. I expect it will have nearly 500K when it's all done.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 14, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, April 14, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Accounts

Hello,

How many user accounts can Active Directory 2000/2003 support (including email)?

-Christine
Re: [ActiveDir] User accounts getting locked out..
for starters - check out:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

and

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en

steve

- Original Message -
From: Sudhir Kaushal
To: ActiveDir@mail.activedir.org
Sent: Tuesday, November 15, 2005 2:12 AM
Subject: [ActiveDir] User accounts getting locked out..

Hi All,

I am facing one strange issue. All of a sudden my user accounts are getting locked out in certain OU's. The event logs say:

Event Id - 675, AUDIT FAILURE, Security, Mon Nov 14 12:50:57 2005, NT AUTHORITY\SYSTEM, Pre-authentication failed: User Name: xyz User ID: %{xyz} Service Name: krbtgt/domain name Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: IP address.

Event Id - 644, AUDIT SUCCESS, Security, Mon Nov 14 12:50:56 2005, NT AUTHORITY\SYSTEM, User Account Locked Out: Target Account Name: xyz Target Account ID: %{xyz} Caller Machine Name: Name of the machine Caller User Name: Name of the DC Caller Domain: Domain Name Caller Logon ID: (0x0,0x3E7)

They also get cleared after some time automatically. One reason which I figured out is that it could be related to the system time of the client machine versus the system time of the DC (related to failure of Kerberos ticket). Any other pointers???

Thanks in Advance.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
"You never win Silver, You lose Gold"

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Re: [ActiveDir] User accounts getting locked out..
This article contains information on troubleshooting account lockout:
http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
plus you can look at the Best Practices guide for account lockout:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8c8e0d90-a13b-4977-a4fc-3e2b67e3748eDisplayLang=en

--
Kamlesh
~~~Fortune and Love befriend the bold~~~
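Two details help when reading the events quoted above. Failure code 0x18 in event 675 is KDC_ERR_PREAUTH_FAILED, the code the KDC returns for a wrong password; a client whose clock is outside the permitted skew gets 0x25 (KRB_AP_ERR_SKEW) instead, so the two causes can be told apart from the failure code alone. And the Caller Machine Name in a 644 is frequently the DC that tripped the threshold rather than the client, so the Client Address in the preceding 675s is the field to chase. The script below is an added example, not code from the thread or from either of the linked guides: it parses 675 and 644 lines in the flattened layout shown above, ties each lockout to the client addresses and failure codes seen for that account just before it, and separately flags one address producing wrong-password failures against many accounts, the shape of a password spray, which stays under the per-account threshold and so never produces a 644. The log lines, user names, DC name and addresses are constructed for the example.

```python
# Added example (not from the thread): correlate Kerberos pre-auth failures
# (event 675) with account lockouts (event 644) from a Windows 2000/2003 DC.
# Log lines are constructed to mirror the field layout quoted in the thread;
# users, DC name and addresses are made up. On 2008+ the events are 4771/4740.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

KRB_ERRORS = {  # RFC 4120 section 7.5.9 codes that matter for lockout triage
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
PREAUTH_RE = re.compile(
    r"Event Id - 675, AUDIT FAILURE, Security, (?P<ts>[^,]+), [^,]+, "
    r"Pre-authentication failed: User Name: (?P<user>\S+) .*?"
    r"Failure Code: (?P<code>0x[0-9A-Fa-f]+) Client Address: (?P<addr>\S+)")
LOCKOUT_RE = re.compile(
    r"Event Id - 644, AUDIT SUCCESS, Security, (?P<ts>[^,]+), [^,]+, "
    r"User Account Locked Out: Target Account Name: (?P<user>\S+) .*?"
    r"Caller Machine Name: (?P<machine>\S+)")

def _ts(text):
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")

def parse_events(log):
    """Split a log dump into pre-auth failure rows and lockout rows."""
    failures, lockouts = [], []
    for line in log.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            failures.append({"ts": _ts(m["ts"]), "user": m["user"].lower(),
                             "code": int(m["code"], 16), "addr": m["addr"].rstrip(".")})
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            lockouts.append({"ts": _ts(m["ts"]), "user": m["user"].lower(),
                             "machine": m["machine"]})
    return failures, lockouts

def lockout_sources(failures, lockouts, window=timedelta(minutes=10)):
    """Per locked-out account, a Counter of (client address, failure code) seen
    in the window before its 644. Caller Machine Name in the 644 is often the
    DC that tripped the threshold, not the culprit; the 675 Client Address is."""
    by_user = defaultdict(list)
    for f in failures:
        by_user[f["user"]].append(f)
    return {lk["user"]: Counter((f["addr"], f["code"]) for f in by_user[lk["user"]]
                                if lk["ts"] - window <= f["ts"] <= lk["ts"])
            for lk in lockouts}

def spray_suspects(failures, min_accounts=5):
    """Addresses with wrong-password failures against >= min_accounts distinct
    users. A spray stays under the per-account threshold, so no 644 ever fires."""
    seen = defaultdict(set)
    for f in failures:
        if f["code"] == 0x18:
            seen[f["addr"]].add(f["user"])
    return {a: len(u) for a, u in seen.items() if len(u) >= min_accounts}

def describe(code):
    return KRB_ERRORS.get(code, "unrecognised Kerberos error 0x%x" % code)

# ---- constructed sample log (not real output) ----
def _preauth(ts, user, code, addr):
    return ("Event Id - 675, AUDIT FAILURE, Security, %s, NT AUTHORITY\\SYSTEM, "
            "Pre-authentication failed: User Name: %s User ID: %%{%s} Service Name: "
            "krbtgt/CORP.EXAMPLE Pre-Authentication Type: 0x2 Failure Code: %s "
            "Client Address: %s" % (ts, user, user, code, addr))

def _lockout(ts, user, dc):
    return ("Event Id - 644, AUDIT SUCCESS, Security, %s, NT AUTHORITY\\SYSTEM, "
            "User Account Locked Out: Target Account Name: %s Target Account ID: "
            "%%{%s} Caller Machine Name: %s Caller User Name: %s$ Caller Domain: "
            "CORP Caller Logon ID: (0x0,0x3E7)" % (ts, user, user, dc, dc))

SAMPLE_LOG = "\n".join(
    # one stale credential retrying one account until it locks (the thread's case)
    [_preauth("Mon Nov 14 12:50:%02d 2005" % s, "jdoe", "0x18", "10.1.2.50")
     for s in (40, 44, 48, 52, 56)]
    + [_lockout("Mon Nov 14 12:50:56 2005", "jdoe", "DC01"),
       # the attempt after the lockout fails with CLIENT_REVOKED, not 0x18
       _preauth("Mon Nov 14 12:50:57 2005", "jdoe", "0x12", "10.1.2.50"),
       # clock skew from another host: noise, not a lockout driver
       _preauth("Mon Nov 14 12:51:03 2005", "asmith", "0x25", "10.1.2.77"),
       _preauth("Mon Nov 14 12:51:09 2005", "asmith", "0x25", "10.1.2.77")]
    # one address, one guess each against many accounts: a spray
    + [_preauth("Mon Nov 14 12:52:%02d 2005" % (5 * i), u, "0x18", "10.9.9.9")
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])])

if __name__ == "__main__":
    failures, lockouts = parse_events(SAMPLE_LOG)
    for user, hits in lockout_sources(failures, lockouts).items():
        for (addr, code), n in hits.most_common():
            print("%s: %d x %s from %s" % (user, n, describe(code), addr))
    for addr, n in spray_suspects(failures).items():
        print("possible password spray from %s against %d accounts" % (addr, n))
```

Run against a real dump, the first loop names the host holding the stale credential (a mapped drive, scheduled task or service still using an old password is the usual answer), and the second loop surfaces the case the lockout events never show, one source quietly trying one guess per account.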
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
I can't explain it to you, but you aren't alone. I've seen exactly the same thing happen (and I'm in the same environment you describe). But it never made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations. Disabled the account, set self to full mailbox access, moved account from Employees OU to terminated sub-OU. I had to do something to one of those accounts and didn't see it in ADUC. Knew it was there somewhere, so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had been set to TRUE.

Junior admin logs into exchange server to perform the account management, because it's the only machine that has the exchange admin tools on it that he can access. (That's changing today; he WILL load the tools on his machine. <G>) He didn't do anything special, doesn't use ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue. Any ideas? Easy enough to set the attribute back, but I'm wondering why it would set it in the first place. AFAIK, there isn't any way to set that attribute via the ADUC GUI...

This has only happened on two accounts, both dealt with in the past couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
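showInAdvancedViewOnly is only a display hint honoured by ADUC (with View > Advanced Features off) and similar consoles; it is not an ACL. The object stays a fully functional security principal that any LDAP client can see, which is exactly why ADFind found it. An account that drops out of the default view because some tool toggled that attribute is easy to lose track of, so it is worth auditing for. The script below is an added example, not code from the thread or from Cisco or Microsoft: it reads an LDIF export (the shape ldifde produces, or any tool emitting RFC 2849 LDIF), lists the user objects with the attribute set and puts enabled ones first, since a live principal nobody sees in the console is the case that matters. The LDIF, DNs and names are constructed for the example.

```python
# Added example (not from the thread): find accounts that ADUC hides because
# showInAdvancedViewOnly is TRUE, working from an LDIF export so it runs
# offline. The LDIF below is constructed; the DNs and names are made up.
import base64

# Filter to hand to ldifde -r / adfind -f; the attribute is not indexed by
# default, so scope the search with -d / -b to the OUs you care about.
LDAP_FILTER = "(&(objectCategory=person)(objectClass=user)(showInAdvancedViewOnly=TRUE))"
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled


def _finish(pending):
    """Turn [(attr, is_base64, raw_value)] into {attr_lower: [values]}."""
    entry = {}
    for attr, is_b64, value in pending:
        if is_b64:  # "attr:: <base64>" form, used for DNs or values with non-ASCII
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def parse_ldif(text):
    """Minimal RFC 2849 reader: folded lines, base64 values, blank-line separated
    entries. Enough for ldifde/adfind output; changetype records are not handled."""
    entries, pending = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and pending:      # continuation of previous value
            attr, is_b64, value = pending[-1]
            pending[-1] = (attr, is_b64, value + raw[1:])
        elif not raw.strip():                    # blank line closes the entry
            if pending:
                entries.append(_finish(pending))
                pending = []
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            if value.startswith(":"):
                pending.append((attr, True, value[1:].strip()))
            else:
                pending.append((attr, False, value.lstrip(" ")))
    if pending:
        entries.append(_finish(pending))
    return entries


def is_person(entry):
    return any(v.lower().startswith("cn=person,")
               for v in entry.get("objectcategory", []))


def hidden_accounts(entries):
    """(dn, sAMAccountName, enabled) for every user object hidden from the default
    ADUC view, enabled ones first: a live principal nobody sees in the console is
    the case worth chasing; a disabled leaver is merely surprising."""
    rows = []
    for e in entries:
        if not is_person(e):
            continue
        if e.get("showinadvancedviewonly", ["FALSE"])[0].upper() != "TRUE":
            continue
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        rows.append((e["dn"][0], e.get("samaccountname", ["?"])[0],
                     not uac & UF_ACCOUNTDISABLE))
    return sorted(rows, key=lambda r: not r[2])


# ---- constructed LDIF (shape of an ldifde export, not real directory data) ----
_B64_DN = base64.b64encode(b"CN=Hidden Admin,OU=Employees,DC=corp,DC=example").decode()
SAMPLE_LDIF = """\
dn: CN=Alice Normal,OU=Employees,DC=corp,DC=example
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName: anormal
userAccountControl: 512

dn: CN=Ted Terminated,OU=Terminated,OU=Employees,DC=corp,DC=example
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName: tterminated
userAccountControl: 514
showInAdvancedViewOnly: TRUE

dn:: %s
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName: hadmin
userAccountControl: 66048
showInAdvancedViewOnly: TRUE
description: value folded
  across two lines

dn: CN=System,DC=corp,DC=example
objectClass: container
showInAdvancedViewOnly: TRUE
""" % _B64_DN

if __name__ == "__main__":
    for dn, sam, enabled in hidden_accounts(parse_ldif(SAMPLE_LDIF)):
        print("%-8s %-12s %s" % ("ENABLED" if enabled else "disabled", sam, dn))
```

To produce real input, export from a DC with something like `ldifde -f hidden.ldf -d "OU=Employees,DC=corp,DC=example" -r "(showInAdvancedViewOnly=TRUE)" -l sAMAccountName,userAccountControl,objectCategory,showInAdvancedViewOnly` (the base DN is an assumption for the example) and feed the file to parse_ldif; the System container in the sample is there to show why the objectCategory check matters, since plenty of legitimate infrastructure objects carry the attribute and are not accounts.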
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Exchange in the mix. Is custom address list in the mix also? Using restricted view of address list? Could the user have been part of this list and the list has had its showInAdvancedViewOnly set to TRUE in the past? This is common in the Hosted Exchange space. At least it was when I used to play there.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Tue 8/16/2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the same thing happen (and I'm in the same environment you describe). But it never made it high enough up my priority list to investigate.
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the same thing happen (and I'm in the same environment you describe). But it never made it high enough up my priority list to investigate.
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Yes, I run Unity in UM mode.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Well, here's what we found. Totally unrelated to Unity, our Unity admin contacted me about not seeing an account in the object picker to add to a group. I checked, and showInAdvancedViewOnly=TRUE. I mentioned this discussion to him, so he looked at it from the Unity interface.

The setting in Unity for that account was "Do not list subscriber in phone directory" and "Show subscriber in e-mail server address book". He changed it to "Do not show in GAL" and saved it. Then he enabled both, so the settings are now "List in phone directory" and "Show subscriber in e-mail server address book". I looked again and showInAdvancedViewOnly was toggled to FALSE.

He's going to play around with it from the Unity side and see if he can repro the issue.

hth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Yes, I have hundreds of restricted address lists. Do you have a reference you could share?

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Exchange in the mix. Is custom address list in the mix also? Using restricted view of address list? Could the user have been part of this list and the list has had its showInAdvancedViewOnly set to TRUE in the past? This is common in the Hosted Exchange space. At least it was when I used to play there.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
We're not using any address lists except the default. I'm the only one in our building who can spell ADSIEdit or do any scripting, so no one would have done anything like that here.

I keep coming back to Unity, except that this has only happened on two accounts and we've been running Unity 4.0(4) for the past 6 months with no issue...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Exchange in the mix. Is custom address list in the mix also? Using restricted view of address list? Could the user have been part of this list and the list has had its showInAdvancedViewOnly set to TRUE in the past? This is common in the Hosted Exchange space. At least it was when I used to play there.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
Re: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
I've seen this behavior every few months. We have Unity as well and I always blamed it on it, as I've never seen this on any of my clients who do not have Unity. Simple fix, but still annoying to have to watch out for it and correct it. It seems to be random as I can find no pattern as to who it will happen to next.

Cheers

On 8/16/05, Free, Bob [EMAIL PROTECTED] wrote:

This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Unfortunately, I don't. I just remember it being a standard practice when we had to hide the address lists of one company from all the other companies we were hosting email for. If I come across a reference, I'll post it.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Tue 8/16/2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Yes, I have hundreds of restricted address lists. Do you have a reference you could share?

Thanks.
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
While we're on the Unity thread, did you guys have a helluva time getting Cisco to open up with what was happening with that god-awful Permissions Wizard???

:m:dsm:cci:mvp

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Tuesday, August 16, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've seen this behavior every few months. We have Unity as well and I always blamed it on it, as I've never seen this on any of my clients who do not have Unity. Simple fix, but still annoying to have to watch out for it and correct it. It seems to be random, as I can find no pattern as to who it will happen to next.

Cheers

On 8/16/05, Free, Bob [EMAIL PROTECTED] wrote:
This is a bit surreal, I *just* got asked about this exact situation only a couple of minutes after Charlie's message. We are in a very similar environment although it's E2K instead of 2K3, is Unity a common denominator?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the same thing happen (and I'm in the same environment you describe). But it never made it high enough up my priority list to investigate.
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
OK; I just looked at that and verified that if I set the "Show subscriber in e-mail server address book" box in Unity to be unchecked, it sets the flag to true in AD. If I check it, the flag gets set to false. Except that our admin didn't touch the Unity config. That's the weird part. Perhaps it's a combination of disabling the account, moving it to another OU, etc. Might be a Unity bug; I'll look further into that.

Problem is, if we set the "hide from address list" box in ADUC Exchange Advanced, it doesn't set the same flag in Unity. Seems like Unity and Exchange aren't looking at the same attribute. If I get time, I'll call Cisco on it tomorrow.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Well, here's what we found. Totally unrelated to Unity, our Unity admin contacted me about not seeing an account in object picker to add to a group. I checked and showInAdvancedViewOnly=TRUE. I mentioned this discussion to him, so he looked at it from the Unity interface. The setting in Unity for that account was "Do not list subscriber in phone directory" and "Show subscriber in e-mail server address book". He changed it to "Do not show in GAL" and saved it. Then enabled both so the settings are now "List in phone directory" and "Show subscriber in e-mail server address book". I looked again and showInAdvancedViewOnly was toggled to FALSE. He's going to play around with it from the Unity side and see if he can repro the issue.

hth
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Charlie, the mod you are doing in ADUC Exchange Advanced corresponds to the ShowInAddressBook attrib, not the showInAdvancedViewOnly attrib. I am not familiar with Unity, but from what you guys have been saying, it looks like Unity is toggling the showInAdvancedViewOnly value, not (or maybe in addition to) the ShowInAddressBook attrib.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 8/16/2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Hope it's not bad juju to reply to myself 2x in the same day :-]

Here's what our Unity admin found on his side:
When "Show in the GAL" is not checked, it makes showInAdvancedViewOnly: TRUE
When it's checked, it shows showInAdvancedViewOnly: FALSE
The "List in phone directory" setting doesn't make any difference.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
OK, so we know now that Unity is doing the toggling.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Tue 8/16/2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
Yep. That's why I think it's a Unity bug. Sounds like they've flagged the wrong attribute.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
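An added example, not from anyone in the thread: a PowerShell audit that lists every user object in the domain carrying showInAdvancedViewOnly=TRUE (the flag that hid Charlie's accounts from ADUC and the object picker) and shows the account's disabled bit and msExchHideFromAddressLists, the Exchange attribute behind the "hide from address lists" checkbox (not mentioned in the thread), so accounts hidden by one flag but not the other stand out. It uses System.DirectoryServices directly, so it needs no AD module; defaulting $SearchBase to the domain root is an assumption.

```powershell
# Added example (not the thread's code): report user accounts that are hidden
# from ADUC via showInAdvancedViewOnly=TRUE, alongside the Exchange hide-from-GAL
# attribute, so a Unity-style toggle of the wrong attribute is easy to spot.
# Assumption: $SearchBase defaults to the domain root; pass an OU DN to narrow it.
param(
    [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
)

# objectCategory=person keeps computers out (they are also objectClass=user).
# showInAdvancedViewOnly is a Boolean syntax attribute, stored as the string TRUE.
$filter = '(&(objectCategory=person)(objectClass=user)(showInAdvancedViewOnly=TRUE))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
$searcher.Filter      = $filter
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000   # paged search, so more than 1000 hits are returned

$wanted = 'distinguishedName', 'sAMAccountName', 'userAccountControl',
          'showInAdvancedViewOnly', 'msExchHideFromAddressLists', 'whenChanged'
foreach ($a in $wanted) { [void]$searcher.PropertiesToLoad.Add($a) }

# Read one attribute from a SearchResult. Keys in the result collection are
# lower-cased, and an attribute with no value is simply absent.
function Get-Attr($result, [string]$name) {
    $key = $name.ToLower()
    if ($result.Properties.Contains($key)) { $result.Properties[$key][0] } else { $null }
}

$report = foreach ($r in $searcher.FindAll()) {
    $uac  = [int](Get-Attr $r 'userAccountControl')
    $hide = Get-Attr $r 'msExchHideFromAddressLists'
    $gal  = if ($null -eq $hide) { '<not set>' } else { [string]$hide }
    [pscustomobject]@{
        SamAccountName = [string](Get-Attr $r 'sAMAccountName')
        Disabled       = [bool]($uac -band 0x2)          # ADS_UF_ACCOUNTDISABLE
        HiddenInADUC   = [string](Get-Attr $r 'showInAdvancedViewOnly')
        HiddenFromGAL  = $gal
        WhenChanged    = Get-Attr $r 'whenChanged'
        DN             = [string](Get-Attr $r 'distinguishedName')
    }
}

# Most recently modified first: the thread's cases were fresh terminations.
$report | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Rows showing HiddenFromGAL as "<not set>" are accounts hidden in ADUC without the Exchange hide flag, the mismatch the thread describes; the thread's remedy is to set showInAdvancedViewOnly back to FALSE on the affected object.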