Hi,
I have 2 DC 2003, one (first in the forest) DC holds FSMO, GC, DHCP, DNS.
The second DC is an additional DC in the domain.
Replication works fine between the DCs.
My question: if I create a user in the first DC
and the user wants to log in to the domain, should he wait until replication starts with
the second DC? Or can he log in to the domain even if the second DC has not replicated yet...
And the same question, just the opposite: if I create a user in the 2nd DC, can he log in to the domain without replicating with the first DC
in the domain? If there are logical rules about that
it will be great to hear.
Thanks a lot, Sharon

In both scenarios, yes, it will work fine.
Also, your second DC should be a DNS server and a GC for redundancy.
"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"

To say it will work fine isn't exactly true. It depends entirely on how you have things configured. If you attempt to log on with an account before replication has completed and the DC that authenticates you is not aware of the newly created account, you will not be authenticated. As far as that DC is concerned, the account doesn't exist.
It depends on which DC the client contacts, and that depends on how your Active Directory is configured, how DNS is configured, how many sites and subnets you have, etc.
Assuming everything is working correctly and replication has occurred, it will work fine. If you have one site, replication will be within a few minutes at most; if you have multiple sites and subnets, replication might take up to 180 minutes.
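The two things the reply above says the answer depends on, which DC the client actually picked and whether the partner DC has replicated yet, are both observable. The following is an added example, not code from the thread; it assumes a domain-joined machine with the RSAT ActiveDirectory module, the `nltest` and `repadmin` tools, and a DC named `DC1` (substitute your own names).

```powershell
# Added example (not from the original thread). Which DC handled this logon,
# which DC the locator would hand out right now, and whether the DCs agree.
# Assumes RSAT (ActiveDirectory module), nltest, repadmin, and a DC named DC1.

# The DC that authenticated the current interactive session
$env:LOGONSERVER

# Ask the DC locator for a DC now, bypassing the cached answer; the site and
# subnet mapping decides which DCs are candidates, then it is effectively
# whichever candidate answers first
nltest /dsgetdc:$env:USERDNSDOMAIN /force

# Inbound replication partners of DC1 with last success/failure per partition
repadmin /showrepl DC1

# The same data from PowerShell, handy for filtering or scheduling
Get-ADReplicationPartnerMetadata -Target DC1 -Scope Server |
    Select-Object Server, Partner, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult

# Objects changed on DC1 that partners have not yet pulled
repadmin /showchanges DC1 DC2 "DC=corp,DC=example,DC=com" | Select-Object -First 40   # assumed domain DN

# Do not wait for the schedule: sync all partitions, across sites, push mode
repadmin /syncall DC1 /A /e /P /d
```

A non-zero `LastReplicationResult` or a `LastReplicationSuccess` hours old means the "it depends" case is real and the new account will not be accepted on that partner until the error is cleared; `/syncall` forces the cycle once the link is healthy again.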

"If you attempt to log on with an account before replication has completed and the DC that authenticates you is not aware of the newly created account, you will not be authenticated. As far as that DC is concerned, the account doesn't exist."
Except that he said one domain, two DC's, and didn't mention anything about multiple sites, which most likely means this is a single site.
"Assuming everything is working correctly and replication has occurred, it will work fine. If you have one site, replication will be within a few minutes at most..."
Intrasite replication works through immediate notification of object changes, including account creation. Therefore, the other DC is immediately aware of the new account.
"...if you have multiple sites and subnets, replication might take up to 180 mins."
Not true. It could be far longer than 180 minutes in that case. Since we're splitting hairs, you could have interconnected sites in a chain. As in
Site A -> Site B -> Site C -> Site D -> Site E
If each site link is set to replicate once per hour, an account created in site A could take up to 240 minutes to appear in Site E.

Fine, but if you want to split hairs, I said, "it depends how you have things configured," which is the whole point. I was simply addressing the point that you said it will work fine. It will, it just might not be immediate, which was the general point in his initial question.
And to split hair even further, the question didn't ask how quickly it would replicate, the question was, "should he wait until replication start with
the second dc? or he can login to domain even the second dc not replicate yet..." so the correct answer still is - you have to wait for replication to the second DC.

Except in intrasite replication, object creation triggers immediate notification, as I stated. There is no wait. So the simple answer in this case was: yes, it will work fine.
The way you answered it made it sound as if, in an intrasite replication scenario, replication only happens on a schedule like intersite replication. That is simply not the case.
Getting into the thick of intersite replication in a single site environment in the first place was hair splitting. There was no need to go into that in the first place unless you wanted to do hair splitting. I'm simply happy to oblige, so nit pick my answer, and I'll nit pick yours. :-)
As long as it's all done in the name of enlightenment, I'm okay with it.

I don't agree that immediate replication occurs for new object creation. It has always been my understanding that urgent replication is triggered by some events - account lockout, changing of certain group policies and some other security related issues. I have never been aware of new object creation triggering urgent replication however I will admit I have never really tested it. All of my DCs are in separate sites.
I may be wrong so if you have something indicating that object creating triggers urgent replication, I'd love to see it.
So for now, I'll stick with my story of having to wait for replication to occur on DC2.

How long after you join a computer to a domain do you have to wait for it to successfully allow logging into the domain across domain controllers within the same site consistently? It's the exact same thing.
How is that possible?

I'm not sure I understand your question. In the process of adding a computer to the domain, it will create a computer account in the domain if one isn't there. If you try to log in, it will most likely use the same DC to authenticate so you will get in almost right away. It depends which DC authenticates you.
Very few things will trigger urgent replication. To my knowledge, new object creation isn't one of them. You have to wait for replication - or manually force it.
But again, I'm open to some proof I am wrong on that.

Have you ever seen a computer added to a domain that couldn't immediately authenticate consistently?
"It depends which DC authenticates you."
Ditto with a user. But according to you, the user may not be able to log in for up to 5 minutes.
"If you try to log in, it will most likely use the same DC to authenticate so you will get in almost right away."
Why would it most likely use the same DC it used to join the domain? If you know the process of how a DC is selected to be used for authentication, it's pretty much potluck which server within a site a client happens to use. The factor most likely to determine which DC the client would use in this case is ping. Let's say you have 4 DC's in a site with a client. Since a site is defined as "well connected", what are the odds the DC with lowest ping at the time of joining the domain will be the same DC with the lowest ping after the reboot required when a PC joins a domain? Not good.
I don't know about you, but I've never seen a client not be able to log into a domain after a reboot because of normal intrasite replication latency, and I've done A LOT of AD work in environments from smaller businesses to large multidomain corporations and government agencies.

I didn't say it would take 5 mins for intrasite replication. I said it could - depending on a lot of things. The reality is, that by the time a pc reboots, it probably would have replicated.
I don't want to beat this to death. My whole point is addressing his first question. I have over 25 DC's in my domain. I'm pretty familiar with how this all works. So again, I am not aware of new objects triggering urgent replication, or immediate replication as you refer to it. I'll grant you that on a low traffic network with powerful enough DCs the replication will be quick intrasite, but my point is, it isn't immediate and you will have to wait for replication, however long that may be.

"I have over 25 DC's in my domain."
"All of my DCs are in separate sites."
I rest my case.

Ok. I'm not sure you had a case in the first place.
Sorry for the distraction to the original poster of the question. The answer to your question is, you'll have to wait for replication. Good luck with it.

According to you, we're to believe you because you claim...
"I have over 25 DC's in my domain. I'm pretty familiar with how this all works."
But then you admit...
"All of my DCs are in separate sites."
How can you be "pretty familiar" with intrasite replication when you have no intrasite replication happening in your environment? You could have 250 domain controllers for all I care. If they're all in separate sites, from that, you wouldn't know how replication works.
In fact, you even said...
"I will admit I have never really tested it."
You can be unsure if I have a case or not. I couldn't care less. I have tested it. I know flat out how it works in an intrasite scenario. There isn't even a delay in uncompressing the data because there is no compression in replication traffic in intrasite scenarios.
"The answer to your question is, you'll have to wait for replication."
Which there is no wait in intrasite replication, as I said before. This thread should have been over at the first response...

So then I can only understand how intrasite replication works if I have multiple DCs in a site? In other words, I designed an AD network with multiple subnets, multiple sites, site links, replication schedules, etc., and I don't know how intrasite replication works?
New user object creation does not trigger urgent replication. Point me to a link that says it does. In the meantime...
http://www.microsoft.com/technet/pr...
"Urgent replication ensures that critical directory changes are immediately replicated, including account lockouts, changes in the account lockout policy, changes in the domain password policy, and changes to the password on a domain controller account. With urgent replication, an update notification is sent out immediately, regardless of the notification delay."
"The following events are not urgent replications in Windows 2000 domains:
• Changing the account lockout policy
• Changing the domain password policy
• Changing the password on a computer account
• Domain trust passwords"

"New user object creation does not trigger urgent replication. Point me to a link that says it does."
LOL!
Read that closely. They list various things that cause urgent replication, but they do not say that is the definitive list, nor do they say that list is exclusive. It doesn't say...
"The only events that cause this are..."
They say "Urgent replication ensures that critical directory changes are immediately replicated, including..."
They then compare that to Windows 2000.
Show me where that says new accounts are not immediately replicated. It doesn't say one way or the other.
If I said...
"I enjoy many types of food, including Chinese, Mexican, and Italian."
Is it logical to say from that I don't like Indian food? No. You don't know if I like Indian food or not from that statement.
SO...
Try it yourself!
I am volunteering one thing I could be wrong about. I know from experience new user accounts work virtually immediately. However, it may not be because of urgent replication; it could be from immediate replication to the PDC emulator, which other DC's would check before failing the authentication attempt. For example, password changes are handled in this manner.
Unfortunately, Microsoft documentation isn't clear how new accounts are handled in these circumstances. Regardless, the outcome is the same - it will work almost immediately. Proof is in the pudding.
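"Try it yourself" is the right way to settle both the original question and this argument, because the number is measurable: create the account on one DC and poll the other until it shows up. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, Domain Admin rights, two DCs named `dc1`/`dc2` in the same site, and an OU path you must change. With the default Windows Server 2003 intrasite notification delay of 15 seconds, the elapsed time it reports is normally tens of seconds, and the replication metadata it prints afterwards shows which DC originated the write.

```powershell
# Added example (not from the original thread): measure how long a user created
# on dc1 takes to become visible on dc2, then show who originated the change.
# Assumes RSAT ActiveDirectory module, Domain Admin rights, and the names below.
Import-Module ActiveDirectory

$Source   = 'dc1.corp.example.com'                 # assumed DC names
$Target   = 'dc2.corp.example.com'
$OU       = 'OU=Test,DC=corp,DC=example,DC=com'    # assumed OU; change it
$Sam      = 'repltest' + (Get-Random -Maximum 9999)
$Password = ConvertTo-SecureString 'Repl-Test-Chang3-Me!' -AsPlainText -Force

# Write the new account to the source DC only
New-ADUser -Server $Source -Name $Sam -SamAccountName $Sam -Path $OU `
    -AccountPassword $Password -Enabled $true
$created = Get-Date

# Poll the other DC (not the source) until the object is visible there
$deadline = $created.AddMinutes(5)
$seen = $null
do {
    $seen = Get-ADUser -Server $Target -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
    if (-not $seen) { Start-Sleep -Milliseconds 500 }
} while (-not $seen -and (Get-Date) -lt $deadline)

if ($seen) {
    'User {0} visible on {1} after {2:N1} s' -f $Sam, $Target, ((Get-Date) - $created).TotalSeconds

    # Per-attribute replication metadata as dc2 sees it: the originating DC
    # should be dc1 and the timestamp should match $created
    Get-ADReplicationAttributeMetadata -Object $seen.DistinguishedName -Server $Target -Properties sAMAccountName |
        Select-Object AttributeName, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
} else {
    "User $Sam NOT visible on $Target after 5 minutes; check: repadmin /showrepl $Target"
}

# Clean up from the source DC; the deletion replicates the same way
Remove-ADUser -Identity $Sam -Server $Source -Confirm:$false
```

Run it a few times and against each DC as the source, since the question was asked in both directions. If a logon on the target DC during the measured window fails with an unknown-user error while a logon against the source succeeds, that is the replication gap the thread is arguing about, made visible; a test account with a throwaway password that you delete at the end keeps the experiment from leaving a stray enabled account behind.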
