A flaw in Active Directory?

In Network World Fusion's "Windows NT" newsletter I've been taking a close look at Active Directory as it is implemented in Windows 2000. In the August 2 newsletter, I outlined the Active Directory replication and synchronization strategy. But the more I think about it, the more afraid I become.

Active Directory uses multimaster replication. No more Primary Domain Controllers (PDC) and Backup Domain Controllers (BDC) - all Domain Controllers are equal peers. Objects can be manipulated on any Domain Controller, and the changes are then propagated to the remaining domain controllers. While this is easier on the administrator than the PDC-BDC mode of NT 4 (where all changes had to be made on the PDC), it means that there needs to be a way to reconcile changes which might be made to the same object on different Domain Controllers.

There is no time synchronization among the Domain Controllers, so ordering changes by time stamp won't work. Instead, a concept called the Update Sequence Number (USN) is used. Each Domain Controller holds a table containing entries for its own USN and the USNs of its replication partners. During replication, the Domain Controller compares the last known USN of its replication partner (saved in the table) with the current USN that the replication partner provides. If there have been recent changes (that is, if the replication partner provides a higher USN), the data store requests all changes from the replication partner. After receiving the data, the directory store sets the USN to the same value as that of the replication partner. This only guarantees that all changes made on a single Domain Controller will be propagated in the correct order.

If properties on the same object are changed from different domain controllers, a series of comparisons must be made by Active Directory to decide which is the correct order of changes.

The first decider is the version number. All properties carry a version number that is incremented with each change, and the higher version always takes precedence. But if I make two changes to an object on one Domain Controller (+2 to the version number), then make a change to the same object on another Domain Controller (+1 to the version number) before the first changes are propagated, my second change - not the third one, which would be correct - is the one accepted as final.

If the version numbers on the changed object are the same, then the timestamps on the changes are used. But because there is no time synchronization between Domain Controllers, this could lead to wrong information being propagated.

If both version number and timestamp are the same, Active Directory performs a binary memory copy operation and compares the buffer size. The higher buffer size wins. If the two buffers are equal, the data is the same, and one can be discarded. If they're not the same, though, there's nothing to guarantee that the correct information is chosen - just the one with a bigger buffer size!

Because none of these methods guarantees that correct information is propagated, all possible changes are logged. You can peruse the logs, then make further changes to correct the errors - and hope that they get propagated correctly.
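To make the three-stage tiebreak concrete, here is an added simulation (it is not code from the article, from Microsoft, or from Windows 2000 itself) that models the rules exactly as the column describes them: USN polling between two partners, then version number, then timestamp, then buffer size. The Domain Controller names, the clock offset, and the attribute values are constructed for the example. Each scenario function reproduces one of the failure cases above and returns the value the two replicas converge on, plus, in the first case, the full change log an administrator would have to read to notice that the wrong value won.

```python
"""Simulation of the Active Directory replication and conflict-resolution
rules as described in the article. Added example: it models the article's
description, not the real Windows 2000 implementation. All DC names, clock
offsets and attribute values below are constructed."""

from dataclasses import dataclass, field


@dataclass
class Change:
    """One replicated attribute value plus the metadata the article mentions."""
    value: bytes
    version: int      # incremented on every local write
    timestamp: float  # stamped from the originating DC's *own* clock


@dataclass
class DomainController:
    name: str
    clock_offset: float = 0.0                         # constructed clock skew (seconds)
    usn: int = 0                                      # this DC's own Update Sequence Number
    partner_usn: dict = field(default_factory=dict)   # last USN seen from each partner
    store: dict = field(default_factory=dict)         # attribute name -> current Change
    journal: list = field(default_factory=list)       # (usn, attr, Change) for outbound replication
    log: list = field(default_factory=list)           # every change seen, local or incoming

    def write(self, attr, value, true_time):
        """Local write: bump the version number and stamp with the local (skewed) clock."""
        old = self.store.get(attr)
        chg = Change(value, (old.version if old else 0) + 1, true_time + self.clock_offset)
        self.usn += 1
        self.store[attr] = chg
        self.journal.append((self.usn, attr, chg))
        self.log.append((self.name, attr, chg))

    def pull_from(self, partner):
        """Replication step: compare the partner's current USN with the last one we
        recorded for it and request only the changes made after that point."""
        last_seen = self.partner_usn.get(partner.name, 0)
        if partner.usn <= last_seen:
            return []  # partner has nothing newer than what we already saw
        applied = []
        for usn, attr, chg in partner.journal:
            if usn > last_seen and self._resolve(attr, chg):
                applied.append(attr)
        self.partner_usn[partner.name] = partner.usn  # set our table entry to the partner's USN
        return applied

    def _resolve(self, attr, incoming):
        """The tiebreak order the article describes. Returns True if the incoming
        change replaced the local one."""
        local = self.store.get(attr)
        self.log.append((f"from-partner@{self.name}", attr, incoming))
        if local is None:
            winner = incoming
        elif incoming.version != local.version:              # 1. higher version number wins
            winner = incoming if incoming.version > local.version else local
        elif incoming.timestamp != local.timestamp:          # 2. later (unsynchronized) timestamp wins
            winner = incoming if incoming.timestamp > local.timestamp else local
        elif len(incoming.value) != len(local.value):        # 3. bigger buffer wins
            winner = incoming if len(incoming.value) > len(local.value) else local
        else:
            winner = local  # same size: one copy is discarded, correctness not guaranteed
        self.store[attr] = winner
        return winner is incoming


def version_number_scenario():
    """Article's case: two edits on DC1, then a later edit on DC2 before replication.
    Returns the converged value and every value that ended up in DC1's log."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("phone", b"555-0100", true_time=1.0)  # version 1 on DC1
    dc1.write("phone", b"555-0101", true_time=2.0)  # version 2 on DC1
    dc2.write("phone", b"555-0199", true_time=3.0)  # version 1 on DC2, chronologically last
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    logged = sorted({chg.value for _, _, chg in dc1.log})
    return dc1.store["phone"].value, logged  # the older, higher-version value wins


def clock_skew_scenario():
    """Same version number on both sides: the DC with the fast clock wins even
    though its edit happened earlier in real time. Returns both replicas' values."""
    dc1 = DomainController("DC1")
    dc2 = DomainController("DC2", clock_offset=600.0)  # DC2's clock runs ten minutes fast
    dc2.write("phone", b"555-0199", true_time=1.0)   # earlier real-time edit
    dc1.write("phone", b"555-0100", true_time=2.0)   # later real-time edit
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    return dc1.store["phone"].value, dc2.store["phone"].value


def buffer_size_scenario():
    """Equal version and timestamp: the longer buffer is accepted regardless of
    which value was actually intended."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("title", b"Engineer", true_time=5.0)
    dc2.write("title", b"Senior Engineer", true_time=5.0)
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    return dc1.store["title"].value
```

Running the three scenarios shows what the column warns about: in the first, both replicas settle on `555-0101` even though `555-0199` was the last edit made, and only the log still holds all three values; in the second, a ten-minute clock skew lets the earlier edit win; in the third, "Senior Engineer" beats "Engineer" purely on length. The log is the only place an administrator can see that a newer change was overridden, which is the point of the paragraph above.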

RELATED LINKS

Dave Kearns is a writer and consultant in Silicon Valley. His most recent book is "Peter Norton's Complete Guide to Networks" published by SAMS. Dave's company, Virtual Quill, provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more at www.vquill.com/ or by e-mail at info@vquill.com


Review: Active Directory migration tools
Network World, 8/16/99.