Created the same user on two different domain controllers

5

Suppose you have 2 domain controllers, DC1 and DC2.

For whatever reason, two different people create a new user account - one on DC1 and the other on DC2.

Presumably the two accounts now have the same username but different SIDs.

What happens when the domain controllers next try to synchronize?

by Grant 21.01.2013 / 19:01

1 answer

10

You get a replication conflict.

One of the accounts will get to keep the desired name and the other will be automatically renamed to something else to resolve the conflict.

This example is actually used here and the relevant parts are pasted below.

Consider the example of the jsmith user object in the contoso.com domain. An administrator on DC1 changes jsmith's description to "Marketing." Nearly simultaneously, an administrator on DC3 changes the same user's description to "Sales and Marketing." At this point, DC1's and DC3's information about jsmith's description attribute compare as shown in Figure 9.

[Figure 9: DC1's and DC3's information about jsmith's description attribute]

If DC2 receives both of these changes simultaneously, it will clearly need to determine which one is the "winning" change. The order of tiebreakers for conflict resolution is as follows:

The modification that has the higher versionID will be accepted as the "winning" change; the "losing" change will be overwritten. In this case, the versionID is 2 for both records, so we need to move onto the second tiebreaker.

If both records have the same versionID, the change that has the later timestamp will be accepted as the winning change; the losing change will be overwritten. In this case, the timestamp from DC3's originating write is later, so jsmith's description will be set to "Sales and Marketing." In the rare instance when both the versionID and timestamp are identical, we need a third and definitive tiebreaker:

If both records have the same versionID and timestamp, whichever write was originated by the DC with the lower-numbered GUID will win; the write from the higher-numbered GUID will be overwritten. So if DC1's GUID is 1234567890 and DC3's GUID is 2345678901, the originating write from DC1 would win if both the versionID and timestamp were identical.

You are probably thinking, "Wouldn't it make more sense to have the timestamp be the first tie-breaker?" This isn't as cut-and-dried as you might think. If timestamp were the primary tie-breaker in Active Directory conflict resolution, the only thing that a malicious administrator would need to do to propagate his or her changes would be to set back the clock on one particular DC so that it would always win by way of timestamps.

Resolving Conflicting Object Creation

In cases where two objects are created with the same name, Active Directory will use the same three tie-breakers described in the previous section to determine which one is the "winning" object. Unlike the previous section, however, the "losing" object doesn't get overwritten. Instead, the losing object is renamed using the characters CNF (for conflict object), followed by a colon and the GUID of the "losing" object. This allows administrators to more methodically determine which object should be retained and which should be deleted.

by 21.01.2013 / 19:10
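The three tie-breakers and the CNF rename described in the answer above, modelled as an added Python example (not code from the post or from Microsoft). The metadata fields, DC invocation GUIDs, objectGUIDs and timestamps are constructed sample values; the line feed between the name and "CNF:" reflects how Active Directory actually names a conflict object.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from uuid import UUID

@dataclass(frozen=True)
class OriginatingWrite:  # constructed model of the per-attribute replication metadata
    version: int         # attribute versionID
    timestamp: datetime  # originating time of the write
    dc_guid: UUID        # invocation GUID of the originating DC
    value: str           # attribute value written

def winning_write(a: OriginatingWrite, b: OriginatingWrite) -> OriginatingWrite:
    """Tie-breakers in order: higher versionID, later timestamp, lower originating DC GUID."""
    if a.version != b.version:
        return a if a.version > b.version else b
    if a.timestamp != b.timestamp:
        return a if a.timestamp > b.timestamp else b
    return a if a.dc_guid.int < b.dc_guid.int else b

def resolve_creation_conflict(cn, a, a_object_guid, b, b_object_guid):
    """Same tie-breakers, but the loser is renamed '<cn>\\nCNF:<objectGUID>' instead of overwritten."""
    loser_guid = b_object_guid if winning_write(a, b) is a else a_object_guid
    return {"kept": cn, "renamed": f"{cn}\nCNF:{loser_guid}"}

# Constructed sample data mirroring the jsmith example: both DCs write version 2.
DC1_GUID = UUID("11111111-1111-1111-1111-111111111111")
DC3_GUID = UUID("33333333-3333-3333-3333-333333333333")
T0 = datetime(2013, 1, 21, 19, 1, 0, tzinfo=timezone.utc)
dc1_write = OriginatingWrite(2, T0, DC1_GUID, "Marketing")
dc3_write = OriginatingWrite(2, T0 + timedelta(seconds=5), DC3_GUID, "Sales and Marketing")

def description_conflict() -> str:
    """Equal versionID, later timestamp on DC3: DC3's value wins."""
    return winning_write(dc1_write, dc3_write).value

def skewed_clock_does_not_win() -> str:
    """A higher versionID wins even from a DC whose clock is a month behind."""
    stale = OriginatingWrite(3, T0 - timedelta(days=30), DC1_GUID, "Marketing v3")
    return winning_write(stale, dc3_write).value

def guid_tiebreak() -> str:
    """Identical versionID and timestamp: the lower DC GUID (DC1) wins."""
    same_time = OriginatingWrite(2, dc3_write.timestamp, DC1_GUID, "Marketing")
    return winning_write(same_time, dc3_write).value

def creation_conflict() -> dict:
    """Two 'jsmith' objects created on DC1 and DC3; DC1's loses and is renamed."""
    dc1_obj = UUID("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
    dc3_obj = UUID("bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")
    return resolve_creation_conflict("jsmith", dc1_write, dc1_obj, dc3_write, dc3_obj)
```

Compare the model against real metadata with `repadmin /showobjmeta` on the conflicting object to see which DC's write actually won.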