Understanding Sync Immediate
Novell Cool Solutions: Tip
Updated: 16 Jun 2005
A reader recently asked:
"I have to satisfy an audit item. Let's say I have a three-server environment and one NDS partition. Server1 holds the Master replica, and Server2 and Server3 hold R/W replicas. In a perfect world with no server, network or communication issues, I am authenticated to Server1 and change my password. How quickly does that password change sync out to Server2 and Server3? Is there any documentation on this? Is this sync delay time configurable?"
And here's what the reader and two Forum experts found out on the topic:
Reader: In the September 2001 AppNotes it states:
"If an attribute is flagged Sync Immediate, when it is modified, the synchronization process is scheduled to run within 10 seconds. This does not necessarily guarantee that the attribute will be "immediately" sent to all other replicas, but the process does start. If there are other circumstances preventing or delaying successful synchronization, the attribute will take some time (depending on the specific circumstance) before being fully synchronized.
If an attribute is not flagged Sync Immediate, when it is modified, it schedules the synchronization process to run in 30 minutes or less. When the synchronization process is initiated, all changes within a given partition will be synchronized, so if 10 attributes are modified and only one is set to Sync Immediate, they will all go when that one does."
(See http://developer.novell.com/research/ebooks/September2001.pdf, page 102.)
Expert 1: The Logic Source for eDirectory states that all of the Password attributes are listed with "sync immediate" as a constraint. You can find this information at: LogicSource for eDirectory - eDirectory Attribute Type Definitions - Password Allow Change, etc.
Expert 2: Security-related items are flagged "Immediate Sync," which means that they will synchronize in a maximum of 10 seconds. This is hard-coded and cannot be changed.
In eDirectory 8.8 (not out yet) you will be able to make some changes in priority of attributes, but only in speeding them up. For instance, you could take a non-import attribute that could normally sync in more than 10 seconds and set it to synchronize immediately. You could also make a password synchronize sooner (or any other attribute) but not later. As I mentioned, immediate sync isn't only for passwords. You cannot change it (short of unplugging a server from the network, but if people have access to do that, then you wouldn't care about password synchronization).
You can also check out the following tutorial on the subject:
Update:
Novell's Paul McKeith adds the following notes to this article:
"In older versions of eDirectory, the synchronization process was scheduled to run in 30 minutes or less. Now the time is actually determined by the Heartbeat Interval setting, for which the default is 60 minutes.
Also, Priority sync in eDir 8.8 is completely independent of the "normal" skulker-based sync process. With Priority sync, attributes flagged as such will be sent through this new channel to the other servers in the ring. The attribute will still sync again when the skulker-based sync occurs. It should also be pointed out that this feature should be used judiciously."