A. There might be instances in which you want to identify changes made to AD--for example, when you want to duplicate the changes to another AD or database or for certain types of audit tracking.
There are two main types of change tracking:
- Polling-based solutions. At periodic intervals, a process connects to AD and requests all changes that have occurred since it last connected. You can find changes by checking uSNChanged attributes on objects. Microsoft provides the AD directory synchronization (DirSync) tool to perform this process for you. You can find more information on the polling approach at the following URLs:
- http://support.microsoft.com/?kbid=891995
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/polling_for_changes_using_the_dirsync_control.asp?frame=true
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/polling_for_changes_using_usnchanged.asp?frame=true
- Real time notification solutions. With this method, a process registers itself with AD and requests to be notified as changes happen. This method offers a more up-to-date solution than polling-based methods, however the process receiving the changes must be able to keep up with the notification traffic. You can find information about real-time notification solutions at these URLs:
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/change_notifications_in_active_directory.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/example_code_for_receiving_change_notifications.asp
Be careful when using any change-notification solution because they place additional load on domain controllers (DCs) and often require high privilege rights.
7 comments
Hide comments
