Information and challenges regarding querying Active Directory for changes using the USN?

[Joshua Hawkinson]

Greetings,

I have a few really high level questions about samba's ability to work in remote office situations while participating as a ADS member server in large domain (objects in the hundreds of thousands) context.  In certain environments I occasionally run into is that while working with samba in large ADS domains that we run into a few problems.  The first problem is that if said samba server is across a WAN we occasionally get complaints of bandwidth consumption.  Secondly  I seem to notice that winbindd has a large system resource spike while processing the user import sometimes rendering winbindd useless (behavior has improved of the year though).  Typically we work around these problems by increasing the winbind cache time parameter.  However I like to have my cake and eat it to... so to speak.  So an initial thought would be to increase the winbindd cache time and use the standard import as a full update.  Then we could wedge in another function that will pull ADS for updates based on USN.  In theory this should address both concerns with the only drawback that I see is that if a object is deleted that it will not be removed from the samba DBs until the cache is dumped and the full update occurs.  Granted this is probably a super simplistic view on problems that are not faced very often.  But I was just wondering what the team thought of this approach or if you guys had any other ideas or thoughts on this matter.

BTW thanks for producing one of the best open source projects out there

Joshua Hawkinson
OS test engineer
Overland Storage, Inc.