Subject: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"
mark.parris@xxxx.yyy

03/13/2006 8:34 AM  
Hello All,

This is for several beers at DEC if you're there.

This week I am sorting out a company whose AD has not fully replicated since July 2005!

They have 9 DC's All Windows Server 2003 SP1 (Forest level 2003).

I have managed to get most of the DC's talking to each other and I now have partial replication.

I have done this by setting the registry key Allow Replication With Divergent and Corrupt Partner to 1 and I have run repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition (/advisory_mode) on the server that is the PDC emulator.

I have three DC's which will not replicate and I believe this is due to there being a password mismatch on the DC Machine accounts so I will reset these tomorrow.

Is there anything else I should be aware of?

Mark
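One way to turn the "how long since this machine replicated" question into a concrete work list for the advisory-mode repadmin run Mark describes: find every replication link whose last success is older than the tombstone lifetime (or that is already failing with status 8614) and emit the matching /removelingeringobjects commands. This is an added example and not code from the original post or from Microsoft. It parses a constructed sample of `repadmin /showrepl * /csv` output (column order assumed from the Windows Server 2003 SP1 repadmin), and the DC-name-to-DSA-GUID map is constructed as well; in practice the GUID comes from the "DSA object GUID" line of `repadmin /showrepl <DC>`.

```python
import csv
import io
from datetime import datetime

# Constructed sample of `repadmin /showrepl * /csv` output (not real data). The header
# row starts with the literal "showrepl_COLUMNS" and data rows with "showrepl_INFO";
# the column order is assumed from the Windows Server 2003 SP1 repadmin. Status 8614 is
# "time since the last replication with this server has exceeded the tombstone lifetime".
SAMPLE_SHOWREPL_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2006-03-13 08:10:02,0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",Branch,DC7,RPC,412,2006-03-13 08:00:11,2005-07-02 23:41:57,8614
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=corp,DC=example",Branch,DC7,RPC,412,2006-03-13 08:00:11,2005-07-02 23:41:57,8614
showrepl_INFO,Branch,DC7,"DC=corp,DC=example",HQ,DC1,RPC,0,0,2006-03-13 07:55:40,0
"""

# Constructed DSA object GUIDs; in practice read them from `repadmin /showrepl <DC>`.
DSA_GUID = {
    "DC1": "2d9a4c5e-0f11-4b7a-9c3e-111111111111",
    "DC2": "7f1e0b2c-5a6d-4e8f-8a9b-222222222222",
    "DC7": "c0ffee00-1234-4abc-9def-777777777777",
}

# "Now" for the constructed sample: the date of the original post.
AS_OF = datetime(2006, 3, 13, 8, 34)


def parse_showrepl(text):
    """Turn repadmin /showrepl /csv output into one dict per replication link."""
    header, rows = None, []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if fields[0] == "showrepl_COLUMNS":
            header = fields[1:]
        elif fields[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, fields[1:])))
    return rows


def _parse_time(value):
    # repadmin prints 0 when a link has never succeeded (or never failed).
    return None if value in ("", "0") else datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def stale_links(rows, now, tombstone_lifetime_days=60):
    """Links whose last success is older than the tombstone lifetime, or already failing with 8614.

    Returns (destination DC, source DC, naming context, days since last success or None).
    60 days is the default tombstone lifetime of a forest created before Windows Server
    2003 SP1; a forest created with SP1 or later defaults to 180.
    """
    stale = []
    for r in rows:
        last_ok = _parse_time(r["Last Success Time"])
        days = (now - last_ok).days if last_ok else None
        if days is None or days > tombstone_lifetime_days or r["Last Failure Status"] == "8614":
            stale.append((r["Destination DSA"], r["Source DSA"], r["Naming Context"], days))
    return stale


def advisory_commands(stale, guid_of):
    """Advisory-mode repadmin commands for each stale link, checked in both directions.

    repadmin /removelingeringobjects <DC to check> <GUID of reference DC> <NC> /advisory_mode
    only logs what it would delete (event 1946 per object, 1942 as the summary). Which DC
    is the clean reference is the admin's decision, so both directions are listed.
    """
    cmds, seen = [], set()
    for dest, source, nc, _ in stale:
        for checked, reference in ((dest, source), (source, dest)):
            key = (checked, reference, nc)
            if key not in seen:
                seen.add(key)
                cmds.append('repadmin /removelingeringobjects %s %s "%s" /advisory_mode'
                            % (checked, guid_of[reference], nc))
    return cmds


def report(text=SAMPLE_SHOWREPL_CSV, now=AS_OF, tombstone_lifetime_days=60, guid_of=DSA_GUID):
    """Stale links and the advisory-mode commands for them, for the given showrepl output."""
    stale = stale_links(parse_showrepl(text), now, tombstone_lifetime_days)
    return stale, advisory_commands(stale, guid_of)


if __name__ == "__main__":
    stale, cmds = report()
    for dest, source, nc, days in stale:
        print("%s <- %s %s: %s days since last success" % (dest, source, nc, days))
    for cmd in cmds:
        print(cmd)
```

Two caveats worth keeping in mind with this approach. "Allow Replication With Divergent and Corrupt Partner" = 1 only lifts the 8614 block; it does nothing about the objects that caused it, and a lingering object is frequently an account that was deleted elsewhere and now comes back with its old group memberships. Once the advisory output has been reviewed and the real removal run, remove that value again and set "Strict Replication Consistency" to 1 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, so a partner that still holds lingering objects is refused (event 1988) instead of re-seeding them.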
amulnick

03/13/2006 9:22 AM
Be sure to address the issues that led to that kind of issue in the first place prior to completing the fixes.  Otherwise, you'll be back.  

I also have to ask: Are you working in one of the far reaches of my current employer ;) ?

Al 
mark.parris@xxxx.yyy

03/13/2006 9:39 AM  
Why? Because they want to. I have suggested the demotion approach. They don't have dedicated hardware for most DC's and it is a real mare.

During the failings they have treated each DC effectively as a domain and each DC has objects that are vital but not replicated so I cannot just flatten it - if I could I would.

I think I found one of the reasons for the failings - over 15 GB worth of System State backups and i386 in the SYSVOL which caused the DC's to keel over.

Mark



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: 13 March 2006 21:20
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

I have to ask: Why? Why bother taking that chance with that registry key vs. flattening the DC and building new? To me, those DCs are suspect and should be shot on sight. It's worth the extra effort and the hardware investment at this point (it's really only one new server. I'd be fine with a desktop as a server if that's what it takes to get the AD back in shape; until you could flatten and rebuild the existing server class hardware (big assumption on my part)).



Al


amulnick

03/13/2006 11:20 AM
Demoting the DC's would still be my first choice in the road to recovery. It's not my gig, but I typically suggest it as a way to ensure that things are solid.  With the approach you're taking, you'll always have that smoldering fire to work with.  Dedicated hardware concerns? For the price of about an hour of the consultants time, they could likely come up with a desktop that could be used in the interim as a DC until the other one in the site can be rebuilt. Painful? Yes. The best thing long-term? In most situations, most definitely.


In the end, it's your call along with the customer.  This is just my $0.04 worth from a distance.

Best of luck and all that.

Al 
GuidoG

03/14/2006 8:37 AM
I'd certainly vote for the demotion approach - this can't be an environment where thousands of changes have occurred on the various DCs - they would have had RID issues etc... Especially if you only have 3 DCs left that are "misbehaving", I seriously doubt that you'd lose much more than a few PW resets and maybe some group-changes and maybe a new user.

You could investigate the differences between DCs by using DSASTAT from the support tools - for example, the following command will show you if you have different users in your Sales OU between DC1 and DC2:

dsastat -s:DC1;DC2 -b:OU=Sales,DC=Domain,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"

for more info, see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2ba84826-90e7-44dc-a34c-1daf28a56172.mspx


The "They don't have dedicated hardware for most DC's and it is a real mare." argument doesn't really count => a demotion should typically not hurt the other apps on your DCs, that's what the /forcedemotion option was added for... It's a different story that the DC shouldn't host other apps, but it's certainly not a reason not to force-demote it.

When you've checked the differences between the DCs, you'll likely feel more comfortable doing a forced demotion of the faulty DCs, a metadata cleanup in the domain, and then a re-promotion of the machines to DCs of your domain. And fixing that user-profile for that one new user that you'd then have to re-create is not a big deal either :-)

/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Tuesday, 14 March 2006 00:18
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

That's a shame. But if that's the way it has to be, then that's the way it has to be. You *might* want to suggest virtualization as a way to save hardware costs and still maintain somewhat dedicated small DCs. They'll save on consulting costs in the long run if they do something similar AND fix the monitoring processes :)

Al 
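Guido's dsastat command tells you which objects differ between two DCs, but not which of those differences are legitimate local changes to carry forward after a forced demotion and which are lingering objects that must stay dead. The following is an added example, not code from the post or from Microsoft's DSASTAT: it compares two constructed per-DC dumps of the Sales OU (DN to attributes, the kind of listing you would export per server with ldifde or read from dsastat's -p output) and classifies each object that exists on only one DC by its whenCreated relative to the date replication broke (assumed here as July 2005, from the thread). Objects created after the break are genuine local work; objects created before it are deletions that never replicated. For objects present on both DCs it reports differing attributes and which copy is newer; that "newer by whenChanged" rule is a simplification, since AD resolves conflicts per attribute by version number and then originating timestamp.

```python
from datetime import datetime

# Assumed from the thread: replication between the DCs broke down in July 2005.
REPLICATION_BREAK = datetime(2005, 7, 1)


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed per-DC dumps of OU=Sales (DN -> attributes), not real directory data.
# In practice each side comes from that DC itself, e.g. `ldifde -s DC1 -d OU=Sales,...`
# or the per-server object listing dsastat prints with -p.
DC1_OBJECTS = {
    "CN=Alice,OU=Sales,DC=corp,DC=example":
        {"whenCreated": _d("2004-03-01"), "whenChanged": _d("2004-03-01"), "userAccountControl": 512},
    "CN=Bob,OU=Sales,DC=corp,DC=example":      # created at HQ after the break
        {"whenCreated": _d("2005-09-10"), "whenChanged": _d("2005-09-10"), "userAccountControl": 512},
    "CN=Dave,OU=Sales,DC=corp,DC=example":     # disabled at HQ in December 2005 (UAC 514)
        {"whenCreated": _d("2004-05-20"), "whenChanged": _d("2005-12-01"), "userAccountControl": 514},
}
DC7_OBJECTS = {
    "CN=Alice,OU=Sales,DC=corp,DC=example":
        {"whenCreated": _d("2004-03-01"), "whenChanged": _d("2004-03-01"), "userAccountControl": 512},
    "CN=Carol,OU=Sales,DC=corp,DC=example":    # created at the branch after the break
        {"whenCreated": _d("2005-11-02"), "whenChanged": _d("2005-11-02"), "userAccountControl": 512},
    "CN=OldSvc,OU=Sales,DC=corp,DC=example":   # deleted at HQ long ago; the deletion never reached DC7
        {"whenCreated": _d("2004-02-01"), "whenChanged": _d("2004-02-01"), "userAccountControl": 512},
    "CN=Dave,OU=Sales,DC=corp,DC=example":     # DC7 never saw the disable; still 512 (enabled)
        {"whenCreated": _d("2004-05-20"), "whenChanged": _d("2005-06-01"), "userAccountControl": 512},
}


def classify_divergence(name_a, objs_a, name_b, objs_b, break_time):
    """Sort the differences between two DCs' copies of the same partition.

    carry_forward: only on one DC and created after the break, i.e. a genuine local
                   change that must be re-created if that DC is force-demoted.
    lingering:     only on one DC but created before the break, i.e. an object whose
                   deletion elsewhere never replicated; do not resurrect it.
    conflicts:     on both DCs with differing attributes, plus the DC whose copy has the
                   newer whenChanged (a simplification of AD's per-attribute resolution).
    """
    report = {"carry_forward": [], "lingering": [], "conflicts": []}
    for name, mine, theirs in ((name_a, objs_a, objs_b), (name_b, objs_b, objs_a)):
        for dn in sorted(set(mine) - set(theirs)):
            bucket = "carry_forward" if mine[dn]["whenCreated"] >= break_time else "lingering"
            report[bucket].append((dn, name))
    for dn in sorted(set(objs_a) & set(objs_b)):
        a, b = objs_a[dn], objs_b[dn]
        newest = name_a if a["whenChanged"] >= b["whenChanged"] else name_b
        for attr in sorted((set(a) | set(b)) - {"whenChanged"}):
            if a.get(attr) != b.get(attr):
                report["conflicts"].append(
                    (dn, attr, {name_a: a.get(attr), name_b: b.get(attr)}, newest))
    return report


if __name__ == "__main__":
    result = classify_divergence("DC1", DC1_OBJECTS, "DC7", DC7_OBJECTS, REPLICATION_BREAK)
    for bucket, items in result.items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the constructed data this yields Bob (DC1) and Carol (DC7) as changes to carry forward, OldSvc on DC7 as a lingering object not to be re-created, and Dave as a conflict in which DC1's newer copy is disabled while DC7 still has the account enabled: anyone authenticating against DC7 still gets in with it, which is the kind of divergence that makes a DC "suspect" in Al's sense, and the reason to look at the differences before deciding which side to keep.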
mark.parris@xxxx.yyy

03/14/2006 9:27 AM  
Thanks guido, the other issue is that they don't want me rebooting servers. I may have to be a little more forceful.

Mark
GuidoG

03/14/2006 9:42 AM
that's a fairly naive request to make by your customer, after they've not taken appropriate care and screwed their servers - and I'm sure you'd even be willing to do this after hours, so it shouldn't hurt them much.

AD000001290

03/14/2006 9:43 AM
That ol' chestnut - 'fix the server without changing anything, and without rebooting services or the OS' :)

Enjoy, Mark :)

neil


mark.parris@xxxx.yyy

03/20/2006 10:46 AM  
Well I got it all working - and yes I was not allowed to do a rebuild. What I wanted to do and was permitted to do were two separate things. No Lectures please - I know!!!!!

But I reckon the problems may go away now that I have enabled several key services in the Hardware Profiles tab on each service on all DC's (including the KDC and Windows Time Service) - all Automatic services stated started - but when I went to do a DC password reset I got 1058 error messages.

Now I just need them to move the SQL Servers off of their DC's and implement a monitoring solution (this is now someone else's battle as I have done what was required of me).

-----
Oh and I had a shock today - money is not an issue - the company's turnover last year was over £800 Million ($1,380 million), it's just bad design and lack of knowledge.

So I get a few days off now and then it's Spearmint Rhino's with a rubber chicken.

As a footnote I might suggest an Episode of CSI: Who killed the AD? (Contractor for hire).

Ciao.

Mark

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: 14 March 2006 09:39
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

That ol' chestnut - 'fix the server without changing anything, nor without rebooting services nor the OS' :)

Enjoy, Mark :)

neil


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Mark Parris
Sent: 14 March 2006 09:25
To: ActiveDir.org
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

Thanks Guido, the other issue is that they don't want me rebooting servers. I may have to be a little more forceful.

Mark
-----Original Message-----
From: "Grillenmeier, Guido"
Date: Tue, 14 Mar 2006 08:12:06
To:
Subject: RE: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

I'd certainly vote for the demotion approach - this can't be an environment where thousands of changes have occurred on the various DCs - they would have had RID issues etc... Especially if you only have 3 DCs left that are "misbehaving", I seriously doubt that you'd lose much more than a few PW resets and maybe some group changes and maybe a new user.

You could investigate the differences between DCs by using DSASTAT from the support tools - for example, the following command will show you if you have different users in your Sales OU between DC1 and DC2:

dsastat -s:DC1;DC2 -b:OU=Sales,DC=Domain,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"

For more info, see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2ba84826-90e7-44dc-a34c-1daf28a56172.mspx


The "They don't have dedicated hardware for most DC's and it is a real mare." argument doesn't really count => a demotion should typically not hurt the other apps on your DCs, that's what the /forcedemotion option was added for... It's a different story, that the DC shouldn't host other apps, but it's certainly not a reason not to force-demote it.

When you've checked the differences between the DCs, you'll likely feel more comfortable doing a forced demotion of the faulty DCs, a metadata cleanup in the domain, and then a re-promotion of the machines to DCs of your domain. And fixing that user-profile for that one new user that you'd then have to re-create is not a big deal either :-)

/Guido

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Tuesday, 14 March 2006 00:18
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"



That's a shame. But if that's the way it has to be, then that's the way it has to be. You *might* want to suggest virtualization as a way to save hardware costs and still maintain somewhat dedicated small DC's. They'll save on consulting costs in the long run if they do something similar AND fix the monitoring processes :)

Demoting the DC's would still be my first choice in the road to recovery. It's not my gig, but I typically suggest it as a way to ensure that things are solid. With the approach you're taking, you'll always have that smoldering fire to work with. Dedicated hardware concerns? For the price of about an hour of the consultant's time, they could likely come up with a desktop that could be used in the interim as a DC until the other one in the site can be rebuilt. Painful? Yes. The best thing long-term? In most situations, most definitely.

In the end, it's your call along with the customer. This is just my $0.04 worth from a distance.

Best of luck and all that.

Al


On 3/13/06, Mark Parris wrote:


Why - because they want to. I have suggested the demotion approach. They don't have dedicated hardware for most DC's and it is a real mare.

During the failings they have treated each DC effectively as a domain and each DC has objects that are vital but not replicated so I cannot just flatten it - if I could I would.

I think I found one of the reasons for the failings - over 15 GB worth of System State backups and i386 in the SYSVOL which caused the DC's to keel over.

Mark

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: 13 March 2006 21:20
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"





I have to ask: Why? Why bother taking that chance with that registry key vs. flattening the DC and building new? To me, those DCs are suspect and should be shot on sight. It's worth the extra effort and the hardware investment at this point (it's really only one new server. I'd be fine with a desktop as a server if that's what it takes to get the AD back in shape; until you could flatten and rebuild the existing server class hardware (big assumption on my part)).

Be sure to address the issues that led to that kind of issue in the first place prior to completing the fixes. Otherwise, you'll be back.

I also have to ask: Are you working in one of the far reaches of my current employer ;) ?

Al



On 3/13/06, Mark Parris wrote:


Hello All,

This is for several beers at DEC if you're there.

This week I am sorting out a company whose AD has not fully replicated since July 2005!

They have 9 DC's All Windows Server 2003 SP1 (Forest level 2003).

I have managed to get most of the DC's talking to each other and I now have partial replication.

I have done this by setting the registry key Allow Replication With Divergent and Corrupt Partner to 1 and I have run repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition (/advisory_mode) on the server that is the PDC emulator.

I have three DC's which will not replicate and I believe this is due to there being a password mismatch on the DC Machine accounts so I will reset these tomorrow.

Is there anything else I should be aware of?


Mark





List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
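The condition behind the thread's subject line is an inbound partner whose last successful replication is older than the tombstone lifetime (repadmin reports it as result 8614). The following Python is an added example, not code from anyone on the list: it parses text shaped like repadmin /showrepl output and flags such partners. The sample output, partner names, timestamps and the 60-day default tombstone lifetime are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like "repadmin /showrepl" inbound-neighbour output;
# not a capture from the thread's environment (GUID lines omitted, times invented).
SAMPLE_SHOWREPL = """\
DC=Domain,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2006-03-13 08:30:12 was successful.
    Default-First-Site-Name\\DC7 via RPC
        Last attempt @ 2006-03-13 08:30:15 failed, result 8614 (0x21a6):
        215 consecutive failure(s).
        Last success @ 2005-07-09 14:02:51.
"""
REFERENCE_NOW = datetime(2006, 3, 13)   # assessment time, pinned for reproducibility
TOMBSTONE_DAYS = 60                     # Windows Server 2003 default; confirm via tombstoneLifetime

PARTNER_RE = re.compile(r"^ {4}(\S+) via \S+")
ATTEMPT_RE = re.compile(r"Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")
SUCCESS_RE = re.compile(r"Last success @ (\S+ \S+)\.")
TS = "%Y-%m-%d %H:%M:%S"

def parse_showrepl(text):
    """One dict per inbound neighbour: partition, partner, last_success, last result code."""
    neighbours, partition, cur = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # naming-context DN header
            partition = line.strip()
        elif (m := PARTNER_RE.match(line)):
            cur = {"partition": partition, "partner": m.group(1),
                   "last_success": None, "result": 0}
            neighbours.append(cur)
        elif cur and (m := ATTEMPT_RE.search(line)):
            if m.group(3):                             # failed attempt: keep the error code
                cur["result"] = int(m.group(3))
            else:                                      # success: the attempt is the last success
                cur["last_success"] = datetime.strptime(m.group(1), TS)
        elif cur and (m := SUCCESS_RE.search(line)):
            cur["last_success"] = datetime.strptime(m.group(1), TS)
    return neighbours

def stale_partners(neighbours, now=REFERENCE_NOW, tombstone_days=TOMBSTONE_DAYS):
    """Partners whose last successful inbound replication is older than the tombstone lifetime."""
    limit = timedelta(days=tombstone_days)
    out = []
    for n in neighbours:
        age = None if n["last_success"] is None else now - n["last_success"]
        if age is None or age > limit:                 # never replicated counts as stale too
            out.append((n["partner"], None if age is None else age.days, n["result"]))
    return out
```

Saved repadmin /showrepl output taken before and after the lingering-object cleanup can be fed through the same functions; a partner still returned by stale_partners has not yet completed a successful inbound replication.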