| Author | Messages | |
boubbha
Posts:0
 | | 05/29/2006 7:14 AM |
| | Message body was not found. | | | |
| amulnick
Posts:163
| | 05/29/2006 7:45 AM |
| Anyway, if you suspect that the users are being removed, turn on auditing on Active Directory for modifications, turn up the diagnostic logging on the ADC itself, and turn up the logging on Exchange 5.5. This will help you to narrow down the source system next time this occurs. Once you find out what the source system is, you can refine the troubleshooting that much more.
Be sure to increase the size of your logs and be sure to scrape them off to some other repository so that wrapping won't cause you to miss the event. MOM is a great tool for this for what it's worth.
To reduce the possibilities, you may want to reduce the number of possible input vectors i.e. reduce the number of users with administrative abilities to modify these groups. And if it's the same groups each time, focus on those :)
I know that what I'm suggesting is politically difficult. See the beginning of my email to see my thoughts on this.
Al
On 5/29/06, Yann wrote:
Hello all,
I have an issue where member(s) of distribution list (DL) in exchange 5.5 disapear and this state is replicated via my Connection Agreement to my AD2k3.
I have not seen this on my own but some adminitrators (always the same guys :( ) frequently complain to my boss that some users disapear and so are not able to receive mail sent to this DL. They usually resolve this issue by putting those users back in the DL.
So my boss urges me to resolve this issue ASAP !
I know that there was no issue possible but for my safety ;o) I'd like to give my boss with some proofs.
So is there a way to track possible user disapearing from a DL in e5.5/AD/ADC ?
In active Directory, i used repadmin /showbjmeta mydc "dn_of_the_problematicDL_in_myAD" and i see that the user in question has this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
FYI: The admin stated that user(s) disapear around the 06-20-2006.
Is the info from repadmin tells me that the user is a member of the DL since 05-15-2006 13:04:26 and since that date, the user has never disapeared ?If yes can i considered this as a proof that those admins lies ?
The replication planning of my Connection Agreement between e5.5AD is set to "always".
Thanks very much for help,
Yann
Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel.
Cliquez ici. | | | |
| boubbha
Posts:0
| | 05/29/2006 9:21 AM |
| | Message body was not found. | | | |
| listmail
Posts:824
| | 05/29/2006 11:20 AM |
| If you ask MSFT, they will tell you that the ADC was not
really designed to run that long. For something like that they would have (or if
you got the good Enterprise Exchange MCS guys) recommended going to some sort of
metadirectory product that is robust and has good error handling. In one of the
companies I worked with we took half a year or so to do the migration and were
told that was way over the length of time the ADC should be running. It is a
product to get you over a hump, not something to stay running on. We only had 3
ADCs and less than 20 CAs and it was a big PITA.
The date after the value indicates the last change to that
value. So if it says PRESENT 06-15-2006 it means that it was added on June 15
2006 and hasn't changed since.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
YannSent: Monday, May 29, 2006 5:22 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] [OT] Active
Directory Connector: member issues.
Hi Al,
We have around 300 CAs localizd in 7 ADCs Servers.
The migration e5.5 to e2k3 started last summer 2005 and will be
ended (hope it will) in june 2007. We can not hurry for political reasons
;(, so i have to maintain the 2 databases as consistent as possible. So
unfortunately tshoot ADC is my first goal in this situation.
I will follow tomorrow your advices.
But for a first tshoot, can repadmin /showobjmeta, as I stated
earlier, prove that no modification to the user DL membership has
occured since the date mentioned after "member"?
This is the whole command.
repadmin /showbjmeta mydc "dn_of_the_problematicDL_in_myAD" and i see that
the user in question has this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
Thanks again.
Yann
Al Mulnick a
écrit :
The issue is not terribly uncommon. It's one of the joys of having
two directories joined like this. The absolute best way to deal with this is
to hurry up and get off of 5.5 as fast as you possibly can. Things like this
occur and it's barely worth your time to troubleshoot it. The complexity
of your setup dictates that the troubleshooting time will be magnitudes longer
than with a single system.
Anyway, if you suspect that the users are being removed, turn on auditing
on Active Directory for modifications, turn up the diagnostic logging on the
ADC itself, and turn up the logging on Exchange 5.5. This will help you
to narrow down the source system next time this occurs. Once you find
out what the source system is, you can refine the troubleshooting that much
more.
Be sure to increase the size of your logs and be sure to scrape them off
to some other repository so that wrapping won't cause you to miss the
event. MOM is a great tool for this for what it's worth.
To reduce the possibilities, you may want to reduce the number of
possible input vectors i.e. reduce the number of users with administrative
abilities to modify these groups. And if it's the same groups each time, focus
on those :)
I know that what I'm suggesting is politically difficult. See the
beginning of my email to see my thoughts on this.
Al
On 5/29/06, Yann
wrote:
Hello all,
I have an issue where member(s) of distribution list (DL) in exchange
5.5 disapear and this state is replicated via my Connection Agreement to my
AD2k3.
I have not seen this on my own but some adminitrators (always the same
guys :( ) frequently complain to my boss that some users disapear and so are
not able to receive mail sent to this DL. They usually resolve this issue by
putting those users back in the DL.
So my boss urges me to resolve this issue ASAP !
I know that there was no issue possible but for my safety ;o) I'd like
to give my boss with some proofs.
So is there a way to track possible user disapearing from a DL in
e5.5/AD/ADC ?
In active Directory, i used repadmin /showbjmeta mydc
"dn_of_the_problematicDL_in_myAD" and i see that the user in question has
this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
FYI: The admin stated that user(s) disapear around the
06-20-2006.
Is the info from repadmin tells me that the user is a member of
the DL since 05-15-2006 13:04:26 and since that date, the user has
never disapeared ?If yes can i considered this as a proof that those admins
lies ?
The replication planning of my Connection Agreement between
e5.5AD is set to "always".
Thanks very much for help,
Yann
Faites de Yahoo! votre page d'accueil sur le web pour retrouver
directement vos services préférés : vérifiez vos nouveaux mails, lancez vos
recherches et suivez l'actualité en temps réel. Cliquez ici.
Yahoo! Mail réinvente le mail ! Découvrez le nouveau
Yahoo! Mail et son interface révolutionnaire. | | | |
| amulnick
Posts:163
| | 05/30/2006 1:17 AM |
| With that many CA's and that many ADC's deployed, you're likely not going to have enough hours in the day to find your data. Yann, I'm sure I'm not telling you something you don't already know, but the level of complexity you have likely translates that you won't be able to pinpoint this the way you want to. It's much more likely that, even with the political issues and delays, you'll finish the migration long before you've got a satisfactory answer. You have way more variables than is conducive to the troubleshooting your boss wants done.
That said, if you really really really want to get the troubleshooting done, you might want to suggest a change freeze for 7 days while you watch the ADC do it's work (and probably stabilize). That's 7 days of no change in either
5.5 or Active Directory.
joe is correct in that the ADC was not intended to do what you describe. I've seen it do what you describe and do it quite well, but it's not meant for that duration. MIIS' IIFP is a better fit for that type of work and for that duration.
My guess is that some admin likely made a change to something, and didn't realize the impact it would have on the group in question. It could also be a 5.5 troubleshooting endeavor that whacked that user that would otherwise seem totally unrelated.
The troubling part is that you're trying to prove it was not there. That tells me that you likely have a situation where one is saying one thing and another is saying that's not so. You're trying to prove that no change took effect and an admin made a mistake and didn't add the user, but instead is being touchy about the change and blaming their issues on the migration even though it technically is no longer a migration but a way of life :) That's a slippery slope you're travelling on.
Best of luck Yann.
Write if you need anything.
Al
On 5/29/06, joe wrote:
If you ask MSFT, they will tell you that the ADC was not really designed to run that long. For something like that they would have (or if you got the good Enterprise Exchange MCS guys) recommended going to some sort of metadirectory product that is robust and has good error handling. In one of the companies I worked with we took half a year or so to do the migration and were told that was way over the length of time the ADC should be running. It is a product to get you over a hump, not something to stay running on. We only had 3 ADCs and less than 20 CAs and it was a big PITA.
The date after the value indicates the last change to that value. So if it says PRESENT 06-15-2006 it means that it was added on June 15 2006 and hasn't changed since.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of YannSent: Monday, May 29, 2006 5:22 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] [OT] Active Directory Connector: member issues.
Hi Al,
We have around 300 CAs localizd in 7 ADCs Servers.
The migration e5.5 to e2k3 started last summer 2005 and will be ended (hope it will) in june 2007. We can not hurry for political reasons ;(, so i have to maintain the 2 databases as consistent as possible. So unfortunately tshoot ADC is my first goal in this situation.
I will follow tomorrow your advices.
But for a first tshoot, can repadmin /showobjmeta, as I stated earlier, prove that no modification to the user DL membership has occured since the date mentioned after "member"?
This is the whole command.
repadmin /showbjmeta mydc "dn_of_the_problematicDL_in_myAD" and i see that the user in question has this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
Thanks again.
Yann
Al Mulnick a écrit :
The issue is not terribly uncommon. It's one of the joys of having two directories joined like this. The absolute best way to deal with this is to hurry up and get off of 5.5 as fast as you possibly can. Things like this occur and it's barely worth your time to troubleshoot it. The complexity of your setup dictates that the troubleshooting time will be magnitudes longer than with a single system.
Anyway, if you suspect that the users are being removed, turn on auditing on Active Directory for modifications, turn up the diagnostic logging on the ADC itself, and turn up the logging on Exchange 5.5. This will help you to narrow down the source system next time this occurs. Once you find out what the source system is, you can refine the troubleshooting that much more.
Be sure to increase the size of your logs and be sure to scrape them off to some other repository so that wrapping won't cause you to miss the event. MOM is a great tool for this for what it's worth.
To reduce the possibilities, you may want to reduce the number of possible input vectors i.e. reduce the number of users with administrative abilities to modify these groups. And if it's the same groups each time, focus on those :)
I know that what I'm suggesting is politically difficult. See the beginning of my email to see my thoughts on this.
Al
On 5/29/06, Yann wrote:
Hello all,
I have an issue where member(s) of distribution list (DL) in exchange 5.5 disapear and this state is replicated via my Connection Agreement to my AD2k3.
I have not seen this on my own but some adminitrators (always the same guys :( ) frequently complain to my boss that some users disapear and so are not able to receive mail sent to this DL. They usually resolve this issue by putting those users back in the DL.
So my boss urges me to resolve this issue ASAP !
I know that there was no issue possible but for my safety ;o) I'd like to give my boss with some proofs.
So is there a way to track possible user disapearing from a DL in e5.5/AD/ADC ?
In active Directory, i used repadmin /showbjmeta mydc "dn_of_the_problematicDL_in_myAD" and i see that the user in question has this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
FYI: The admin stated that user(s) disapear around the 06-20-2006.
Is the info from repadmin tells me that the user is a member of the DL since 05-15-2006 13:04:26 and since that date, the user has never disapeared ?If yes can i considered this as a proof that those admins lies ?
The replication planning of my Connection Agreement between e5.5AD is set to "always".
Thanks very much for help,
Yann
Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel.
Cliquez ici.
Yahoo! Mail réinvente le mail ! Découvrez le
nouveau Yahoo! Mail et son interface révolutionnaire. | | | |
| listmail
Posts:824
| | 05/30/2006 1:56 AM |
| I don't know why you keep saying 5/15, since your first
note says
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
YannSent: Monday, May 29, 2006 8:31 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] [OT] Active
Directory Connector: member issues.
Agree with u joe with the fact that ADC is only used temporarily and not
for a long time running as we do now.
MSFT also confrm us that they do not either support it.
Thanks for clarification about the repadmin output. I can then confirm to
my boss that no modification was made to the member of the DLs since
05-15-2006 13:04:26 (and not 06-15-2006
13:04:26 :o)).
Cheers,
Yann
joe a écrit :
If you ask MSFT, they will tell you that the ADC was not
really designed to run that long. For something like that they would have (or
if you got the good Enterprise Exchange MCS guys) recommended going to some
sort of metadirectory product that is robust and has good error handling. In
one of the companies I worked with we took half a year or so to do the
migration and were told that was way over the length of time the ADC should be
running. It is a product to get you over a hump, not something to stay running
on. We only had 3 ADCs and less than 20 CAs and it was a big
PITA.
The date after the value indicates the last change to
that value. So if it says PRESENT 06-15-2006 it means that it was added on
June 15 2006 and hasn't changed since.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
YannSent: Monday, May 29, 2006 5:22 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] [OT] Active
Directory Connector: member issues.
Hi Al,
We have around 300 CAs localizd in 7 ADCs Servers.
The migration e5.5 to e2k3 started last summer 2005 and will be
ended (hope it will) in june 2007. We can not hurry for political reasons
;(, so i have to maintain the 2 databases as consistent as possible. So
unfortunately tshoot ADC is my first goal in this situation.
I will follow tomorrow your advices.
But for a first tshoot, can repadmin /showobjmeta, as I stated
earlier, prove that no modification to the user DL membership has
occured since the date mentioned after "member"?
This is the whole command.
repadmin /showbjmeta mydc "dn_of_the_problematicDL_in_myAD" and i see
that the user in question has this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
Thanks again.
Yann
Al Mulnick a
écrit :
The issue is not terribly uncommon. It's one of the joys of
having two directories joined like this. The absolute best way to deal with
this is to hurry up and get off of 5.5 as fast as you possibly can. Things
like this occur and it's barely worth your time to troubleshoot it.
The complexity of your setup dictates that the troubleshooting time will be
magnitudes longer than with a single system.
Anyway, if you suspect that the users are being removed, turn on
auditing on Active Directory for modifications, turn up the diagnostic
logging on the ADC itself, and turn up the logging on Exchange 5.5.
This will help you to narrow down the source system next time this
occurs. Once you find out what the source system is, you can refine
the troubleshooting that much more.
Be sure to increase the size of your logs and be sure to scrape them
off to some other repository so that wrapping won't cause you to miss the
event. MOM is a great tool for this for what it's worth.
To reduce the possibilities, you may want to reduce the number of
possible input vectors i.e. reduce the number of users with administrative
abilities to modify these groups. And if it's the same groups each time,
focus on those :)
I know that what I'm suggesting is politically difficult. See the
beginning of my email to see my thoughts on this.
Al
On 5/29/06, Yann
wrote:
Hello all,
I have an issue where member(s) of distribution list (DL) in exchange
5.5 disapear and this state is replicated via my Connection Agreement to
my AD2k3.
I have not seen this on my own but some adminitrators (always the
same guys :( ) frequently complain to my boss that some users disapear and
so are not able to receive mail sent to this DL. They usually resolve this
issue by putting those users back in the DL.
So my boss urges me to resolve this issue ASAP !
I know that there was no issue possible but for my safety ;o) I'd
like to give my boss with some proofs.
So is there a way to track possible user disapearing from a DL in
e5.5/AD/ADC ?
In active Directory, i used repadmin /showbjmeta mydc
"dn_of_the_problematicDL_in_myAD" and i see that the user in question has
this information:
PRESENT "dn_of_the_user"
member 06-15-2006 13:04:26
FYI: The admin stated that user(s) disapear around the
06-20-2006.
Is the info from repadmin tells me that the user is a member of
the DL since 05-15-2006 13:04:26 and since that date, the user has
never disapeared ?If yes can i considered this as a proof that those
admins lies ?
The replication planning of my Connection Agreement between
e5.5AD is set to "always".
Thanks very much for help,
Yann
Faites de Yahoo! votre page d'accueil sur le web pour retrouver
directement vos services préférés : vérifiez vos nouveaux mails, lancez
vos recherches et suivez l'actualité en temps réel. Cliquez ici.
Yahoo! Mail réinvente le mail ! Découvrez le nouveau
Yahoo! Mail et son interface révolutionnaire.
Yahoo! Mail réinvente le mail ! Découvrez le nouveau
Yahoo! Mail et son interface révolutionnaire. | | | |
| boubbha
Posts:0
| | 05/30/2006 12:31 PM |
| | Message body was not found. | | | |
|
|