| Author | Messages | |
sbradcpa
Posts:299
 | | 12/04/2005 6:59 AM |
| SBS box [with Windows 2003 sp1 since September]
RE: [ActiveDir] Database Corruption:
http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg32676.html
We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
and PSS have been banging on. Could not get the services back running,
changed the RPC service to local system and some service came back up [I
don't have all the details but the consultant opened a support case of
SRX051202605433].
Bottom line they are about going to give up and start a restore but
before they do that I'd like to get the view of the AD gods and
goddesses around here. From all that I've seen, read, seen in the SBS
newsgroup, the corruption of ntds.dit is rare to nil and an underlying
cause is hardware issues [raid, disk subsystem]. This doesn't just
happen.
The VAP asked if not properly excluding the AD databases from the a/v
would cause this/trigger this, and my expectation is 'no', given that I
doubt the majority of us in SBSland properly set up exclusions.
Virus scanning recommendations on a Windows 2000 or on a Windows Server
2003 domain controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
If this were my hardware and box, I'd be putting this sucker on the
operating table and getting an autopsy before putting it back online.
Are we right in being paranoid now about this hardware? For you guys in
big server land you'd just slide over another box into that server role.
---------------------------------------
Stupid question alert....
Okay so we know that having a secondary/additional domain controller is
a good thing even in SBSland...but question.... many times the second
server in SBSland is a terminal server box because we do not support TS
in app mode on our PDCs. So we've established that having a domain
controller and a terminal server is a security issue [see Windows
Security resource kit, NIST Terminal services hardening guide, etc
etc....] If our second server is a member server handing out TS
externally, should that be a candidate for the additional DC? Are the
issues of TS on a DC ... true for 'any' DC? Would it be better, then, to
Vserver/VPC a Win2k3 inside a workstation in the network if a third
server box was not feasible?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
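The KB 822158 exclusions Susan points at are easy to get half right: most people exclude ntds.dit and stop, while the transaction logs and checkpoint file may live in a different directory that only the NTDS registry values reveal. The script below is an added example for this page, not code from the thread, from Microsoft or from the KB. It parses a constructed `reg query` output for HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the value names are the real ones, the paths are invented), derives the NTDS files the KB names, and reports which ones a constructed AV exclusion list leaves unscanned-but-should-not. It covers only the NTDS section of the KB; SYSVOL and the FRS/DFSR databases are not derived.

```python
import fnmatch
import ntpath
import re

# Constructed sample of what `reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`
# prints on a Windows Server 2003 DC. The value names are the ones NTDS really uses;
# the paths are invented for this example (log files moved to a second volume).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    DSA Database file    REG_SZ    C:\WINDOWS\NTDS\ntds.dit
    Database log files path    REG_SZ    D:\NTDSLogs
    DSA Working Directory    REG_SZ    C:\WINDOWS\NTDS
    Root Domain    REG_SZ    DC=contoso,DC=local
"""

# One `reg query` value line: name, type and data separated by runs of spaces.
REG_LINE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def required_exclusions(ntds_params):
    """The NTDS files KB 822158 says to exclude, resolved against this DC's registry.
    (The KB also covers SYSVOL and the FRS/DFSR databases; those are not derived here.)"""
    db_file = ntds_params["DSA Database file"]
    db_dir = ntpath.dirname(db_file)
    log_dir = ntds_params["Database log files path"]
    work_dir = ntds_params["DSA Working Directory"]
    return [
        db_file,                               # ntds.dit itself
        ntpath.join(db_dir, "ntds.pat"),       # patch file written during online backup
        ntpath.join(log_dir, "edb*.log"),      # transaction logs
        ntpath.join(log_dir, "res*.log"),      # reserved (emergency) logs
        ntpath.join(work_dir, "temp.edb"),     # scratch database
        ntpath.join(work_dir, "edb.chk"),      # checkpoint file
    ]

def _norm(path):
    return ntpath.normpath(path).lower()

def is_covered(required, exclusions):
    """True if one configured exclusion covers `required`: the same entry, a directory
    exclusion above it, or an AV glob that matches the concrete file name."""
    req = _norm(required)
    for excl in exclusions:
        ex = _norm(excl)
        if req == ex:
            return True
        if req.startswith(ex + "\\"):
            return True
        if "*" not in req and fnmatch.fnmatchcase(req, ex):
            return True
    return False

def missing_exclusions(ntds_params, configured):
    """Required NTDS exclusions that no configured AV exclusion covers."""
    return [r for r in required_exclusions(ntds_params) if not is_covered(r, configured)]

# Constructed AV configurations: the "I excluded ntds.dit" setup most people stop at,
# versus directory-level exclusions for every NTDS location the registry names.
WEAK_EXCLUSIONS = ["C:\\WINDOWS\\NTDS\\ntds.dit"]
FIXED_EXCLUSIONS = ["C:\\WINDOWS\\NTDS\\", "D:\\NTDSLogs\\"]

if __name__ == "__main__":
    params = parse_reg_query(REG_QUERY_OUTPUT)
    for label, cfg in (("weak", WEAK_EXCLUSIONS), ("fixed", FIXED_EXCLUSIONS)):
        print(f"{label}: missing {missing_exclusions(params, cfg)}")
```

Directory-level exclusions are the robust form: a per-file entry for ntds.dit stops protecting anything the day the logs are relocated with `ntdsutil files move`, which is exactly the case the constructed registry values model.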
| sbradcpa
Posts:299
 | | 12/04/2005 5:46 AM |
| Given that in SBSland our AD is wizardly built for us and just works,
unfortunately I didn't think to dig deeper into that relay of a
statement from the SBSer. I'll check. This is one of those "Oh Sh_t"
moments when we go .. you know, those folks who said a second DC was a
good idea were right... events.
Eric Fleischman wrote:
Going back to the original post, I'm not sure I fully understand the
problem yet.
Susan, can you define "ntds.dit file corruption" for us? What sort of
corruption? What errors/events lead you to believe this? Specifically,
I'm interested in errors from NTDS ISAM or ESE if you have any.
------------------------------------------------------------------------
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
*Sent:* Sat 12/3/2005 10:58 PM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* [ActiveDir] Ntds.dit file corruption
| | | |
| josemedeiros
Posts:0
 | | 12/04/2005 7:15 AM |
| Hmm.. I have never experienced this with either McAfee or Symantec AV on any
of the DCs that I have built and/or maintained. Have you had a chance to
run chkdsk /r yet? More than likely the problem is bad clusters on the drive
which caused the NTDS.DIT file to become corrupt.
Was this server built using IDE/ATA/SATA drives?
Jose
| | | |
| sbradcpa
Posts:299
 | | 12/04/2005 7:22 AM |
| http://www.dell.com/downloads/global/products/pedge/en/sc1420_specs.pdf
Well he said it's a Dell [ugh] 1420 but do not know if SATA or SCSI.
| | | |
| bdesmond
Posts:347
 | | 12/04/2005 8:07 AM |
| I think those are SATA only?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
| | | |
| sbradcpa
Posts:299
 | | 12/04/2005 8:13 AM |
| SCSI RAID 5 ( 3 x 36 GB DISKS 10K ) PERC CONTROLLER, DELL SC1420 SERVER
Okay, so not SATA.
| | | |
| sbradcpa
Posts:299
 | | 12/04/2005 8:16 AM |
| Nope, just confirmed SCSI ...but there's still Dell hardware to lay blame
on here ;-)
Brian Desmond wrote: I think those are SATA only?
| | | |
| josemedeiros
Posts:0
 | | 12/04/2005 8:44 AM |
| Even if it's SCSI on a RAID 5 array, you can still have corrupt clusters. A
power outage or a hard reboot could have damaged the clusters on the drives.
Try running chkdsk /r. And I have an idea, but have not tried it yet: try
running Eseutil /d after the chkdsk completes; since it creates a new
database, it may repair the problem.
http://www.mcpmag.com/columns/article.asp?EditorialsID=330
Jose
| | | |
| efleis1
Posts:0
 | | 12/04/2005 10:05 AM |
| Going back to the original post, I'm not sure I fully understand the
problem yet.
Susan, can you define "ntds.dit file corruption" for us? What sort of
corruption? What errors/events lead you to believe this? Specifically,
I'm interested in errors from NTDS ISAM or ESE if you have any.
| | | |
| jmedeiros@xxxx.yyy
 | | 12/05/2005 4:06 AM |
| Correction. I meant to say: "Esentutl utility with the /d switch", not "Eseutil /d".
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jose Medeiros
Sent: Sunday, December 04, 2005 12:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption
Even if it's SCSI on a RAID 5 Array, you can still have corrupt clusters. A power outage or a hard reboot could have damaged the clusters on the drives. Try running Chkdsk /r. And I have an idea, but have not tried it yet: try running Eseutil /d after the chkdsk completes; since it creates a new database, it may repair the problem.
http://www.mcpmag.com/columns/article.asp?EditorialsID=330
Jose
 | | | |
| activedirsmaporg
Posts:0
 | | 12/05/2005 4:09 AM |
| She replied offline, very likely a single bit flip, tragedy, they aren't
one release later (Longhorn), where this would've probably been
non-disruptively handled, logged, and possibly self-healed:
http://blogs.technet.com/efleis/archive/2005/01.aspx
Anyway, this kind of thing is usually hardware ...
While there are much better disk sub-system testers, one that is freely
available to any box with Exchange is jetstress. You might give that a
try. If you can reproduce the event / error with jetstress I would not
use that box in production.
If you do reproduce the issue several times (several times is key, as you
want a trend before you start playing the variable game), some things
you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller
firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus
software. (A low probability, I've never heard of Anti-Virus causing this
particular type of error, and I can't imagine the mistake an anti-virus
product would have to have to cause this side effect)
- If you can reproduce it several times, you could follow up with Dell.
Good luck.
I'm not sure if I answered your question ...
Cheers,
BrettSh | | | |
| sbradcpa
Posts:299
 | | 12/05/2005 4:54 AM |
| I did? :-) I think I still said all I know is what the poster said :-)
I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.
What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second
copy of a system state offsite [say at the vap/var]
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com | | | |
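Eric asks for NTDS ISAM/ESE events and Susan reports a log full of post-failure noise with no smoking gun; the script below is an added example (not from the thread or any poster) of separating the two. It assumes the Directory Service log was exported from Event Viewer as comma-delimited text with a trailing Description column; the sample lines, timestamps and event IDs are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a Directory Service event log exported from Event Viewer as
# comma-delimited text: Type,Date,Time,Source,Category,Event,User,Computer,Description.
# Timestamps, event IDs and descriptions are illustrative, not taken from the thread.
SAMPLE_LOG = """\
Information,12/1/2005,02:00:13,NTDS General,Service Control,1000,N/A,SBSDC,Active Directory startup complete.
Warning,12/2/2005,03:11:47,ESE,Database Page Cache,474,N/A,SBSDC,Page read from ntds.dit failed verification (checksum mismatch).
Information,12/2/2005,03:12:00,NTDS General,Global Catalog,1869,N/A,SBSDC,Active Directory has located a global catalog.
Error,12/2/2005,09:30:02,NTDS ISAM,Database Corruption,467,N/A,SBSDC,Index on ntds.dit is corrupted.
Error,12/2/2005,09:30:05,NTDS General,Internal Processing,1168,N/A,SBSDC,Internal error: an Active Directory error has occurred.
Error,12/2/2005,09:30:05,NTDS General,Service Control,1004,N/A,SBSDC,Active Directory was unable to establish a connection with the global catalog.
Error,12/2/2005,09:30:06,NTDS General,Internal Processing,1168,N/A,SBSDC,Internal error: an Active Directory error has occurred.
"""

# Sources that belong to the JET/ESE database engine underneath ntds.dit; errors from
# anything else (NTDS General, KCC, replication) are usually consequences, not the cause.
DB_ENGINE_SOURCES = {"ESE", "NTDS ISAM"}
FIELDS = ["type", "date", "time", "source", "category", "event_id", "user", "computer", "description"]


def parse_events(text):
    """Parse the export into dicts, attach a datetime, and sort oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        rec = dict(zip(FIELDS, row))
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
        events.append(rec)
    return sorted(events, key=lambda e: e["when"])  # stable sort: ties keep log order


def engine_events(events):
    """Warnings and errors raised by the database engine itself."""
    return [e for e in events if e["source"] in DB_ENGINE_SOURCES and e["type"] in ("Warning", "Error")]


def triage(text):
    """Find the earliest engine-level event and measure how much of the error flood follows it."""
    events = parse_events(text)
    engine = engine_events(events)
    if not engine:
        return {"first_engine_event": None, "engine_ids": {}, "errors_before": 0, "errors_after": 0}
    first = engine[0]
    errors = [e for e in events if e["type"] == "Error"]
    return {
        # (source, id, timestamp) of the candidate smoking gun
        "first_engine_event": (first["source"], first["event_id"], first["when"].isoformat()),
        # how often each engine event fired; repeated checksum failures point at the disk path
        "engine_ids": dict(Counter((e["source"], e["event_id"]) for e in engine)),
        # errors before the first engine event deserve a look; those after are mostly fallout
        "errors_before": sum(1 for e in errors if e["when"] < first["when"]),
        "errors_after": sum(1 for e in errors if e["when"] >= first["when"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("first engine event:", result["first_engine_event"])
    print("engine event counts:", result["engine_ids"])
    print(f"errors before: {result['errors_before']}, errors after: {result['errors_after']}")
```

On a real export, raise the default log size first, as Susan notes; once the log wraps, the earliest engine event is exactly the line that gets lost.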
| AD000001348
Posts:0
 | | 12/05/2005 5:11 AM |
| Those are fine ideas. You may want to have a closer look at that hardware. Whichever the vendor, they usually have their own diagnostics. It's time consuming, but often worth checking along with checking for known issues with drivers, firmware, etc.
In my experience, I've mostly seen this type of corruption with faulty hardware. Sometimes drive cache can hurt (not battery backed up array controller, but on the disk) as can a bad run of hardware or cracked motherboards. Giving the machine the once-over is a great idea. And if you can't spot it, I might still consider the machine suspect and not worth reinstalling on. Vote of no-confidence so to speak.
Keeping good backups (by good, I mean tested) is always recommended regardless of size of company. Keep with that any and all information needed to recover the machine if it were to become a smoking puddle of goo in the wiring closet. Unless the data is not worth recovering. :)
 | | | |
| jmedeiros@xxxx.yyy
 | | 12/05/2005 5:28 AM |
| Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the Forest.
Maybe I am just being a worry wart and this really is not an issue.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
 | | | |
| prenouf
Posts:1
 | | 12/05/2005 7:06 AM |
| Phil

On 12/5/05, Medeiros, Jose wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
> She replied offline, very likely a single bit flip, tragedy, they aren't
> one release later (Longhorn), where this would've probably been
> non-disruptively handled, logged, and possibly self-healed:
> http://blogs.technet.com/efleis/archive/2005/01.aspx
>
> Anyway, this kind of thing is usually hardware ...
>
> While there are much better disk sub-system testers, one that is freely
> available to any box with Exchange is jetstress. You might give that a
> try. If you can reproduce the event / error with jetstress I would not
> use that box in production.
>
> If you do reproduce the issue several times (several times is key, as you
> want a trend before you start playing the variable game), some things
> you might vary (one at a time):
>
> - Try making sure you have the latest driver and motherboard / controller
> firmware. Then see if you can reproduce.
>
> - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
> RAID5.
>
> - Try swapping out the hard drives, one at a time.
>
> - Adding the jetstress files to the exclude list in the Anti-Virus
> software. (A low probability, I've never heard of Anti-Virus causing this
> particular type of error, and I can't imagine the mistake an anti-virus
> product would have to have to cause this side effect)
>
> - If you can reproduce it several times, you could follow up with Dell.
>
> Good luck.
>
> I'm not sure if I answered your question ...
>
> Cheers,
> BrettSh
>
> On Sun, 4 Dec 2005, Eric Fleischman wrote:
>
>> Going back to the original post, I'm not sure I fully understand the
>> problem yet. Susan, can you define "ntds.dit file corruption" for us?
>> What sort of corruption? What errors/events lead you to believe this?
>> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
>> have any.
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Sat 12/3/2005 10:58 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>> Subject: [ActiveDir] Ntds.dit file corruption
>>
>> [snip]

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
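Eric's request, quoted in the post above, for the NTDS ISAM / ESE events behind the word "corruption", and Brett's two points (a single bit flip is usually a hardware story, and you want a trend before you start swapping variables) describe a triage that can be scripted. What follows is an added example, not code from the list, from Microsoft or from any of the posters. It assumes a tab-separated export of the Directory Service log (timestamp, level, source, event ID, message), pulls the JET error codes out of the engine's own events, counts them, and says whether the pattern points at the disk subsystem. The function names (`parse_export`, `checksum_bit_distance`, `triage`), the export layout and the sample lines are all constructed for the example; the sample messages are shortened paraphrases of the ESE event 474 wording, not events copied from a server. The code-to-meaning table and the hardware/logical split are the usual ESE troubleshooting heuristic, not a verdict, and the single-bit checksum hint only means "one bit" for an XOR-style page checksum.

```python
"""Triage a Directory Service log export for ESE ("NTDS ISAM") errors.

Added example for this thread; it is not code from the list or from
Microsoft. Input is assumed to be a tab-separated export with the columns
timestamp, level, source, event ID, message (one event per line).
"""
import re
from collections import Counter

# JET/ESE error codes and the usual reading of each. The hardware/logical
# split is the common troubleshooting heuristic for these codes, not a verdict.
ESE_ERRORS = {
    -1018: ("JET_errReadVerifyFailure",
            "page read back with a checksum mismatch: disk, controller, cache, or a bit flip"),
    -1019: ("JET_errPageNotInitialized",
            "page read back blank: a write that never made it to the platter"),
    -1022: ("JET_errDiskIO",
            "the OS reported an I/O error on the database file"),
    -1206: ("JET_errDatabaseCorrupted",
            "logical corruption: run an integrity check before trusting the file"),
}
HARDWARE_CODES = {-1018, -1019, -1022}

ERROR_RE = re.compile(r"error (-\d+)")
CHECKSUM_RE = re.compile(r"expected checksum was (\d+) and the actual checksum was (\d+)")


def parse_export(text):
    """Yield (source, event_id, message) for each well-formed export line."""
    for line in text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) != 5:
            continue  # blank line or a line that is not an event record
        _timestamp, _level, source, event_id, message = fields
        yield source, int(event_id), message


def checksum_bit_distance(message):
    """Number of bits that differ between the expected and actual page
    checksums quoted in a checksum-mismatch event, or None if the message
    carries no checksum pair. A distance of 1 is consistent with a single
    flipped bit only for an XOR-style checksum, so treat it as a hint."""
    m = CHECKSUM_RE.search(message)
    if m is None:
        return None
    return bin(int(m.group(1)) ^ int(m.group(2))).count("1")


def triage(text, min_repeats=2):
    """Count ESE error codes in the export and say what the pattern suggests.

    min_repeats is the number of hardware-class errors needed before the
    result is called a trend (Brett's 'several times is key')."""
    codes = Counter()
    single_bit = 0
    for source, _event_id, message in parse_export(text):
        if source not in ("NTDS ISAM", "ESE"):
            continue  # only the database engine's own events carry JET codes
        for code in map(int, ERROR_RE.findall(message)):
            if code in ESE_ERRORS:
                codes[code] += 1
        if checksum_bit_distance(message) == 1:
            single_bit += 1
    hardware = sum(n for c, n in codes.items() if c in HARDWARE_CODES)
    if hardware >= min_repeats:
        verdict = (f"repeated hardware-class ESE errors ({hardware}): "
                   "stress the disk subsystem before reusing this box")
    elif hardware:
        verdict = (f"hardware-class ESE errors seen {hardware} time(s): "
                   "not yet a trend, keep collecting")
    elif codes:
        verdict = "logical ESE errors only: run an integrity check on ntds.dit"
    else:
        verdict = "no ESE errors in this export"
    return {"codes": dict(codes),
            "single_bit_checksum_mismatches": single_bit,
            "verdict": verdict}


# Constructed sample in the export shape above. The messages are shortened
# paraphrases of the ESE event 474 wording, not events copied from a server.
SAMPLE_EXPORT = (
    "12/03/2005 22:41:10\tError\tNTDS ISAM\t474\t"
    "NTDS (456) NTDSA: The database page read from the file "
    "C:\\WINDOWS\\NTDS\\ntds.dit at offset 1318912 for 8192 bytes failed "
    "verification due to a page checksum mismatch. The expected checksum was "
    "2856917849 and the actual checksum was 2856917881. The read operation "
    "will fail with error -1018 (0xfffffc06).\n"
    "12/03/2005 22:41:12\tError\tNTDS General\t1168\t"
    "Internal error: An Active Directory error has occurred. Error value: -1018\n"
    "12/03/2005 22:43:05\tError\tNTDS ISAM\t474\t"
    "NTDS (456) NTDSA: The database page read from the file "
    "C:\\WINDOWS\\NTDS\\ntds.dit at offset 2359296 for 8192 bytes failed "
    "verification due to a page checksum mismatch. The expected checksum was "
    "1094795585 and the actual checksum was 1094795601. The read operation "
    "will fail with error -1018 (0xfffffc06).\n"
    "12/03/2005 22:43:07\tInformation\tNTDS ISAM\t102\t"
    "NTDS (456) NTDSA: The database engine started a new instance (0).\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
```

Run against the constructed sample it reports two -1018 hits, both with checksums that differ in exactly one bit, and calls that a trend worth a jetstress run; the "NTDS General" line is ignored on purpose, because only the engine's own events carry the JET code that distinguishes a bad read from a logical problem.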
| jmedeiros@xxxx.yyy
 | | 12/05/2005 7:25 AM |
| I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD & premier support specialists and they each confirmed it was not available (however it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?

Phil
| | | |
| slinehan
Posts:18
 | | 12/05/2005 7:29 AM |
| We do not replicate corruption so if you have local
corruption as noted below there is no worry that it would replicate around to
other servers in the environment.
Thanks,
-Steve | | | |
| prenouf
Posts:1
 | | 12/05/2005 8:21 AM |
| I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD & premier support specialists and they each confirmed it was not available (however it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL | | | |