List Archives

Subject: [ActiveDir] Ntds.dit file corruption
jmedeiros@xxxx.yyy

12/05/2005 9:21 AM

If that failsafe is built in then I am just being a worrywart and I have to admit, I have yet to experience this particular problem.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steve Linehan
Sent: Monday, December 05, 2005 11:26 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption, so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,

-Steve


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose <jmedeiros@xxxxxxxxxxxxxxx> wrote:

Well, at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improved logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the Forest. Maybe I am just being a worrywart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
> She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed:
>   http://blogs.technet.com/efleis/archive/2005/01.aspx
>
> Anyway, this kind of thing is usually hardware ...
>
> While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production.
>
> If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
>
>  - Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
>
>  - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
>
>  - Try swapping out the hard drives, one at a time.
>
>  - Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
>
>  - If you can reproduce it several times, you could follow up with Dell.
>
> Good luck.
>
> I'm not sure if I answered your question ...
>
> Cheers,
> BrettSh
>
> On Sun, 4 Dec 2005, Eric Fleischman wrote:
>
>> Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Sat 12/3/2005 10:58 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>> Subject: [ActiveDir] Ntds.dit file corruption
>>
>> SBS box [with Windows 2003 sp1 since September]
>>
>> RE: [ActiveDir] Database Corruption:
>> http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg32676.html
>>
>> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433].
>>
>> Bottom line they are about going to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here. From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen.
>>
>> The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions
>> Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>>
>> If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online.
>>
>> Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role.
>>
>> ---------------------------------------
>> Stupid question alert....
>>
>> Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland...but question.... many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc....] If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
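Eric's question above (which NTDS ISAM / ESE errors are in the Directory Service log) and Brett's diagnosis (this kind of thing is usually hardware) suggest the triage below. It is an added example, not code from anyone on the list: it scans a tab-separated text export of the Directory Service log (the export format and the event IDs in the constructed sample are assumptions) and flags the ESE JET error codes that point at the disk subsystem (-1018, -1019, -1022) separately from logical corruption codes (-1206, -1414).

```python
"""Triage exported Directory Service event log lines for ESE / NTDS ISAM errors.

Assumed export format, one event per line, tab-separated:
    <date>\t<source>\t<event id>\t<level>\t<message>
The sample log and its event IDs are constructed for this example.
"""
import re
from collections import Counter

# Selected ESE (JET) error codes. The first three mean the page that came
# back from the storage stack was not the page ESE wrote: checksum mismatch,
# blank page, or a failed I/O. Those are the "blame the disk subsystem" codes.
JET_ERRORS = {
    -1018: "JET_errReadVerifyFailure (page checksum mismatch)",
    -1019: "JET_errPageNotInitialized (page is blank)",
    -1022: "JET_errDiskIO (disk I/O error)",
    -1206: "JET_errDatabaseCorrupted",
    -1414: "JET_errSecondaryIndexCorrupted",
}
HARDWARE_SUSPECT = {-1018, -1019, -1022}
ESE_SOURCES = {"NTDS ISAM", "ESE", "ESENT"}

# Constructed sample export: one normal startup event, one checksum failure,
# one index corruption report, one NTDS General error carrying a JET code.
SAMPLE_LOG = (
    "12/03/2005 22:41:07\tNTDS General\t1000\tInformation\t"
    "Microsoft Active Directory startup complete.\n"
    "12/03/2005 22:52:13\tNTDS ISAM\t474\tError\t"
    "NTDS (512) NTDSA: The database page read from the file "
    "C:\\WINDOWS\\NTDS\\ntds.dit at offset 8388608 for 8192 bytes failed "
    "verification due to a page checksum mismatch. The read operation will "
    "fail with error -1018 (0xfffffc06).\n"
    "12/03/2005 22:52:14\tNTDS ISAM\t467\tError\t"
    "NTDS (512) NTDSA: Database C:\\WINDOWS\\NTDS\\ntds.dit: Index DRA_USN "
    "of table datatable is corrupted (0).\n"
    "12/03/2005 22:52:20\tNTDS General\t1168\tError\t"
    "Internal error: An Active Directory error has occurred. Error value: "
    "-1414 JET_errSecondaryIndexCorrupted\n"
)

# A JET code is a negative four-digit number starting with 1, not glued to
# a word or a decimal point (so offsets, dates and hex values do not match).
JET_CODE_RE = re.compile(r"(?<![\w.])(-1\d{3})(?!\d)")


def parse_events(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue  # blank or malformed line; not an export record
        date, source, event_id, level, message = parts
        events.append({"time": date, "source": source,
                       "event_id": int(event_id), "level": level,
                       "message": message})
    return events


def classify(event):
    """Return (category, known JET codes found in the message)."""
    codes = [int(c) for c in JET_CODE_RE.findall(event["message"])]
    codes = [c for c in codes if c in JET_ERRORS]  # keep documented codes only
    if any(c in HARDWARE_SUSPECT for c in codes):
        return "hardware-suspect", codes
    if codes:
        return "logical-corruption", codes
    if event["source"] in ESE_SOURCES and event["level"] in ("Error", "Warning"):
        return "ese-error-no-code", codes  # e.g. an index corruption report
    return "other", codes


def triage(text):
    """Count categories and collect findings; the verdict says where to look next."""
    report = {"counts": Counter(), "findings": []}
    for ev in parse_events(text):
        category, codes = classify(ev)
        report["counts"][category] += 1
        if category != "other":
            report["findings"].append((ev["time"], ev["source"], ev["event_id"],
                                       category, [JET_ERRORS[c] for c in codes]))
    if report["counts"]["hardware-suspect"]:
        report["verdict"] = ("Suspect the disk subsystem: ESE read pages it did not "
                             "write. Stress the disks (e.g. jetstress) before trusting "
                             "this box, and check driver/controller firmware.")
    else:
        report["verdict"] = ("No hardware-signature ESE errors found; look for other "
                             "causes before blaming the disks.")
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    print(dict(result["counts"]))
    print(result["verdict"])
```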
robert.carpenter@xxxx.yyy

12/05/2005 11:37 AM

Novell.....

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD & premier support specialists and they each confirmed it was not available (however it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

AD000001304

12/06/2005 3:40 AM

BDC....

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.....
listmail

12/06/2005 4:51 AM

Ack you left Alliance. Well crap.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steve Linehan
Sent: Tuesday, December 06, 2005 12:49 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

For full disclosure, I am no longer in the Microsoft Services organization; I was the last time Joe talked to me, when I was an Advisory Support Engineer (AKA Alliance Support). I am now a Product Technology Specialist for Directories and Identities in Microsoft's technical pre-sales organization. Not that it changes the answer below. :-)

Thanks,

-Steve

Steve Linehan | Technology Specialist Directories & Identities | South Central District | Microsoft Corporation

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

RODCs are a LongHorn feature. It will be one-way replication to the RODCs. They will not replicate out anything. If you are on the LongHorn beta you should be able to test this right now.

But as Steve (one of the really good PSS guys) said, and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate.

In every case I have seen it, the problem has been hardware failure or a firmware/driver matchup issue in the disk subsystem.

Fixing them is easy: wipe the machine, do hardware tests; if it passes, do it again. If it passes, do it a third time. If it passes, reload and repromo. If it fails one of the tests, get the hardware fixed, reload, and repromo.

If SBS, well, you have all sorts of issues in that basket as your eggs leak.

   joe
the>> operating table and getting an autopsy before putting it
back online. >>>> Are we right in being paranoid now
about this hardware?  For you guys in>> big server land
you'd just slide over another box into that server
role.>>>> ---------------------------------------
>> Stupid question alert....>>>> Okay so we
know that having a secondary/additional domain controller is>> a
good thing even in SBSland...but question.... many times the
second>> server in SBSland is a terminal server box because we do
not support TS >> in app mode on our PDCs. So we've established
that having a domain>> controller and a terminal server is a
security issue [see Windows>> Security resource kit, NIST Terminal
services hardening guide, etc >> etc....]  If our second
server is a member server handing out TS>> externally, should that
be a candidate for the additional DC?  Are the>> issues
of TS on a DC ... true for 'any' DC?  Would it be better than to
>> Vserver/VPC a Win2k3 inside a workstation in the network if a
third>> server box was not feasible?>>>> List
info   : http://www.activedir.org/List.aspx
>> List FAQ    : http://www.activedir.org/ListFAQ.aspx>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>>>>>>>>> List
info   : http://www.activedir.org/List.aspx>
List FAQ    : http://www.activedir.org/ListFAQ.aspx>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>>--Letting
your vendors set your risk analysis these days?http://www.threatcode.comList
info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspxList
FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
listmail
12/06/2005 5:04 AM  
I may get into trouble with this post as
Brett/Eric/Dean/Steve correct me... But that will be good.

I will start with trying to differentiate between types of corruption... My idea of AD corruption is underlying table corruption. However some people may consider bad (really unexpected) values in AD to be corruption. The latter isn't corruption; AD is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the attribute. If you have the DN of a user in the siteObject attribute that isn't corruption, it isn't good, but it is valid for the schema. Or if you have binary data in a unicode string, again, not corruption (a unicode string IS binary data). That being said, if apps (including parts of AD itself) hit unexpected data, you will have some issues; even if it isn't truly "corruption" it may as well be in some cases. In fact, table corruption is probably better than unexpected data in many cases.

You might be able to argue that a USN rollback is corruption but I still don't consider it so. Valid data, just out of step.

Again, corruption to me is in the underlying tables. Since AD doesn't replicate the table structures, you can't pass that table corruption around. Once AD realizes that some portion of the database is corrupt, which would probably be recognized by ESE saying "that isn't right" and not passing info back up to higher levels, but instead passing an error.


  joe





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, December 06, 2005 3:49 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

Is this guaranteed? How can we/you be sure that the system
will recognise the corruptions and therefore not replicate them? Surely this is
akin to the new feature added to e2k3 sp1, but which is (sadly) missing from
AD(?)

I must be missing a subtle point - please show me the light
:)


neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local
corruption as noted below there is no worry that it would replicate around to
other servers in the environment.

Thanks,

-Steve
jmedeiros@xxxx.yyy

12/06/2005 5:09 AM  
BDC..
Yes and no.. Yes it is a read only copy of the PDC's database, but no you do not have an option to choose.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Sullivan Tim
Sent: Monday, December 05, 2005 7:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption
BDC....


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.....


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD & premier support specialists and they each confirmed it was not available (However it may have been added in a service pack).

I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption
Will Read Only DC's take care of this? I don't know much about them
yet, but it makes sense that if the copy of the dit that a DC has is RO that
it won't try to replicate that anywhere and would only be the recipient of
replication. Anyone with more knowledge about how RO DC's will work to
comment on that?

Phil 
listmail
12/06/2005 5:31 AM  
Well you have the option to choose what DCs will be RODCs or which will be normal, you just don't have the ability to switch on the fly.

Also the replication mechanism isn't the same as the NT4 PDC/BDC relationship. It is the AD replication, but nothing can pull from an RODC.

Also, you will probably be able to make someone an Admin on an RODC for local server stuff who doesn't have admin rights on other DCs.
List FAQ    : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspxList
FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
sbradcpa
Posts: 317
12/06/2005 5:33 AM
"Additional Domain controller"
BDC is an NT4 concept and in my book NT4 is dead ;-)

Medeiros, Jose wrote:
BDC.. Yes and no.. Yes it is read only copy of the PDC's database, but
no you do not have an option to choose.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]*On Behalf Of *Sullivan Tim
*Sent:* Monday, December 05, 2005 7:38 PM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* RE: [ActiveDir] Ntds.dit file corruption

BDC....

------------------------------------------------------------------------
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] *On Behalf Of
*Carpenter Robert A Contr WROCI/Enterprise IT
*Sent:* Monday, December 05, 2005 5:33 PM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* RE: [ActiveDir] Ntds.dit file corruption

Novell.....

------------------------------------------------------------------------
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] *On Behalf Of
*Medeiros, Jose
*Sent:* Monday, December 05, 2005 11:24 AM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in
AD 2003. I know for a fact that Microsoft did not have this
feature when AD 2000 was first released because I mentioned it to
several Microsoft AD & premier support specialists and they each
confirmed it was not available ( However it may have been added in
a service pack ).

I would love to know how to enable a read only DC. I think that is
a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]*On Behalf Of *Phil
Renouf
*Sent:* Monday, December 05, 2005 11:04 AM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about
them yet, but it makes sense that if the copy of the dit that
a DC has is RO that it won't try to replicate that anywhere
and would only be the recipient of replication. Anyone with
more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, *Medeiros, Jose* wrote:

Well at least the corruption occurred on just a single DC.
One thing that has bugged me about Active Directory is not
being able to select if you want a DC in a remote office
to not have the ability to replicate back in a large
enterprise environment. Since most remote offices only
have a few people at the location and a DC is usually
placed for improvised logon and authentication time, many
companies will either use a very low end server or a very
old decommissioned one from their production data center (
Which is probably close to usable life ). I am always
concerned that once the NTDS.DIT file becomes corrupt it
will replicate the corruption to the other DC's in the
Forest.

Maybe I am just being a worry wart and this really is not
an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs,
and the default size of the logs, I still don't see a smoking gun. The
directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh
yeah... ntds.dit corruption... and sbsland freaks out. Either we do
indeed need to ensure we have a secondary DC or we need to park a second
copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
> She replied offline, very likely a single bit flip, tragedy, they aren't
> one release later (Longhorn), where this would've probably been
> non-disruptively handled, logged, and possibly self-healed:
> http://blogs.technet.com/efleis/archive/2005/01.aspx
>
> Anyway, this kind of thing is usually hardware ...
>
> While there are much better disk sub-system testers, one that is freely
> available to any box with Exchange is jetstress. You might give that a
> try. If you can reproduce the event / error with jetstress I would not
> use that box in production.
>
> If you do reproduce the issue several times (several times is key, as you
> want a trend before you start playing the variable game), some things
> you might vary (one at a time):
>
> - Try making sure you have the latest driver and motherboard / controller
> firmware. Then see if you can reproduce.
>
> - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
> RAID5.
>
> - Try swapping out the hard drives, one at a time.
>
> - Adding the jetstress files to the exclude list in the Anti-Virus
> software. (A low probability, I've never heard of Anti-Virus causing this
> particular type of error, and I can't imagine the mistake an anti-virus
> product would have to have to cause this side effect)
>
> - If you can reproduce it several times, you could follow up with Dell.
> Good luck.
>
> I'm not sure if I answered your question ...
>
> Cheers,
> BrettSh
>
> On Sun, 4 Dec 2005, Eric Fleischman wrote:
>
>> Going back to the original post, I'm not sure I fully understand the
>> problem yet. Susan, can you define "ntds.dit file corruption" for us?
>> What sort of corruption? What errors/events lead you to believe this?
>> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
>> have any.
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of
>> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Sat 12/3/2005 10:58 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>> Subject: [ActiveDir] Ntds.dit file corruption
>>
>> SBS box [with Windows 2003 sp1 since September]
>>
>> RE: [ActiveDir] Database Corruption:
>> http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg32676.html
>>
>> We have an SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
>> and PSS have been banging on. Could not get the services back running,
>> changed the RPC service to local system and some service came back up [I
>> don't have all the details but the consultant opened a support case of
>> SRX051202605433].
>>
>> Bottom line they are about going to give up and start a restore but
>> before they do that I'd like to get the view of the AD gods and
>> goddesses around here. From all that I've seen, read, seen in the SBS
>> newsgroup, the corruption of ntds.dit is rare to nil and an underlying
>> cause is hardware issues [raid, disk subsystem]. This doesn't just
>> happen.
>>
>> The VAP asked if not properly excluding the ad databases from the a/v
>> would cause this/trigger this and my expectation is 'no', given that I
>> doubt the majority of us in SBSland properly set up exclusions
>> Virus scanning recommendations on a Windows 2000 or on a Windows Server
>> 2003 domain controller:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>>
>> If this were my hardware and box, I'd be putting this sucker on the
>> operating table and getting an autopsy before putting it back online.
>>
>> Are we right in being paranoid now about this hardware? For you guys in
>> big server land you'd just slide over another box into that server role.
>>
>> ---------------------------------------
>> Stupid question alert....
>>
>> Okay so we know that having a secondary/additional domain controller is
>> a good thing even in SBSland...but question.... many times the second
>> server in SBSland is a terminal server box because we do not support TS
>> in app mode on our PDCs. So we've established that having a domain
>> controller and a terminal server is a security issue [see Windows
>> Security resource kit, NIST Terminal services hardening guide, etc
>> etc....] If our second server is a member server handing out TS
>> externally, should that be a candidate for the additional DC? Are the
>> issues of TS on a DC ... true for 'any' DC? Would it be better then to
>> Vserver/VPC a Win2k3 inside a workstation in the network if a third
>> server box was not feasible?
>>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
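Eric asks above for the NTDS ISAM / ESE errors, and Brett's read is "very likely a single bit flip", i.e. the storage path handing back a page that fails its checksum. As an added example that is not part of the thread, here is a small Python triage of an exported Directory Service log that separates that hardware-flavoured signature from logical index corruption; the event IDs and ESE error codes are the editor's assumptions from ESE documentation, and the log records are constructed.

```python
"""Triage an exported Directory Service event log for NTDS ISAM / ESE
errors and separate hardware-flavoured symptoms (page checksum mismatch,
disk I/O failures) from logical corruption of the database structures.

Record format, constructed for this example: 'timestamp|source|id|message'.
"""
import re
from collections import Counter

# Editor's assumptions from ESE documentation, not facts stated in the thread:
# ESE error codes that normally mean the storage path returned bad data ...
ESE_HARDWARE_SUSPECT = {
    -1018: "JET_errReadVerifyFailure: page checksum mismatch",
    -1019: "JET_errPageNotInitialized: page number mismatch / blank page",
    -1022: "JET_errDiskIO: disk I/O error",
}
# ... and codes that describe damage to the database's own structures.
ESE_LOGICAL = {
    -1206: "JET_errDatabaseCorrupted",
    -1414: "JET_errSecondaryIndexCorrupted",
}
# NTDS ISAM event IDs whose message text does not always carry the code.
EVENT_HARDWARE_SUSPECT = {474, 475}
EVENT_LOGICAL = {467}
ISAM_SOURCES = {"NTDS ISAM", "ESE"}
ERR_RE = re.compile(r"error (-\d+)")


def parse_record(line):
    """Split one exported record and pull the ESE error code, if any."""
    ts, source, event_id, message = line.split("|", 3)
    m = ERR_RE.search(message)
    return {"ts": ts, "source": source, "id": int(event_id),
            "message": message, "ese_error": int(m.group(1)) if m else None}


def classify(rec):
    """'hardware', 'logical' or 'other-ese' for ESE-sourced events, else None."""
    if rec["source"] not in ISAM_SOURCES:
        return None
    code, eid = rec["ese_error"], rec["id"]
    if code in ESE_HARDWARE_SUSPECT or eid in EVENT_HARDWARE_SUSPECT:
        return "hardware"
    if code in ESE_LOGICAL or eid in EVENT_LOGICAL:
        return "logical"
    return "other-ese"


def triage(lines):
    """Count findings per class, note the first hardware-suspect event and
    return a verdict: one checksum mismatch is enough to test the disk
    subsystem before restoring onto the same box, as the thread advises."""
    counts, first_hw = Counter(), None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        cls = classify(rec)
        if cls is None:
            continue
        counts[cls] += 1
        if cls == "hardware" and first_hw is None:
            first_hw = rec["ts"]
    if counts["hardware"]:
        verdict = "hardware-suspect: test the disk subsystem before reuse"
    elif counts["logical"]:
        verdict = "logical corruption only: no I/O-level symptom in export"
    else:
        verdict = "no ESE corruption signature in this export"
    return {"counts": dict(counts), "first_hardware_event": first_hw,
            "verdict": verdict}


# Constructed sample export, loosely modelled on NTDS ISAM message wording.
SAMPLE_EXPORT = """\
2005-12-02 03:11:07|NTDS ISAM|474|NTDS (412) NTDSA: The database page read from the file "C:\\WINDOWS\\NTDS\\ntds.dit" at offset 8192 for 8192 bytes failed verification due to a page checksum mismatch. The read operation will fail with error -1018 (0xfffffc06).
2005-12-02 03:11:08|NTDS ISAM|467|NTDS (412) NTDSA: Index INDEX_00090290 of table datatable is corrupted (0).
2005-12-02 03:11:09|NTDS General|1173|Internal event: Active Directory has encountered the following exception and associated parameters.
2005-12-02 03:15:00|Service Control Manager|7023|The Active Directory service terminated with the following error.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT.splitlines()))
```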
AD000001286
Posts: 0
12/06/2005 5:48 AM
In the Microsoft book it is dead too.

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 12:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ntds.dit file corruption

"Additional Domain controller"
BDC is an NT4 concept and in my book NT4 is dead ;-)


--
Letting your vendors set your risk analysis these days?