List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

When subscribed to the list, use your standard e-mail client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Create a group with a specified SID

AD000001012
09/09/2005 1:20 AM
Hi All,

Is there a tool that would create a group and allows you to specify the SID for the group? The domain part of the SID would match the domain, so actually only the RID would need to be specified.

A short background: I was told about a case where an NT domain was in-place upgraded to WS2003. During the upgrade, 75% of the global groups disappeared. Unfortunately, this was noticed only a couple of weeks later, so it would be quite impossible to do the upgrade again from the roll-back BDC. Also, re-ACLing those groups with SubInACL on 50 servers would be quite laborious.

An interesting side-note: The missing groups don't show in ADUC, NT User Manager, or an NTDS dump on any of the DCs, so you obviously cannot add any new members to them. On the other hand, they still continue to work, so that the old members can access resources based on these missing groups. I wonder where they could be cached, and how to track them.

Yours, Sakari
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
ZJORZ
09/09/2005 1:43 AM
dwells
09/09/2005 2:36 AM
You mention that this is a case you were told about, I take it you've not confirmed what you're being told?

That aside, when you say NTDS dump, specifically what are you referring to?

--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
AD000001012
09/09/2005 4:05 AM
Hi Jorge and Dean,

Answers and more description:

- I don't have personal access to the network in question, but I trust the guys over there to give me quite correct information. Of course, it's never the same as seeing it yourself.

- The NTDS dump I mentioned is done using the operational dumpDatabase attribute of RootDSE.

- The missing groups are not visible with any of the following:
  - The previously mentioned NTDS dump
  - NET LOCALGROUP or NET GROUP
  - NT User Manager
  - ADSI Edit
  - ADUC search feature

- The Member Of tab of a user in ADUC does not list the missing groups.

- The old members of the groups can access the resources (even though they don't show in the Member Of tab).

- In ACL Editor, the missing groups show as names, not SIDs.

- You can create a new group in NT User Manager with the same SAM name as the missing one. After that, it also shows in ADUC. And after that, the missing group shows as a SID in ACL Editor, and not by name anymore.

- The forest has a root and three child domains, and this problem appears in one of the child domains.

- The problem domain has 3 DCs.

- The missing groups are global groups.

- I have to ask them to check the WHOAMI/SECTOK thing.

It seems that the groups are gone from the DCs but are still cached in the member servers. But it's funny that this caching still applies after several weeks. But still the question remains: how do the missing groups get into the users' access tokens?

Because they cannot add users to the missing groups, they could create a new group for each missing group, with the suffix NEW, for example, and add all the correct users to these new groups (the member information is available). But those new groups would need to be added to all the resources on all the 50 member servers.

They could also try the following:
- perform the in-place upgrade again from the roll-back BDC into a new empty forest/domain
- migrate (with ADMT) the groups in question to another empty forest/domain
- then migrate (with ADMT) the groups in question to the current production domain (if ADMT allows this, and if the RIDs of the incoming missing groups are not already reused in the production domain)

Yours, Sakari
listmail
09/09/2005 4:08 AM
If they work, they are there, they are just not finding them.

Does the NET GROUP command work?

joe


dwells
09/09/2005 4:17 AM
Thanks for the info.

I'm not sure I'd agree that the groups are cached on the members; they're Global Groups whose SID is making it into the user's token (I'm assuming this is not occurring due to cached creds.). In addition, the SIDs are being resolved within the ACL editor; as such, it seems more likely to me that they do still exist in some way, shape or form on the DCs in the child domain. What attributes were you dumping? Is or has Universal group caching being or been used? Does the same result occur if the users log on to a workstation they've previously never visited (cached creds.)?

--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
ZJORZ
09/09/2005 4:56 AM
listmail
09/09/2005 6:06 AM
I would definitely use sectok to get the list of groups.

If using whoami /groups, add the /sid switch to get SIDs as well and verify them against the domain SID.

Once I had the SID, I would execute the following query:

adfind -gc -b -binenc -f "|(objectsid=S-blah-blah)(sidhistory=S-1-blah-blah)" -dn

If that didn't return anything, I would try:

adfind -gc -b -binenc -f "|(objectsid=S-blah-blah)(sidhistory=S-1-blah-blah)" -dn -showdel

If that didn't return anything, I would launch a process on a DC as localsystem and rerun the first query.

joe


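The lookup joe describes above (token SIDs, check against the domain SID, search the GC for objectSid and sIDHistory, then again with deleted objects) as one PowerShell script. This is an added example, not code from the thread, from adfind or from sectok. It assumes a domain-joined machine that can reach a global catalog, and it uses the .NET DirectoryServices classes in place of adfind: ConvertTo-LdapSidFilter does the byte escaping that adfind's -binenc switch does, and the Tombstone property sends the control behind -showdel. Run it as the affected user to read the token directly, or pass -Sid with SIDs copied from their whoami /groups /sid or sectok output; for joe's last step run it on a DC under LocalSystem (for example from psexec -s -i powershell.exe), which is why the domain SID falls back to the domain head object when the caller has no account domain.

```powershell
# Added example (not from the thread): locate the directory object behind
# each group SID found in a token. Save as Find-TokenSid.ps1 and run it
# without arguments to read the current token, or pass -Sid with one or
# more SID strings copied from sectok / whoami /groups /sid output.
param(
    [string[]]$Sid
)
$ErrorActionPreference = 'Stop'

$rootDse = [ADSI]'LDAP://RootDSE'

# 1. Group SIDs from the current token (the list whoami /groups /sid prints).
if (-not $Sid) {
    $Sid = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
}

# 2. Domain SID to compare against. A domain account carries it in its own SID;
#    under LocalSystem (joe's last step) read it from the domain head instead.
$domainSidObj = [Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
if (-not $domainSidObj) {
    $domainHead   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $domainSidObj = New-Object Security.Principal.SecurityIdentifier(([byte[]]$domainHead.objectSid.Value), 0)
}
$domainSid = $domainSidObj.Value

# 3. Search root: forest root naming context over the GC port (adfind -gc).
$gcRoot = New-Object DirectoryServices.DirectoryEntry("GC://$($rootDse.rootDomainNamingContext)")

function ConvertTo-LdapSidFilter([string]$SidString) {
    # objectSid and sIDHistory are binary attributes, so the filter carries the
    # SID's binary form as one escaped \XX per byte (what adfind -binenc does).
    $s   = New-Object Security.Principal.SecurityIdentifier($SidString)
    $buf = New-Object byte[] ($s.BinaryLength)
    $s.GetBinaryForm($buf, 0)
    return ($buf | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function Find-SidInForest([string]$SidString, [bool]$IncludeDeleted) {
    $bin      = ConvertTo-LdapSidFilter $SidString
    $searcher = New-Object DirectoryServices.DirectorySearcher($gcRoot)
    $searcher.Filter    = "(|(objectSid=$bin)(sIDHistory=$bin))"
    $searcher.Tombstone = $IncludeDeleted   # adds the show-deleted control (adfind -showdel)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try     { return @($results | ForEach-Object { $_.Properties['distinguishedname'][0] }) }
    finally { $results.Dispose() }
}

foreach ($s in $Sid) {
    # Only SIDs whose domain part matches are candidates; what follows it is the RID.
    if (-not $s.StartsWith("$domainSid-")) {
        "$s  (not from domain $domainSid, skipped)"
        continue
    }
    $rid = $s.Substring($domainSid.Length + 1)
    $dn  = Find-SidInForest $s $false
    if (-not $dn) { $dn = Find-SidInForest $s $true | ForEach-Object { "$_ [deleted]" } }
    if (-not $dn) { $dn = '<not found in the GC, even among tombstones>' }
    '{0}  RID={1}  {2}' -f $s, $rid, ($dn -join '; ')
}
```

A DN in the output means the SID is still attached to a live object somewhere in the forest (possibly under a different name, in another domain, or only through sIDHistory); a DN marked [deleted] is a tombstone, so the group was deleted after the upgrade rather than never created; no hit at all, even as LocalSystem on a DC, means no WS2003 DC ever held the object, which is the case this thread ends up with.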
AD000001012
09/09/2005 9:36 AM
No, NET GROUP doesn't show the missing groups.

Yours, Sakari
AD000001012
09/09/2005 9:51 AM
There is an offline thread about these mysterious missing groups. If something comes up in the next few days, I'll let you know.

Yours, Sakari
ZJORZ
09/09/2005 11:32 AM
GuidoG
09/10/2005 11:56 AM
Certainly awkward. I've never heard of anything like it, and I've done quite a few migrations and in-place upgrades. I first read the mail and thought, gee, someone really doesn't know what they're talking about. Then I saw it was from you, Sakari, and thought, oh no, you wouldn't joke around with this.

> It seems that the groups are gone from the DCs but are still
> cached in the member servers. But it's funny that this caching
> still applies after several weeks.

There is no such thing as a group-membership cache on member servers, so I highly doubt you're dealing with any issue that will go away or fix itself in time. More likely there's a name cache (not sure) which could explain why the groups display in the ACL editor (can you check how the name is displayed, i.e. with or without the domain name?).

> The old members of the groups can access the resources
> (even though they don't show in the Member Of tab)

The first thing to do is obviously to validate how the users are granted access to those resources. They could very easily have access to the resource via membership of some other group which is totally unrelated to these missing groups (as mentioned by joe and Jorge, check the user's token and compare to the permissions on the resource). Naturally server local groups wouldn't show up in the memberOf tab on a user in AD, but this is no different than it was with WinNT. How about bringing that old BDC back online and checking what memberships it displays for the users and whether the groups really are global groups?

If at last all of this stuff is true after all, your friends must have really witnessed a highly unlikely domain-upgrade failure. At least it's good that they know the memberships of the groups and could recreate them. Also you know the old SID of the missing group, which is also good.

Do they also know where these global groups were used at all? If they are sure that it's "only" those 50 member servers mentioned, then re-creating the groups and re-ACLing the member servers would be my preferred approach over trying to get those old SIDs into the SIDhistory of another group. You can easily re-ACL the servers with just a list of the SIDs for those missing/re-created groups.

If they're unsure about the usage of the groups, then getting their SID into the SIDhistory of new groups could be a valid approach. To make this work in your situation, you don't have to first perform an in-place upgrade from the roll-back BDC; you could migrate the groups straight away to a new interim forest and then migrate them from the interim to the production forest. Their RIDs wouldn't have been reused, since RIDs only go upward (an old RID will never be reused by AD).

/Guido
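Guido's preferred fix, re-ACLing the member servers from a list of the old SIDs, as a PowerShell script run on each server. This is an added example, not code from the thread or from SubInACL (whose /replace option is the one-shot equivalent the thread mentions). The SIDs, group names and share root in $SidMap and $Root are constructed placeholders; the script assumes the re-created groups already exist and have replicated (it stops if a name does not resolve) and that it runs under a local Administrator token with write-DAC on the tree. It starts in report-only mode.

```powershell
# Added example (not from the thread): replace explicit ACEs that name an
# orphaned group SID with the same ACE for the re-created group.
# $SidMap, $Root and the group names are constructed placeholders.
$ErrorActionPreference = 'Stop'

$SidMap = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'CHILD\Finance-NEW'
    'S-1-5-21-1111111111-2222222222-3333333333-1106' = 'CHILD\Payroll-NEW'
}
$Root   = 'D:\Shares'
$DryRun = $true    # report only; set to $false to write the ACLs

# Resolve each replacement name once. Translate() throws if the name does not
# resolve, and with ErrorActionPreference = Stop that halts the script: a typo
# or an unreplicated group must not silently turn into a missing ACE.
$Targets = @{}
foreach ($entry in $SidMap.GetEnumerator()) {
    $account = New-Object Security.Principal.NTAccount($entry.Value)
    $Targets[$entry.Key] = $account.Translate([Security.Principal.SecurityIdentifier])
}

function Get-AceSid($Ace) {
    # An orphaned SID comes back from Get-Acl as a SecurityIdentifier already;
    # a name the server can still resolve comes back as NTAccount and is
    # translated here so both forms compare as SID strings.
    $id = $Ace.IdentityReference
    if ($id -is [Security.Principal.NTAccount]) {
        $id = $id.Translate([Security.Principal.SecurityIdentifier])
    }
    return $id.Value
}

$items   = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$changed = 0
foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $touched = $false
    # Explicit ACEs only: inherited ones are corrected when their parent is rewritten.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $old = Get-AceSid $ace
        if (-not $Targets.ContainsKey($old)) { continue }
        # Same rights, inheritance, propagation and allow/deny as the old ACE,
        # only the trustee changes.
        $new = New-Object Security.AccessControl.FileSystemAccessRule(
            $Targets[$old], $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($new)
        [void]$acl.RemoveAccessRule($ace)
        $touched = $true
        '{0}: {1} -> {2} ({3} {4})' -f $item.FullName, $old, $SidMap[$old], $ace.AccessControlType, $ace.FileSystemRights
    }
    if ($touched -and -not $DryRun) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $changed++
    }
}
"$changed object(s) rewritten (DryRun = $DryRun)"
```

Review the report before flipping $DryRun: every line shows the path, the old SID, the new group and the rights being carried over, which is also the record you want if an ACE turns out to belong to a group that was never meant to be re-created. Shares, registry keys and service ACLs are not covered by this file-system walk and need the same treatment separately.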
AD000001012
09/14/2005 6:55 AM
Sakari wrote:
> > It seems that the groups are gone from the DCs but are still
> > cached in the member servers. But its funny that this caching
> > still applies after several weeks.

Guido wrote:
> there is no such thing as a group-membership-cache on
> member-servers so I highly doubt you're dealing with any issue
> that will go away or fix itself in time. More likely there's
> a name-cache (not sure) which could explain why the groups
> display in the ACL editor (can you check how the
> name is displayed - i.e. with or without the domainname?)

Yes, I actually meant group name caching to resolve SIDs, but my wording was quite vague.

Yours, Sakari
AD000001012
09/14/2005 7:04 AM
Hi All,

Now I drove to the "missing group site" to see things with my own eyes.

I found out a slight detail that affects the case :-). In addition to the three WS2003 DCs, there were also some NT4 BDCs left. So the problem of where the missing groups existed turned out to have quite an obvious solution... (Actually, a little too obvious, because we all missed it. Not that I can blame anyone, because I told you that the problem domain has three DCs, and I should have known about the NT4 ones...)

Two things remained a mystery, though.

A) Why they had disappeared from the WS2003 DCs in the first place. My guess is that because of a replication issue they didn't replicate out of the upgraded PDC before those guys removed and formatted the upgraded PDC. (This I already knew but forgot to include in the case description of my previous message, sorry.) They did check that replication was OK before they removed the DC, though.

B) From the in-place upgrade in July until last week (about six weeks, that is) the groups still existed on the NT4 BDC, although NT replication should have removed them. So why didn't this work? My guess is a WINS (or name resolution) problem, so that the NT4 BDCs didn't find their new PDC (emulator).

Yours, Sakari

PS. Even though the explanation turned out to be quite obvious, this was still an interesting case.
GuidoG
09/14/2005 7:15 AM
Regarding question B): why should these groups have been removed from the NT4 BDCs if the other 2003 DCs (incl. the new PDCE after the upgraded one was removed) apparently never knew of them? They would not have had a tombstone either, and as such the PDCE would not remove the groups from the BDCs either.

/Guido

AD000001012
09/15/2005 9:06 AM
Hi Guido,

What you write sounds good to me.

Yours, Sakari
Copyright 2012 ActiveDir.org