| Author | Messages | |
rmscheck
Posts:245
 | | 12/01/2008 12:27 PM |
| Hey guys,
I am running some health checks on AD, and have seen this reported in a
bunch of places. What does it mean, retired invocation? I am currently
doing some googling on it, but wanted to hedge my bets here :p
* Replication Latency Check
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 11 entries in the vector were
ignored.
11 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
Thanks!!
Rand.
| | | |
| rmscheck
Posts:245
| | 12/01/2008 12:46 PM |
| Ahh, so not necessarily bad then.. its just saying the Invo ID has changed
X amount of times? Funny though, these DCs have havent been touched much (
as in never deleted or demoted, etc..) so I wonder why the frequency of the
changes. Guess I'll need to look up deeper what would cause an ID change..
On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
> Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
> world... a DC (for Active Directory) or ADAM instance. Invocation ID also
> changes for restores as well.
>
>
> joe
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
> ------------------------------
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Rand Salazar
> *Sent:* Monday, December 01, 2008 12:24 PM
> *To:* activedir@mail.activedir.org
> *Subject:* [ActiveDir] DCDIAG - Latency Check, retired invocations??
>
> Hey guys,
>
> I am running some health checks on AD, and have seen this reported in a
> bunch of places. What does it mean, retired invocation? I am currently
> doing some googling on it, but wanted to hedge my bets here :p
>
> * Replication Latency Check
> CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
> Latency information for 11 entries in the vector were
> ignored.
> 11 were retired Invocations. 0 were either: read-only
> replicas and are not verifiably latent, or dc's no longer replicating this
> nc. 0 had no latency information (Win2K DC).
>
> Thanks!!
> Rand.
>
>
| | | |
| rmscheck
Posts:245
| | 12/01/2008 12:58 PM |
| Hmm.. not really. at least not 11 times that I know... I can't really
think of any that we removed for good. It could be before my time.. but
still hard to imagine.
On Mon, Dec 1, 2008 at 11:49 AM, joe <listmail@joeware.net> wrote:
> But have you ever removed DCs? Those invocation IDs will always sit out
> there in the replication tables.
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
> ------------------------------
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Rand Salazar
> *Sent:* Monday, December 01, 2008 12:42 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
>
> Ahh, so not necessarily bad then.. its just saying the Invo ID has changed
> X amount of times? Funny though, these DCs have havent been touched much (
> as in never deleted or demoted, etc..) so I wonder why the frequency of the
> changes. Guess I'll need to look up deeper what would cause an ID change..
>
>
>
> On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
>
>> Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
>> world... a DC (for Active Directory) or ADAM instance. Invocation ID also
>> changes for restores as well.
>>
>>
>> joe
>>
>> --
>> O'Reilly Active Directory Third Edition -
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>> ------------------------------
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Rand Salazar
>> *Sent:* Monday, December 01, 2008 12:24 PM
>> *To:* activedir@mail.activedir.org
>> *Subject:* [ActiveDir] DCDIAG - Latency Check, retired invocations??
>>
>> Hey guys,
>>
>> I am running some health checks on AD, and have seen this reported in a
>> bunch of places. What does it mean, retired invocation? I am currently
>> doing some googling on it, but wanted to hedge my bets here :p
>>
>> * Replication Latency Check
>> CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
>> Latency information for 11 entries in the vector were
>> ignored.
>> 11 were retired Invocations. 0 were either: read-only
>> replicas and are not verifiably latent, or dc's no longer replicating this
>> nc. 0 had no latency information (Win2K DC).
>>
>> Thanks!!
>> Rand.
>>
>>
>
| | | |
| listmail
Posts:821
| | 12/01/2008 1:04 PM |
| Demoted and repromoted?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hmm.. not really. at least not 11 times that I know... I can't really
think of any that we removed for good. It could be before my time.. but
still hard to imagine.
On Mon, Dec 1, 2008 at 11:49 AM, joe <listmail@joeware.net> wrote:
But have you ever removed DCs? Those invocation IDs will always sit out
there in the replication tables.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Ahh, so not necessarily bad then.. its just saying the Invo ID has changed
X amount of times? Funny though, these DCs have havent been touched much (
as in never deleted or demoted, etc..) so I wonder why the frequency of the
changes. Guess I'll need to look up deeper what would cause an ID change..
On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
world... a DC (for Active Directory) or ADAM instance. Invocation ID also
changes for restores as well.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:24 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hey guys,
I am running some health checks on AD, and have seen this reported in a
bunch of places. What does it mean, retired invocation? I am currently
doing some googling on it, but wanted to hedge my bets here :p
* Replication Latency Check
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 11 entries in the vector were
ignored.
11 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
Thanks!!
Rand.
| | | |
| austin
Posts:49
| | 12/01/2008 1:08 PM |
| Hi You need not "delete or demote" a DC for the invocationID to be
retired.
As Jorge's Article says:
<Snip>
Invocation ID:
* ID for the database instance on the domain controller
* Initially EXACTLY the same as the DC-GUID for the first DC in
the AD forest until it changes (see below when). For all other DCs in
the AD forest it will change right away during the promotion to a DC.
After that it changes as mentioned in the next bullit.
* Changes during the lifetime of a domain controller when the
domain controller has been restored from a VALID backup using a VALID
backup method and tool OR when a writable (application) partition has
been instantiated (added or re-added) on the domain controller (re-added
means remove existing partition from the DB and add it back later on)
REMARK:
* Wanna know why 'VALID' is written in uppercase?
* --> Read: "Backup and restore of Active
Directory
<http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx> "
* Created the first time during promotion and changes after
restore, NC instantiating, demotion, etc.
* Stored within the attribute called "invocationID" on the "NTDS
Settings" object (which identifies the DC within AD)
* OLD "invocationIDs" are stored in the attribute called
"retiredReplDSASignatures" on the "NTDS Settings" object (which
identifies the DC within AD)
* Used to identify database instances on domain controllers where
changes CAN/WILL originate for a certain naming context (partition)
</Snip>
Regards,
/Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: 01 December 2008 17:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hmm.. not really. at least not 11 times that I know... I can't really
think of any that we removed for good. It could be before my time..
but still hard to imagine.
On Mon, Dec 1, 2008 at 11:49 AM, joe <listmail@joeware.net> wrote:
But have you ever removed DCs? Those invocation IDs will always sit out
there in the replication tables.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Ahh, so not necessarily bad then.. its just saying the Invo ID has
changed X amount of times? Funny though, these DCs have havent been
touched much ( as in never deleted or demoted, etc..) so I wonder why
the frequency of the changes. Guess I'll need to look up deeper what
would cause an ID change..
On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
world... a DC (for Active Directory) or ADAM instance. Invocation ID
also changes for restores as well.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:24 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hey guys,
I am running some health checks on AD, and have seen this reported in a
bunch of places. What does it mean, retired invocation? I am
currently doing some googling on it, but wanted to hedge my bets here :p
* Replication Latency Check
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 11 entries in the vector were
ignored.
11 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
Thanks!!
Rand.
This message may contain confidential information and is intended only for the individual named.
If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.
If verification is required please request a digitally signed version.
| | | |
| listmail
Posts:821
| | 12/01/2008 2:13 PM |
| Yeah I mentioned the restore in I think my first response.
The addition of an App NC is incorrect though. There would be no reason to
change the invID for the addition of an app NC. If you removed it and then
READDED it yes... That would be similar to a restore or a demote/repromote.
The whole point about the invIDs is to get around the question of "what
updates have been seen by what DBs" for replication dampening. Without it
you would have rampant cyclical replication. And if you didn't change the
invID then changes that occurred prior to the removal and readdition of the
NC wouldn't be replicated back to the NC once it was reinstantiated because
it would appear that it was all already seen based on the internal
replication tables.
Jorge... fix your blog post. 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide
Sent: Monday, December 01, 2008 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hi You need not "delete or demote" a DC for the invocationID to be retired.
As Jorge's Article says:
<Snip>
Invocation ID:
* ID for the database instance on the domain controller
* Initially EXACTLY the same as the DC-GUID for the first DC in the AD
forest until it changes (see below when). For all other DCs in the AD forest
it will change right away during the promotion to a DC. After that it
changes as mentioned in the next bullit.
* Changes during the lifetime of a domain controller when the domain
controller has been restored from a VALID backup using a VALID backup method
and tool OR when a writable (application) partition has been instantiated
(added or re-added) on the domain controller (re-added means remove existing
partition from the DB and add it back later on)
REMARK:
* Wanna know why 'VALID' is written in uppercase?
* --> Read: "Backup
<http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx> and
restore of Active Directory"
* Created the first time during promotion and changes after restore,
NC instantiating, demotion, etc.
* Stored within the attribute called "invocationID" on the "NTDS
Settings" object (which identifies the DC within AD)
* OLD "invocationIDs" are stored in the attribute called
"retiredReplDSASignatures" on the "NTDS Settings" object (which identifies
the DC within AD)
* Used to identify database instances on domain controllers where
changes CAN/WILL originate for a certain naming context (partition)
</Snip>
Regards,
/Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: 01 December 2008 17:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hmm.. not really. at least not 11 times that I know... I can't really
think of any that we removed for good. It could be before my time.. but
still hard to imagine.
On Mon, Dec 1, 2008 at 11:49 AM, joe <listmail@joeware.net> wrote:
But have you ever removed DCs? Those invocation IDs will always sit out
there in the replication tables.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Ahh, so not necessarily bad then.. its just saying the Invo ID has changed
X amount of times? Funny though, these DCs have havent been touched much (
as in never deleted or demoted, etc..) so I wonder why the frequency of the
changes. Guess I'll need to look up deeper what would cause an ID change..
On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
world... a DC (for Active Directory) or ADAM instance. Invocation ID also
changes for restores as well.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:24 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hey guys,
I am running some health checks on AD, and have seen this reported in a
bunch of places. What does it mean, retired invocation? I am currently
doing some googling on it, but wanted to hedge my bets here :p
* Replication Latency Check
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 11 entries in the vector were
ignored.
11 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
Thanks!!
Rand.
_____
This message may contain confidential information and is intended only for
the individual named.
If you are not the named addressee you should not disseminate, distribute or
copy this e-mail.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions
in the contents of this message, which arise as a result of e-mail
transmission.
If verification is required please request a digitally signed version.
_____
| | | |
| austin
Posts:49
| | 12/01/2008 3:10 PM |
| Thanks for the clarification joe.
Regards,
/Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: 01 December 2008 19:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Yeah I mentioned the restore in I think my first response.
The addition of an App NC is incorrect though. There would be no reason
to change the invID for the addition of an app NC. If you removed it and
then READDED it yes... That would be similar to a restore or a
demote/repromote. The whole point about the invIDs is to get around the
question of "what updates have been seen by what DBs" for replication
dampening. Without it you would have rampant cyclical replication. And
if you didn't change the invID then changes that occurred prior to the
removal and readdition of the NC wouldn't be replicated back to the NC
once it was reinstantiated because it would appear that it was all
already seen based on the internal replication tables.
Jorge... fix your blog post.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Austin Osuide
Sent: Monday, December 01, 2008 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hi You need not "delete or demote" a DC for the invocationID to be
retired.
As Jorge's Article says:
<Snip>
Invocation ID:
* ID for the database instance on the domain controller
* Initially EXACTLY the same as the DC-GUID for the first DC in
the AD forest until it changes (see below when). For all other DCs in
the AD forest it will change right away during the promotion to a DC.
After that it changes as mentioned in the next bullit.
* Changes during the lifetime of a domain controller when the
domain controller has been restored from a VALID backup using a VALID
backup method and tool OR when a writable (application) partition has
been instantiated (added or re-added) on the domain controller (re-added
means remove existing partition from the DB and add it back later on)
REMARK:
* Wanna know why 'VALID' is written in uppercase?
* --> Read: "Backup and restore of Active
Directory
<http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx> "
* Created the first time during promotion and changes after
restore, NC instantiating, demotion, etc.
* Stored within the attribute called "invocationID" on the "NTDS
Settings" object (which identifies the DC within AD)
* OLD "invocationIDs" are stored in the attribute called
"retiredReplDSASignatures" on the "NTDS Settings" object (which
identifies the DC within AD)
* Used to identify database instances on domain controllers where
changes CAN/WILL originate for a certain naming context (partition)
</Snip>
Regards,
/Austin
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: 01 December 2008 17:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hmm.. not really. at least not 11 times that I know... I can't really
think of any that we removed for good. It could be before my time..
but still hard to imagine.
On Mon, Dec 1, 2008 at 11:49 AM, joe <listmail@joeware.net> wrote:
But have you ever removed DCs? Those invocation IDs will always sit out
there in the replication tables.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Ahh, so not necessarily bad then.. its just saying the Invo ID has
changed X amount of times? Funny though, these DCs have havent been
touched much ( as in never deleted or demoted, etc..) so I wonder why
the frequency of the changes. Guess I'll need to look up deeper what
would cause an ID change..
On Mon, Dec 1, 2008 at 11:28 AM, joe <listmail@joeware.net> wrote:
Generally it is a deleted DSA (Directory Service Agent) or in the MSFT
world... a DC (for Active Directory) or ADAM instance. Invocation ID
also changes for restores as well.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, December 01, 2008 12:24 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] DCDIAG - Latency Check, retired invocations??
Hey guys,
I am running some health checks on AD, and have seen this reported in a
bunch of places. What does it mean, retired invocation? I am
currently doing some googling on it, but wanted to hedge my bets here :p
* Replication Latency Check
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 11 entries in the vector were
ignored.
11 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
Thanks!!
Rand.
________________________________
This message may contain confidential information and is intended only
for the individual named.
If you are not the named addressee you should not disseminate,
distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or
omissions in the contents of this message, which arise as a result of
e-mail transmission.
If verification is required please request a digitally signed version.
________________________________
| | | |
|
|