joe1 | Posts:27 | 06/30/2010 6:19 PM
Hi Guys
I have an environment of 150 Win 2003 R2 Domain controllers. I recently amended the Restricted Groups GPO that controls our Domain Admins and Exchange Full Admins group, and this has highlighted that we have some issues. Membership of the group yo-yos between how it was before and how it is after the new GPO was applied.
I think I've traced the changes to 3 DCs in a site in Europe, since I'm getting alerts from that Site constantly about changes to the group membership. However, when I look at the event logs, there are no errors for NTFRS. DCDiag shows that all Domain Partitions are up to date. I've restarted the NTFRS service on all three DCs, and forced a manual AD replication from a good DC.
I'm at a bit of a loss to work out how to troubleshoot this, since I have no error messages to work from.
Any suggestions?
Thanks
Joe
Maybe related, maybe not - As part of the same exercise, I also traced a DC exhibiting the problem described in the link below, and decommissioned it:
http://support.microsoft.com/kb/325473
RobSilver | Posts:0 | 06/30/2010 7:04 PM
Have a look at Sonar to assess the health of the Sysvol folder replication.
Rob
pbbergs | Posts:281 | 06/30/2010 7:59 PM
Remember that NTFRS and NTDS are replicated separately and group policy relies on both pieces to work correctly. So just because dcdiag shows no issues, I don't believe it will evaluate your sysvol. This is the point I believe Rob was trying to make: the DIT and sysvol are two separate systems, so you need to use a separate diagnostic utility to evaluate its health.
FRSDiag:
http://www.microsoft.com/downloads/details.aspx?FamilyID=43cb658e-8553-4de7-811a-562563eb5ebf&DisplayLang=en
http://blogs.technet.com/b/askds/archive/2008/05/30/how-to-get-the-most-from-your-frsdiag.aspx
Thank-You
Paul Bergson Sr Systems Programmer MCITP - Enterprise Administrator MVP - Active Directory MCTS, MCT, MCSE, MCSA, Security+, BS C. Sci. 2008, 2003, 2000 (Early Achiever), NT4 Microsoft's Thrive IT Pro of the Month for June 2009
bijubabuk | Posts:109 | 07/01/2010 5:24 AM
I remember reading somewhere it's not a good idea to put DA and EA in restricted group membership.
Isn't that so ?
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
Please consider our environmental responsibility before printing this e-mail
PARRIS | Posts:291 | 07/01/2010 5:53 AM
Perhaps you are referring to this KB http://support.microsoft.com/kb/279301
Managing membership of Domain Groups by using Restricted Groups
Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
Regards,
Mark Parris MVP-DS
m.07801 690596
Blog: http://markparris.co.uk
Facebook: http://facebook.com/markparris
Twitter: http://twitter.com/markparris
LinkedIn: http://uk.linkedin.com/in/markparris
darren | Posts:386 | 07/01/2010 6:01 AM
Yea, this is generally a bad idea. I definitely don't recommend using Restricted Groups policy to manage AD groups. If you think about how GP applies policy, and the fact that each DC is going to process the identical restricted groups policies, but at potentially different times, you can imagine something like a ping-pong effect on AD group memberships. The underlying problem here is that each DC is writeable, which is not an ideal scenario for GP, for managing what should essentially be a single-master change.
Darren
SaucyWrong | Posts:54 | 07/01/2010 3:58 PM
Wouldn't the ping-ponging eventually stop once AD converges and all DCs are processing the same GPO? That's interesting though, I didn't know that Microsoft didn't support this.
Matt
bijubabuk | Posts:109 | 07/01/2010 4:12 PM
Coincidentally, yesterday night I got a similar issue where one of the DCs' SYSVOL was in journal wrap error and wasn't replicating. So the GPO version in DS and SYSVOL was wrong; I'm in the process of fixing it.
But I came across this tool where you can easily find out the version mismatch of GPOs in a DC quite easily
"gpotool /domain:<FQDN> /dc:<dcname>"
Result looks like
DC: <dcname>
Friendly name: Default Domain Controllers Policy
Created: 2/3/2001 5:18:54 AM
Changed: 6/11/2010 1:52:40 PM
DS version: 7(user) 5827(machine)
Sysvol version: 7(user) 5785(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
Please consider our environmental responsibility before printing this e-mail
darren | Posts:386 | 07/01/2010 5:50 PM
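Biju's gpotool check above compares two numbers per GPO per DC by eye. The following is an added example, not code from the thread or from gpotool: a small parser that reads gpotool-style output for every DC, flags any DC whose SYSVOL copy lags or leads the version AD advertises, and shows how the user and machine halves pack into the single 32-bit version number AD and GPT.INI actually store. The sample output, its policy GUID and its host names are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample shaped like the gpotool output quoted in the thread. The
# policy GUID and host names are placeholders, not values from any real domain.
SAMPLE_OUTPUT = """\
Policy {00000000-0000-0000-0000-000000000001}
DC: dc01.corp.example
Friendly name: Default Domain Controllers Policy
Created: 2/3/2001 5:18:54 AM
Changed: 6/11/2010 1:52:40 PM
DS version: 7(user) 5827(machine)
Sysvol version: 7(user) 5827(machine)
Flags: 0 (user side enabled; machine side enabled)
Functionality version: 2
DC: dc02.corp.example
Friendly name: Default Domain Controllers Policy
Created: 2/3/2001 5:18:54 AM
Changed: 6/11/2010 1:52:40 PM
DS version: 7(user) 5827(machine)
Sysvol version: 7(user) 5785(machine)
Flags: 0 (user side enabled; machine side enabled)
Functionality version: 2
"""

VERSION_RE = re.compile(r"^(DS|Sysvol) version:\s*(\d+)\(user\)\s+(\d+)\(machine\)", re.I)
POLICY_RE = re.compile(r"^Policy\s+(\{[0-9A-Fa-f-]+\})")


@dataclass
class GpoVersions:
    policy: str
    dc: str
    name: str
    ds_user: int
    ds_machine: int
    sysvol_user: int
    sysvol_machine: int

    @property
    def mismatched(self) -> bool:
        # Consistent only when both halves agree between the AD object (DS)
        # and this DC's SYSVOL copy (GPT.INI).
        return (self.ds_user, self.ds_machine) != (self.sysvol_user, self.sysvol_machine)


def pack_version(user: int, machine: int) -> int:
    """The versionNumber attribute and GPT.INI's Version= hold one 32-bit value:
    user-side version in the high 16 bits, machine-side in the low 16."""
    return ((user & 0xFFFF) << 16) | (machine & 0xFFFF)


def unpack_version(version: int) -> tuple[int, int]:
    """Inverse of pack_version: (user, machine)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def _finish(records: list[GpoVersions], policy: str, block: dict) -> None:
    try:
        records.append(GpoVersions(policy=policy, **block))
    except TypeError as exc:  # a DS or Sysvol version line was missing
        raise ValueError(f"incomplete gpotool block for DC {block.get('dc')!r}") from exc


def parse_gpotool(text: str) -> list[GpoVersions]:
    """Turn gpotool's per-DC blocks into records; lines we do not need are skipped."""
    records: list[GpoVersions] = []
    policy, block = "<unknown>", {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            if block:
                _finish(records, policy, block)
            policy, block = m.group(1), {}
        elif line.startswith("DC:"):
            if block:
                _finish(records, policy, block)
            block = {"dc": line.split(":", 1)[1].strip()}
        elif line.startswith("Friendly name:"):
            block["name"] = line.split(":", 1)[1].strip()
        elif m := VERSION_RE.match(line):
            side = m.group(1).lower()  # "ds" or "sysvol"
            block[f"{side}_user"], block[f"{side}_machine"] = int(m.group(2)), int(m.group(3))
    if block:
        _finish(records, policy, block)
    return records


def find_mismatches(text: str) -> list[GpoVersions]:
    """DCs whose SYSVOL copy of a GPO does not match the version AD advertises."""
    return [r for r in parse_gpotool(text) if r.mismatched]


if __name__ == "__main__":
    for r in parse_gpotool(SAMPLE_OUTPUT):
        print(f"{r.dc}: {r.name} DS={pack_version(r.ds_user, r.ds_machine)} "
              f"SYSVOL={pack_version(r.sysvol_user, r.sysvol_machine)} "
              f"{'MISMATCH' if r.mismatched else 'ok'}")
```

Feed it the saved output of gpotool run against each DC in the suspect site; a DC that keeps showing a lower Sysvol machine version is the one whose SYSVOL replica is stuck, even when NTFRS logs nothing.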
Matt- I suspect eventually it would, although keep in mind that security policy (including restricted groups) refreshes automatically every 16 hours by default, so the ping-ponging would be never ending. I think you have to ask, if I was doing this manually, would it be best practice to make the same AD group membership change to multiple DCs at roughly the same time? We always try to avoid that in practice, but that is exactly what GP is doing. At some point in the past, I had considered the idea of constraining this by permissioning the GPO delivering the group memberships such that only one DC at a time could process it. It seemed like an awful lot of work to go through to manage AD groups and probably not the right approach in the big, but it would probably work. GP is good for a lot of things, but I'm the first to admit that sometimes it looks like the proverbial hammer trying to make everything a nail.
Darren
joe1 | Posts:27 | 07/01/2010 6:04 PM
| Exactly - we've run this GPO for a couple of years without incident - eventually everything lines up. But recently this GPO just won't get straight, so I think that SYSVOL replication is having trouble with a couple of DC's, but there aren't any errors to give me a lead.
I've been busy cleaning up deleted DC's from the replica set, and removing some dead DC objects from the Sites\Servers tool, but with no effect so far.
| | | |
| bijubabuk
Posts:109
 | | 07/02/2010 7:08 AM |
| I would suggest you check event IDs 632/633 or 636/637 (Global group member added/removed or Local group member added/removed, according to your group scope); then you can see which DC is modifying the group (the caller user name appears as DCNAME$), and then you can run gpotool /domain:<FQDN> /DC:<DCNAME>, which will tell you if the SYSVOL and DS versions of the GPO differ on that DC.
Or
you can run gpotool /domain:<FQDN> and omit the /dc parameter; it will contact all the DCs in the domain to verify the GPO DS and SYSVOL versions.
Both are time-intensive operations.
Gpotool.exe is a Windows 2003 Resource Kit tool.
You can use eventcombmt.exe to search events on multiple DCs (if you have an audit log capturing solution, it should have the log details).
I have done this on Windows 2003 boxes; in 2008 the event IDs for group modification are different and contain better details (no hands-on experience).
Hope this helps
Regards
Biju
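Biju's first step, done offline as an added example (my code, not from the thread and not eventcombmt's output format): it reads a constructed export of membership audit events, keeps only the IDs he names (632/633, 636/637) plus the Windows Server 2008 equivalents he alludes to (4728/4729, 4732/4733), and reports which machine accounts (DCNAME$) keep reversing a member, i.e. which DC to point gpotool /DC:<DCNAME> at first. The pipe-separated field layout, DC names, group and member names are all assumptions.

```python
"""Which DC is flipping a domain group's membership? Reads an exported list
of group-membership audit events and attributes each reversal to the account
that caused it. Constructed sample data, not an eventcombmt export."""
from collections import Counter, defaultdict
from datetime import datetime

# Event IDs named in the thread (Windows Server 2003) and the Windows Server
# 2008+ IDs that replaced them: (group scope, action).
GROUP_EVENTS = {
    632: ("global", "add"), 633: ("global", "remove"),    # 2003
    636: ("local", "add"), 637: ("local", "remove"),      # 2003
    4728: ("global", "add"), 4729: ("global", "remove"),  # 2008+
    4732: ("local", "add"), 4733: ("local", "remove"),    # 2008+
}

# Constructed export (assumed layout), one event per line:
# time | DC that logged it | event id | target group | member | caller account
# A caller of the form NAME$ is a machine account, i.e. the DC applying policy.
SAMPLE_EXPORT = """\
2010-07-01 09:00:05|DC01|632|Domain Admins|CORP\\svc-backup|DC01$
2010-07-01 09:10:12|DC02|632|Domain Admins|CORP\\svc-backup|DC02$
2010-07-01 10:31:40|EUDC07|633|Domain Admins|CORP\\svc-backup|EUDC07$
2010-07-01 10:32:01|DC01|632|Domain Admins|CORP\\svc-backup|DC01$
2010-07-01 12:15:33|EUDC07|633|Domain Admins|CORP\\svc-backup|EUDC07$
2010-07-01 12:20:09|DC03|632|Domain Admins|CORP\\svc-backup|DC03$
2010-07-01 13:05:00|DC02|632|Exchange Full Admins|CORP\\jdoe|jsmith
2010-07-01 13:06:00|DC02|4624|-|-|jsmith
"""


def parse_export(text):
    """Parse the export into event dicts, keeping only membership events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dc, eid, group, member, caller = line.split("|")
        scope_action = GROUP_EVENTS.get(int(eid))
        if scope_action is None:
            continue  # not a membership change (e.g. a logon event)
        scope, action = scope_action
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dc": dc, "event_id": int(eid), "scope": scope, "action": action,
            "group": group, "member": member, "caller": caller,
        })
    return sorted(events, key=lambda e: e["time"])


def membership_flips(events):
    """Per (group, member): how often the action reversed (add after remove
    or vice versa) and which callers performed the reversing action."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["group"], e["member"])].append(e)
    report = {}
    for key, seq in by_key.items():
        flips, reversers = 0, Counter()
        for prev, cur in zip(seq, seq[1:]):
            if prev["action"] != cur["action"]:
                flips += 1
                reversers[(cur["caller"], cur["action"])] += 1
        report[key] = {"flips": flips, "reversers": reversers}
    return report


def policy_driven_actions(events):
    """Adds/removes performed by machine accounts (NAME$), i.e. by a DC
    applying Restricted Groups rather than by an admin."""
    per_dc = defaultdict(Counter)
    for e in events:
        if e["caller"].endswith("$"):
            per_dc[e["caller"][:-1]][e["action"]] += 1
    return dict(per_dc)


def suspect_dcs(events):
    """DCs whose policy-driven action on a member runs against what the other
    DCs enforce for it. Majority-wins is a heuristic: it names the DC to
    check first with gpotool, it does not prove that copy is the stale one."""
    votes = defaultdict(lambda: defaultdict(set))  # key -> action -> {dc}
    for e in events:
        if e["caller"].endswith("$"):
            votes[(e["group"], e["member"])][e["action"]].add(e["caller"][:-1])
    suspects = set()
    for actions in votes.values():
        if len(actions) < 2:
            continue
        majority = max(actions, key=lambda a: len(actions[a]))
        for action, dcs in actions.items():
            if action != majority:
                suspects |= dcs
    return sorted(suspects)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for key, r in membership_flips(evs).items():
        print(key, r["flips"], dict(r["reversers"]))
    print(policy_driven_actions(evs))
    print("check GPO versions first on:", suspect_dcs(evs))
```

Human callers (jsmith above) are deliberately left out of the per-DC counts: the ping-pong the thread describes is done under the DC's own machine account, and an admin's one-off change should not be mistaken for it.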
| | | |
| SaucyWrong
Posts:54
 | | 07/02/2010 4:39 PM |
| Darren, That definitely makes sense. In practice, we use them to manage some AD groups (none of the privileged groups though). I've never seen an issue come up, but once you think about it, it is a really unstable way to restrict group membership. Does GPP offer a better way? I know you can do some sort of group management, but I've never really delved into it.
Thanks, Matt
On Thu, Jul 1, 2010 at 12:49 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
> Matt-
>
> I suspect eventually it would, although keep in mind that security policy (including restricted groups) refreshes automatically every 16 hours by default, so the ping-ponging would be never ending. I think you have to ask, if I was doing this manually, would it be best practice to make the same AD group membership change to multiple DCs at roughly the same time? We always try to avoid that in practice, but that is exactly what GP is doing. At some point in the past, I had considered the idea of constraining this by permissioning the GPO delivering the group memberships such that only one DC at a time could process it. It seemed like an awful lot of work to go through to manage AD groups and probably not the right approach in the big, but it would probably work. GP is good for a lot of things, but I'm the first to admit that sometimes it looks like the proverbial hammer trying to make everything a nail.
>
> Darren
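A toy model of the mechanism Darren describes in the reply quoted above, added here and not part of the thread: each DC is a writable replica that, at its own security-policy refresh (every 16 hours by default, as he notes), overwrites the group's member list with whatever its SYSVOL copy of the Restricted Groups policy contains. Replication is idealised as instantaneous, so the only thing that differs between DCs is the policy copy they hold; DC names and member names are constructed. It also plays out his two ways out of the loop: every copy in step, or only one DC allowed to process the GPO.

```python
"""Toy model of the Restricted Groups ping-pong on a multi-master directory.
Added example, not from the thread. Every DC enforces the member list from
its own SYSVOL copy of the policy whenever its refresh fires."""
from collections import Counter


def simulate_refreshes(policy_copies, refresh_order):
    """policy_copies: {dc: members its policy copy enforces}.
    refresh_order: DC names in the order their security refresh fires.
    Returns [(dc, membership after that DC applied its copy), ...]."""
    history = []
    for dc in refresh_order:
        # "Members of this group" in Restricted Groups replaces the whole list.
        members = frozenset(policy_copies[dc])
        history.append((dc, members))
    return history


def count_flips(history):
    """How many times the membership changed between consecutive refreshes."""
    return sum(1 for a, b in zip(history, history[1:]) if a[1] != b[1])


def dcs_out_of_step(policy_copies):
    """DCs whose copy differs from the copy most DCs hold."""
    majority = Counter(frozenset(m) for m in policy_copies.values()).most_common(1)[0][0]
    return sorted(dc for dc, m in policy_copies.items() if frozenset(m) != majority)


# Constructed scenario: the amended policy adds svc-backup; EUDC07 still
# holds the old copy because its SYSVOL has not caught up.
NEW_POLICY = {"admin-a", "admin-b", "svc-backup"}
OLD_POLICY = {"admin-a", "admin-b"}
COPIES = {"DC01": NEW_POLICY, "DC02": NEW_POLICY,
          "EUDC07": OLD_POLICY, "DC03": NEW_POLICY}
ROUND_ROBIN = ["DC01", "DC02", "EUDC07", "DC03"] * 3  # three refresh cycles


def scenario_flips(copies=COPIES, order=ROUND_ROBIN):
    """Flips observed over the given refresh order with the given copies."""
    return count_flips(simulate_refreshes(copies, order))


if __name__ == "__main__":
    print("divergent copies, every DC refreshing:", scenario_flips())
    print("DC out of step:", dcs_out_of_step(COPIES))
    print("after SYSVOL catches up:", scenario_flips(dict(COPIES, EUDC07=NEW_POLICY)))
    # Darren's alternative: permission the GPO so a single DC processes it.
    print("only DC01 processes the GPO:", scenario_flips(order=["DC01"] * 12))
```

With one stale copy, every refresh cycle produces two flips and the count grows without bound as long as the refreshes keep firing; with all copies identical, or with one DC as the sole processor, the membership settles after the first application. That is also why Darren says GPP does not help: the enforcement model, not the settings format, is what oscillates.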
| | | |
| darren
Posts:386
 | | 07/02/2010 6:21 PM |
| Matt- GPP does add more options for managing groups but explicitly talks about managing local groups. And, since its processing model is really no different from "regular" policy, I don't think it provides a solution here.
Darren
| | | |
| joe1
Posts:27
 | | 07/06/2010 1:44 PM |
| Update:-
Thanks for the pointer on GPOTool - I ran a comparison between the known good DC and the suspect ones (the tool couldn't handle contacting our 150 DCs + 1,000 GPOs [*], although I did try it - it just bombed out). It picked out some differences, and I just did a straight file copy of the Policy files from A to B. This resolved the "symptom" at least, and our GPO is now correctly enforced.
I also cleaned up a bunch of stuff from the SYSVOL FRS portion of the Configuration partition based on the output of FRSDiag. I saw stuff in there that I assumed would have been cleaned up by a Metadata cleanup, but had not (in some cases, at least).
Regards Joe
[*] I know, I know.... historically too many people with too many permissions...
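What gpotool compares, written out as an added example (my code, not gpotool's and not from the thread): the GPO version AD stores in the versionNumber attribute of the groupPolicyContainer object against the Version line each DC has in its SYSVOL copy of GPT.ini. The AD value and the GPT.ini texts below are constructed; in practice they come from LDAP and from each DC's SYSVOL share, with GPT.ini decoded first (it is often UTF-16 on disk).

```python
"""Compare a GPO's AD version with the Version in each DC's SYSVOL GPT.ini,
the consistency check gpotool performs per DC. Added example with constructed
inputs; the real GPT.ini lives at \\<dc>\SYSVOL\<domain>\Policies\{GUID}\GPT.ini
and the AD value is the versionNumber attribute of the policy's container."""
import configparser


def parse_gpt_ini(text):
    """Version= from the [General] section of a GPT.ini (already decoded)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def split_version(version):
    """A GPO version packs two 16-bit counters: the user-configuration
    version in the high word and the computer-configuration version in the
    low word. Restricted Groups is a computer setting, so the low word is the
    half that decides which member list a DC applies."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}


def find_stale_sysvol(ad_version, sysvol_copies):
    """sysvol_copies: {dc: GPT.ini text}. Returns {dc: {half: (ad, sysvol)}}
    for every DC whose SYSVOL copy disagrees with AD; empty means in sync."""
    ad = split_version(ad_version)
    stale = {}
    for dc, text in sysvol_copies.items():
        sysvol = split_version(parse_gpt_ini(text))
        diff = {half: (ad[half], sysvol[half])
                for half in ad if ad[half] != sysvol[half]}
        if diff:
            stale[dc] = diff
    return stale


# Constructed: AD says user 2 / computer 6 (2 << 16 | 6 = 131078); EUDC07's
# SYSVOL still carries computer version 5, so it applies the previous list.
AD_VERSION = 131078
SYSVOL_COPIES = {
    "DC01": "[General]\nVersion=131078\n",
    "DC02": "[General]\nVersion=131078\ndisplayName=New Group Policy Object\n",
    "EUDC07": "[General]\nVersion=131077\n",
}

if __name__ == "__main__":
    print("AD:", split_version(AD_VERSION))
    print("stale SYSVOL copies:", find_stale_sysvol(AD_VERSION, SYSVOL_COPIES))
```

A mismatch in the computer half is the one that explains a DC enforcing an old member list; copying the policy folder from a DC whose copy matches AD, as Joe did, brings that DC's GPT.ini (and the rest of the policy files) back in step, but it treats the symptom and leaves the replication fault that produced the lag to be chased separately.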
| | | |