RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

[Gil Kirkpatrick]

Title: Most common cause of Active Directory "failures"?

You want something done right, do it yourself.... :)   -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, October 10, 2005 1:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"? Maybe I shouldn’t be pushing so hard to take over DNS operations for clients and servers. ;-)   Actually, we manage the SRV records only, and while they are a bit tricky, but once it’s working it just works.  But trying to explain what’s going on to a Windows admin who doesn’t have an AD background is almost a bigger challenge. Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com ----------------------------------------------  "Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, October 10, 2005 12:06 PM To: ActiveDir@mail.activedir.org Cc: Christine McDermott Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?   Here's the summary of the results from last weeks informal survey. By far the most popular cause of AD failure is the inadvertant misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.   (45 pts) C. Inadvertant misconfiguration of MSFT DNS. (30 pts) B. Inadvertant misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change) (28 pts) A. Inadvertant data deletion (fat-fingering a user object or, God-forbid, an OU) (22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs) (15 pts) H. Physical disaster (fire, flood, power failure, etc) (14 pts) F. Hardware failure of a DC (12 pts) E. Inadvertant misconfiguration of networking devices (4 pts) J. Malicious attack by a data admin (2 pts) K. Malicious attack by an authenticated user   I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness, the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS?   A little surprising is that the there were two votes for malicious attacks by an internal source.   Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...)   Incomplete load of an IPSec filter list Impact of a 3rd party agent or application on a DC e.g. Antivirus software Issues with FW config that hindered replication over tombstone livetime (may belong to E) Corrupt AD DC database / required metadata cleanup and repromotion of DC Misconfiguration by a previous admin, and shutting down a DC with out dcpromo, or cleaning up metadata afterwards. Inadvertantly double-clicking a _vbscript_ when someone meant to right-click > edit it :)   The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.   I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)   -gil   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, October 05, 2005 4:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Most common cause of Active Directory "failures"? Greetings fellow travellers, Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got a some swell gifts to give away at random to a couple of lucky respondants (nothing too fancy). I'll post the summary in a few days. Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected). List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like B, A, F or some such, along with any commentary you might have. A. Inadvertant data deletion (fat-fingering a user object or, God-forbid, an OU) B. Inadvertant misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change) C. Inadvertant misconfiguration of MSFT DNS. D. Inadvertant misconfiguration of non-MSFT DNS. E. Inadvertant misconfiguration of networking devices F. Hardware failure of a DC G. Hardware failure of a networking device (including DNS servers, if they are not also DCs) H. Physical disaster (fire, flood, power failure, etc) I. Malicious attack by a service admin J. Malicious attack by a data admin K. Malicious attack by an authenticated user L. Malicious attack by an unauthenticated user M. Other (please specify) Thanks for your feedback. -gil Gil Kirkpatrick CTO, NetPro Don''t miss the Directory Experts Conference 2006. More information at www.dec2006.com.